Journal of Information Systems and Informatics
Vol 7 No 4 (2025): December

Optimized K-Means Clustering for Web Server Anomaly Detection Using Elbow Method and Security-Rule Enhancements

Trianto, Rahmawan Bagus
Muin, Muhammad Abdul
Vikasari, Cahya



Article Info

Publish Date
10 Dec 2025

Abstract

Anomaly detection in web server environments is essential for identifying early indicators of cyberattacks that arise from abnormal request behaviors. Traditional signature-based mechanisms often fail to detect emerging or obfuscated threats, requiring more adaptive analytical approaches. This study proposes an optimized anomaly detection model using K-Means clustering enhanced with engineered security-rule features and the Elbow Method. Two datasets were used: a small dataset of 3,399 log entries from one VPS and a large dataset of 223,554 entries collected from three VPS nodes, all sourced from local production servers of the Department of Computer and Business, Politeknik Negeri Cilacap. The preprocessing pipeline includes timestamp normalization, removal of non-informative static resources, numerical feature scaling, and TF-IDF encoding of URL paths. Domain-driven security features (entropy scores, encoded-payload indicators, abnormal status-code ratios, and request-rate deviations) were integrated to improve anomaly separability. Experiments across five model configurations show that combining larger datasets with rule-based features significantly enhances clustering performance, achieving a Silhouette Score of 0.9136 and a Davies–Bouldin Index of 0.4712. The results validate the effectiveness of incorporating security-rule engineering with unsupervised learning to support early-warning threat detection in web server environments.
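The four security-rule features named in the abstract can be derived from raw access-log lines as in the following added example, which is not code from the paper. The abstract does not give the feature definitions, so the log regex, the static-file filter, the threshold of three percent-encoded bytes, the `status >= 400` rule, the function names, and computing the rate deviation over the whole sample rather than per time window are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample lines in Common Log Format (not from the paper's datasets).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2025:10:00:01 +0700] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Dec/2025:10:00:02 +0700] "GET /static/site.css HTTP/1.1" 200 90
203.0.113.5 - - [10/Dec/2025:10:00:09 +0700] "GET /about HTTP/1.1" 200 734
198.51.100.7 - - [10/Dec/2025:10:00:10 +0700] "GET /view?f=%2e%2e%2f%2e%2e%2fconf HTTP/1.1" 403 199
198.51.100.7 - - [10/Dec/2025:10:00:11 +0700] "GET /login HTTP/1.1" 404 150
198.51.100.7 - - [10/Dec/2025:10:00:12 +0700] "GET /admin HTTP/1.1" 404 150
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+')
STATIC = re.compile(r'\.(?:css|js|png|jpe?g|gif|ico|svg|woff2?)(?:\?|$)', re.I)
PCT = re.compile(r'%[0-9A-Fa-f]{2}')  # one percent-encoded byte

def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse(log_text):
    """Yield (ip, url, status) for non-static requests; skip unparseable lines."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and not STATIC.search(m.group(2)):
            yield m.group(1), m.group(2), int(m.group(3))

def ip_features(log_text):
    """Per client: [max URL entropy, encoded-payload ratio, error ratio, rate z-score]."""
    per_ip = defaultdict(list)
    for ip, url, status in parse(log_text):
        per_ip[ip].append((url, status))
    if not per_ip:
        return {}
    counts = [len(v) for v in per_ip.values()]
    mu, sigma = mean(counts), pstdev(counts) or 1.0  # avoid division by zero
    return {
        ip: [
            max(shannon_entropy(u) for u, _ in reqs),
            sum(1 for u, _ in reqs if len(PCT.findall(u)) >= 3) / len(reqs),
            sum(1 for _, s in reqs if s >= 400) / len(reqs),
            (len(reqs) - mu) / sigma,
        ]
        for ip, reqs in per_ip.items()
    }
```

The resulting vectors are what would then be scaled and passed to K-Means; the clustering and Elbow Method steps are not reproduced here.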

Copyrights © 2025






Journal Info

Abbrev

isi

Subject

Computer Science & IT

Description

Journal-ISI is a scientific article journal that is the result of ideas, great and original thoughts about the latest research and technological developments covering the fields of information systems, information technology, informatics engineering, and computer science, and industrial engineering ...