Toward Specification-Based Intrusion Detection for Web Applications

Introduction

In specification-based detection the correct behavior of a system is modeled formally and would be later verified during system operation for detecting anomalies. In this paper we argue that comparing to anomaly and signature-based approaches, specification-based approach is an appropriate and precise way to build IDSes for web applications. This is due to standardized nature of web architecture including protocols (HTTP, SOAP) and data formats (HTML, XHTML, XML), which makes the challenging task of formal specification feasible. In this paper we propose a novel architecture based on ICAP protocol for a specificationbased web application IDS, in which input parameters as well as the output content of a web application are specified formally by regular expressions and the IDS verifies the specification when users have interactions with the application.

A more precise and comprehensive specification makes the IDS engine more powerful and increase the detection rate while decrease the false alarms. A correct specification that exactly matches the real behavior of the system is very important. If the specification is so strict then some normal behavior of the system may be detected as malicious activity and false positives arise. On the other hand, If the specification is so loose or general, then some abnormal behavior of the system may be considered as normal activity and it causes false negatives. Because of the variety of systems and normal behaviors, designing a general specification-based IDS with formal specifications of all normal activities is generally so complicated and imprecise. So researchers mainly focus on a specific system or network protocol and try to formalize the specifications in order to build a specification-based IDS[1].