Christopher Kruegel
ABSTRACT
Web-based vulnerabilities represent a substantial portion of the security exposures of computer networks. In order to detect known web-based attacks, misuse detection systems are equipped with a large number of signatures. Unfortunately, it is difficult to keep up with the daily disclosure of web-related vulnerabilities, and, in addition, vulnerabilities may be introduced by installation-specific web-based applications. Therefore, misuse detection systems should be complemented with anomaly detection systems. This paper presents an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web-based applications. The system correlates the server-side programs referenced by client queries with the parameters contained in these queries. The application-specific characteristics of the parameters allow the system to perform focused analysis and produce a reduced number of false positives. The system derives automatically the parameter profiles associated with web applications (e.g., length and structure of parameters) from the analyzed data. Therefore, it can be deployed in very different application environments without having to perform time-consuming tuning and configuration.
- M. Almgren and U. Lindqvist. Application-Integrated Data Collection for Security Monitoring. In Proceedings of Recent Advances in Intrusion Detection (RAID), LNCS, pages 22--36, Davis,CA, October 2001. Springer. Google Scholar
Digital Library
- Apache 2.0 Documentation, 2002. http://www.apache.org/.Google Scholar
- D. Barbara, R. Goel, and S. Jajodia. Mining Malicious Data Corruption with Hidden Markov Models. In 16th Annual IFIP WG 11.3 Working Conference on Data and Application Security, Cambridge, England, July 2002.Google Scholar
- Patrick Billingsley. Probability and Measure. Wiley-Interscience, 3 edition, April 1995.Google Scholar
- CERT/CC. "Code Red Worm" Exploiting Buffer Overflow In IIS Indexing Service DLL. Advisory CA-2001-19, July 2001.Google Scholar
- CGI Security Homepage. http://www.cgisecurity.com/, 2002.Google Scholar
- K. Coar and D. Robinson. The WWW Common Gateway Interface, Version 1.1. Internet Draft, June 1999.Google Scholar
- csSearch. http://www.cgiscript.net/.Google Scholar
- Cyberstrider WebWho. http://www.webwho.co.uk/.Google Scholar
- D.E. Denning. An Intrusion Detection Model. IEEE Transactions on Software Engineering, 13(2):222--232, February 1987. Google ScholarDigital Library
- R. Fielding et al. Hypertext Transfer Protocol -- HTTP/1.1. RFC 2616, June 1999. Google ScholarDigital Library
- S. Forrest. A Sense of Self for UNIX Processes. In Proceedings of the IEEE Symposium on Security and Privacy, pages 120--128, Oakland, CA, May 1996. Google ScholarDigital Library
- A.K. Ghosh, J. Wanken, and F. Charron. Detecting Anomalous and Unknown Intrusions Against Programs. In Proceedings of the Annual Computer Security Applications Conference (ACSAC'98), pages 259--267, Scottsdale, AZ, December 1998. Google ScholarDigital Library
- K. Ilgun, R.A. Kemmerer, and P.A. Porras. State Transition Analysis: A Rule-Based Intrusion Detection System. IEEE Transactions on Software Engineering, 21(3):181--199, March 1995. Google ScholarDigital Library
- IMP Webmail Client. http://www.horde.org/imp/.Google Scholar
- H. S. Javitz and A. Valdes. The SRI IDES Statistical Anomaly Detector. In Proceedings of the IEEE Symposium on Security and Privacy, May 1991.Google ScholarCross Ref
- C. Ko, M. Ruschitzka, and K. Levitt. Execution Monitoring of Security-Critical Programs in Distributed Systems: A Specification-based Approach. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, pages 175--187, May 1997. Google ScholarDigital Library
- C. Kruegel, T. Toth, and E. Kirda. Service Specific Anomaly Detection for Network Intrusion Detection. In Symposium on Applied Computing (SAC). ACM Scientific Press, March 2002. Google ScholarDigital Library
- T. Lane and C.E. Brodley. Temporal sequence learning and data reduction for anomaly detection. In Proceedings of the 5th ACM conference on Computer and communications security, pages 150--158. ACM Press, 1998. Google ScholarDigital Library
- W. Lee and S. Stolfo. A Framework for Constructing Features and Models for Intrusion Detection Systems. ACM Transactions on Information and System Security, 3(4), November 2000. Google ScholarDigital Library
- W. Lee, S. Stolfo, and K. Mok. Mining in a Data-flow Environment: Experience in Network Intrusion Detection. In Proceedings of the 5th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD '99), San Diego, CA, August 1999. Google ScholarDigital Library
- J. Liberty and D. Hurwitz. Programming ASP.NET. O'REILLY, February 2002. Google ScholarDigital Library
- U. Lindqvist and P.A. Porras. Detecting Computer and Network Misuse with the Production-Based Expert System Toolset (P-BEST). In IEEE Symposium on Security and Privacy, pages 146--161, Oakland, California, May 1999.Google ScholarCross Ref
- Miva HtmlScript. http://www.htmlscript.com/.Google Scholar
- V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. In Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998. Google ScholarDigital Library
- Phorum: PHP Message Board. http://www.phorum.org/.Google Scholar
- PHP Advisory Homepage. http://www.phpadvisory.com/, 2002.Google Scholar
- M. Roesch. Snort - Lightweight Intrusion Detection for Networks. In Proceedings of the USENIX LISA '99 Conference, November 1999. Google ScholarDigital Library
- Security Focus Homepage. http://www.securityfocus.com/, 2002.Google Scholar
- Andreas Stolcke and Stephen Omohundro. Hidden Markov Model Induction by Bayesian Model Merging. Advances in Neural Information Processing Systems, 1993. Google ScholarDigital Library
- Andreas Stolcke and Stephen Omohundro. Inducing Probabilistic Grammars by Bayesian Model Merging. In Conference on Grammatical Inference, 1994. Google ScholarDigital Library
- K. Tan and R. Maxion. "Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector. In Proceedings of the IEEE Symposium on Security and Privacy, pages 188--202, Oakland, CA, May 2002. Google ScholarDigital Library
- Robert Tarjan. Depth-First Search and Linear Graph Algorithms. SIAM Journal of Computing, 1(2):10--20, June 1972.Google ScholarCross Ref
- Security Tracker. Vulnerability statistics April 2001-march 2002. http://www.securitytracker.com/learn/statistics.html, April 2002.Google Scholar
- N. Ye, Y. Zhang, and C. M. Borror. Robustness of the Markov chain model for cyber attack detection. IEEE Transactions on Reliability, 52(3), September 2003.Google Scholar
Index Terms
- Anomaly detection of web-based attacks
Recommendations
A multi-model approach to the detection of web-based attacks
Web securityWeb-based vulnerabilities represent a substantial portion of the security exposures of computer networks. In order to detect known web-based attacks, misuse detection systems are equipped with a large number of signatures. Unfortunately, it is difficult ...
Unknown Attacks Detection Using Feature Extraction from Anomaly-Based IDS Alerts
SAINT '12: Proceedings of the 2012 IEEE/IPSJ 12th International Symposium on Applications and the InternetIntrusion Detection Systems (IDSs) play an important role detecting various kinds of attacks and defend our computer systems from them. There are basically two main types of detection techniques: signature-based and anomaly-based. A signature-based IDS ...
Reducing errors in the anomaly-based detection of web-based attacks through the combined analysis of web requests and SQL queries
Best papers of the Sec Track at the 2006 ACM SymposiumWeb-based applications have become a popular means of exposing functionality to large numbers of users by leveraging the services provided by web servers and databases. The wide proliferation of custom-developed web-based applications suggests that ...
Comments