INTRUSION DETECTION FOR WEB APPLICATIONS (SHORT VERSION)

Nathalie Dagorn

2006

Abstract

Intrusion detection systems (IDS) are usually classified into two categories: misuse detection and anomaly detection systems. Misuse detection is based on signatures; it is precise but can only accommodate already known attacks. In contrast, anomaly detection models a system's usual behavior and is able to detect new attacks, but some major challenges remain to be solved in this field, in particular improving the detection process and reducing false alarms. On the application/service level, several misuse detection systems exist and work, but only one anomaly detection system is known to be efficient for now. In this short paper, we propose a Web learning-based anomaly detection system that builds on this system and results from the junction of academic research in several fields, which we improved. The system analyzes HTTP requests as logged by most Web servers; it considers only queries that contain attributes. The analysis process implements a multi-model statistical approach. A Bayesian network is used as the decision process, specifying six states (one normal state and five attack states) at the classification node. The system is improved after each log analysis thanks to an alarm clustering technique, which allows false positives to be filtered out. Compared to traditional anomaly detection systems, the system we present gains globally in sensitivity (each step of the process reduces the number of false positives to be dealt with) and in specificity (if an attack is detected, its type is immediately specified). Moreover, a co-operation feature (alarm correlation) with other systems is proposed for distributed intrusion detection. To date, the system has only been partially implemented, but preliminary experiments in a real environment show encouraging results.
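The multi-model analysis the abstract describes, as an added illustration that is not the paper's code: per-attribute length and character-class models are learned from the query attributes found in normal access-log traffic, then each new request is scored and the models that fired are reported alongside the score, which is what gives this kind of system its specificity. The Bayesian network decision process and the alarm clustering described above are replaced here by equal-weight score fusion and a fixed threshold; the log lines, paths, attribute names and values are constructed for the example, and the length model follows the Chebyshev-bound idea of the Kruegel and Vigna work the abstract builds on.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Common Log Format lines standing in for a server's normal traffic.
TRAINING_LOG = """\
10.0.0.1 - - [01/Jan/2006:10:00:00 +0100] "GET /app/view.php?id=1042&lang=en HTTP/1.1" 200 512
10.0.0.2 - - [01/Jan/2006:10:00:01 +0100] "GET /app/view.php?id=77&lang=fr HTTP/1.1" 200 498
10.0.0.3 - - [01/Jan/2006:10:00:02 +0100] "GET /app/view.php?id=315&lang=de HTTP/1.1" 200 503
10.0.0.4 - - [01/Jan/2006:10:00:03 +0100] "GET /app/view.php?id=8&lang=en HTTP/1.1" 200 490
10.0.0.5 - - [01/Jan/2006:10:00:04 +0100] "GET /app/view.php?id=2201&lang=es HTTP/1.1" 200 515
10.0.0.6 - - [01/Jan/2006:10:00:05 +0100] "GET /app/view.php?id=56&lang=it HTTP/1.1" 200 497
"""

# Constructed lines to score: a normal request, an oversized value with an unexpected character
# mix, an attribute never seen in training, and a request without a query string (skipped).
TEST_LOG = """\
10.0.0.9 - - [02/Jan/2006:09:00:00 +0100] "GET /app/view.php?id=512&lang=de HTTP/1.1" 200 502
10.0.0.9 - - [02/Jan/2006:09:00:01 +0100] "GET /app/view.php?id=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3C%3E%22%27&lang=en HTTP/1.1" 500 211
10.0.0.9 - - [02/Jan/2006:09:00:02 +0100] "GET /app/view.php?id=12&debug=1 HTTP/1.1" 200 530
10.0.0.9 - - [02/Jan/2006:09:00:03 +0100] "GET /app/index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d"')

def extract_queries(log_text):
    """Yield (path, [(attribute, value), ...]) for each logged request whose URI has a query."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            parts = urlsplit(m.group("uri"))
            if parts.query:   # only queries carrying attributes are analysed
                yield parts.path, parse_qsl(parts.query, keep_blank_values=True)

def char_profile(value):
    """Fraction of digits, letters and other characters in an attribute value."""
    n = max(len(value), 1)
    digits = sum(c.isdigit() for c in value)
    alpha = sum(c.isalpha() for c in value)
    return (digits / n, alpha / n, (len(value) - digits - alpha) / n)

class AttributeModel:
    """Length model and character-class model for one (path, attribute) pair."""

    def __init__(self):
        self.lengths, self.profiles = [], []

    def train(self, value):
        self.lengths.append(len(value))
        self.profiles.append(char_profile(value))

    def length_score(self, value):
        # Chebyshev's inequality bounds the probability of a length this far above the
        # training mean by var / excess**2; the anomaly score is the complement of that bound.
        n = len(self.lengths)
        mean = sum(self.lengths) / n
        var = sum((ln - mean) ** 2 for ln in self.lengths) / n
        excess = len(value) - mean
        if excess <= 0:
            return 0.0                       # short values are not penalised
        return 1.0 if var == 0 else 1.0 - min(1.0, var / excess ** 2)

    def profile_score(self, value):
        # L1 distance to the mean training profile, scaled to [0, 1] (max distance is 2.0).
        k = len(self.profiles)
        mean = [sum(p[i] for p in self.profiles) / k for i in range(3)]
        return sum(abs(a - b) for a, b in zip(char_profile(value), mean)) / 2.0

def train(log_text):
    """Learn one AttributeModel per (path, attribute) from normal traffic."""
    models = defaultdict(lambda: defaultdict(AttributeModel))
    for path, attrs in extract_queries(log_text):
        for name, value in attrs:
            models[path][name].train(value)
    return models

def score_request(models, path, attrs, threshold=0.5):
    """Return (anomaly score in [0, 1], reasons naming the models that fired)."""
    if path not in models:
        return 1.0, ["unseen path"]
    worst, reasons = 0.0, []
    for name, value in attrs:
        if name not in models[path]:
            return 1.0, [f"unknown attribute {name!r}"]
        model = models[path][name]
        scores = {"length": model.length_score(value), "charset": model.profile_score(value)}
        worst = max(worst, sum(scores.values()) / len(scores))   # equal-weight fusion
        reasons += [f"{name}:{kind}" for kind, s in scores.items() if s > threshold]
    return worst, reasons

def detect(models, log_text, threshold=0.5):
    """Score every attribute-carrying request; return (path, score, reasons) for flagged ones."""
    flagged = []
    for path, attrs in extract_queries(log_text):
        score, reasons = score_request(models, path, attrs, threshold)
        if score > threshold:
            flagged.append((path, round(score, 3), reasons))
    return flagged
```

Running `detect(train(TRAINING_LOG), TEST_LOG)` flags the second and third test requests and leaves the normal one untouched; the reasons list names which model fired for which attribute, which is the information an analyst needs to triage and, over time, to cluster recurring false positives as the abstract proposes.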

References

  1. Dagorn, N., 2006. Intrusion Detection for Web Applications. Proceedings of the 5th IADIS International Conference on WWW/Internet (ICWI 2006). Murcia, Spain.
  2. Dain, O. and Cunningham, R.K., 2002. Fusing heterogeneous alert streams into scenarios. In D. Barbara and S. Jajodia (Eds.), Applications of Data Mining in Computer Security. Kluwer Academic Publishers, Boston, MA.
  3. Debar, H. and Wespi, A., 2001. Aggregation and correlation of intrusion-detection alerts. Proceedings of the 4th Workshop on Recent Advances in Intrusion Detection (RAID). LNCS, Springer Verlag, pp. 85-103.
  4. Julisch, K., 2003a. Clustering Intrusion Detection Alarms to Support Root Cause Analysis. ACM Transactions on Information and System Security 6(4).
  5. Julisch, K., 2003b. Using Root Cause Analysis to Handle Intrusion Detection Alarms. PhD Thesis, University of Dortmund, Germany.
  6. Kruegel, C., Toth, T., Kirda, E., 2002. Service Specific Anomaly Detection for Network Intrusion Detection. Proceedings of the 17th ACM Symposium on Applied Computing (SAC). ACM Press, Madrid, Spain.
  7. Kruegel, C., Vigna, G., 2003. Anomaly detection of Web-based attacks. Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS'03). Washington, DC. ACM Press, New York.
  8. Kruegel, C., Mutz, D., Robertson, W., Valeur, F., 2003. Bayesian Event Classification for Intrusion Detection. Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC). IEEE Computer Society Press, USA.
  9. Kruegel, C., Vigna, G., Robertson, W., 2005. A multimodel approach to the detection of web-based attacks. Computer Networks, Vol. 48, Issue 5. Elsevier.
  10. State, R., 2005. Intrusion Detection. Tutorial Master2. Nancy1.
  11. Valdes, A. and Skinner, K., 2000. Adaptive, Model-based Monitoring for Cyber Attack Detection. Recent Advances in Intrusion Detection (RAID 2000). Lecture Notes in Computer Science, No. 1907, pp. 80-92.
  12. Valdes, A. and Skinner, K., 2001. Probabilistic alert correlation. Proceedings of the 4th Workshop on Recent Advances in Intrusion Detection (RAID). LNCS, Springer Verlag, Berlin, pp. 54-68.
Paper Citation

Harvard style:

Dagorn N. (2006). INTRUSION DETECTION FOR WEB APPLICATIONS (SHORT VERSION). In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006) ISBN 978-972-8865-63-4, pages 32-39. DOI: 10.5220/0002097900320039


BibTeX style:

@conference{secrypt06,
author={Nathalie Dagorn},
title={INTRUSION DETECTION FOR WEB APPLICATIONS (SHORT VERSION)},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)},
year={2006},
pages={32-39},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002097900320039},
isbn={978-972-8865-63-4},
}