Anomaly detection of web-based attacks

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Anomaly detection of web-based attacks

Full text

Pdf (253 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 10th ACM conference on Computer and communications security table of contents

Washington D.C., USA

SESSION: Intrusion detection table of contents

Pages: 251 - 261

Year of Publication: 2003

ISBN:1-58113-738-9

Authors

Christopher Kruegel	University of California, Santa Barbara, Santa Barbara, CA
Giovanni Vigna	University of California, Santa Barbara, Santa Barbara, CA

Sponsor

ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 35, Downloads (12 Months): 318, Citation Count: 27

Additional Information:

abstract references cited by index terms collaborative colleagues peer to peer

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/948109.948144 What is a DOI?

ABSTRACT

Web-based vulnerabilities represent a substantial portion of the security exposures of computer networks. In order to detect known web-based attacks, misuse detection systems are equipped with a large number of signatures. Unfortunately, it is difficult to keep up with the daily disclosure of web-related vulnerabilities, and, in addition, vulnerabilities may be introduced by installation-specific web-based applications. Therefore, misuse detection systems should be complemented with anomaly detection systems. This paper presents an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web-based applications. The system correlates the server-side programs referenced by client queries with the parameters contained in these queries. The application-specific characteristics of the parameters allow the system to perform focused analysis and produce a reduced number of false positives. The system derives automatically the parameter profiles associated with web applications (e.g., length and structure of parameters) from the analyzed data. Therefore, it can be deployed in very different application environments without having to perform time-consuming tuning and configuration.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Magnus Almgren , Ulf Lindqvist, Application-Integrated Data Collection for Security Monitoring, Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection, p.22-36, October 10-12, 2001
	2	Apache 2.0 Documentation, 2002. http://www.apache.org/.
	3	D. Barbara, R. Goel, and S. Jajodia. Mining Malicious Data Corruption with Hidden Markov Models. In 16th Annual IFIP WG 11.3 Working Conference on Data and Application Security, Cambridge, England, July 2002.
	4	Patrick Billingsley. Probability and Measure. Wiley-Interscience, 3 edition, April 1995.
	5	CERT/CC. "Code Red Worm" Exploiting Buffer Overflow In IIS Indexing Service DLL. Advisory CA-2001-19, July 2001.
	6	CGI Security Homepage. http://www.cgisecurity.com/, 2002.
	7	K. Coar and D. Robinson. The WWW Common Gateway Interface, Version 1.1. Internet Draft, June 1999.
	8	csSearch. http://www.cgiscript.net/.
	9	Cyberstrider WebWho. http://www.webwho.co.uk/.
	10	Dorothy E. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering, v.13 n.2, p.222-232, Feb. 1987 [doi>10.1109/TSE.1987.232894]
	11	R. Fielding et al. Hypertext Transfer Protocol -- HTTP/1.1. RFC 2616, June 1999.
	12	Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji , Thomas A. Longstaff, A Sense of Self for Unix Processes, Proceedings of the 1996 IEEE Symposium on Security and Privacy, p.120, May 06-08, 1996
	13	A. K. Gosh , J. Wanken , F. Charron, Detecting Anomalous and Unknown Intrusions Against Programs, Proceedings of the 14th Annual Computer Security Applications Conference, p.259, December 07-11, 1998
	14	Koral Ilgun , R. A. Kemmerer , Phillip A. Porras, State Transition Analysis: A Rule-Based Intrusion Detection Approach, IEEE Transactions on Software Engineering, v.21 n.3, p.181-199, March 1995 [doi>10.1109/32.372146]
	15	IMP Webmail Client. http://www.horde.org/imp/.
	16	H. S. Javitz and A. Valdes. The SRI IDES Statistical Anomaly Detector. In Proceedings of the IEEE Symposium on Security and Privacy, May 1991.
	17	C. Ko , M. Ruschitzka , K. Levitt, Execution monitoring of security-critical programs in distributed systems: a Specification-based approach, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.175, May 04-07, 1997
	18	Christopher Krügel , Thomas Toth , Engin Kirda, Service specific anomaly detection for network intrusion detection, Proceedings of the 2002 ACM symposium on Applied computing, March 11-14, 2002, Madrid, Spain [doi>10.1145/508791.508835]
	19	Terran Lane , Carla E. Brodley, Temporal sequence learning and data reduction for anomaly detection, Proceedings of the 5th ACM conference on Computer and communications security, p.150-158, November 02-05, 1998, San Francisco, California, United States [doi>10.1145/288090.288122]
	20	Wenke Lee , Salvatore J. Stolfo, A framework for constructing features and models for intrusion detection systems, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.227-261, Nov. 2000 [doi>10.1145/382912.382914]
	21	Wenke Lee , Salvatore J. Stolfo , Kui W. Mok, Mining in a data-flow environment: experience in network intrusion detection, Proceedings of the fifth ACM SIGKDD international conference on Knowledge discovery and data mining, p.114-124, August 15-18, 1999, San Diego, California, United States [doi>10.1145/312129.312212]
	22	Jesse Liberty , Dan Hurwitz, Programming ASP.NET, O'Reilly & Associates, Inc., Sebastopol, CA, 2002
	23	U. Lindqvist and P.A. Porras. Detecting Computer and Network Misuse with the Production-Based Expert System Toolset (P-BEST). In IEEE Symposium on Security and Privacy, pages 146--161, Oakland, California, May 1999.
	24	Miva HtmlScript. http://www.htmlscript.com/.
	25	V. Paxson. Bro: A System for Detecting Network Intruders in Real-Time. In Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998.
	26	Phorum: PHP Message Board. http://www.phorum.org/.
	27	PHP Advisory Homepage. http://www.phpadvisory.com/, 2002.
	28	Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
	29	Security Focus Homepage. http://www.securityfocus.com/, 2002.
	30	Andreas Stolcke , Stephen M. Omohundro, Hidden Markov Model} Induction by Bayesian Model Merging, Advances in Neural Information Processing Systems 5, [NIPS Conference], p.11-18, November 30-December 03, 1992
	31	Andreas Stolcke , Stephen M. Omohundro, Inducing Probabilistic Grammars by Bayesian Model Merging, Proceedings of the Second International Colloquium on Grammatical Inference and Applications, p.106-118, September 21-23, 1994
	32	Kymie M. C. Tan , Roy A. Maxion, "Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.188, May 12-15, 2002
	33	Robert Tarjan. Depth-First Search and Linear Graph Algorithms. SIAM Journal of Computing, 1(2):10--20, June 1972.
	34	Security Tracker. Vulnerability statistics April 2001-march 2002. http://www.securitytracker.com/learn/statistics.html, April 2002.
	35	N. Ye, Y. Zhang, and C. M. Borror. Robustness of the Markov chain model for cyber attack detection. IEEE Transactions on Reliability, 52(3), September 2003.

CITED BY 27

	Yong Tang , Shigang Chen, An Automated Signature-Based Approach against Polymorphic Internet Worms, IEEE Transactions on Parallel and Distributed Systems, v.18 n.7, p.879-892, July 2007
	Niels Provos , Joe McClain , Ke Wang, Search worms, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
	Tak-Chung Fu , Chung-Leung Lui, Agent-oriented network intrusion detection system using data mining approaches, International Journal of Agent-Oriented Software Engineering, v.1 n.2, p.158-174, July 2007
	Shekhar R. Gaddam , Vir V. Phoha , Kiran S. Balagani, K-Means+ID3: A Novel Method for Supervised Anomaly Detection by Cascading K-Means Clustering and ID3 Decision Tree Learning Methods, IEEE Transactions on Knowledge and Data Engineering, v.19 n.3, p.345-354, March 2007
	Miyuki Hanaoka , Makoto Shimamura , Kenji Kono, TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems, IEICE - Transactions on Information and Systems, v.E90-D n.12, p.2019-2032, December 2007
	Fredrik Valeur , Giovanni Vigna , Christopher Kruegel , Engin Kirda, An anomaly-driven reverse proxy for web applications, Proceedings of the 2006 ACM symposium on Applied computing, April 23-27, 2006, Dijon, France
	Ashish Kamra , Elisa Bertino , Guy Lebanon, Mechanisms for database intrusion detection and response, Proceedings of the 2nd SIGMOD PhD workshop on Innovative database research, June 13-13, 2008, Vancouver, Canada
	Davide Balzarotti , Marco Cova , Viktoria V. Felmetsger , Giovanni Vigna, Multi-module vulnerability analysis of web-based applications, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Kenneth L. Ingham , Anil Somayaji , John Burge , Stephanie Forrest, Learning DFA representations of HTTP for protecting web applications, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1239-1255, April, 2007
	Prahlad Fogla , Wenke Lee, Evading network anomaly detection systems: formal reasoning and practical techniques, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Ashish Kamra , Evimaria Terzi , Elisa Bertino, Detecting anomalous access patterns in relational databases, The VLDB Journal — The International Journal on Very Large Data Bases, v.17 n.5, p.1063-1077, August 2008
	K. G. Anagnostakis , S. Sidiroglou , P. Akritidis , K. Xinidis , E. Markatos , A. D. Keromytis, Detecting targeted attacks using shadow honeypots, Proceedings of the 14th conference on USENIX Security Symposium, p.9-9, July 31-August 05, 2005, Baltimore, MD
	Spiros Antonatos , Kostas Anagnostakis , Evangelos Markatos, Honey@home: a new approach to large-scale threat monitoring, Proceedings of the 2007 ACM workshop on Recurring malcode, November 02-02, 2007, Alexandria, Virginia, USA
	Nong Ye , Bashettihalli Harish , Toni Farley, Attack profiles to derive data observations, features, and characteristics of cyber attacks, Information-Knowledge-Systems Management, v.5 n.1, p.23-47, January 2005
	Chetan Parampalli , R. Sekar , Rob Johnson, A practical mimicry attack against powerful system-call monitors, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
	Kevin Borders , Atul Prakash, Web tap: detecting covert web traffic, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA
	Alexander Moshchuk , Tanya Bragin , Damien Deville , Steven D. Gribble , Henry M. Levy, SpyProxy: execution-based detection of malicious web content, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
	Weng-Keen Wong , Andrew Moore , Gregory Cooper , Michael Wagner, What's Strange About Recent Events (WSARE): An Algorithm for the Early Detection of Disease Outbreaks, The Journal of Machine Learning Research, 6, p.1961-1998, 12/1/2005
	Fredrik Valeur , Giovanni Vigna , Christopher Kruegel , Richard A. Kemmerer, A Comprehensive Approach to Intrusion Detection Alert Correlation, IEEE Transactions on Dependable and Secure Computing, v.1 n.3, p.146-169, July 2004
	Christopher Kruegel , Giovanni Vigna , William Robertson, A multi-model approach to the detection of web-based attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.717-738, 5 August 2005
	Guofei Gu , Alvaro A. Cárdenas , Wenke Lee, Principled reasoning and practical applications of alert fusion in intrusion detection systems, Proceedings of the 2008 ACM symposium on Information, computer and communications security, March 18-20, 2008, Tokyo, Japan
	V. T. Lam , S. Antonatos , P. Akritidis , K. G. Anagnostakis, Puppetnets: misusing web browsers as a distributed attack infrastructure, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Spiros Antonatos , Periklis Akritidis , Vinh The Lam , Kostas G. Anagnostakis, Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure, ACM Transactions on Information and System Security (TISSEC), v.12 n.2, p.1-38, December 2008
	Mark Burgess, Probabilistic anomaly detection in distributed computer networks, Science of Computer Programming, v.60 n.1, p.1-26, March 2006
	Mohammad Saniee Abadeh , Jafar Habibi , Zeynab Barzegar , Muna Sergi, A parallel genetic local search algorithm for intrusion detection in computer networks, Engineering Applications of Artificial Intelligence, v.20 n.8, p.1058-1069, December, 2007
	Ting Liu , Andrew W. Moore , Alexander Gray, New Algorithms for Efficient High-Dimensional Nonparametric Classification, The Journal of Machine Learning Research, 7, p.1135-1158, 12/1/2006
	Georgios Portokalidis , Herbert Bos, SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1256-1274, April, 2007