Anomaly detection of web-based attacks
- 27 October 2003
- conference paper
- Published by Association for Computing Machinery (ACM)
- p. 251-261
- https://doi.org/10.1145/948109.948144
Abstract
Web-based vulnerabilities represent a substantial portion of the security exposures of computer networks. In order to detect known web-based attacks, misuse detection systems are equipped with a large number of signatures. Unfortunately, it is difficult to keep up with the daily disclosure of web-related vulnerabilities, and, in addition, vulnerabilities may be introduced by installation-specific web-based applications. Therefore, misuse detection systems should be complemented with anomaly detection systems. This paper presents an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web-based applications. The system correlates the server-side programs referenced by client queries with the parameters contained in these queries. The application-specific characteristics of the parameters allow the system to perform focused analysis and produce a reduced number of false positives. The system derives automatically the parameter profiles associated with web applications (e.g., length and structure of parameters) from the analyzed data. Therefore, it can be deployed in very different application environments without having to perform time-consuming tuning and configuration.
This publication has 9 references indexed in Scilit:
- Detecting computer and network misuse through the production-based expert system toolset (P-BEST). Published by Institute of Electrical and Electronics Engineers (IEEE), 2003
- The SRI IDES statistical anomaly detector. Published by Institute of Electrical and Electronics Engineers (IEEE), 2002
- Service specific anomaly detection for network intrusion detection. Published by Association for Computing Machinery (ACM), 2002
- A framework for constructing features and models for intrusion detection systems. ACM Transactions on Information and System Security, 2000
- Mining in a data-flow environment. Published by Association for Computing Machinery (ACM), 1999
- Temporal sequence learning and data reduction for anomaly detection. Published by Association for Computing Machinery (ACM), 1998
- State transition analysis: a rule-based intrusion detection approach. IEEE Transactions on Software Engineering, 1995
- An Intrusion-Detection Model. IEEE Transactions on Software Engineering, 1987
- Depth-First Search and Linear Graph Algorithms. SIAM Journal on Computing, 1972