Description
Web-based systems are a composition of infrastructure components, such as web servers and databases, and of application-specific code, such as HTML-embedded scripts and server-side applications. While the infrastructure components are usually developed by experienced programmers with solid security skills, the application-specific code is often developed under strict time constraints by programmers with little security training. As a result, vulnerable web applications are deployed and made available to the whole Internet, creating easily exploitable entry points for the compromise of entire networks.
Existing prevention systems are often insufficient to protect this class of applications, because the security mechanisms provided are either not well understood or simply disabled by the web developers "to get the job done." Therefore, prevention mechanisms should be complemented by intrusion detection systems, which are able to identify attacks and provide early warning about suspicious activities.
Our initial research focused on the use of stateful misuse-based intrusion detection systems to detect complex attacks whose evidence was scattered across different event streams. However, web-based applications often implement custom, site-specific services for which there is no known signature. Therefore, signature-based detection systems should work side by side with anomaly detection systems.
Our second line of research was the development of a multi-model, web-based anomaly detection system that learns the normal usage profiles associated with web-based applications and identifies attacks as anomalous deviations from the established profiles.
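The following is an added illustration of the multi-model idea described above; it is not the project's own detector, and its three models, thresholds and training data are all simplified assumptions. For each (path, parameter) pair it learns a length profile (scored with Chebyshev's inequality), the set of characters observed in values, and the set of parameter names seen for the path, then reports any deviation from those profiles. The training requests and the test requests are constructed sample data.

```python
"""Toy multi-model anomaly detector for HTTP query parameters (added example).

Assumed models, each learned per (path, parameter) from normal traffic:
  1. attribute length: mean and variance of value lengths, scored with Chebyshev's
     inequality so that unusually long values get a low probability;
  2. character set: characters that appeared in training values;
  3. parameter presence: parameter names that appeared for the path.
A request is anomalous when any model reports a deviation.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

LENGTH_THRESHOLD = 0.1  # assumed cut-off on the Chebyshev bound


class ProfileModel:
    def __init__(self):
        self.lengths = defaultdict(list)  # (path, param) -> observed value lengths
        self.charsets = defaultdict(set)  # (path, param) -> characters seen
        self.params = defaultdict(set)    # path -> parameter names seen
        self.stats = {}                   # (path, param) -> (mean, variance)

    @staticmethod
    def _split(request_target):
        parts = urlsplit(request_target)
        return parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def train(self, request_target):
        path, pairs = self._split(request_target)
        for name, value in pairs:
            key = (path, name)
            self.lengths[key].append(len(value))
            self.charsets[key].update(value)
            self.params[path].add(name)

    def finalize(self):
        for key, lengths in self.lengths.items():
            mean = sum(lengths) / len(lengths)
            var = sum((n - mean) ** 2 for n in lengths) / len(lengths)
            self.stats[key] = (mean, var)

    def length_score(self, key, length):
        """Upper bound on P(length >= observed) via Chebyshev; 1.0 for short values."""
        mean, var = self.stats[key]
        if length <= mean:
            return 1.0
        if var == 0:
            return 0.0
        return min(1.0, var / (length - mean) ** 2)

    def score(self, request_target):
        """Return a list of (parameter, reason, score) findings; empty means normal."""
        path, pairs = self._split(request_target)
        findings = []
        for name, value in pairs:
            key = (path, name)
            if name not in self.params.get(path, set()):
                findings.append((name, "unknown parameter", 0.0))
                continue
            ls = self.length_score(key, len(value))
            if ls < LENGTH_THRESHOLD:
                findings.append((name, "length", ls))
            unseen = sorted(set(c for c in value if c not in self.charsets[key]))
            if unseen:
                findings.append((name, "unseen characters " + repr("".join(unseen)), 0.0))
        return findings


def build_model(training_requests):
    model = ProfileModel()
    for request in training_requests:
        model.train(request)
    model.finalize()
    return model


def is_anomalous(model, request_target):
    return bool(model.score(request_target))


# Constructed sample of normal requests to a hypothetical /search endpoint.
TRAINING_REQUESTS = [
    "/search?q=laptop&page=1",
    "/search?q=usb+cable&page=2",
    "/search?q=wireless+mouse&page=1",
    "/search?q=monitor+stand&page=3",
    "/search?q=keyboard&page=1",
    "/search?q=hdmi+adapter&page=1",
    "/search?q=webcam&page=2",
    "/search?q=ssd+drive&page=1",
]
MODEL = build_model(TRAINING_REQUESTS)

if __name__ == "__main__":
    for target in [
        "/search?q=headphones&page=2",                 # normal
        "/search?q=laptop%27+OR+%271%27%3D%271&page=1",  # unseen characters
        "/search?q=" + "a" * 200 + "&page=1",          # abnormal length
        "/search?q=laptop&debug=1",                    # unknown parameter
    ]:
        print(target[:60], "->", MODEL.score(target) or "normal")
```

With this small training sample the character-set model is deliberately strict: a normal request such as `/search?q=headphones&page=4` would be flagged because the digit `4` never appeared in `page`. That false positive is the reason real deployments train on a large traffic sample and use statistical character-distribution models rather than exact sets.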
Publications
- "A Learning-Based Approach to the Detection of SQL Attacks," in Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Vienna, Austria, July 2005. [PDF, BibTeX entry]
People
- D. Mutz.
- F. Valeur.
Acknowledgments
This research was supported by the Army Research Office, under agreement DAAD19-01-1-0484, and by the National Science Foundation, under grants CCR-0238492 and CCR-0524853.