INTRUSION DETECTION FOR WEB APPLICATIONS (SHORT VERSION)

Nathalie Dagorn

2006

Abstract

Intrusion detection systems (IDS) are usually classified into two categories: misuse detection and anomaly detection systems. Misuse detection is based on signatures; it is precise but can only accommodate already known attacks. By contrast, anomaly detection models a system's usual behavior and is able to detect new attacks, but some major challenges remain to be solved in this field, in particular the improvement of the detection process and the reduction of false alarms. On the application/service level, several misuse detection systems exist and work, but only one anomaly detection system is known to be efficient for now. In this short paper, we propose a Web learning-based anomaly detection system built on that system and resulting from the junction of academic research in several fields, which we improved. The system analyzes HTTP requests as logged by most Web servers; it exclusively relates to the queries containing attributes. The analysis process implements a multi-model statistical approach. A Bayesian network is used as the decision process, specifying six states (one normal state and five attack states) at the classification node. The system is improved after each log analysis thanks to a technique of alarm clustering, which allows false positives to be filtered. Compared to traditional anomaly detection systems, the system we present globally gains in sensitivity (each step of the process reduces the number of false positives to be dealt with) and in specificity (if an attack is detected, its type is immediately specified). Moreover, a co-operation feature (alarm correlation) with other systems is proposed for distributed intrusion detection. To date, the system has only been partially implemented, but the preliminary experiments in a real environment show encouraging results.
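The abstract describes the pipeline at a high level: train per-attribute statistical models from logged HTTP requests that carry query attributes, then score new requests against those models. The following is an added illustration written for this page, not code from the paper or its author. The three models it uses (an attribute-length model bounded with Chebyshev's inequality, a non-alphanumeric-character share, and an attribute-presence set per path) are this example's assumptions about what a "multi-model statistical approach" over query attributes can look like; the paper's Bayesian decision network, its five attack states and its alarm clustering are not reproduced. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache "combined"-style log lines used as the training set
# (sample data written for this example, not traffic from the paper).
TRAIN_LOG = """\
192.0.2.10 - - [10/Oct/2006:13:55:36 +0200] "GET /search.php?q=books&page=1 HTTP/1.1" 200 2326
192.0.2.11 - - [10/Oct/2006:13:55:40 +0200] "GET /search.php?q=music&page=2 HTTP/1.1" 200 2201
192.0.2.12 - - [10/Oct/2006:13:56:01 +0200] "GET /search.php?q=video+games&page=3 HTTP/1.1" 200 2310
192.0.2.13 - - [10/Oct/2006:13:56:05 +0200] "GET /search.php?q=travel%20guides&page=1 HTTP/1.1" 200 2290
192.0.2.14 - - [10/Oct/2006:13:56:09 +0200] "GET /search.php?q=films&page=12 HTTP/1.1" 200 2280
192.0.2.15 - - [10/Oct/2006:13:56:15 +0200] "GET /search.php?q=history&page=2 HTTP/1.1" 200 2275
192.0.2.16 - - [10/Oct/2006:13:56:20 +0200] "GET /search.php?q=cooking&page=1 HTTP/1.1" 200 2268
192.0.2.17 - - [10/Oct/2006:13:56:24 +0200] "GET /search.php?q=maps&page=1 HTTP/1.1" 200 2240
192.0.2.18 - - [10/Oct/2006:13:56:30 +0200] "GET /index.html HTTP/1.1" 200 1024
"""

# Constructed log lines to be scored: one ordinary request, one with a
# punctuation-only value, one carrying an attribute never seen in training.
TEST_LOG = """\
198.51.100.5 - - [11/Oct/2006:09:00:01 +0200] "GET /search.php?q=sports&page=4 HTTP/1.1" 200 2300
198.51.100.6 - - [11/Oct/2006:09:00:07 +0200] "GET /search.php?q=%3C%3C%3C%3C%3E%3E%3E%3E%3B%3B%3B%3B%7C%7C%7C%7C&page=1 HTTP/1.1" 200 2300
198.51.100.7 - - [11/Oct/2006:09:00:12 +0200] "GET /search.php?q=books&debug=1 HTTP/1.1" 200 2300
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def parse_requests(log_text):
    """Yield (path, [(attribute, value), ...]) for each logged request that has a
    query string. Requests without attributes are skipped, as in the paper's scope."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.query:
            continue
        yield parts.path, parse_qsl(parts.query, keep_blank_values=True)


def nonalnum_fraction(value):
    """Share of characters that are not letters or digits (0.0 for an empty value)."""
    if not value:
        return 0.0
    return sum(1 for c in value if not c.isalnum()) / len(value)


class AttributeModel:
    """Profile of one (path, attribute) pair learned from training values.
    Assumed models for this example: length statistics and non-alphanumeric share."""

    def __init__(self):
        self.lengths = []
        self.max_nonalnum = 0.0

    def learn(self, value):
        self.lengths.append(len(value))
        self.max_nonalnum = max(self.max_nonalnum, nonalnum_fraction(value))

    def length_score(self, value):
        n = len(self.lengths)
        mean = sum(self.lengths) / n
        var = sum((l - mean) ** 2 for l in self.lengths) / n
        dev = abs(len(value) - mean)
        if dev == 0:
            return 0.0
        # Chebyshev: P(|L - mean| >= dev) <= var / dev^2. The less probable the
        # observed deviation, the higher the anomaly score.
        return 1.0 - min(1.0, var / dev ** 2)

    def charset_score(self, value):
        frac = nonalnum_fraction(value)
        if frac <= self.max_nonalnum:
            return 0.0
        # Scale the excess over the largest share seen in training onto [0, 1].
        return (frac - self.max_nonalnum) / (1.0 - self.max_nonalnum)


class WebAnomalyDetector:
    def __init__(self, threshold=0.5):
        self.threshold = threshold
        self.models = defaultdict(AttributeModel)  # keyed by (path, attribute)
        self.known_attrs = defaultdict(set)        # path -> attribute names seen

    def train(self, log_text):
        for path, attrs in parse_requests(log_text):
            for name, value in attrs:
                self.models[(path, name)].learn(value)
                self.known_attrs[path].add(name)

    def score_request(self, path, attrs):
        """Return (score, reasons): the highest per-attribute anomaly score and
        which model fired for which attribute."""
        score, reasons = 0.0, []
        for name, value in attrs:
            if name not in self.known_attrs[path]:
                score = 1.0
                reasons.append(f"{name}: attribute never seen for {path}")
                continue
            model = self.models[(path, name)]
            for label, s in (("length", model.length_score(value)),
                             ("charset", model.charset_score(value))):
                if s > self.threshold:
                    reasons.append(f"{name}: {label} score {s:.2f}")
                score = max(score, s)
        return score, reasons

    def analyze(self, log_text):
        """Score every attribute-carrying request; return (path, score, reasons, alarm)."""
        results = []
        for path, attrs in parse_requests(log_text):
            score, reasons = self.score_request(path, attrs)
            results.append((path, score, reasons, score > self.threshold))
        return results


def run_demo():
    detector = WebAnomalyDetector()
    detector.train(TRAIN_LOG)
    return detector.analyze(TEST_LOG)


if __name__ == "__main__":
    for path, score, reasons, alarm in run_demo():
        print(f"{'ALARM' if alarm else 'ok   '} {path} score={score:.2f} {reasons}")
```

With this training set the ordinary request scores 0, the punctuation-only value trips both the length and the character-share model, and the unseen `debug` attribute is flagged by the presence model. The per-attribute `reasons` are the kind of structured alarm that the paper's later stages (Bayesian classification into attack types, then clustering of recurring alarms to suppress false positives) would consume; a real deployment needs far more training traffic than eight requests, since a near-zero training variance makes the Chebyshev bound flag any new length.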

Paper Citation


in Harvard Style

Dagorn N. (2006). INTRUSION DETECTION FOR WEB APPLICATIONS (SHORT VERSION). In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006) ISBN 978-972-8865-63-4, pages 32-39. DOI: 10.5220/0002097900320039

in Bibtex Style

@conference{secrypt06,
author={Nathalie Dagorn},
title={INTRUSION DETECTION FOR WEB APPLICATIONS (SHORT VERSION)},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)},
year={2006},
pages={32-39},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002097900320039},
isbn={978-972-8865-63-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)
TI - INTRUSION DETECTION FOR WEB APPLICATIONS (SHORT VERSION)
SN - 978-972-8865-63-4
AU - Dagorn N.
PY - 2006
SP - 32
EP - 39
DO - 10.5220/0002097900320039