Skip to main content
SpringerLink
Log in

Boosting Web Intrusion Detection Systems by Inferring Positive Signatures

  • Conference paper
On the Move to Meaningful Internet Systems: OTM 2008 (OTM 2008)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 5332))

Abstract

We present a new approach to anomaly-based network intrusion detection for web applications. This approach is based on dividing the input parameters of the monitored web application in two groups: the “regular” and the “irregular” ones, and applying a new method for anomaly detection on the “regular” ones based on the inference of a regular language. We support our proposal by realizing Sphinx, an anomaly-based intrusion detection system based on it. Thorough benchmarks show that Sphinx performs better than current state-of-the-art systems, both in terms of false positives/false negatives as well as needing a shorter training period.

This research is supported by the research program Sentinels (http://www.sen tinels.nl). Sentinels is being financed by Technology Foundation STW, the Netherlands Organization for Scientific Research (NWO), and the Dutch Ministry of Economic Affairs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. The MITRE Corporation: Common Vulnerabilities and Exposures database (2004), http://cve.mitre.org

  2. Robertson, W., Vigna, G., Kruegel, C., Kemmerer, R.A.: Using generalization and characterization techniques in the anomaly-based detection of web attacks. In: NDSS 2006: Proc. of 17th ISOC Symposium on Network and Distributed Systems Security (2006)

    Google Scholar 

  3. Symantec Corporation: Internet Security Threat Report (2006), http://www.symantec.com/enterprise/threat-report/index.jsp

  4. Web Application Security Consortium: Web Application Firewall Evaluation Criteria (2006), http://www.webappsec.org/projects/wafec/

  5. Kruegel, C., Toth, T.: Using Decision Trees to Improve Signature-based Intrusion Detection. In: Vigna, G., Kruegel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 173–191. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  6. Axelsson, S.: The base-rate fallacy and the difficulty of intrusion detection. ACM Trans. Inf. Syst. Secur. (TISSEC) 3(3), 186–205 (2000)

    Article  MathSciNet  Google Scholar 

  7. Bolzoni, D., Crispo, B., Etalle, S.: ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems. In: LISA 2007: Proc. 21th Large Installation System Administration Conference, USENIX Association, pp. 141–152 (2007)

    Google Scholar 

  8. Balzarotti, D., Cova, M., Felmetsger, V.V., Vigna, G.: Multi-Module Vulnerability Analysis of Web-based Applications. In: CCS 2007: Proc. 14th ACM Conference on Computer and Communication Security, pp. 25–35. ACM Press, New York (2007)

    Google Scholar 

  9. Bolzoni, D., Zambon, E., Etalle, S., Hartel, P.: POSEIDON: a 2-tier Anomaly-based Network Intrusion Detection System. In: IWIA 2006: Proc. 4th IEEE International Workshop on Information Assurance, pp. 144–156. IEEE Computer Society Press, Los Alamitos (2006)

    Google Scholar 

  10. Kruegel, C., Vigna, G., Robertson, W.: A multi-model approach to the detection of web-based attacks. Computer Networks 48(5), 717–738 (2005)

    Article  Google Scholar 

  11. Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  12. Debar, H., Dacier, M., Wespi, A.: A Revised Taxonomy of Intrusion-Detection Systems. Annales des Télécommunications 55(7–8), 361–378 (2000)

    Google Scholar 

  13. Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext Transfer Protocol – HTTP/1.1 (1999)

    Google Scholar 

  14. Kruegel, C., Vigna, G.: Anomaly Detection of Web-based Attacks. In: CCS 2003: Proc. 10th ACM Conference on Computer and Communications Security, pp. 251–261 (2003)

    Google Scholar 

  15. Fernau, H.: Algorithms for Learning Regular Expressions. In: Jain, S., Simon, H.U., Tomita, E. (eds.) ALT 2005. LNCS (LNAI), vol. 3734, pp. 297–311. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  16. van Trees, H.L.: Detection, Estimation and Modulation Theory. Part I: Detection, Estimation, and Linear Modulation Theory. John Wiley and Sons, Inc., Chichester (1968)

    MATH  Google Scholar 

  17. Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.: The 1999 DARPA off-line intrusion detection evaluation. Computer Networks: The International Journal of Computer and Telecommunications Networking 34(4), 579–595 (2000)

    Article  Google Scholar 

  18. Mahoney, M.V., Chan, P.K.: An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection. In: Vigna, G., Kruegel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 220–237. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  19. McHugh, J.: Testing Intrusion Detection Systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security (TISSEC) 3(4), 262–294 (2000)

    Article  Google Scholar 

  20. Vigna, G., Robertson, W.K., Balzarotti, D.: Testing network-based intrusion detection signatures using mutant exploits. In: CCS 2004: Proc. 11th ACM Conference on Computer and Communications Security, pp. 21–30. ACM Press, New York (2004)

    Google Scholar 

  21. Ingham, K.L., Inoue, H.: Comparing Anomaly Detection Techniques for HTTP. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 42–62. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  22. Ingham, K.L., Somayaji, A., Burge, J., Forrest, S.: Learning DFA representations of HTTP for protecting web applications. Computer Networks: The International Journal of Computer and Telecommunications Networking 51(5), 1239–1255 (2007)

    Article  MATH  Google Scholar 

  23. Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In: S&P 2006: Proc. 26th IEEE Symposium on Security and Privacy, pp. 258–263. IEEE Computer Society, Los Alamitos (2006)

    Google Scholar 

  24. Almgren, M., Debar, H., Dacier, M.: A lightweight tool for detecting web server attacks. In: NDSS 2000: Proc. of 11th ISOC Symposium on Network and Distributed Systems Security (2000)

    Google Scholar 

  25. Almgren, M., Lindqvist, U.: Application-integrated data collection for security monitoring. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 22–36. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of Twente, Enschede, The Netherlands

    Damiano Bolzoni & Sandro Etalle

  2. Eindhoven Technical University, The Netherlands

    Sandro Etalle

Authors
  1. Damiano Bolzoni
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sandro Etalle
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. STARLab, Vrije Universiteit Brussel (VUB),, Bldg G/10, Pleinlaan 2, 1050, Brussels, Belgium

    Robert Meersman

  2. School of Computer Science and Information Technology, RMIT University, Bld 10.10, 376-392 Swanston Street, VIC 3001, Melbourne,, Australia

    Zahir Tari

Rights and permissions

Reprints and permissions

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bolzoni, D., Etalle, S. (2008). Boosting Web Intrusion Detection Systems by Inferring Positive Signatures . In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems: OTM 2008. OTM 2008. Lecture Notes in Computer Science, vol 5332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88873-4_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-88873-4_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-88872-7

  • Online ISBN: 978-3-540-88873-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation