A multi-model approach to the detection of web-based attacks

Computer Networks

Volumn 48, Issue 5, 2005, Pages 717-738

  Kruegel, Christopher ^a   Vigna, Giovanni ^a   Robertson, William ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Anomaly Models; Intrusion Detection; Machine Learning; World Wide Web

Indexed keywords

ERROR DETECTION; LEARNING SYSTEMS; MATHEMATICAL MODELS; PARAMETER ESTIMATION; SECURITY SYSTEMS; SERVERS;

ANAMOLY MODELS; INTRUSION DETECTION; SECURITY METHODOLOGIES; TIME-CONSUMING TUNING;

WORLD WIDE WEB;

EID: 18844395404     PISSN: 13891286     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comnet.2005.01.009     Document Type: Article

References (48)

1. M. Almgren, H. Debar, M. Dacier, A lightweight tool for detecting web server attacks, in: Proceedings of the ISOC Symposium on Network and Distributed Systems Security, San Diego, CA, February 2000
2. M. Almgren, and U. Lindqvist Application-integrated data collection for security monitoring Proceedings of recent advances in intrusion detection (RAID), Davis, CA, October 2001 LNCS 2001 Springer 22 36
3. Apache 2.0 Documentation, 2004. Available from:
4. P. Billingsley Probability and measure third ed. 1995 Wiley-Interscience New York
5. CERT/CC, "Code Red Worm" Exploiting Buffer Overflow In IIS Indexing Service DLL, Advisory CA-2001-19, July 2001
6. CGI Security Homepage, 2004. Available from:
7. K. Coar, D. Robinson, The WWW Common Gateway Interface, Version 1.1. Internet Draft, June 1999
8. csSearch, 2004. Available from:
9. Cyberstrider Web Who. Available from:
10. D.E. Denning An intrusion detection model IEEE Transactions on Software Engineering 13 2 1987 222 232
11. R. Fielding et al., Hypertext Transfer Protocol-HTTP/1.1. RFC 2616, June 1999
12. H. Feng, J. Giffin, Y. Huang, S. Jha, W. Lee, B. Miller, Formalizing sensitivity in static analysis for intrusion detection, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2004
13. S. Forrest, A sense of self for UNIX processes, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1996, pp. 120-128
14. A.K. Ghosh, J. Wanken, F. Charron, Detecting anomalous and unknown intrusions against programs, in: Proceedings of the Annual Computer Security Application Conference (ACSAC'98), Scottsdale, AZ, December 1998, pp. 259-267
15. Anthony Hayter Probability and statistics for engineers and scientists second ed. 2001 Duxbury Press Florence, KY
16. K. Ilgun, R.A. Kemmerer, and P.A. Porras State transition analysis: a rule-based intrusion detection system IEEE Transactions on Software Engineering 21 3 1995 181 199
17. IMP Webmail Client. Available from:
18. ISS, Realsecure. Available from:
19. H.S. Javitz, A. Valdes, The SRI IDES statistical anomaly detector, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1991
20. D. Klein, Defending against the wily surfer: Web-based attacks and defenses, in: Proceedings of the USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, CA, April 1999
21. C. Ko, M. Ruschitzka, K. Levitt, Execution monitoring of security-critical programs in distributed systems: a specification-based approach, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1997, pp. 175-187
22. C. Kruegel, D. Mutz, W.K. Robertson, F. Valeur, Bayesian event classification for intrusion detection, in: Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003), Las Vegas, NV, December 2003
23. C. Kruegel, D. Mutz, F. Valeur, and G. Vigna On the detection of anomalous system call arguments Proceedings of the 8th European symposium on research in computer security (ESORICS '03), Gjovik, Norway, October 2003 LNCS 2003 Springer-Verlag 326 343
24. C. Kruegel, T. Toth, and E. Kirda Service specific anomaly detection for network intrusion detection Proceedings of the symposium on applied computing (SAC), March 2002 2002 ACM Scientific Press
25. C. Kruegel, and G. Vigna Anomaly detection of Web-based attacks Proceedings of the 10th ACM conference on computer and communication security (CCS'03), Washington, DC, October 2003 2003 ACM Press New York 251 261
26. T. Lane, and C.E. Brodley Temporal sequence learning and data reduction for anomaly detection Proceedings of the ACM conference on computer and communications security, San Francisco, CA 1998 ACM Press New York 150 158
27. W. Lee, and S. Stolfo A framework for constructing features and models for intrusion detection systems ACM Transactions on Information and System Security 3 4 2000 227 261
28. J. Liberty, and D. Hurwitz Programming ASP.NET 2002 O'Reilly Sebastopol, CA
29. M. Liljenstam, D. Nicol, V. Berk, R. Gray, Simulating realistic network worm traffic for worm warning system design and testing, in: Proceedings of the ACM Workshop on Rapid Malcode, Washington, DC, 2003, pp. 24-33
30. U. Lindqvist, P.A. Porras, Detecting computer and network misuse with the production-based expert system toolset (P-BEST), in: IEEE Symposium on Security and Privacy, Oakland, CA, May 1999, pp. 146-161
31. M. Mahoney, P. Chan, Learning nonstationary models of normal network traffic for detecting novel attacks, in: Proceedings of the 8th International Conference on Knowledge Discovery and Data Mining, Edmonton, Alberta, Canada, 2002, pp. 376-385
32. Miva HtmlScript. Available from:
33. V. Paxson, Bro: a system for detecting network intruders in real-time, in: Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998
34. Phorum: PHP Message Board. Available from:
35. PHP Advisory Homepage. Available from:
36. L. Portnoy, E. Eskin, S. Stolfo, Intrusion detection with unlabeled data using clustering, in: Proceedings of ACM CSS Workshop on Data Mining Applied to Security, Philadelphia, PA, November 2001
37. M. Roesch, Snort-lightweight intrusion detection for networks, in: Proceedings of the USENIX LISA '99 Conference, Seattle, WA, November 1999
38. Security Focus Homepage. Available from:
39. R. Sekar, M. Bendre, P. Bollineni, D. Dhurjati, A fast automaton-based method for detecting anomalous program behaviors, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2001
40. G. Snedecor, and W. Cochran Statistical methods eighth ed. 1998 Iowa State University Press
41. A. Stolcke, S. Omohundro, Hidden Markov model induction by Bayesian model merging, in: Proceedings of Advances in Neural Information Processing Systems, 1993
42. A. Stolcke, S. Omohundro, Inducing probabilistic grammars by Bayesian model merging, in: International Conference on Grammatical Inference, 1994
43. K.M.C. Tan, K.S. Killourhy, R.A. Maxion, Undermining an anomaly-based intrusion detection system using common exploits, in: Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID), Zurich, Switzerland, October 2002, pp. 54-73
44. R. Tarjan Depth-first search and linear graph algorithms SIAM Journal of Computing 1 2 1972 10 20
45. G. Vigna, W. Robertson, V. Kher, R.A. Kemmerer, A stateful intrusion detection system for world-wide Web servers, in: Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003), Las Vegas, NV, December 2003, pp. 34-43
46. D. Wagner, and D. Dean Intrusion detection via static analysis Proceedings of the IEEE symposium on security and privacy, Oakland, CA, May 2001 2001 IEEE Press
47. D. Wagner, P. Soto, Mimicry attacks on host-based intrusion detection systems, in: Proceedings of the ACM Conference on Computer and Communications Security, Washington, DC, November 2002, pp. 255-264
48. C. Warrender, S. Forrest, B.A. Pearlmutter, Detecting intrusions using system calls: alternative data models, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, 1999, pp. 133-145