



Volume 51, Issue 5, 2007, Pages 1239-1255

Learning DFA representations of HTTP for protecting web applications

Author keywords

Anomaly intrusion detection; Finite automata induction; Web server security

Indexed keywords

AUTOMATA THEORY; DATA REDUCTION; HEURISTIC METHODS; SECURITY OF DATA; SERVERS; WORLD WIDE WEB;

EID: 33846369107     PISSN: 13891286     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comnet.2006.09.016     Document Type: Article
Times cited : (66)

References (58)
  • 1
    • 33846363434
    • J.O. Kephart, A biologically inspired immune system for computers, in: Proceedings of Artificial Life IV, the Fourth International Workshop on the Synthesis and Simulation of Living Systems, MIT Press, Cambridge, MA, US, 1994, pp. 130-139, . Accessed 31 May 2002.
  • 2
    • 0027961889
    • S. Forrest, A.S. Perelson, L. Allen, R. Cherukuri, Self-nonself discrimination in a computer, in: Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy, May 16-18 1994, Oakland, CA, USA, Los Alamitos, CA, USA: IEEE Computer Society Press, 1994. pp. 202-212.
  • 3
    • 33846337681
    • S.A. Hofmeyr, S. Forrest, Immunizing computer networks: Getting all the machines in your network to fight the hacker disease, in: Proceedings 1999 IEEE Symposium on Security and Privacy, 1999. pp. 9-12.
  • 4
    • 33846380128
    • S.A. Hofmeyr, An immunological model of distributed detection and its application to computer security, Ph.D. thesis. University of New Mexico, Computer Science Department, May 1999.
  • 5
    • 84947551624
    • P. Williams, K. Anchor, J. Bebo, G. Gunsch, G. Lamont, GDIS: Towards a computer immune system for detecting network intrusions, in: Lecture Notes in Computer Science 2212, Springer-Verlag, 2001, pp. 117-133. Presented at the fourth International Symposium on Recent Advances in Intrusion Detection (RAID 2001), . Accessed 19 August 2002.
  • 6
    • 0029716418
    • S. Forrest, S. Hofmeyr, A. Somayaji, T. Longstaff, A sense of self for Unix processes, in: Proceedings of 1996 IEEE Symposium on Security and Privacy, May 6-8 1996, Oakland, CA, USA, IEEE Computer Society Press, Los Alamitos, CA, USA, 1996. pp. 120-128.
  • 7
    • 0032313923
    • S.A. Hofmeyr, S. Forrest, A. Somayaji, Intrusion detection using sequences of system calls. Journal of Computer Security 6 (3) (1998) 151-180, . Accessed 13 March 2002.
  • 8
    • 85084164032
    • A. Somayaji, S. Forrest, Automated response using system-call delays, in: Proceedings of the 9th USENIX Security Symposium, USENIX Association, Berkeley, CA, US, 2000. pp. 185-197, . Accessed 31 May 2002.
  • 9
    • 33846368653
    • A. Somayaji, Operating system stability and security through process homeostasis, Ph.D. thesis, University of New Mexico, . Accessed 31 May 2002.
  • 10
    • 33846370362
    • W. Robertson, G. Vigna, C. Kruegel, R.A. Kemmerer, Using generalization and characterization techniques in the anomaly-based detection of web attacks, in: Proceedings of Network and Distributed System Security Symposium Conference, 2006, Internet Society, 2006, . Accessed 12 February 2006.
  • 12
    • 33846347820
    • J.P. Anderson, Computer security technology planning study, Technical Report ESD-TR-73-51, United States Air Force, Electronic Systems Division, October 1972.
  • 13
    • 33846401972
    • T.F. Lunt, Detecting Intruders in Computer Systems, in: Proceedings of 1993 Conference on Auditing and Computer Technology, 1993, . Accessed 22 August 2002.
  • 16
    • 85090433665
    • M. Roesch, Snort-lightweight intrusion detection for networks, in: Proceedings of 13th Systems Administration Conference-LISA'99, 1999. pp. 229-238, . Accessed 30 June 2002.
  • 17
    • 33846358367
    • S. Patton, W. Yurcik, D. Doss, An Achilles' heel in signature-based IDS: Squealing false positives in SNORT, in: Proceedings of RAID 2001 fourth International Symposium on Recent Advances in Intrusion Detection October 10-12, 2001, Davis, CA, USA, 2001. Available from: . Accessed 3 January 2003.
  • 18
    • 33846368989
    • M.J. Ranum, A network firewall, in: Proceedings of the First World Conference on System Administration and Security, SANS Institute, 5401 Westbard Ave. Suite 1501, Bethesda, MD 20816, 1992.
  • 19
    • 85084161630
    • G.W. Treese, A. Wolman, X through the firewall and other application relays, in: Proceedings of the USENIX Summer Conference, USENIX Association, Berkeley, CA, 1993, . Accessed 20 February 2002.
  • 20
    • 85084160972
    • M. Handley, V. Paxson, C. Kreibich, Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics, in: Proceedings of Conference of 10th USENIX Security Symposium, USENIX Association, Berkeley, CA, USA, 2001. pp. 115-131, . Accessed 20 February 2002.
  • 21
    • 0038055597
    • E. Strother, Denial of service protection: the nozzle, in: Proceedings of Annual Computer Security Applications Conference, December 11-15, 2000, New Orleans, LA, USA, IEEE Computer Society, Los Alamitos, CA, USA, 2000. pp. 32-41, . Accessed 20 February 2002.
  • 22
    • 0028714365
    • C. Ko, G. Fink, K. Levitt, Automated detection of vulnerabilities in privileged programs by execution monitoring, in: Proceedings of Tenth Annual Computer Security Applications Conference, 5-9 December 1994, Orlando, FL, USA, IEEE Computer Society Press, Los Alamitos, CA, USA, (1994). pp. 134-144.
  • 23
    • 85095970245
    • P.G. Neumann, P.A. Porras, Experience with EMERALD to date, in: Proceedings of First USENIX Workshop on Intrusion Detection and Network Monitoring (ID'99), April 9-12, 1999, Santa Clara, CA, USA, USENIX Association, Berkeley, CA, USA, 1999, pp. 73-80, . Accessed 20 August 2002.
  • 24
    • 0002467033
    • Architecture for an artificial immune system
    • Hofmeyr S.A., and Forrest S. Architecture for an artificial immune system. Evolutionary Computation 7 1 (2000) 1289-1296
    • (2000) Evolutionary Computation , vol.7 , Issue.1 , pp. 1289-1296
    • Hofmeyr, S.A.1    Forrest, S.2
  • 25
    • 33750972259
    • J. Balthrop, S. Forrest, M. Glickman, Revisiting lisys: Parameters and normal behavior, in: Proceedings of the 2002 Congress on Evolutionary Computation, 2002, . Accessed 19 August 2002.
  • 26
    • 0034593307
    • C. Marceau, Characterizing the behavior of a program using multiple-length n-grams, in: Proceedings of New Security Paradigms Workshop 2000, September 18-22, 2000, Ballycotton, Ireland, ACM, New York, NY, USA, 2001. pp. 101-110, . Accessed 13 August 2002.
  • 27
    • 85084163349
    • W. Lee, S.J. Stolfo, Data mining approaches for intrusion detection, in: Proceedings of the 7th Usenix Security Symposium, Usenix Association, 1998.
  • 28
    • 84880174811
    • C. Warrender, S. Forrest, B.A. Pearlmutter, Detecting intrusions using system calls: Alternative data models, in: Proceedings of IEEE Symposium on Security and Privacy, 1999. pp. 133-145.
  • 29
    • 0034829697
    • R. Sekar, M. Bendre, D. Dhurjati, P. Bollineni, A fast automaton-based method for detecting anomalous program behaviors, in: Proceedings of IEEE Symposium on Security and Privacy, IEEE, 2001. pp. 144-155. URL: .
  • 30
    • 0142157009
    • C. Kruegel, D. Mutz, F. Valeur, G. Vigna, On the detection of anomalous system call arguments, in: Proceedings of ESORICS 2003, 8th European Symposium on Research in Computer Security, vol. 2808 of Lecture Notes in Computer Science, Springer, 2003. pp. 326-343.
  • 33
    • 35048885009
    • K. Wang, S.J. Stolfo, Anomalous payload-based network intrusion detection, in: Proceedings of Recent Advances in Intrusion Detection, 7th International Symposium, RAID 2004, Sophia Antipolis, France, September 15-17, 2004, vol. 3224 of Lecture Notes in Computer Science, Springer, 2004. pp. 203-222.
  • 34
    • 33846394922
    • R. Vargiya, P. Chan, Boundary detection in tokenizing network application payload for anomaly detection, in: Proceedings of the ICDM Workshop on Data Mining for Computer Security (DMSEC), 2003. pp. 50-59. Workshop held in conjunction with The Third IEEE International Conference on Data Mining. Available from: . Accessed 5 April 2006.
  • 35
    • 0034301517
    • The 1999 DARPA off-line intrusion detection evaluation
    • Lippmann R., Haines J., Fried D., Korba J., and Das K. The 1999 DARPA off-line intrusion detection evaluation. Computer Networks 34 4 (2000) 579-595
    • (2000) Computer Networks , vol.34 , Issue.4 , pp. 579-595
    • Lippmann, R.1    Haines, J.2    Fried, D.3    Korba, J.4    Das, K.5
  • 36
    • 18844395404
    • A multi-model approach to the detection of web-based attacks
    • Kruegel C., Vigna G., and Robertson W. A multi-model approach to the detection of web-based attacks. Computer Networks 48 5 (2005) 717-738
    • (2005) Computer Networks , vol.48 , Issue.5 , pp. 717-738
    • Kruegel, C.1    Vigna, G.2    Robertson, W.3
  • 37
    • 21644481499
    • E. Tombini, H. Debar, L. Me, M. Ducassé, A serial combination of anomaly and misuse IDSes applied to HTTP traffic, in: Proceedings of 20th Annual Computer Security Applications Conference, 2004.
  • 38
    • 33846370697
    • R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee, Hypertext transfer protocol-HTTP/1.1, RFC 2616, . Accessed 2 October 2002 (June 1999).
  • 39
    • 33846357665
    • SecurityFocus, What is bugtraq?, . Accessed 10 January 2003.
  • 40
    • 33846372851
    • SecurityFocus, Vulnerabilities, . Accessed 24 April 2006 (2005).
  • 41
    • 33846335970
    • Open Source Vulnerability Database (OSVDB), Osvdb: The open source vulnerability database, . Accessed 24 April 2006.
  • 42
    • 33846357301
    • Packet Storm, Packet storm: Know better, . Accessed 24 April 2006.
  • 43
    • 33846356592
    • Jupitermedia, Sourcebank: The search engine for developers, . Accessed 24 April 2006.
  • 44
    • 84962260018
    • R. Lippmann, D. Fried, I. Graf, J. Haines, K. Kendall, D. McClung, D. Weber, S. Webster, D. Wyschogrod, R. Cunningham, M. Zissman, Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation, in: Proceedings of DARPA Information Survivability Conference and Exposition, 2000. DISCEX '00, vol. 2 (1999). pp. 12-26.
  • 45
    • 84944222170
    • R. Lippmann, J. Haines, D. Fried, J. Korba, K. Das, Analysis and results of the 1999 DARPA off-line intrusion detection evaluation, in: H. Debar, L. Me, S. Wu (Eds.), Proceedings of Third International Workshop, RAID 2000 on Recent Advances in Intrusion Detection, 2-4 October 2000, Toulouse, France, Springer-Verlag, Berlin, Germany, 2000. pp. 162-182.
  • 46
    • 0038011184
    • D. Wagner, P. Soto, Mimicry attacks on host-based intrusion detection systems, in: Proceedings of the 9th ACM conference on Computer and Communications Security, ACM Press, 2002. pp. 255-264.
  • 48
    • 33846376362
    • N.V. Chawla, N. Japkowicz, A. Kotcz, Editorial: Special issue on learning from imbalanced data sets, SIGKDD Explor. Newsl. 6 (1) (2004). pp. 1-6.
  • 49
    • 33846381867
    • M. Salganicoff, Density-adaptive learning and forgetting, in: Proceedings of International Conference on Machine Learning (1993). pp. 276-283.
  • 51
    • 33747270089
    • Adaptation in constant utility non-stationary environments
    • Belew R.K., and Booker L.B. (Eds), Morgan Kaufmann, San Mateo, CA
    • Littman M.L., and Ackley D.H. Adaptation in constant utility non-stationary environments. In: Belew R.K., and Booker L.B. (Eds). Proceedings of the Fourth International Conference on Genetic Algorithms (1991), Morgan Kaufmann, San Mateo, CA 136-142
    • (1991) Proceedings of the Fourth International Conference on Genetic Algorithms , pp. 136-142
    • Littman, M.L.1    Ackley, D.H.2
  • 52
    • 0001187706
    • Complexity of automaton identification from given data
    • Gold E. Complexity of automaton identification from given data. Information and Control 37 3 (1978) 302-320
    • (1978) Information and Control , vol.37 , Issue.3 , pp. 302-320
    • Gold, E.1
  • 53
    • 0026995322
    • K.J. Lang, Random DFA's can be approximately learned from sparse uniform examples, in: Proceedings of the Fifth ACM Workshop on Computational Learning Theory, ACM, New York, NY, (1992). pp. 45-52, URL: .
  • 54
    • 2542463182
    • Inducing grammars from sparse data sets: a survey of algorithms and results
    • Cicchello O., and Kremer S.C. Inducing grammars from sparse data sets: a survey of algorithms and results. Journal of Machine Learning and Research 4 (2003) 603-632
    • (2003) Journal of Machine Learning and Research , vol.4 , pp. 603-632
    • Cicchello, O.1    Kremer, S.C.2
  • 55
    • 33846380126
    • K.J. Lang, B.A. Pearlmutter, R.A. Price, Results of the Abbadingo One DFA learning competition and a new evidence-driven state merging algorithm, Lecture Notes in Computer Science 1433, in: Proceedings of ICGI-98. URL .
  • 56
    • 84974725549
    • A.L. Oliveira, J. Silva, Efficient search techniques for the inference of minimum sized finite automata, in: Proceedings of the Fifth String Processing and Information Retrieval Symposium, IEEE Computer Press, 1998. pp. 81-89.
  • 57
    • 0034836394
    • D. Wagner, D. Dean, Intrusion detection via static analysis, in: Proceedings of the 2001 IEEE Symposium on Security and Privacy, 2001. Available from: . Accessed 21 April 2006.
  • 58
    • 0031233430
    • Intrusion detection via system call traces
    • Kosoresow A.P., and Hofmeyr S.A. Intrusion detection via system call traces. IEEE Software 14 5 (1997) 35-42
    • (1997) IEEE Software , vol.14 , Issue.5 , pp. 35-42
    • Kosoresow, A.P.1    Hofmeyr, S.A.2


* This information was analyzed and extracted by KISTI from Elsevier's SCOPUS database.