Reducing errors in the anomaly-based detection of web-based attacks through the combined analysis of web requests and SQL queries

Journal of Computer Security

Volumn 17, Issue 3, 2009, Pages 305-329

  Vigna, Giovanni ^a   Valeur, Fredrik ^a   Balzarotti, Davide ^a   Robertson, William ^a   Kruegel, Christopher ^b   Kirda, Engin ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

Author keywords

Anomaly detection; Data compartmentalization; Database security; Web security

Indexed keywords

ANOMALY DETECTION; ANOMALY DETECTION SYSTEMS; ANOMALY DETECTOR; BACK-END DATABASE; COMBINED ANALYSIS; COMMERCIAL PRODUCTS; CRITICAL INFORMATION; DATA COMPARTMENTALIZATION; DATABASE SECURITY; DETECTION RATES; EARLY WARNING; FALSE NEGATIVES; FALSE POSITIVE; FALSE POSITIVE RATES; RESEARCH PROTOTYPE; SENSITIVE INFORMATIONS; SQL QUERY; USAGE PATTERNS; WEB APPLICATION; WEB REQUESTS; WEB SECURITY; WEB SERVERS; WEB-BASED APPLICATIONS; WEB-BASED ATTACKS;

DATABASE SYSTEMS; DETECTORS; ERROR DETECTION; WEB SERVICES;

HTTP;

EID: 68149139611     PISSN: 0926227X     EISSN: None     Source Type: Journal    
DOI: 10.3233/JCS-2009-0321     Document Type: Article

References (30)

1. P. Akritidis, K. Anagnostakis and E. Markatos, Efficient content-based detection of zero-day worms, in: Proceedings of the International Conference on Communications (ICC), Seoul, Korea, May 2005.
2. M. Almgren, H. Debar and M. Dacier, A lightweight tool for detecting web server attacks, in: Proceedings of the ISOC Symposium on Network and Distributed Systems Security, San Diego, CA, February 2000.
3. M. Almgren and U. Lindqvist, Application-integrated data collection for security monitoring, in: Proceedings of Recent Advances in Intrusion Detection (RAID), Davis, CA, LNCS, Vol. 2212, Springer, 2001, pp. 22-36.
4. R. Andersson, punBB - fast and lightweight PHP-powered discussion board, 2005, http://www. punbb.org/
5. S. Axelsson, The base-rate fallacy and its implications for the difficulty of intrusion detection, in: Proceedings of the 6th ACM Conference on Computer and Communications Security, Singapore, 1999.
6. I. Balepin, S. Maltsev, J. Rowe and K. Levitt, Using specification-based intrusion detection for automated response, in: Proceedings of Recent Advances in Intrusion Detection (RAID), Pittsburgh, PA, 2003.
7. Breach Security, Breachgate, August 2006, http://www.breach.com/
8. Citrix, Citrix application firewall, August 2006, http://www.citrix.com/
9. Common vulnerabilities and exposures, 2003, http://www.cve.mitre.org/
10. A. Hayter, Probability and Statistics for Engineers and Scientists, 2nd edn, Duxbury Press, 2001.
11. C. Kruegel and G. Vigna, Anomaly detection of web-based attacks, in: Proceedings of the 10th ACM Conference on Computer and Communication Security (CCS'03), Washington, DC, ACM Press, 2003, pp. 251-261.
12. C. Kruegel, G. Vigna and W. Robertson, A multi-model approach to the detection of web-based attacks, Computer Networks 48(5) (2005), 717-738.
13. S. Lee, W. Low and P. Wong, Learning fingerprints for a database intrusion detection system, in: 7th European Symposium on Research in Computer Security (ESORICS), Zurich, Switzerland 2002.
14. W. Lee, W. Fan, M. Miller, S. Stolfo and E. Zadok, Toward cost-sensitive modeling for intrusion detection and response, Journal of Computer Security 10(1) (2002), 5-12.
15. D. Mutz, F. Valeur, C. Kruegel and G. Vigna, Anomalous system call detection, ACM Transactions on Information and System Security 9 (2006), 61-93.
16. myBloggie - PHP and mySQL Blog/Weblog script, 2005, http://mybloggie. mywebland.com/
17. MySQL - The world's most popular open-source database, 2005, http://www.mysql.com/
18. NetContinuum, Nc-1100 af, August 2006, http://www.netcontinuum.com/
19. PHP: Hypertext Preprocessor, 2005, http://www.php.net/
20. phPay - webshop or catalog based on SQL and PHP, 2005, http://phpay.sourceforge.net/
21. K. Poulsen, Tower records settles charges over hack attacks, April 2004, http://www.securityfocus. com/news/8508
22. M. Roesch, Snort - lightweight intrusion detection for networks, in: Proceedings of the USENIX LISA'99 Conference, Seattle, WA, November 1999.
23. K.A.S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos and A.D. Keromytis, Detecting targeted attacks using shadow honeypots, in: Proceeding of the USENIX Security Symposium, Baltimore, MD, August 2005.
24. E. Tombini, H. Debar, L. Mé and M. Ducassé, A serial combination of anomaly and misuse IDSes applied to HTTP traffic, in: Proceedings of the Annual Computer Security Applications Conference (ACSAC), Tucson, AZ, December 2004.
25. T. Toth and C. Kruegel, Accurate buffer overflow detection via abstract payload execution, in: Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID), Zurich, Switzerland, October 2002.
26. T. Toth and C. Kruegel, Evaluating the impact of automated intrusion response mechanisms, in: Proceedings of the Annual Computer Security Application Conference (ACSAC), Las Vegas, NV, 2002.
27. F. Valeur, D. Mutz and G. Vigna, A learning-based approach to the detection of SQL attacks, in: Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Vienna, Austria, July 2005, Springer, 2005, pp. 123-140.
28. F. Valeur, G. Vigna, C. Kruegel and E. Kirda, An anomaly-driven reverse proxy for web applications, in: Proceedings of the ACM Symposium on Applied Computing (SAC), Dijon, France, April 2006.
29. Victoria's Secret reveals too much, October 2003, http://www.cbsnews.com/
30. G. Vigna, W. Robertson, V. Kher and R. Kemmerer, A stateful intrusion detection system for worldwide web servers, in: Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003), Las Vegas, NV, December 2003, IEEE Computer Society, 2003, pp. 34-43.