anomaly_signatures - Using Generalization and...


Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks

William Robertson, Giovanni Vigna, Christopher Kruegel, and Richard A. Kemmerer
Reliable Software Group
Department of Computer Science
University of California, Santa Barbara
{ wkr,vigna,chris,kemm }

Abstract

The custom, ad hoc nature of web applications makes learning-based anomaly detection systems a suitable approach to provide early warning about the exploitation of novel vulnerabilities. However, anomaly-based systems are known for producing a large number of false positives and for providing poor or non-existent information about the type of attack that is associated with an anomaly.

This paper presents a novel approach to anomaly-based detection of web-based attacks. The approach uses an anomaly generalization technique that automatically translates suspicious web requests into anomaly signatures. These signatures are then used to group recurrent or similar anomalous requests so that an administrator can easily deal with a large number of similar alerts. In addition, the approach uses a heuristics-based technique to infer the type of attacks that generated the anomalies. This enables the prioritization of the attacks and provides better information to the administrator. Our approach has been implemented and evaluated experimentally on real-world data gathered from web servers at two universities.

1. Introduction

In the past ten years, the World-Wide Web has evolved from a system to provide access to static information into a full-fledged distributed execution infrastructure. Web-based applications have become a popular way to provide access to services and dynamically-generated information. The popularity of web-based applications, such as online shopping catalogs and web-based discussion forums, is a result of the ease of development, deployment, and access of this class of applications. Even network devices and traditional applications (such as mail servers) often provide web-based interfaces that are used for administration as well as configuration.

Unfortunately, while the developers of the software infrastructure (that is, the developers of web servers and database engines) usually have a deep understanding of the security issues associated with the development of critical software, the developers of web-based applications often have little or no security skills. These developers mostly focus on the functionality for the end-user and often work under stringent time constraints, without the resources (or the knowledge) necessary to perform a thorough security analysis of the application code. The result is that poorly-developed code, riddled with security flaws, is deployed and made accessible to the whole Internet....

This note was uploaded on 02/10/2012 for the course CSE 5800 taught by Professor Staff during the Fall '09 term at FIT.
