Tammo Krueger
Konrad Rieck
ABSTRACT
The growing amount of web-based attacks poses a severe threat to the security of web applications. Signature-based detection techniques increasingly fail to cope with the variety and complexity of novel attack instances. As a remedy, we introduce a protocol-aware reverse HTTP proxy TokDoc (the token doctor), which intercepts requests and decides on a per-token basis whether a token requires automatic "healing". In particular, we propose an intelligent mangling technique, which, based on the decision of previously trained anomaly detectors, replaces suspicious parts in requests by benign data the system has seen in the past. Evaluation of our system in terms of accuracy is performed on two real-world data sets and a large variety of recent attacks. In comparison to state-of-the-art anomaly detectors, TokDoc is not only capable of detecting most attacks, but also significantly outperforms the other methods in terms of false positives. Runtime measurements show that our implementation can be deployed as an inline intrusion prevention system.
- K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, and A. D. Keromytis. Detecting targeted attacks using shadow honeypots. In Proc. of USENIX Security Symposium, pages 129--144, 2005. Google Scholar
Digital Library
- M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna. Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In Recent Adances in Intrusion Detection (RAID), pages 63--86, September 2007. Google ScholarDigital Library
- P. Düssel, C. Gehl, P. Laskov, and K. Rieck. Incorporation of application layer protocol syntax into anomaly detection. In Proc. of International Conference on Information Systems Security (ICISS), pages 188--202, 2008. Google ScholarDigital Library
- J. M. Estévez-Tapiador, P. García-Teodoro, and J. E. Díaz-Verdejo. Measuring normality in http traffic for anomaly-based intrusion detection. Computer Networks, 45(2):175--193, 2004. Google ScholarDigital Library
- S. Forrest, S. Hofmeyr, A. Somayaji, and T. Longstaff. A sense of self for unix processes. In Proc. of IEEE Symposium on Security and Privacy, pages 120--128, Oakland, CA, USA, 1996. Google ScholarDigital Library
- M. Handley, V. Paxson, and C. Kreibich. Network intrusion detection: Evasion, traffic normalization and end-to-end protocol semantics. In Proc. of USENIX Security Symposium, 2001. Google ScholarDigital Library
- K. L. Ingham, A. Somayaji, J. Burge, and S. Forrest. Learning DFA representations of HTTP for protecting web applications. Computer Networks, 51(5):1239--1255, 2007. Google ScholarDigital Library
- C. Kruegel and G. Vigna. Anomaly detection of web-based attacks. In Proc. of 10th ACM Conf. on Computer and Communications Security, pages 251--261, 2003. Google ScholarDigital Library
- C. Kruegel, G. Vigna, and W. Robertson. A multi-model approach to the detection of web-based attacks. Computer Networks, 48(5), 2005. Google ScholarDigital Library
- T. Krueger, C. Gehl, K. Rieck, and P. Laskov. An architecture for inline anomaly detection. In Proc. of European Conference on Computer Network Defense (EC2ND), pages 11--18, 2008. Google ScholarDigital Library
- M. E. Locasto, K. Wang, A. D. Keromytis, and S. J. Stolfo. Flips: Hybrid adaptive intrusion prevention. In Recent Adances in Intrusion Detection (RAID), pages 82--101, 2005. Google ScholarDigital Library
- Microsoft. Microsoft security intelligence report: January to June 2008. Microsoft Corporation, 2008.Google Scholar
- V. Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23--24):2435--2466, Dec. 1999. Google ScholarDigital Library
- R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, and W. Lee. McPAD: A multiple classifier system for accurate payload-based anomaly detection. Computer Networks, In Press, Corrected Proof:--, 2008. Google ScholarDigital Library
- K. Rieck and P. Laskov. Detecting unknown network attacks using language models. In Detection of Intrusions and Malware, and Vulnerability Assessment, Proc. of 3rd DIMVA Conference, LNCS, pages 74--90, July 2006. Google ScholarDigital Library
- K. Rieck and P. Laskov. Linear-time computation of similarity measures for sequential data. Journal of Machine Learning Research, 9(Jan):23--48, 2008. Google ScholarDigital Library
- W. Robertson, G. Vigna, C. Kruegel, and R. A. Kemmerer. Using generalization and characterization techniques in the anomaly-based detection of web attacks. In Proc. of Network and Distributed System Security Symposium (NDSS), 2006.Google Scholar
- M. Roesch. Snort: Lightweight intrusion detection for networks. In Proc. of USENIX Large Installation System Administration Conference LISA, pages 229--238, 1999. Google ScholarDigital Library
- B. W. Silverman. Density Estimation for Statistics and Data Analysis. Chapman & Hall/CRC, 1986.Google Scholar
- Y. Song, A. D. Keromytis, and S. J. Stolfo. Spectrogram: A mixture-of-markov-chains model for anomaly detection in web traffic. In Proc. of Network and Distributed System Security Symposium (NDSS), 2009.Google Scholar
- Symantec. Symantec global internet security report: Trends for July--December 07. Volume XIII, Symantec Corporation, Apr. 2008.Google Scholar
- F. Valeur, G. Vigna, C. Kruegel, and E. Kirda. An anomaly-driven reverse proxy for web applications. In Proc. of the 2006 ACM symposium on Applied computing, pages 361--368, 2006. Google ScholarDigital Library
- G. Vigna, F. Valeur, D. Balzarotti, W. Robertson, C. Kruegel, and E. Kirda. Reducing errors in the anomaly-based detection of web-based attacks through the combined analysis of web requests and SQL queries. J. Comput. Secur., 17(3):305--329, 2009. Google ScholarDigital Library
- K. Wang, J. Parekh, and S. Stolfo. Anagram: A content anomaly detector resistant to mimicry attack. In Recent Adances in Intrusion Detection (RAID), pages 226--248, 2006. Google ScholarDigital Library
- R. R. Wilcox. Introduction to Robust Estimation and Hypothesis Testing. Academic Press, 1997.Google Scholar
Index Terms
- TokDoc: a self-healing web application firewall
Recommendations
NIDS: A Network Based Approach to Intrusion Detection and Prevention
IACSIT-SC '09: Proceedings of the 2009 International Association of Computer Science and Information Technology - Spring ConferenceComputer networks have added new dimensions to the global communication. But intrusions and misuses have always threatened the secured data communication over networks. Consequently, network security has come into issue. Now-a-days intrusion detection ...
Experiences on Designing an Integral Intrusion Detection System
DEXA '08: Proceedings of the 2008 19th International Conference on Database and Expert Systems ApplicationNetwork Intrusion Detection Systems (NIDS) have the challenge to prevent network attacks and unauthorised remote use of computers. In order to achieve this goal, NIDS usually follow two different strategies. The first one aims at detecting forbidden ...
RIDS: An Instant Approach to Network Intrusion Detection and Prevention
ICECT '09: Proceedings of the 2009 International Conference on Electronic Computer TechnologyWith the progression of time, we have been blessed with the gifts of science. Computer networks are one of those gifts. But as the network proceeded, intrusions and misuses followed. Consequently, network security has come to the fore front and has ...
Comments