Algorithm for detecting attacks on Web applications based on machine learning methods and attributes queries
DOI: https://doi.org/10.54654/isj.v2i14.118
Keywords: web attack, network security, signature method, anomaly detection method, machine learning method, Web application firewall, ModSecurity
Abstract— Most applications developed today aim to be as accessible as possible to users on the Internet. Many applications store their data online for more convenient work and entertainment, for example Google Docs, email, cloud storage, maps, weather and news services. Attacks on Web resources most often take place at the application level, in the form of HTTP/HTTPS requests to the site, where traditional firewalls have only limited capability to analyse traffic and detect attacks. To protect Web resources from application-level attacks there are dedicated tools: Web Application Firewalls (WAFs). This article presents an anomaly detection algorithm and describes how it operates inside the open-source web application firewall ModSecurity; the algorithm applies machine learning methods to 8 proposed request features in order to detect attacks on web applications.