Toward Specification-Based Intrusion Detection for Web Applications

In specification-based detection the correct behavior of a system is modeled formally and would be later verified during system operation for detecting anomalies. In this paper we argue that comparing to anomaly and signature-based approaches, specification-based approach is an appropriate and precise way to build IDSes for web applications. This is due to standardized nature of web architecture including protocols (HTTP, SOAP) and data formats (HTML, XHTML, XML), which makes the challenging task of formal specification feasible. In this paper we propose a novel architecture based on ICAP protocol for a specificationbased web application IDS, in which input parameters as well as the output content of a web application are specified formally by regular expressions and the IDS verifies the specification when users have interactions with the application.