Cooperative Intrusion Detection for Web Applications

This contribution concerns cooperative information systems, and more precisely interorganizational systems (IOS). Indeed, the experience of real enterprises shows that most IOS interoperate today over the Web. To “ensure” the security of these IOS on the Web (in particular, the security of the applications they are made of), various hardware and software protections can be employed. Our work falls within the field of intrusion detection, and more precisely intrusion detection for Web applications. Several misuse-based intrusion detection systems (IDSs) have recently been developed for Web applications, whereas, to our knowledge, only one anomaly-based Web IDS exists and works effectively to date. Unfortunately, it was conceived without any kind of cooperation in mind. In previous work, we improved it to gain in sensitivity and specificity. This paper describes a cooperation feature added to the IDS, so that it can perform alarm correlation with other detectors, allowing cooperative intrusion detection, as well as event correlation to detect distributed attacks. The first experiments in a real environment show encouraging results.
