Adaptively Detecting Malicious Queries in Web Attacks

Web request query strings (queries), which pass parameters to the referenced resource, are routinely manipulated by attackers to retrieve sensitive data and even take full control of victim web servers and web applications. However, existing malicious query detection approaches in the literature cannot cope with evolving web attacks because they rely on fixed detection models. In this paper, we propose AMODS, an adaptive system that periodically updates its detection model in order to detect the latest unknown attacks. We also propose an adaptive learning strategy, called SVM HYBRID, which our system uses to minimize manual work. In the evaluation, an up-to-date detection model is trained on a ten-day query dataset collected from an academic institute's web server logs. Our system outperforms existing web attack detection methods, with an F-value of 94.79% and a false-positive (FP) rate of 0.09%. The total number of malicious queries obtained by SVM HYBRID is 2.78 times that obtained by the popular Support Vector Machine Adaptive Learning (SVM AL) method. The malicious queries obtained can be used to update the Web Application Firewall (WAF) signature library.
