Detecting attacks against data in web applications

RRABIDS (Ruby on Rails Anomaly Based Intrusion Detection System) is an application level intrusion detection system for applications implemented with the Ruby on Rails framework. It is aimed at detecting attacks against data in the context of web applications. This anomaly based IDS focuses on the modeling of the application profile in the absence of attacks (called normal profile) using invariants. These invariants are discovered during a learning phase. Then, they are used to instrument the web application at source code level, so that a deviation from the normal profile can be detected at run-time. This paper illustrates on simple examples how the approach detects well known categories of web attacks that involve a state violation of the application, such as SQL injections. Finally, an assessment phase is performed to evaluate the accuracy of the detection provided by the proposed approach.

[1]  Christopher Krügel,et al.  Toward Automated Detection of Logic Vulnerabilities in Web Applications , 2010, USENIX Security Symposium.

[2]  Miguel Castro,et al.  Preventing Memory Error Exploits with WIT , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[3]  Vincent Nicomette,et al.  A Clustering Approach for Web Vulnerabilities Detection , 2011, 2011 IEEE 17th Pacific Rim International Symposium on Dependable Computing.

[4]  Miguel Castro,et al.  Securing software by enforcing data-flow integrity , 2006, OSDI '06.

[5]  Bruno d'Ausbourg,et al.  Implementing Secure Dependencies over a Network by Designing a Distributed Security SubSystem , 1996, J. Comput. Secur..

[6]  Stephen McCamant,et al.  The Daikon system for dynamic detection of likely invariants , 2007, Sci. Comput. Program..

[7]  Giovanni Vigna,et al.  A stateful intrusion detection system for World-Wide Web servers , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[8]  R. Sekar,et al.  Anomalous Taint Detection , 2008, RAID.

[9]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[10]  John C. Mitchell,et al.  State of the Art: Automated Black-Box Web Application Vulnerability Testing , 2010, 2010 IEEE Symposium on Security and Privacy.

[11]  Michael Karr,et al.  Affine relationships among variables of a program , 1976, Acta Informatica.

[12]  Giovanni Vigna,et al.  Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications , 2007, RAID.

[13]  Eric Totel,et al.  Application Data Consistency Checking for Anomaly Based Intrusion Detection , 2009, SSS.

[14]  Christopher Krügel,et al.  Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks , 2006, NDSS.

[15]  Giovanni Vigna,et al.  Why Johnny Can't Pentest: An Analysis of Black-Box Web Vulnerability Scanners , 2010, DIMVA.