AN ANOMALY-BASED WEB APPLICATION FIREWALL

Alejandro Perez-Villegas, Gonzalo Alvarez

2009

Abstract

A simple and effective web application firewall is presented. This system can detect both known and unknown web attacks following a positive security model. For attack detection, the system relies on an XML file, which thoroughly describes normal web application behavior. Any irregular behavior is flagged as intrusive. An initial training phase is required to statistically characterize what normal traffic for a given target application looks like. The system has been tested with a real web application as target and an artificial request generator as input. Experiments show that after the training phase, when the XML file is correctly configured, good results are obtained, with a very high detection rate and a very low false alarm rate.



Paper Citation


in Harvard Style

Perez-Villegas A. and Alvarez G. (2009). AN ANOMALY-BASED WEB APPLICATION FIREWALL. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009) ISBN 978-989-674-005-4, pages 23-28. DOI: 10.5220/0002218900230028


in Bibtex Style

@conference{secrypt09,
author={Alejandro Perez-Villegas and Gonzalo Alvarez},
title={AN ANOMALY-BASED WEB APPLICATION FIREWALL},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={23-28},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002218900230028},
isbn={978-989-674-005-4},
}

