DocumentCode
2779370
Title
Integrated Detection of Attacks Against Browsers, Web Applications and Databases
Author
Criscione, C. ; Salvaneschi, G. ; Maggi, F. ; Zanero, S.
Author_Institution
Dipt. di Elettron. e Inf., Politec. di Milano, Milan, Italy
fYear
2009
fDate
9-10 Nov. 2009
Firstpage
37
Lastpage
45
Abstract
Anomaly-based techniques were exploited successfully to implement protection mechanisms for various systems. Recently, these approaches have been ported to the web domain under the name of "web application anomaly detectors" (or firewalls) with promising results. In particular, those capable of automatically building specifications, or models, of the protected application by observing its traffic (e.g., network packets, system calls, or HTTP requests and responses) are particularly interesting, since they can be deployed with little effort. Typically, the detection accuracy of these systems is significantly influenced by the model building phase (often called training), which clearly depends upon the quality of the observed traffic, which should resemble the normal activity of the protected application and must be also free from attacks. Otherwise, detection may result in significant amounts of false positives (i.e., benign events flagged as anomalous) and negatives (i.e., undetected threats). In this work we describe Masibty, a web application anomaly detector that have some interesting properties. First, it requires the training data not to be attack-free. Secondly, not only it protects the monitored application, it also detects and blocks malicious client-side threats before they are sent to the browser. Third, Masibty intercepts the queries before they are sent to the database, correlates them with the corresponding HTTP requests and blocks those deemed anomalous. Both the accuracy and the performance have been evaluated on real-world web applications with interesting results. The system is almost not influenced by the presence of attacks in the training data and shows only a negligible amount of false positives, although this is paid in terms of a slight performance overhead.
Keywords
Internet; security of data; Masibty application; Web application anomaly detectors; Web applications; Web browsers; anomaly-based techniques; client-side threats; databases; firewalls; integrated attack detection; Application software; Computer networks; Databases; Detectors; Frequency; Information security; Protection; Telecommunication traffic; Traffic control; Training data;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Network Defense (EC2ND), 2009 European Conference on
Conference_Location
Milan
Print_ISBN
978-1-4244-6049-6
Type
conf
DOI
10.1109/EC2ND.2009.13
Filename
5494330
Link To Document