ABSTRACT
Careless development of web-based applications results in vulnerable code being deployed and made available to the whole Internet, creating easily exploitable entry points for the compromise of entire networks. To ameliorate this situation, we propose an approach that composes a web-based anomaly detection system with a reverse HTTP proxy. The approach is based on the assumption that a web site's content can be split into security-sensitive and non-sensitive parts, which are distributed to different servers. The anomaly score of a web request is then used to route suspicious requests to copies of the web site that do not hold sensitive content. By doing this, it is possible to serve anomalous but benign requests that do not require access to sensitive information, significantly reducing the impact of false positives. We developed a prototype of our approach and evaluated its applicability with respect to several existing web-based applications, showing that our approach is both feasible and effective.
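The routing decision the abstract describes, as an added example that is not the paper's prototype: a reverse proxy scores each request against a per-parameter profile learned from benign traffic and forwards requests whose score exceeds a threshold to a replica of the site that holds no sensitive content. The scoring model here is a deliberately simplified stand-in (attribute length bounded with Chebyshev's inequality plus an alphanumeric-ratio check), not the anomaly detector the paper used; the backend addresses, the training requests and the script name are constructed for the example.

```python
"""Anomaly-driven routing for a reverse HTTP proxy (added example, not the paper's code)."""
from dataclasses import dataclass
from statistics import mean, pstdev
from urllib.parse import parse_qsl, urlsplit

# Two replicas of the same site, as assumed for this example: FULL holds the
# security-sensitive content, SANITIZED is a copy with that content removed.
# Both addresses are constructed.
FULL_BACKEND = "http://10.0.0.10:8080"
SANITIZED_BACKEND = "http://10.0.0.20:8080"

# Constructed benign training traffic for one script (not data from the paper).
TRAINING = [
    "/viewpost.php?id=12&page=1",
    "/viewpost.php?id=7&page=2",
    "/viewpost.php?id=104&page=1",
    "/viewpost.php?id=33&page=3",
    "/viewpost.php?id=58&page=1",
    "/viewpost.php?id=9&page=4",
]


@dataclass
class ParamProfile:
    """What training traffic looked like for one (path, parameter) pair."""
    mean_len: float
    var_len: float
    min_alnum_ratio: float


class AnomalyModel:
    """Simplified per-parameter profile: value length and character class."""

    def __init__(self):
        self.profiles = {}  # (path, parameter name) -> ParamProfile

    @staticmethod
    def _split(request):
        parts = urlsplit(request)
        return parts.path, parse_qsl(parts.query, keep_blank_values=True)

    @staticmethod
    def _alnum_ratio(value):
        return sum(c.isalnum() for c in value) / len(value) if value else 0.0

    def train(self, requests):
        samples = {}
        for req in requests:
            path, params = self._split(req)
            for name, value in params:
                samples.setdefault((path, name), []).append(value)
        for key, values in samples.items():
            lengths = [len(v) for v in values]
            self.profiles[key] = ParamProfile(
                mean_len=mean(lengths),
                var_len=pstdev(lengths) ** 2,
                min_alnum_ratio=min(self._alnum_ratio(v) for v in values),
            )

    @staticmethod
    def _length_anomaly(profile, value):
        dev = abs(len(value) - profile.mean_len)
        if dev == 0:
            return 0.0
        if profile.var_len == 0:
            return 1.0  # every training value had one length; this one differs
        # Chebyshev: P(|X - mu| >= dev) <= var / dev^2, so rare lengths score high.
        return 1.0 - min(1.0, profile.var_len / dev ** 2)

    @staticmethod
    def _charset_anomaly(profile, value):
        if profile.min_alnum_ratio == 0:
            return 0.0
        shortfall = profile.min_alnum_ratio - AnomalyModel._alnum_ratio(value)
        return max(0.0, shortfall) / profile.min_alnum_ratio

    def score(self, request):
        """Anomaly score in [0, 1]: 0 matches training, 1 is maximally anomalous."""
        path, params = self._split(request)
        worst = 0.0
        for name, value in params:
            profile = self.profiles.get((path, name))
            if profile is None:
                return 1.0  # parameter never seen for this path during training
            worst = max(worst, self._length_anomaly(profile, value),
                        self._charset_anomaly(profile, value))
        return worst


def route(model, request, threshold=0.5):
    """Proxy decision: suspicious requests go to the replica without sensitive data."""
    s = model.score(request)
    return (SANITIZED_BACKEND if s > threshold else FULL_BACKEND), s


def build_model():
    model = AnomalyModel()
    model.train(TRAINING)
    return model


if __name__ == "__main__":
    m = build_model()
    for req in ["/viewpost.php?id=41&page=2",                 # normal
                "/viewpost.php?id=12345678&page=1",           # anomalous but benign
                "/viewpost.php?id=1'%20OR%20'1'='1&page=1",   # injection attempt
                "/viewpost.php?id=3&debug=1"]:                # unseen parameter
        backend, s = route(m, req)
        print(f"{s:.3f} -> {backend}  {req}")
```

The second sample request is the case the abstract is about: an unusually long but harmless `id` scores high and is diverted, yet it is still served, just from the replica that cannot expose sensitive data. The threshold trades that degradation against false negatives, which still reach the full replica, and the scheme only helps if the sanitized replica genuinely lacks the sensitive content (for instance, a database account with no access to the sensitive tables) rather than merely hiding it in the UI.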
An anomaly-driven reverse proxy for web applications