This is my Master's dissertation - USP - 2006.
This research presented a proposal for detecting attacks on Web applications protected by SSL (https) without sharing the server's private key.
At the time there were no web application firewalls (WAFs) with this characteristic, so this study was innovative. It still is...
Secure channels, such as those established by protocols like SSL and TLS, are used by network services to provide peer authentication, integrity and confidentiality.
However, their use prevents a network intrusion detection system from observing and analyzing packet contents. As an alternative to circumvent this problem, the present work proposes an agent-based intrusion detection, prevention and containment architecture capable of capturing message flows directly at the host application and feeding them into a distributed intrusion detection framework.
ADACA (Attack Detection, Analysis and Containment Agent) is a hybrid agent that can operate in active or passive mode. In this context, it is able to detect attacks whose application payload is encrypted by secure protocols such as SSL and TLS, and to take predefined measures before the host application processes malicious content. Furthermore, the Intrusion Detection Message Exchange Format (IDMEF) standard proposed by the IDWG is used to send alerts between the ADACA agent and a central IDS. The results show that it is practicable to use an application agent attached to an application as a complement to network intrusion detection systems.
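The following is an added illustration of the architecture described above, not code from the dissertation or from ADACA itself: a minimal in-process agent that inspects a request after the application has already terminated TLS (so no private key ever leaves the server), runs in passive mode (alert only) or active mode (alert and block before the application handles the request), and emits alerts in IDMEF (RFC 4765) form for a central IDS. The `Request` and `Verdict` classes, the signature set and the analyzer identifier are illustrative assumptions.

```python
"""Added example of an ADACA-style host-application agent (hypothetical, not the dissertation's code)."""
import re
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"

# Assumed, illustrative signature set; a real agent would load rules from configuration.
SIGNATURES = [
    ("sqli-union", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("path-traversal", re.compile(r"(\.\./){2,}")),
    ("xss-script", re.compile(r"(?i)<script[\s>]")),
]


@dataclass
class Request:
    """Plaintext request as the application sees it (TLS already removed by the server)."""
    client_ip: str
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Verdict:
    matched: list = field(default_factory=list)   # names of matching signatures
    blocked: bool = False                          # True only in active mode with a match
    alerts: list = field(default_factory=list)    # IDMEF XML documents, one per match


def inspect(req: Request) -> list:
    """Return the names of all signatures that match the path, query or body."""
    fields = (req.path, req.query, req.body)
    return [name for name, rx in SIGNATURES if any(rx.search(f) for f in fields)]


def idmef_alert(req: Request, sig: str, blocked: bool, analyzer_id: str = "adaca-1") -> str:
    """Build a minimal IDMEF Alert (RFC 4765 element structure) as an XML string."""
    msg = ET.Element("IDMEF-Message", {"xmlns": IDMEF_NS, "version": "1.0"})
    alert = ET.SubElement(msg, "Alert", {"messageid": str(uuid.uuid4())})
    ET.SubElement(alert, "Analyzer", {"analyzerid": analyzer_id, "class": "host-application"})
    ET.SubElement(alert, "CreateTime").text = datetime.now(timezone.utc).isoformat()
    node = ET.SubElement(ET.SubElement(alert, "Source"), "Node")
    addr = ET.SubElement(node, "Address", {"category": "ipv4-addr"})
    ET.SubElement(addr, "address").text = req.client_ip
    ET.SubElement(alert, "Classification", {"text": f"web-app/{sig}"})
    assess = ET.SubElement(alert, "Assessment")
    ET.SubElement(assess, "Impact", {"severity": "high", "type": "other"})
    # Action category tells the central IDS what the agent did: blocked or only notified.
    ET.SubElement(assess, "Action", {"category": "block-installed" if blocked else "notification-sent"})
    extra = ET.SubElement(alert, "AdditionalData", {"type": "string", "meaning": "request-line"})
    ET.SubElement(extra, "string").text = f"{req.method} {req.path}?{req.query}"
    return ET.tostring(msg, encoding="unicode")


def handle(req: Request, mode: str = "passive") -> Verdict:
    """Agent entry point: passive mode alerts only; active mode alerts and blocks the request."""
    if mode not in ("passive", "active"):
        raise ValueError("mode must be 'passive' or 'active'")
    verdict = Verdict(matched=inspect(req))
    verdict.blocked = mode == "active" and bool(verdict.matched)
    verdict.alerts = [idmef_alert(req, s, verdict.blocked) for s in verdict.matched]
    return verdict


if __name__ == "__main__":
    # Constructed sample request: a SQL injection attempt inside the query string.
    attack = Request("203.0.113.7", "GET", "/search", "q=1 UNION SELECT password FROM users")
    v = handle(attack, mode="active")
    print("matched:", v.matched, "blocked:", v.blocked)
    print(v.alerts[0])
```

In a real deployment the agent would sit as middleware in the application's request pipeline (where the server hands the application an already-decrypted request) and forward the IDMEF documents to the central IDS over its own authenticated channel; the point of the placement is that inspection happens after decryption without the network sensor ever holding the server's private key.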