
Icc2009


Presentation of the paper "HMM-Web: a framework for the detection of attacks against Web Applications" at the IEEE International Conference on Communications, Dresden, Germany, June 14-18, 2009




  1. HMM-Web: a framework for the detection of attacks against Web Applications
     I. Corona, D. Ariu, G. Giacinto
     Pattern Recognition and Applications Group, Department of Electrical and Electronic Engineering, University of Cagliari, Italy
     Presenter: Davide Ariu
     June 17, 2009 - ICC 2009 - HMMWeb - Davide Ariu
  2. Motivations
     - Why do we address the problem of securing Web Applications?
  3. Motivations
     Source: X-Force® 2008 Trend & Risk Report, January 2009
  4. Protection of Web Applications
     - Web Applications can be protected using a Web-Application Firewall (WAF)
       - A WAF filters the applications' input using a set of rules.
     - Writing rules for a Web-Application Firewall is a procedure that is:
       - Vulnerable to zero-day attacks
         - A WAF can't stop an attack if it doesn't have a rule against it
       - Time-expensive
         - Rules must be written by hand by the administrator
       - Prone to errors
         - Requires the administrator to have in-depth knowledge of the applications which reside on the Web-Server
  5. HMM-Web
     - HMM-Web addresses all of the weaknesses of Web-Application Firewalls because it is an Intrusion Detection System that is:
       - Anomaly-based
         - This means that it is also able to cope with zero-day attacks
       - Fully automated as far as the training procedure is concerned
         - Time-saving
         - Doesn't require the administrator to have knowledge of the applications which reside on the Web-Server
  6. A usage scenario
  7. Request URI Modelling
     - As attacks like XSS and SQL Injection exploit input validation flaws, we want to model the input provided by the user.
     - User-provided data are passed by the browser to the Web-Server (then to the application) as a sequence of attribute-value pairs.
     - Consequently, we want to model:
       - The sequence of attributes
       - The value of each attribute
  8. Request URI Modelling
     - From the example request URI
       GET /search.php?cat=32&key=hmm HTTP/1.1
       we extract:
       - The name of the application: "search.php"
       - The sequence of attributes: "cat-key"
       - The value of each attribute:
         - "32" for the attribute cat
         - "hmm" for the attribute key
     - These are the elements that HMM-Web analyses
  9. Classifier Ensemble
     - HMM-Web is based on Hidden Markov Models
     - For each application running on the Web Server, HMM-Web creates a module consisting of:
       - An HMM-Ensemble to model the sequence of attributes
         - This feature allows the detection of request URIs modified by hand
       - An HMM-Ensemble for each one of the attributes received by the Web Application
         - This feature allows the detection of an attribute receiving an anomalous value.
  10. IDS-Scheme
  11. Noise in the training set
     - HMM-Web is trained on a training set made of requests toward the Web-Server we want to protect.
     - This means that this training set might contain both legitimate and attack requests.
     - From a Pattern Recognition point of view, this is a problem of training on noisy data.
     - How does this noise affect HMM-Web's performance?
  12. Noise in the training set
     - The assumption that most of the queries inside the training set are legitimate is not reasonable for applications which are rarely queried.
  13. Noise in the training set: Countermeasure
     - We propose to model the fraction of attacks inside the training set as:
     - Where:
       - M is the number of applications on the Web Server
       - N is the number of queries in the training set
       - is the number of queries on the i-th application
       - is the fraction of attacks on the i-th application
       - How can we estimate effectively for each application?
  14. Noise in the training set: Countermeasure
     - Experimental results show that even a rough estimate of the amount of attacks inside the training set allows the performance of the IDS to be improved.
     - A good estimate of is that provided by the following formula:
     - is simply the ratio between the number of queries toward the i-th application and the overall number of queries.
  15. Attribute value codification
     - The values passed to the attributes might contain digits, alphabetic letters or meta-characters.
     - As it is not important to distinguish between elements belonging to the same category, HMM-Web:
       - Replaces all the digits with the symbol "N"
       - Replaces all the alphabetic letters with the symbol "A"
       - Leaves meta-characters unchanged
     - E.g. the attribute value "/dir/sub/1,2" becomes "/AAA/AAA/N,N"
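The request-URI decomposition of slide 8 and the value codification of slide 15 are the two preprocessing steps that feed the HMM ensembles. The following Python is an added illustration written for this page, not code from the HMM-Web authors: it splits a request line into the application name, the attribute sequence and the per-attribute values, and then maps each value onto the N/A/meta-character alphabet. It assumes percent-encoded values are decoded before codification (the slides do not say), and it keeps duplicate attributes in order rather than collapsing them into a dictionary.

```python
from urllib.parse import urlsplit, parse_qsl
import posixpath


def encode_value(value: str) -> str:
    """Codify an attribute value as in HMM-Web: digits -> 'N',
    alphabetic letters -> 'A', every other character (the
    meta-characters) is left unchanged."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append("N")
        elif ch.isalpha():
            out.append("A")
        else:
            out.append(ch)
    return "".join(out)


def model_request(request_line: str) -> dict:
    """Extract the elements HMM-Web analyses from one HTTP request line.

    Returns the application name (last path component), the attribute
    sequence joined with '-', the raw attribute/value pairs and their
    codified form. Assumption (not stated on the slides): query values
    are percent-decoded by parse_qsl before codification."""
    method, target, version = request_line.split()
    parts = urlsplit(target)
    application = posixpath.basename(parts.path)
    # keep_blank_values so that an attribute sent without a value still
    # appears in the attribute sequence
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "method": method,
        "application": application,
        "attribute_sequence": "-".join(name for name, _ in pairs),
        "values": pairs,
        "encoded_values": [(name, encode_value(val)) for name, val in pairs],
    }


# Constructed sample request lines (the first one is the slide's example).
SAMPLE_REQUESTS = [
    "GET /search.php?cat=32&key=hmm HTTP/1.1",
    "GET /app/profile.php?user=bob.smith%40example.com&page=2 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        m = model_request(line)
        print(m["application"], m["attribute_sequence"], m["encoded_values"])
```

Per-application models are keyed on `application`, the attribute-sequence HMM ensemble consumes `attribute_sequence`, and each attribute's own ensemble is trained on the codified strings in `encoded_values`; an attribute whose value suddenly contains meta-characters that never appeared during training keeps those characters intact in the codified string, which is exactly what makes the value look anomalous to its model.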
  16. Experimental Setup
     - We tested HMM-Web on a production Web-Server of our Academic Institution.
     - The Web-Server hosts 52 Applications:
       - 24 provide services for registered users
       - 28 provide public services
     - Dataset D: 150,000 queries toward the Web-Server
     - Dataset A: 38 attacks against 18 applications
       - 19 Cross Site Scripting attacks
       - 19 SQL Injection attacks
  17. Experimental Results: Effectiveness of attributes' codification
     The curve on the right has been obtained using the codification proposed by Kruegel et al. in "A multimodel approach to the detection of web-based attacks", Computer Networks, 2005.
  18. Experimental Results: Effectiveness of the MCS Approach
  19. Conclusions
     - In this work we propose an anomaly-based IDS for the protection of Web Applications.
     - Compared to traditional WAFs, HMM-Web is able to cope with zero-day attacks and doesn't require the administrator to have in-depth knowledge of the applications to be protected.
     - We also propose a solution for the codification of queries toward the web server and a strategy to take into account the noise in the training set.
     - HMM-Web achieves excellent results in terms of detection rate and false positive rate, even against attacks that are similar to those inside the training set.
  20. Questions?
  22. Outline
     - Motivations
     - HMM-Web vs. Web Application Firewalls
     - Description of the IDS Scheme
     - Noise inside the training set
     - Sequence codification
     - Experimental Setup
     - Experimental Results
     - Conclusions
