AIWAS: The Automatic Identification of Web Attacks System

Toan Huynh (University of Alberta, Canada) and James Miller (University of Alberta, Canada)
DOI: 10.4018/jssoe.2012010105

Abstract

A recent report states that 63 percent of documented vulnerabilities exist in Web applications. Hence, Web applications represent an ideal platform for malicious attackers to target. This paper presents an anomaly intrusion detection system (AIWAS) to help system administrators protect their Web applications from these attacks. AIWAS maps each user’s input into an Instance Model (IM). The IM, which contains attackable features of the input, allows machine learning algorithms to classify the input as either benign or malicious. AIWAS then prevents malicious inputs from reaching the protected Web applications. A case study demonstrates the effectiveness of AIWAS against actual attacks.

Article Preview

A-NIDS often utilize machine learning (ML) techniques. Lazarevic et al. (2005), Tavallaee et al. (2010) and Tsai et al. (2009) provide reviews of existing A-NIDS. Traditional A-NIDS (Lee & Heinbuch, 2001) concentrate on low-level packet information, which means that application-specific information is lost (Krugel, 2002). As a result, A-NIDS often have low detection rates for attacks targeting the Web application layer. A new generation of A-NIDS has been proposed to specifically target the Web application layer; a brief overview of these A-NIDS follows.

Kruegel et al. (2003, 2005) presented one of the first A-NIDS designed specifically for Web applications. The system contains six anomaly models and six techniques for estimating the probability of an attack based upon these models. Valeur et al. (2005) present an approach that profiles normal database access performed by Web applications to detect SQL injection attacks on a DBMS. Swaddler (Cova et al., 2007a) extends Kruegel et al. (2003, 2005) by also examining the state of the Web application. Liu et al. (2009) introduce the SQLProb proxy to detect and remove SQL injection attacks. SQLProb is evaluated using the AMNESIA (Halfond & Orso, 2005) attack data set with excellent results.
