Introduction
Web applications are the primary target of computer attackers; over 80% of attacks threaten Internet and Intranet systems, causing major and critical problems for many institutions (banks, public establishments, big companies...). Several security solutions have been proposed, such as signature-based firewalls, prevention systems and encryption devices, but their effectiveness against web attacks is limited. To detect web attacks and intrusions better, a detection system should understand the context of the content it processes and must be able to filter content based on its effect on the target application. For this reason, the use of ontologies is very important for improving the detection of intrusions and attacks.
Most signature-based and behavior-based approaches face major challenges, some of which are described below:
- Most existing techniques are based on signatures that capture only the syntactic representation of the attack. It is easy for an attacker to launch an attack by changing the syntactic representation that the signature matches.
- Current detection techniques are reactive; attacks are frequently detected by analysis of system logs. An attack is prevented only if its exact signature is recognized by the system; otherwise the attack can't be detected and can compromise system security.
- Behavior-based detection systems can detect new and unknown attacks. However, in these systems a small deviation in the data or in user behavior creates false positives and false negatives.
- The statistical techniques used in detection systems basically provide a viable solution at the network layer. This solution isn't effective at the application layer, because it focuses on the distribution of input characters and ignores their contextual nature.
- Capturing the context of inputs and outputs is a difficult task, and capturing protocol context is also difficult to achieve.
The proposed solution is intended to overcome these problems.
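To make the first challenge concrete, the following is an added example (it is not code from the paper and does not describe its ontology-based detector): a purely syntactic signature applied to the raw request parameter misses the same input once it is percent-encoded, case-varied or separated with tabs, while the same signature applied after a defensive canonicalization step (repeated percent-decoding, case-folding, whitespace collapsing) still matches. The sample queries, the `canonicalize` helper and the signature pattern are constructed for illustration and are assumptions, not the paper's.

```python
import re
import urllib.parse

# Constructed sample request parameters (not from the paper). The first is
# the textbook form a syntactic signature would be written for; the next two
# are the same request with only its syntactic representation changed; the
# last is a benign request.
SAMPLE_QUERIES = [
    "id=1' OR 1=1--",
    "id=1'%20oR%201%3D1--",
    "id=1'%09Or%091%3D1--",
    "id=1",
]

# Naive signature: a literal, case-sensitive pattern over the raw input,
# i.e. one that keeps only the syntactic representation of the attack.
RAW_SIGNATURE = re.compile(r"' OR 1=1")


def canonicalize(value: str) -> str:
    """Reduce a request parameter to a canonical form before matching.

    Percent-decoding is repeated until the value stops changing so that
    double-encoded input is unwrapped; case-folding and whitespace
    collapsing remove the two cheapest syntactic variations.
    """
    prev = None
    while prev != value:
        prev = value
        value = urllib.parse.unquote_plus(value)
    value = value.lower()
    value = re.sub(r"\s+", " ", value)
    return value


# The same signature, written against the canonical (lower-case,
# single-space) form of the input.
CANON_SIGNATURE = re.compile(r"' or 1=1")


def match_raw(query: str) -> bool:
    """Signature matching on the raw, un-normalized parameter."""
    return RAW_SIGNATURE.search(query) is not None


def match_canonical(query: str) -> bool:
    """Signature matching after canonicalization."""
    return CANON_SIGNATURE.search(canonicalize(query)) is not None


def compare(queries):
    """Return (query, raw_hit, canonical_hit) for each query."""
    return [(q, match_raw(q), match_canonical(q)) for q in queries]


if __name__ == "__main__":
    for query, raw_hit, canon_hit in compare(SAMPLE_QUERIES):
        print(f"{query!r:28} raw={raw_hit!s:5} canonical={canon_hit}")
```

Canonicalization narrows the gap but does not close it: a signature that matches a string still says nothing about what that string does once it reaches the target application, so an input that is rewritten into a logically equivalent but textually different form is missed again. That is the gap the context-aware, ontology-based approach argued for in this paper is meant to address.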
State Of The Art
Several approaches for detecting intrusions and attacks have been proposed; they can generally be classified into three groups. The behavioral approach uses methods based on the assumption that exploiting a vulnerability of a system involves its abnormal use; an intrusion is identified as a deviation from normal user behavior. In the scenario approach, although it isn't possible to statistically describe the behavior of an attacker, it is possible to give rules on how the attacker proceeds. These rules take the form of attack scenarios exploiting system vulnerabilities. There are also approaches based on ontologies.
Scenario Approach (Signature)
It is possible to give rules on the manner in which an attacker carries out the attack. These rules take the form of attack scenarios exploiting system vulnerabilities.
T. Lunt used rules to describe the actions of attacks. Ilgun et al. used state transition diagrams to model the general states of the system and access control violations. Kumar et al. used colored Petri nets to represent intrusion signatures as sequences of events on the target system. The main advantage of scenario-based detection systems is that once the known intrusion patterns are stored, future instances of these intrusions can be detected effectively and efficiently. However, new attacks will likely go unnoticed, leading to an unacceptable false negative rate. Signature detection faces a big challenge because of the rapid and exponential growth in the variety of attacks and signature rules; keeping the threat signature database up to date is a tedious task. Snort has over 2,500 signature rules. Xu et al. presented an approach for the automatic generation of safety tests using formal threat models to detect invalid inputs.
Duan et al. developed an efficient zombie spam detection system that automatically detects compromised machines in a network by monitoring outgoing messages. Shar and Tan proposed a solution against Cross-Site Scripting vulnerabilities in web applications.