Learning DFA representations of HTTP for protecting web applications

Kenneth L. Ingham, Anil Somayaji, John Burge, Stephanie Forrest

Research output: Contribution to journal › Article

58 Citations (Scopus)

Abstract

Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).

Original language: English (US)
Pages (from-to): 1239-1255
Number of pages: 17
Journal: Computer Networks
Volume: 51
Issue number: 5
DOIs: 10.1016/j.comnet.2006.09.016
State: Published - Apr 11 2007
Externally published: Yes

Fingerprint

  • HTTP
  • Finite automata
  • Intrusion detection
  • World Wide Web
  • Servers

Keywords

  • Anomaly intrusion detection
  • Finite automata induction
  • Web server security

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Learning DFA representations of HTTP for protecting web applications. / Ingham, Kenneth L.; Somayaji, Anil; Burge, John; Forrest, Stephanie.

In: Computer Networks, Vol. 51, No. 5, 11.04.2007, p. 1239-1255.


Ingham, Kenneth L. ; Somayaji, Anil ; Burge, John ; Forrest, Stephanie. / Learning DFA representations of HTTP for protecting web applications. In: Computer Networks. 2007 ; Vol. 51, No. 5. pp. 1239-1255.
@article{8919bc7ea64f475c8de40339fd5883b9,
title = "Learning DFA representations of HTTP for protecting web applications",
abstract = "Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).",
keywords = "Anomaly intrusion detection, Finite automata induction, Web server security",
author = "Ingham, {Kenneth L.} and Anil Somayaji and John Burge and Stephanie Forrest",
year = "2007",
month = "4",
day = "11",
doi = "10.1016/j.comnet.2006.09.016",
language = "English (US)",
volume = "51",
pages = "1239--1255",
journal = "Computer Networks",
issn = "1389-1286",
publisher = "Elsevier",
number = "5",

}

TY - JOUR

T1 - Learning DFA representations of HTTP for protecting web applications

AU - Ingham, Kenneth L.

AU - Somayaji, Anil

AU - Burge, John

AU - Forrest, Stephanie

PY - 2007/4/11

Y1 - 2007/4/11

N2 - Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).

AB - Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).

KW - Anomaly intrusion detection

KW - Finite automata induction

KW - Web server security

UR - http://www.scopus.com/inward/record.url?scp=33846369107&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33846369107&partnerID=8YFLogxK

U2 - 10.1016/j.comnet.2006.09.016

DO - 10.1016/j.comnet.2006.09.016

M3 - Article

VL - 51

SP - 1239

EP - 1255

JO - Computer Networks

JF - Computer Networks

SN - 1389-1286

IS - 5

ER -