Learning DFA representations of HTTP for protecting web applications

Kenneth L. Ingham; Anil Somayaji; John Burge; Stephanie Forrest

doi:10.1016/j.comnet.2006.09.016

Learning DFA representations of HTTP for protecting web applications

Kenneth L. Ingham, Anil Somayaji, John Burge, Stephanie Forrest

Research output: Contribution to journal › Article › peer-review

63 Scopus citations

Abstract

Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).

Original language	English (US)
Pages (from-to)	1239-1255
Number of pages	17
Journal	Computer Networks
Volume	51
Issue number	5
DOIs	https://doi.org/10.1016/j.comnet.2006.09.016
State	Published - Apr 11 2007
Externally published	Yes

Keywords

Anomaly intrusion detection
Finite automata induction
Web server security

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1016/j.comnet.2006.09.016

Cite this

@article{8919bc7ea64f475c8de40339fd5883b9,

title = "Learning DFA representations of HTTP for protecting web applications",

abstract = "Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).",

keywords = "Anomaly intrusion detection, Finite automata induction, Web server security",

author = "Ingham, {Kenneth L.} and Anil Somayaji and John Burge and Stephanie Forrest",

note = "Funding Information: SF and KI gratefully acknowledge the support of the National Science Foundation (Grants ANIR-9986555, CCR-0331580, and CCR-0311686), Defense Advanced Research Projects Agency (Grants F30602-02-1-0146), and the Santa Fe Institute. AS gratefully acknowledges the support of Natural Sciences and Engineering Research Council of Canada (NSERC) and MITACS. ",

year = "2007",

month = apr,

day = "11",

doi = "10.1016/j.comnet.2006.09.016",

language = "English (US)",

volume = "51",

pages = "1239--1255",

journal = "Computer Networks",

issn = "1389-1286",

publisher = "Elsevier",

number = "5",

}

TY - JOUR

T1 - Learning DFA representations of HTTP for protecting web applications

AU - Ingham, Kenneth L.

AU - Somayaji, Anil

AU - Burge, John

AU - Forrest, Stephanie

N1 - Funding Information: SF and KI gratefully acknowledge the support of the National Science Foundation (Grants ANIR-9986555, CCR-0331580, and CCR-0311686), Defense Advanced Research Projects Agency (Grants F30602-02-1-0146), and the Santa Fe Institute. AS gratefully acknowledges the support of Natural Sciences and Engineering Research Council of Canada (NSERC) and MITACS.

PY - 2007/4/11

Y1 - 2007/4/11

N2 - Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).

AB - Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).

KW - Anomaly intrusion detection

KW - Finite automata induction

KW - Web server security

UR - http://www.scopus.com/inward/record.url?scp=33846369107&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33846369107&partnerID=8YFLogxK

U2 - 10.1016/j.comnet.2006.09.016

DO - 10.1016/j.comnet.2006.09.016

M3 - Article

AN - SCOPUS:33846369107

SN - 1389-1286

VL - 51

SP - 1239

EP - 1255

JO - Computer Networks

JF - Computer Networks

IS - 5

ER -

Learning DFA representations of HTTP for protecting web applications

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this