The Use of the Haar Transform for Anomaly Detection in Web Traffic (O Uso da Transformada de Haar na Detecção de Anomalias no Tráfego Web)
Abstract
Today, information in computer systems is a valuable asset subject to numerous threats. In web traffic, the set of characters contained in HTTP requests sent to a web application is the main data input for malicious sequences created by attackers. Intrusion detection systems based on frequency distribution analysis of this character set are used to identify malicious actions. This paper describes an algorithm for detecting web attacks in HTTP traffic based on the Haar wavelet transform and hard thresholding. Comparison with other algorithms that use different, well-established strategies showed the efficiency of our approach, which obtained a high detection rate with few false positives.
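The following sketch is an added illustration of the general idea in the abstract, not the paper's algorithm or code. It assumes a single character-distribution feature per request (share of non-alphanumeric characters), one Haar decomposition level, and a universal threshold with a median-based noise estimate; the sample requests are constructed.

```python
import math
from statistics import median

# Constructed query strings for illustration; not the paper's data set.
REQUESTS = [
    "id=10&page=2", "user=ana&lang=pt", "q=red+shoes&sort=asc", "id=11&page=3",
    "cat=books&id=7", "id=7' OR '1'='1", "q=blue+hat&sort=desc", "user=bob&lang=en",
]

def symbol_ratio(query):
    """Assumed feature: share of non-alphanumeric characters in the query."""
    return sum(not c.isalnum() for c in query) / (len(query) or 1)

def haar_details(signal):
    """Finest-level Haar detail coefficients; a trailing odd sample is ignored."""
    return [(signal[i] - signal[i + 1]) / math.sqrt(2)
            for i in range(0, len(signal) - 1, 2)]

def universal_threshold(details, n):
    """Assumed threshold: sigma * sqrt(2 ln n), sigma = median(|d|) / 0.6745."""
    sigma = median(abs(d) for d in details) / 0.6745
    return sigma * math.sqrt(2 * math.log(n))

def hard_threshold(coeffs, t):
    """Hard threshold: keep coefficients with |c| > t unchanged, zero the rest."""
    return [c if abs(c) > t else 0.0 for c in coeffs]

def detect(requests):
    """Return indices of requests flagged as anomalous."""
    feats = [symbol_ratio(r) for r in requests]
    details = haar_details(feats)
    kept = hard_threshold(details, universal_threshold(details, len(feats)))
    centre = median(feats)
    flagged = []
    for k, d in enumerate(kept):
        if d != 0.0:
            # A surviving coefficient marks a pair of neighbouring requests;
            # report the member whose feature lies farther from the median.
            pair = (2 * k, 2 * k + 1)
            flagged.append(max(pair, key=lambda i: abs(feats[i] - centre)))
    return flagged

if __name__ == "__main__":
    for i in detect(REQUESTS):
        print(f"anomalous request #{i}: {REQUESTS[i]!r}")
```

Because a detail coefficient is a difference of neighbours, two adjacent requests with similar abnormal ratios cancel each other at this level; that is a limitation of this one-level sketch.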
