WebAnalyzer: accurate detection of HTTP attack traces in web server logs

Webanalyzer : Détection Précise D’attaques HTTP dans les Journaux de Serveurs Web

Abstract

This paper presents a tool for detecting attacks against web server, using the analysis of web server log files. The main characteristic of this tool is its accuracy, being able to carefully graduate its analysis according to the actual success of the attacker. This capability is based on the design of a simple yet powerful signature definition language. We demonstrate the accuracy of the tool using a set of log lines representing several attack conditions and attack results.

Résumé

Cet article décrit un outil d’analyse de logs de serveurs http. La caractéristique principale de cet outil est la précision du diagnostic. Cette précision est obtenue à la fois par un découpage fin des lignes de log, et par une description précise des caractéristiques d’attaque recherchées. Les résultats d’analyse sont décrits sur des données synthétiques et des données réelles.

This is a preview of subscription content, access via your institution.

References

  1. [1]

    Almgren (M.),Debar (H.),Dacier (M.), “A Lightweight Tool for Detecting Web Server Attacks”,Proceedings of the 2000 isoc Symposium on Network and Distributed Systems Security, p. 157–170, 2000.

  2. [2]

    Cuppens (F.),Ortalo (R.), “Lambda : A Language to Model a Database for Detection of Attacks”, H. Debar, L. Mé,, S. F. Wu (eds),Lncs 1907 — Proceedings of the Third International Workshop on the Recent Advances in Intrusion Detection (Raid), Lecture Notes in Computer Science (Lncs), October, 2000.

  3. [3]

    Curry (D.),Debar (H.),Feinstein (B.), “The Intrusion Detection Message Exchange Format”,Ietf Intrusion Detection Exchange Format Working Group, Internet Draft, January, 2004. Expires July 8, 2004.

  4. [4]

    Debar (H.),Dacier (M.),Wespi (A.), “A Revised Taxonomy for Intrusion-Detection Systems”,Annales des Télécommunications,55, no 7–8, juillet–août 2000.

  5. [5]

    Goland (Y.),Whitehead (E.),Faizi (A.),Carter (S.),Jensen (D.), “Http Extensions for Distributed Authoring —Webdav”,Rfc 2518, February, 1999. Proposed standard.

  6. [6]

    Handley (M.),Kreibich (C),Paxson (V.), “Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics”, Proceedings of the 10thUsenix Security Symposium, Washington,Dc, August, 2001.

  7. [7]

    Johns (M. S.), “Identification Protocol”,Rfc 1413, February, 1993. Proposed standard.

  8. [8]

    Kruegel (C),Vigna (G.),Robertson (W.), “A multi-model approach to the detection of web-based attacks”Computer Networks, July, 2005. Elsevier.

  9. [9]

    Low (W. L.),Lee (J.),Teoh (P.), “Didafit: Detecting Intrusions in DAtabases Through Fingerprinting Transactions”, 4th International Conference On Enterprise Information Systems (Iceis 2002), pp. 121–128, 2002.

  10. [10]

    Low (W. L.),Lee (S. Y.),Wong (P. Y), “Learning Fingerprints For A Database Intrusion Detection System”, 7th European Symposium on Research in Computer Security (Esorics 2002), pp. 264–280, 2002.

  11. [11]

    Michel (C), (L.), “ADeLe : An Attack Description Language for Knowledge-Based Intrusion Detection”, Proceedings of the 16th International Conference on Information Security (Ifip/sec 2001), pp. 353–365, June 2001.

  12. [12]

    Network Working Group, Hypertext Transfer Protocol —Http/1.0,Rfc 1945,Ietf, May 1996.

  13. [13]

    Pouzol (J.-R),Ducassé (M.), “From Declarative Signature to Misuse ids”, 4th International Conference on Recent Advances in Intrusion Detection (Raid′01), Lecture Notes in Computer Science (Lncs), W.Lee, , L., A.Wespi (eds),No 2212, Springer, Davis,Ca, usa, October, 2001.

  14. [14]

    Ptacek (T. H.),Newsham (T.), “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”,Secure Networks, Inc, 1998.

  15. [15]

    Roesch (M.), “Snort — Lightweight Intrusion Detection for Networks”, Proceedings ofLisa′99,Usenix Association, Seattle, Washington,Usa, pp. 229–238, Nov, 1999.

  16. [16]

    Vigna (G.),Robertson (W),Kher (V.),Kemmerer (R.), “A Stateful Intrusion Detection System for World-Wide Web Servers”, Proceedings of the Annual Computer Security Applications Conference (Acsac 2003), Las Vegas,Nv, pp. 34–43, December, 2003.

Download references

Author information

Affiliations

Authors

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Debar, H., Tombini, E. WebAnalyzer: accurate detection of HTTP attack traces in web server logs. Ann. Télécommun. 61, 682–704 (2006). https://doi.org/10.1007/BF03219929

Download citation

Key words

  • Internet security
  • Web server
  • Intrusion detection
  • Data analysis

Mots clés

  • Sécurité Internet
  • Serveur web
  • Détection intrusion
  • Analyse de données