A Learning-Based Approach to the Detection of SQL Attacks
Web-based systems are often a composition of infrastructure components, such as web servers and databases, and of application-specific code, such as HTML-embedded scripts and server-side applications. While the infrastructure components are usually developed by experienced programmers with solid security skills, the application-specific code is often developed under strict time constraints by programmers with little security training. As a result, vulnerable web-applications are deployed and made available to the Internet at large, creating easily-exploitable entry points for the compromise of entire networks.
Web-based applications often rely on back-end database servers to manage application-specific persistent state. The data is usually extracted by performing queries that are assembled using input provided by the users of the applications. If user input is not sanitized correctly, it is possible to mount a variety of attacks that leverage web-based applications to compromise the security of back-end databases. Unfortunately, it is not always possible to identify these attacks using signature-based intrusion detection systems, because of the ad hoc nature of many web-based applications. Signatures are rarely written for this class of applications due to the substantial investment of time and expertise this would require.
We have developed an anomaly-based system that learns the profiles of the normal database access performed by web-based applications using a number of different models. These models allow for the detection of unknown attacks with reduced false positives and limited overhead. In addition, our solution represents an improvement with respect to previous approaches because it reduces the possibility of executing SQL-based mimicry attacks.
KeywordsIntrusion Detection Machine Learning Web Attacks Data bases
Unable to display preview. Download preview PDF.
- 1.libAnomaly project homepage, http://www.cs.ucsb.edu/~rsg/libAnomaly
- 2.Almgren, M., Debar, H., Dacier, M.: A lightweight tool for detecting web server attacks. In: Proceedings of the ISOC Symposium on Network and Distributed Systems Security, San Diego, CA (February 2000)Google Scholar
- 5.Burzi, F.: Php-nuke website (2005), http://phpnuke.org/
- 6.CERT/CC. Code Red Worm Exploiting Buffer Overflow In IIS Indexing Service DLL. Advisory CA-2001-19 (July 2001)Google Scholar
- 9.Forrest, S.: A Sense of Self for UNIX Processes. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 1996, pp. 120–128 (1996)Google Scholar
- 11.Kruegel, C., Toth, T., Kirda, E.: Service Specific Anomaly Detection for Network Intrusion Detection. In: Symposium on Applied Computing (SAC), March 2002. ACM Scientific Press, New York (2002)Google Scholar
- 14.Liljenstam, M., Nicol, D., Berk, V., Gray, R.: Simulating realistic network worm traffic for worm warning system design and testing. In: Proceedings of the ACM Workshop on Rapid Malcode, Washington, DC, pp. 24–33 (2003)Google Scholar
- 15.Mahoney, M., Chan, P.: Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks. In: Proceedings of the 8th International Conference on Knowledge Discovery and Data Mining, Edmonton, Alberta, Canada, pp. 376–385 (2002)Google Scholar
- 16.Portnoy, L., Eskin, E., Stolfo, S.: Intrusion Detection with Unlabeled Data Using Clustering. In: Proceedings of ACM CSS Workshop on Data Mining Applied to Security, Philadelphia, PA (November 2001)Google Scholar
- 17.Security Focus Homepage (2002), http://www.securityfocus.com/
- 18.Stolcke, A., Omohundro, S.: Hidden Markov Model Induction by Bayesian Model Merging. In: Advances in Neural Information Processing Systems (1993)Google Scholar
- 19.Stolcke, A., Omohundro, S.: Inducing probabilistic grammars by bayesian model merging. In: International Conference on Grammatical Inference (1994)Google Scholar
- 20.Tan, K., Killourhy, K., Maxion, R.: Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits. In: Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection, Zurich, Switzerland, October 2002, pp. 54–73 (2002)Google Scholar
- 21.Vigna, G., Robertson, W., Kher, V., Kemmerer, R.A.: A Stateful Intrusion Detection System for World-Wide Web Servers. In: Omondi, A.R., Sedukhin, S.G. (eds.) ACSAC 2003. LNCS, vol. 2823, pp. 34–43. Springer, Heidelberg (2003)Google Scholar
- 22.Wagner, D., Soto, P.: Mimicry Attacks on Host-Based Intrusion Detection Systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington DC, USA, November 2002, pp. 255–264 (2002)Google Scholar
- 23.Warrender, C., Forrest, S., Pearlmutter, B.A.: Detecting intrusions using system calls: Alternative data models. In: IEEE Symposium on Security and Privacy, pp. 133–145 (1999)Google Scholar
- 24.Watchfire. AppShield Web Intrusion Prevention (2005), http://www.watchfire.com/products/appshield/default.aspx