Cooperative Intrusion Detection for Web Applications

  • Nathalie Dagorn
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4301)


This contribution concerns cooperative information systems, and more precisely interorganizational systems (IOS). Experience of real enterprises shows that most IOS interoperate today over the Web. To “ensure” the security of these IOS on the Web (in particular, the security of the applications they are made of), various hardware and software protections can be employed. Our work falls within the field of intrusion detection, and more precisely intrusion detection for Web applications. Several misuse-based intrusion detection systems (IDSs) have recently been developed for Web applications, whereas, to our knowledge, only one anomaly-based Web IDS exists and works effectively to date. That system was unfortunately conceived without any form of cooperation. In previous work, we improved it to gain in sensitivity and specificity. This paper describes a cooperation feature added to the IDS so that it can perform alarm correlation with other detectors, allowing cooperative intrusion detection, as well as event correlation to detect distributed attacks. The first experiments in a real environment show encouraging results.


Keywords: Bayesian Network, Intrusion Detection, Anomaly Detection, Intrusion Detection System, Configuration File
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Nathalie Dagorn
    1. Laboratory of Algorithmics, Cryptology and Security (LACS), University of Luxembourg, Luxembourg