Specification-Based Intrusion Detection Using Sequence Alignment and Data Clustering
In this paper, we present our work on specification-based intrusion detection. Our goal is to build a web application firewall that is able to learn the normal behaviour of an application (and/or of the user) from the traffic between a client and a server. The learned model is then used to validate future traffic. Later in this paper we discuss the interactions between the learning phase and the exploitation phase of the generated model, which is expressed as a set of regular expressions. These regular expressions are generated either by a process of sequence alignment combined with BRELA (Basic Regular Expression Learning Algorithm) or directly by the latter. We also present our multiple sequence alignment algorithm, called AMAA (Another Multiple Alignment Algorithm), and the use of data clustering to improve the generated regular expressions. The detection phase is simulated in this paper by generating data that represent traffic and using a pattern matcher to validate them.
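The learn-then-validate loop the abstract describes, as an added example written for this page and not the RoCaWeb project's own code: a Needleman-Wunsch pairwise alignment extended progressively into a multiple alignment (a simplified stand-in for AMAA), a column-wise regular-expression generator standing in for BRELA, and a positive-security check of new values against the learned model. The sample parameter values and all function names are constructed for illustration.

```python
import re
from itertools import groupby

GAP, PAD = "\x00", "\x01"  # alignment gap, and a marker for already-gapped columns
# Constructed values of one request parameter as seen in normal traffic
# (made-up sample input, not data from the paper).
NORMAL_TRAFFIC = ["id=1042", "id=77", "id=98231", "id=5"]

def score(x, y):  # class-aware: identical 1, both digits or both letters 0, else -1
    return 1 if x == y else 0 if (x.isdigit() and y.isdigit()) or (x.isalpha() and y.isalpha()) else -1
def nw_align(a, b, gap=-1):  # Needleman-Wunsch global alignment -> two gapped strings
    n, m = len(a), len(b)
    s = [[(i + j) * gap if i * j == 0 else 0 for j in range(m + 1)] for i in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s[i][j] = max(s[i-1][j-1] + score(a[i-1], b[j-1]), s[i-1][j] + gap, s[i][j-1] + gap)
    i, j, ra, rb = n, m, [], []
    while i or j:  # traceback, preferring the diagonal (match/mismatch) move
        if i and j and s[i][j] == s[i-1][j-1] + score(a[i-1], b[j-1]):
            ra.append(a[i-1]); rb.append(b[j-1]); i, j = i-1, j-1
        elif i and s[i][j] == s[i-1][j] + gap:
            ra.append(a[i-1]); rb.append(GAP); i -= 1
        else:
            ra.append(GAP); rb.append(b[j-1]); j -= 1
    return "".join(reversed(ra)), "".join(reversed(rb))
def align_all(samples):  # progressive multiple alignment against the first row
    rows = [samples[0]]
    for sample in samples[1:]:
        ref, new = nw_align(rows[0].replace(GAP, PAD), sample)
        # every GAP left in ref is a newly opened column: insert it into all old rows
        rows = ["".join(GAP if c == GAP else next(it) for c in ref)
                for it in map(iter, rows)] + [new]
    return rows
def column_token(col):  # one alignment column -> (regex token, required?)
    chars, required = {c for c in col if c != GAP}, GAP not in col
    if required and len(chars) == 1:
        return re.escape(col[0]), True  # constant across all samples: keep literally
    if all(c.isdigit() for c in chars):
        return r"\d", required
    if all(c.isalpha() for c in chars):
        return "[A-Za-z]", required
    return "[" + "".join(re.escape(c) for c in sorted(chars)) + "]", required
def learn_regex(samples):  # align, tokenise columns, fold equal-token runs into {min,max}
    parts = []
    for tok, grp in groupby(map(column_token, zip(*align_all(samples))), key=lambda t: t[0]):
        grp = list(grp); req, n = sum(t[1] for t in grp), len(grp)
        parts.append(tok if req == n == 1 else f"{tok}{{{req},{n}}}")
    return "^" + "".join(parts) + "$"
def is_allowed(model, value):  # positive security: only values matching the model pass
    return re.fullmatch(model, value) is not None
```

With the constructed samples the learned model is `^id=\d{1,5}$`, so a six-digit or non-numeric value is rejected even though no signature for it was ever written.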
Keywords: Positive security; Sequence alignment; Data clustering; Web application firewall; Specification-based IDS
This work is part of the RoCaWeb project carried out at Kereval and Telecom-Bretagne and financed as a RAPID project by the DGA-MI. We would like to thank Alain Ribault, Constant Chartier, Frédéric Majorczyk and Yacine Tamoudi.