The Use of the Haar Transform for Anomaly Detection in Web Traffic
(original title: O uso da Transformada de Haar na Detecção de Anomalias no Tráfego Web)

C. Cappo (1), R. C. Nunes (2), B. Mozaquattro (2), A. Kozakevicius (2), C. Schaerer (1)
(1) Facultad Politécnica, Universidad Nacional de Asunción, Paraguay
(2) Centro de Tecnología, Universidade Federal de Santa María, RS, Brasil

XIII Brazilian Symposium on Information and Computer Systems Security
Outline
1. Introduction
   - Motivation
   - Anomaly detection
2. Our approach to detect anomalies in web applications
   - Main characteristics
   - Wavelet Transform Theory
   - Wavelet Algorithm for attack Detection
3. Experiments and Results
   - Dataset & Attacks
   - Results
4. Conclusions and future Work

C. Cappo, R. C. Nunes, B. Mozaquattro, A. Kozakevicius and C. Schaerer
Motivation
- The Internet has become a habitual tool used by millions of people around the world. The use of web applications such as blogs, news sites, social networks, webmail and e-commerce, among many others, has become commonplace.
- Protecting these applications from attacks is a critical issue. The number of new vulnerabilities discovered in 2012 was 5291, and web-based attacks increased by almost a third in 2012 (according to the Symantec Internet Security Threat Report, 2013, Vol. 18).
- One form of protection is to use an Intrusion Detection System (IDS). There are two main approaches to the design of IDS detection algorithms: signature-based and anomaly-based.
- We focus on the design of anomaly-based detection algorithms.
Anomaly-based approach
- The analysis is based on observing any substantial variation of a specific characteristic with respect to the commonly observed (normal) behavior.
- A significant deviation from the usual behavior is considered an anomaly, and therefore an attack.
- Does not need knowledge of previous attack patterns.
- Can potentially detect novel attacks.
Anomaly Detection in Web Applications
In the context of web applications this approach has the following advantages:
- No requirement for a priori knowledge of the web application.
- Capacity for self-adaptation to the periodic maintenance of the web applications in focus.
- Capacity to detect polymorphic and unknown attacks (e.g. zero-day attacks).
- Ability to protect custom-developed web applications.

We focus on anomaly-based algorithms to detect attacks against web applications.
Characteristics (1)
The detector analyzes the HTTP requests sent to the web application:

    [IP] - - [TS] "GET /page.php?p=calAcad HTTP/1.1" ..
    [IP] - - [TS] "GET /page.php?p=allnews HTTP/1.1" ..
    [IP] - - [TS] "GET /page.php?p=trabajo HTTP/1.1" ..
    [IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.1" ..
    [IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.0" ..
    [IP] - - [TS] "GET /page.php?p=mapsite HTTP/1.1" ..
    [IP] - - [TS] "GET /page.php?p=admision HTTP/1.1" ..
    [IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.1" ..
    [IP] - - [TS] "GET /page.php?p=materias HTTP/1.0" ..
    [IP] - - [TS] "GET /page.php?p=examenes HTTP/1.1" ..

The data analyzed for the anomaly detection is the URL Query String of the HTTP request.
Characteristics (2)
- The data model is based on the character distribution of the URL Query String.
- Our method requires only a small amount of normal data, used for frequency enhancement.
- The principal detection algorithm is based only on the current data.
- The principal hypothesis is that attacks significantly perturb the frequency of some characters.
- We apply the bidimensional Discrete Wavelet Transform (DWT), in particular the Haar Wavelet Transform, to detect anomalies in the character frequency distribution.
Modeling the anomaly using the character distribution
A window analyzed without attacks.
[Figure: panels (a) and (b) plot character Frequency against ASCII code (0-250) and HTTP Request index (0-250) for the window]
Modeling the anomaly using the character distribution
A window analyzed with two attacks.
[Figure: panels (a) and (b) plot character Frequency against ASCII code (0-250) and HTTP Request index (0-250) for the window]
Wavelets - Introduction
- The wavelet transform extracts information from the analyzed data at different resolution levels.
- It describes a signal in terms of a coarse overall shape plus a family of details.
- In the bidimensional case the input data is given as a matrix, and the 2D Discrete Wavelet Transform consists of performing the 1D wavelet transform on all rows and then on all columns.
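As an added example (not the authors' code, and not the decision rule of the deck, whose algorithm slides are not reproduced here), the following Python script ties the two technical slides together: it builds the character-distribution matrix described under Characteristics (1) and (2) from a constructed access-log window, one row per request and one column per ASCII code, and applies the 2D Haar transform exactly as defined above, one level of pairwise averages (coarse shape) and half-differences (details) over every row and then over every column. The log window, the two anomalous requests in it, and the median-based flagging threshold are my assumptions; the slides only state that attacks perturb the frequency of some characters.

```python
import re
from statistics import median
from typing import List

# Constructed access-log window in the layout shown on the Characteristics (1)
# slide ([IP] and [TS] are the deck's own placeholders). Rows 3 and 6 are
# constructed anomalous requests (a textbook script-injection probe and a
# path-traversal probe); the other six are benign query strings from the slide.
# Eight rows by 256 columns keeps both dimensions even for the Haar step.
SAMPLE_LOG = """\
[IP] - - [TS] "GET /page.php?p=calAcad HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=allnews HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=trabajo HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=<script>alert(1)</script> HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=mapsite HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=../../../../etc/passwd HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=materias HTTP/1.0" ..
"""

# Request line inside a log entry: method, target, protocol version.
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d\.\d"')


def query_strings(log: str) -> List[str]:
    """Return the URL query string of every request in the window."""
    queries = []
    for line in log.splitlines():
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        target = match.group(1)
        queries.append(target.split("?", 1)[1] if "?" in target else "")
    return queries


def char_frequency_matrix(queries: List[str]) -> List[List[float]]:
    """One row per request, one column per byte value 0..255 (the slide's ASCII axis)."""
    matrix = []
    for query in queries:
        row = [0.0] * 256
        for ch in query:
            code = ord(ch)
            if code < 256:
                row[code] += 1.0
        matrix.append(row)
    return matrix


def haar1d(values: List[float]) -> List[float]:
    """One level of the unnormalised Haar transform: pairwise averages (the
    coarse shape) in the first half, pairwise half-differences (the details)
    in the second half. len(values) must be even."""
    half = len(values) // 2
    approx = [(values[2 * i] + values[2 * i + 1]) / 2.0 for i in range(half)]
    detail = [(values[2 * i] - values[2 * i + 1]) / 2.0 for i in range(half)]
    return approx + detail


def haar2d(matrix: List[List[float]]) -> List[List[float]]:
    """2D Haar transform as defined on the slide: 1D transform of every row,
    then 1D transform of every column of the result."""
    rows = [haar1d(row) for row in matrix]
    n_rows, n_cols = len(rows), len(rows[0])
    out = [[0.0] * n_cols for _ in range(n_rows)]
    for j in range(n_cols):
        column = haar1d([rows[i][j] for i in range(n_rows)])
        for i in range(n_rows):
            out[i][j] = column[i]
    return out


def row_pair_detail_energy(transformed: List[List[float]]) -> List[float]:
    """Energy (sum of squares) of the column-direction detail coefficients.
    After the column step, detail row n/2 + k holds half the difference between
    original request rows 2k and 2k+1, so entry k measures how much those two
    requests' character distributions differ from each other."""
    half = len(transformed) // 2
    return [sum(c * c for c in transformed[half + k]) for k in range(half)]


def flag_pairs(energies: List[float], factor: float = 1.5) -> List[int]:
    """Placeholder decision rule (my assumption, not the deck's): report every
    row pair whose detail energy exceeds `factor` times the median energy."""
    threshold = factor * median(energies)
    return [k for k, energy in enumerate(energies) if energy > threshold]


def analyse(log: str = SAMPLE_LOG) -> List[int]:
    """Return the indices of the requests that sit in a flagged row pair."""
    queries = query_strings(log)
    energies = row_pair_detail_energy(haar2d(char_frequency_matrix(queries)))
    flagged = []
    for k in flag_pairs(energies):
        flagged.extend([2 * k, 2 * k + 1])
    return flagged


if __name__ == "__main__":
    qs = query_strings(SAMPLE_LOG)
    energies = row_pair_detail_energy(haar2d(char_frequency_matrix(qs)))
    for k, energy in enumerate(energies):
        print(f"rows {2 * k},{2 * k + 1}: detail energy {energy:.3f}")
    print("flagged requests:", [qs[i] for i in analyse()])
```

Two things worth noticing when running it. The benign pairs (rows 0-1 and 4-5) differ from each other by only a handful of letters, so their detail energy stays small, while the pairs containing the script and traversal probes are dominated by punctuation counts (`<`, `>`, `.`, `/`) that never occur in the benign query strings, which is exactly the "some characters are perturbed" hypothesis of Characteristics (2). Second, a single-level column step only localizes an anomaly to a pair of adjacent requests (here rows 2-3 and 6-7, although only rows 3 and 6 are anomalous); pinpointing one request needs either the per-row coefficients or a comparison against a normal profile, which belongs to the detection algorithm the deck describes on slides not included here.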