Recently, security threats against web applications have been increasing rapidly, and open source web applications in particular are becoming popular targets of web server hacking. Moreover, there has been a worm that spread via web application vulnerabilities. Web application attacks exploit vulnerabilities not in the web server itself but in structural, logical, and coding errors. The majority of flaws in web applications are caused by a failure to validate user input. However, it is difficult to detect the variety of abnormal user inputs with a pattern matching method.
In this thesis, we propose a profile-based anomaly detection mechanism against web application attacks. A web application profile is a prepared record of normal activity, extracted from normal activities, that represents the characteristics of a web application.
The proposed anomaly detection algorithm consists of four categories: detection with a profile identifier, detection with parameter type, detection with parameter length, and detection with bi-gram distance. In the implementation, these algorithms are used together in the order of precedence described.
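The four checks applied in that order, as an added sketch that is not the thesis implementation. The identifier layout (method, path, sorted parameter names), the type classes, the length slack factor, the distance formula and its threshold are all assumptions, since the abstract does not define them.

```python
from urllib.parse import urlsplit, parse_qsl

def value_type(v):  # coarse type classes (assumed, not defined on the page)
    for name, test in (("digit", str.isdigit), ("alpha", str.isalpha), ("alnum", str.isalnum)):
        if test(v):
            return name
    return "other"

def bigrams(v):
    return {v[i:i + 2] for i in range(len(v) - 1)}

def parse(request_line):
    method, target = request_line.split()[:2]
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    return (method, url.path, tuple(sorted(params))), params  # identifier (assumed layout)

def build_profile(normal_requests):
    profile = {}
    for line in normal_requests:
        ident, params = parse(line)
        rec = profile.setdefault(ident, {})  # one profile record per identifier
        for name, v in params.items():
            p = rec.setdefault(name, {"types": set(), "max_len": 0, "bigrams": set()})
            p["types"].add(value_type(v))
            p["max_len"] = max(p["max_len"], len(v))
            p["bigrams"] |= bigrams(v)
    return profile

def check(profile, request_line, len_slack=1.5, max_distance=0.5):
    """Return 'normal' or the name of the first check that fails."""
    ident, params = parse(request_line)
    if ident not in profile:
        return "identifier"
    for name, v in params.items():
        p = profile[ident][name]
        if value_type(v) not in p["types"]:
            return "type"
        if len(v) > p["max_len"] * len_slack:
            return "length"
        grams = bigrams(v)  # distance (assumed): share of bi-grams unseen in training
        if grams and len(grams - p["bigrams"]) / len(grams) > max_distance:
            return "bigram"
    return "normal"

# Constructed sample of normal traffic used to build the profile.
NORMAL = ["GET /board/view.php?id=12&title=hello+world HTTP/1.1",
          "GET /board/view.php?id=345&title=web+security+notes HTTP/1.1",
          "GET /board/list.php?page=2 HTTP/1.1"]
```

Because the `title` parameter is free text, the type and length checks pass most values for it, so the bi-gram check is the one that separates ordinary text from unfamiliar character sequences.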
We implemented the proxy and the embedded filtering module on Redhat Linux 9.0, then ran experiments on an Apache web server and analyzed two aspects: the effectiveness of the proposed profiling method and the usefulness of the detection method. We verified that the number of profile records is relatively small compared with the number of requests in our experiment. Because the proposed detection algorithm adapts easily, the false positive error rate decreases with a small increase in profile records.
Finally, future work will aim to extend the proposed prototype so that it can be applied to a real environment.