An Invariant-Based Approach for Detecting Attacks Against Data in Web Applications

RRABIDS (Ruby on Rails Anomaly Based Intrusion Detection System) is an application level intrusion detection system (IDS) for applications implemented with the Ruby on Rails framework. The goal of this intrusion detection system is to detect attacks against data in the context of web applications. This anomaly based IDS focuses on the modelling of the normal application profile using invariants. These invariants are discovered during a learning phase. Then, they are used to instrument the web application at source code level, so that a deviation from the normal profile can be detected at run-time. This paper illustrates on simple examples how the approach detects well-known categories of web attacks that involve a state violation of the application, such as SQL injections. Finally, an assessment phase is performed to evaluate the accuracy of the detection provided by the proposed approach.

Download Full-text

Using response action with intelligent intrusion detection and prevention system against web application malware

Information Management & Computer Security ◽

10.1108/imcs-02-2013-0007 ◽

2014 ◽

Vol 22 (5) ◽

pp. 431-449 ◽

Cited By ~ 8

Author(s):

Ammar Alazab ◽

Michael Hobbs ◽

Jemal Abawajy ◽

Ansam Khraisat ◽

Mamoun Alazab

Keyword(s):

Intrusion Detection ◽

Intrusion Detection System ◽

Web Application ◽

Web Applications ◽

Detection Efficiency ◽

Detection System ◽

Content Type ◽

Novel Approach ◽

Prevention System ◽

Intrusion Detection And Prevention

Purpose – The purpose of this paper is to mitigate vulnerabilities in web applications, security detection and prevention are the most important mechanisms for security. However, most existing research focuses on how to prevent an attack at the web application layer, with less work dedicated to setting up a response action if a possible attack happened. Design/methodology/approach – A combination of a Signature-based Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS), namely, the Intelligent Intrusion Detection and Prevention System (IIDPS). Findings – After evaluating the new system, a better result was generated in line with detection efficiency and the false alarm rate. This demonstrates the value of direct response action in an intrusion detection system. Research limitations/implications – Data limitation. Originality/value – The contributions of this paper are to first address the problem of web application vulnerabilities. Second, to propose a combination of an SIDS and an AIDS, namely, the IIDPS. Third, this paper presents a novel approach by connecting the IIDPS with a response action using fuzzy logic. Fourth, use the risk assessment to determine an appropriate response action against each attack event. Combining the system provides a better performance for the Intrusion Detection System, and makes the detection and prevention more effective.

Download Full-text

A Closer Look at Intrusion Detection System for Web Applications

Security and Communication Networks ◽

10.1155/2018/9601357 ◽

2018 ◽

Vol 2018 ◽

pp. 1-27 ◽

Cited By ~ 6

Author(s):

Nancy Agarwal ◽

Syed Zeeshan Hussain

Keyword(s):

Intrusion Detection ◽

Intrusion Detection System ◽

Web Applications ◽

Detection System ◽

Web Traffic ◽

Comprehensive Overview ◽

Web Based ◽

Efficient System ◽

Detection Systems ◽

Web Attacks

Intrusion Detection System (IDS) acts as a defensive tool to detect the security attacks on the web. IDS is a known methodology for detecting network-based attacks but is still immature in monitoring and identifying web-based application attacks. The objective of this research paper is to present a design methodology for efficient IDS with respect to web applications. In this paper, we present several specific aspects which make it challenging for an IDS to monitor and detect web attacks. The article also provides a comprehensive overview of the existing detection systems exclusively designed to observe web traffic. Furthermore, we identify various dimensions for comparing the IDS from different perspectives based on their design and functionalities. We also propose a conceptual framework of a web IDS with a prevention mechanism to offer systematic guidance for the implementation of the system. We compare its features with five existing detection systems, namely, AppSensor, PHPIDS, ModSecurity, Shadow Daemon, and AQTRONIX WebKnight. This paper will highly facilitate the interest groups with the cutting-edge information to understand the stronger and weaker sections of the domain and provide a firm foundation for developing an intelligent and efficient system.

Download Full-text

Perancangan dan Implementasi Instrusion Detection System di Jaringan Universitas Diponegoro

Jurnal Teknologi dan Sistem Komputer ◽

10.14710/jtsiskom.3.2.2015.171-178 ◽

2015 ◽

Vol 3 (2) ◽

pp. 171

Author(s):

Dyakso Anindito Nugroho ◽

Adian Fatchur Rochim ◽

Eko Didik Widianto

Keyword(s):

Operating System ◽

Network Security ◽

Intrusion Detection ◽

Intrusion Detection System ◽

Web Application ◽

Detection System ◽

Monitoring Network ◽

Final Project ◽

Security Device ◽

The Web

The use of information technology gives the advantage of open access for its users, but a new problem arises that there is a threat from unauthorized users. Intrusion Detection System (IDS) is applied to assist administrator to monitoring network security. IDS displays illegal access information in a raw form which is require more time to read the detected threats. This final project aims to design an IDS with web application which is made for pulling information on IDS sensor database, then processing and representing them in tables and graphs that are easy to understand. The web application also has IpTables firewall module to block attacker's IP address. The hardware used is Cisco IPS 4240, two computers Compaq Presario 4010F as client and gateway, and Cisco Catalyst 2960 switch. The software used is Ubuntu 12.0 LTS Precise operating system, BackTrack 5 R1 operating system, PHP 5.4 programming language, MySQL 5 database, and web-based system configuration tool Webmin. Testing is done using several BackTrack applications with the aim of Cisco IPS 4240 is capable of detecting accordance with the applicable rules. Each events of any attack attempt or threat was obtained from IDS sensor database in XML form. XML file is sent using Security Device Event Exchange (SDEE) protocol. The web application is tested by looking at the output tables and graphs that displays the appropriate results of sensor detection. This study generated an intrusion detection system that is easier to monitor. Network packets copied by the Cisco 2960 switch and then forwarded to the sensor. Intruder detection is done by Cisco IPS 4240 sensor. Log detection processed by the web application into tables and graphs. Intrusion detection systems are intended to improve network security.

Download Full-text

Online Database Intrusion Detection System Based on Query Signatures

Journal of University of Human Development ◽

10.21928/juhd.v3n1y2017.pp282-287 ◽

2017 ◽

Vol 3 (1) ◽

pp. 282

Author(s):

Alaa Khalil Alhadithy ◽

Awezan Aso Omar

Keyword(s):

Intrusion Detection ◽

Intrusion Detection System ◽

Web Application ◽

High Efficiency ◽

Detection System ◽

Major Type ◽

Before And After ◽

Web Application System ◽

The Web ◽

Database Intrusion Detection

SQL injection (SQLI) is a major type of attack that threatens the integrity, confidentiality and authenticity or functionality of any database driven web application. It allows the attacker to gain unauthorized access to the back-end database by exploiting the vulnerabilities within the system in order to commit an attack and access resources. Database Intrusion Detection System (DIDS) is the defense against SQLI that is used as a detection and prevention technique to protect any database driven web application. In this paper a proposed system is presented to protect the web application from SQLI. This proposed system uses a new technique of signature- based detection. It depends on secure hash algorithm (SHA-1), which is used to check the signature for the submitted queries and to decide whether these queries are valid, or not. The proposed system can distinguish and prevent hacking attempts by detecting the attacker, blocking his/her request, and preventing him/her from accessing the web application again. The proposed system was tested using Sqlmapproject attacking tool. Sqlmapproject was used to attack the web application (built using PHP and MySQL server) before and after protection. The results show that the proposed system works correctly and it can protect the web application system with good performance and high efficiency.

Download Full-text

A Signature-Based Intrusion Detection System for Web Applications based on Genetic Algorithm

Proceedings of the 9th International Conference on Security of Information and Networks - SIN '16 ◽

10.1145/2947626.2951964 ◽

2016 ◽

Cited By ~ 3

Author(s):

Robert Bronte ◽

Hossain Shahriar ◽

Hisham M. Haddad

Keyword(s):

Genetic Algorithm ◽

Intrusion Detection ◽

Intrusion Detection System ◽

Web Applications ◽

Detection System

Download Full-text

Web Application Intrusion Detection System for Input Validation Attack

2008 Third International Conference on Convergence and Hybrid Information Technology ◽

10.1109/iccit.2008.338 ◽

2008 ◽

Cited By ~ 13

Author(s):

YongJoon Park ◽

JaeChul Park

Keyword(s):

Intrusion Detection ◽

Intrusion Detection System ◽

Web Application ◽

Detection System ◽

Input Validation

Download Full-text

Analisis Perbandingan Kinerja Snort Dan Suricata Sebagai Intrusion Detection System Dalam Mendeteksi Serangan Syn Flood Pada Web Server Apache

Respati ◽

10.35842/jtir.v15i2.343 ◽

2020 ◽

Vol 15 (2) ◽

pp. 6

Author(s):

Lukman Lukman ◽

Melati Suci

Keyword(s):

Network Security ◽

Intrusion Detection ◽

Intrusion Detection System ◽

Detection System ◽

Denial Of Service ◽

Web Server ◽

Attack Detection ◽

Web Servers ◽

Server Software ◽

The Web

INTISARIKeamanan jaringan pada web server merupakan bagian yang paling penting untuk menjamin integritas dan layanan bagi pengguna. Web server sering kali menjadi target serangan yang mengakibatkan kerusakan data. Salah satunya serangan SYN Flood merupakan jenis serangan Denial of Service (DOS) yang memberikan permintaan SYN secara besar-besaran kepada web server.Untuk memperkuat keamanan jaringan web server penerapan Intrusion Detection System (IDS) digunakan untuk mendeteksi serangan, memantau dan menganalisa serangan pada web server. Software IDS yang sering digunakan yaitu IDS Snort dan IDS Suricata yang memiliki kelebihan dan kekurangannya masing-masing. Tujuan penelitian kali ini untuk membandingkan kedua IDS menggunakan sistem operasi linux dengan pengujian serangan menggunakan SYN Flood yang akan menyerang web server kemudian IDS Snort dan Suricata yang telah terpasang pada web server akan memberikan peringatan jika terjadi serangan. Dalam menentukan hasil perbandingan, digunakan parameter-parameter yang akan menjadi acuan yaitu jumlah serangan yang terdeteksi dan efektivitas deteksi serangan dari kedua IDS tersebut.Kata kunci: Keamanan jaringan, Web Server, IDS, SYN Flood, Snort, Suricata. ABSTRACTNetwork security on the web server is the most important part to guarantee the integrity and service for users. Web servers are often the target of attacks that result in data damage. One of them is the SYN Flood attack which is a type of Denial of Service (DOS) attack that gives a massive SYN request to the web server.To strengthen web server network security, the application of Intrusion Detection System (IDS) is used to detect attacks, monitor and analyze attacks on web servers. IDS software that is often used is IDS Snort and IDS Suricata which have their respective advantages and disadvantages.The purpose of this study is to compare the two IDS using the Linux operating system with testing the attack using SYN Flood which will attack the web server then IDS Snort and Suricata that have been installed on the web server will give a warning if an attack occurs. In determining the results of the comparison, the parameters used will be the reference, namely the number of attacks detected and the effectiveness of attack detection from the two IDS.Keywords: Network Security, Web Server, IDS, SYN Flood, Snort, Suricata.

Download Full-text