On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.

WEB DDoS Attack Detection Method Based on Semisupervised Learning

Since the services on the Internet are becoming increasingly abundant, all walks of life are inextricably linked with the Internet. Simultaneously, the Internet’s WEB attacks have never stopped. Relative to other common WEB attacks, WEB DDoS (distributed denial of service) will cause serious damage to the availability of the target network or system resources in a short period of time. At present, most researches are centered around machine learning-related DDoS attack detection algorithms. According to previous studies, unsupervised methods generally have a high false positive rate, while supervisory methods cannot handle large amount of network traffic data, and the performance is often limited by noise and irrelevant data. Therefore, this paper proposes a semisupervised learning detection model combining spectral clustering and random forest to detect the DDoS attack of the WEB application layer and compares it with other existing detection schemes to verify the semisupervised learning model proposed in this paper. While ensuring a low false positive rate, there is a certain improvement in the detection rate, which is more suitable for the WEB application layer DDoS attack detection.

Detecting Web Attacks Based on Clustering Algorithm and Multi-branch CNN

Abstract—This paper proposes and develops a web attack detection model that combines a clustering algorithm and a multi-branch convolutional neural network (CNN). The original feature set was clustered into clusters of similar features. Each cluster of similar features was generalized in a convolutional structure of a branch of the CNN. The component feature vectors are assembled into a synthetic feature vector and included in a fully connected layer for classification. Using K-fold cross-validation, the accuracy of the proposed method 98.8%, F1-score is 98.9% and the improvement rate of accuracy is 1.479%.Tóm tắt—Bài báo đề xuất và phát triển mô hình phát hiện tấn công Web dựa trên kết hợp thuật toán phân cụm và mạng nơ-ron tích chập (CNN) đa nhánh. Tập đặc trưng ban đầu được phân cụm thành các nhóm đặc trưng tương ứng. Mỗi nhóm đặc trưng được khái quát hoá trong một nhánh của mạng CNN đa nhánh để tạo thành một vector đặc trưng thành phần. Các vector đặc trưng thành phần được ghép lại thành một vector đặc trưng tổng hợp và đưa vào lớp liên kết đầy đủ để phân lớp. Sử dụng phương pháp kiểm thử chéo trên mô hình đề xuất, độ chính xác đạt 98,8%, F1-score đạt 98,8% và tỉ lệ cải tiến độ chính xác là 1,479%.

Detecting web attacks using random undersampling and ensemble learners

Class imbalance is an important consideration for cybersecurity and machine learning. We explore classification performance in detecting web attacks in the recent CSE-CIC-IDS2018 dataset. This study considers a total of eight random undersampling (RUS) ratios: no sampling, 999:1, 99:1, 95:5, 9:1, 3:1, 65:35, and 1:1. Additionally, seven different classifiers are employed: Decision Tree (DT), Random Forest (RF), CatBoost (CB), LightGBM (LGB), XGBoost (XGB), Naive Bayes (NB), and Logistic Regression (LR). For classification performance metrics, Area Under the Receiver Operating Characteristic Curve (AUC) and Area Under the Precision-Recall Curve (AUPRC) are both utilized to answer the following three research questions. The first question asks: “Are various random undersampling ratios statistically different from each other in detecting web attacks?” The second question asks: “Are different classifiers statistically different from each other in detecting web attacks?” And, our third question asks: “Is the interaction between different classifiers and random undersampling ratios significant for detecting web attacks?” Based on our experiments, the answers to all three research questions is “Yes”. To the best of our knowledge, we are the first to apply random undersampling techniques to web attacks from the CSE-CIC-IDS2018 dataset while exploring various sampling ratios.