Highly available, fault-tolerant, parallel dataflows
SIGMOD '04 Proceedings of the 2004 ACM SIGMOD international conference on Management of data
A multi-model approach to the detection of web-based attacks
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
An anomaly-driven reverse proxy for web applications
Proceedings of the 2006 ACM symposium on Applied computing
Multi-module vulnerability analysis of web-based applications
Proceedings of the 14th ACM conference on Computer and communications security
Detecting Shrew HTTP Flood Attacks for Flash Crowds
ICCS '07 Proceedings of the 7th international conference on Computational Science, Part I: ICCS 2007
TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems
IEICE - Transactions on Information and Systems
Journal of Computer Security - Best papers of the Sec Track at the 2006 ACM Symposium
A multi-model approach to the detection of web-based attacks
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web security
From Intrusion Detection to Intrusion Detection and Diagnosis: An Ontology-Based Approach
SEUS '09 Proceedings of the 7th IFIP WG 10.2 International Workshop on Software Technologies for Embedded and Ubiquitous Systems
Swaddler: an approach for the anomaly-based detection of state violations in web applications
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
A hybrid, stateful and cross-protocol intrusion detection system for converged applications
OTM'07 Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet systems: CoopIS, DOA, ODBASE, GADA, and IS - Volume Part II
A distributed multi-approach intrusion detection system for web services
Proceedings of the 3rd international conference on Security of information and networks
A novel intrusion detection system based on hierarchical clustering and support vector machines
Expert Systems with Applications: An International Journal
HengHa: data harvesting detection on hidden databases
Proceedings of the 2010 ACM workshop on Cloud computing security workshop
BLOCK: a black-box approach for detection of state violation attacks towards web applications
Proceedings of the 27th Annual Computer Security Applications Conference
Intrusion detection system for securing geographical information system web servers
W2GIS'04 Proceedings of the 4th international conference on Web and Wireless Geographical Information Systems
A learning-based approach to the detection of SQL attacks
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
COTS diversity based intrusion detection and application to web servers
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
SIPAD: SIP-VoIP Anomaly Detection using a Stateful Rule Tree
Computer Communications
| Hi-index | 0.00 |
Web servers are ubiquitous, remotely accessible, and oftenmisconfigured. In addition, custom web-based applicationsmay introduce vulnerabilities that are overlookedeven by the most security-conscious server administrators.Consequently, web servers are a popular target for hackers.To mitigate the security exposure associated with webservers, intrusion detection systems are deployed to analyzeand screen incoming requests. The goal is to perform earlydetection of malicious activity and possibly prevent moreserious damage to the protected site. Even though intrusiondetection is critical for the security of web servers, the intrusiondetection systems available today only perform verysimple analyses and are often vulnerable to simple evasiontechniques. In addition, most systems do not provide sophisticatedattack languages that allow a system administratorto specify custom, complex attack scenarios to be detected.This paper presents WebSTAT, an intrusion detection systemthat analyzes web requests looking for evidence of maliciousbehavior. The system is novel in several ways. First ofall, it provides a sophisticated language to describe multi-stepattacks in terms of states and transitions. In addition,the modular nature of the system supports the integratedanalysis of network traffic sent to the server host, operatingsystem-level audit data produced by the server host, andthe access logs produced by the web server. By correlatingdifferent streams of events, it is possible to achieve more effectivedetection of web-based attacks.