URL query string anomaly sensor designed with the bidimensional Haar wavelet transform

  • Regular Contribution
  • International Journal of Information Security

Abstract

This paper proposes the two-dimensional (2D) Haar wavelet transform as the analysis technique for HTTP traffic data, specifically URL query strings. Web attacks are detected by two threshold operations applied to the wavelet coefficients of the 2D transform: one based on the median of the coefficients and the other on the best-approximation method. The two resulting algorithms are validated through an extensive set of simulations, including comparisons with well-established techniques, confirming the effectiveness of the designed sensor.
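The abstract names the parts of the sensor (a 2D Haar decomposition of HTTP data and a median-based threshold on the detail coefficients) without giving the construction, so the Python below is an added illustration written for this page; it is not the authors' code, and the page does not describe their matrix layout, normalisation or decision rule. Everything beyond the abstract's outline is an assumption made here: each URL query string is percent-decoded and mapped to a 4x8 grid of character-class codes (0 padding, 1 letter, 2 digit, 3 '=' or '&', 4 anything else), the Haar transform uses averaging normalisation and recurses on the low-pass quadrant, the coefficient threshold is k times the median of the non-zero detail magnitudes observed on clean training traffic (k = 1.5 here), and a request is flagged when more of its coefficients exceed that threshold than any training request's did. All query strings are constructed for the example. The abstract's second method, thresholding by best approximation, is not implemented.

```python
"""Toy URL-query-string anomaly sensor on a 2D Haar wavelet pyramid (added
illustration, not the paper's code: grid layout, normalisation, threshold and
decision rule are assumptions made here, since the page gives no construction)."""
import statistics
from urllib.parse import unquote_plus

ROWS, COLS = 4, 8  # 32 characters per request; longer strings are truncated

def char_class(ch):
    """Assumed encoding: 1 letter, 2 digit, 3 '=' or '&', 4 anything else."""
    if ch.isalpha():
        return 1
    if ch.isdigit():
        return 2
    if ch in "=&":
        return 3
    return 4  # quotes, spaces, '<', '%', '-', ...: rare in clean query strings

def query_matrix(qs, rows=ROWS, cols=COLS):
    """Percent-decode, encode by class, zero-pad or truncate into a rows x cols grid."""
    codes = [char_class(c) for c in unquote_plus(qs)][: rows * cols]
    codes += [0] * (rows * cols - len(codes))
    return [codes[r * cols:(r + 1) * cols] for r in range(rows)]

def haar1d(v):
    """One Haar level on an even-length sequence: (pair averages, half differences)."""
    lows = [(v[i] + v[i + 1]) / 2 for i in range(0, len(v), 2)]
    highs = [(v[i] - v[i + 1]) / 2 for i in range(0, len(v), 2)]
    return lows, highs

def ihaar1d(lows, highs):
    return [x for a, d in zip(lows, highs) for x in (a + d, a - d)]

def _cols_fwd(block):
    lows, highs = zip(*(haar1d(col) for col in zip(*block)))
    return [list(r) for r in zip(*lows)], [list(r) for r in zip(*highs)]

def _cols_inv(low, high):
    cols = [ihaar1d(l, h) for l, h in zip(zip(*low), zip(*high))]
    return [list(r) for r in zip(*cols)]

def haar2d(m):
    """Separable 2D Haar pyramid -> (approximation, [(level, LH, HL, HH), ...]),
    finest level first, recursing on the low-pass quadrant while both sides are even."""
    details, ll = [], m
    while len(ll) % 2 == 0 and len(ll[0]) % 2 == 0:
        row_l, row_h = zip(*(haar1d(r) for r in ll))
        ll, lh = _cols_fwd(row_l)  # approximation and vertical detail
        hl, hh = _cols_fwd(row_h)  # horizontal and diagonal detail
        details.append((len(details) + 1, lh, hl, hh))
    return ll, details

def ihaar2d(approx, details):
    """Exact inverse of haar2d."""
    ll = approx
    for _, lh, hl, hh in reversed(details):
        ll = [ihaar1d(l, h) for l, h in zip(_cols_inv(ll, lh), _cols_inv(hl, hh))]
    return ll

def detail_magnitudes(m):
    """|c| for every detail coefficient of m, all levels and orientations."""
    _, details = haar2d(m)
    return [abs(c) for _, *blocks in details for b in blocks for row in b for c in row]

class WaveletSensor:
    """Fit the median-based coefficient threshold on clean traffic, then score."""

    def __init__(self, k=1.5):
        self.k = k  # sensitivity multiplier on the median (tuning assumption)
        self.threshold = self.max_benign = None

    def fit(self, clean_queries):
        mags = [x for q in clean_queries for x in detail_magnitudes(query_matrix(q))]
        # exact zeros come from flat (padding/constant) regions, so the median skips them
        self.threshold = self.k * statistics.median([x for x in mags if x > 0])
        self.max_benign = max(self.score(q) for q in clean_queries)
        return self

    def score(self, qs):
        """Number of detail coefficients whose magnitude exceeds the threshold."""
        return sum(1 for x in detail_magnitudes(query_matrix(qs)) if x > self.threshold)

    def is_anomalous(self, qs):
        return self.score(qs) > self.max_benign

# Constructed sample traffic (not the paper's data set).
TRAINING_QUERIES = ["id=42&page=3", "q=shoes&sort=asc", "user=alice&lang=en",
                    "cat=books&limit=20", "ref=home"]
BENIGN_TEST = "page=7&view=list"
SQLI = "id=1' OR '1'='1' --"
SQLI_ENCODED = "id=1%27%20OR%20%271%27%3D%271%27%20--"  # same payload, percent-encoded
XSS = "q=<script>alert(1)</script>"

if __name__ == "__main__":
    sensor = WaveletSensor().fit(TRAINING_QUERIES)
    print(f"threshold={sensor.threshold}  max benign score={sensor.max_benign}")
    for q in (BENIGN_TEST, SQLI, SQLI_ENCODED, XSS):
        print(f"{sensor.score(q):2d}  {'ANOMALY' if sensor.is_anomalous(q) else 'ok':7s} {q}")
```

Running the file prints the learned threshold (0.75 on the constructed training set, whose largest per-request count is 2) and a score per query string: the benign test string scores 1 and passes, the SQL-injection and XSS strings score 7 and 5 and are flagged. The percent-encoded variant of the injection scores exactly the same as its decoded form because decoding happens before the transform; without that step an attacker could hide class transitions behind encoding. The class-code encoding and the tiny training set are what make this toy cleanly separable: a real deployment would fit the threshold on a large window of clean traffic, revisit k, and accept that a payload engineered to look as smooth as normal queries (mimicry) is not caught by coefficient counts alone.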


Figs. 1–14


Acknowledgments

The first author is supported by CNPq Postdoctoral Fellowship under number 201457/2010-5.

Author information

Correspondence to Cristian Cappo.


Cite this article

Kozakevicius, A., Cappo, C., Mozzaquatro, B.A. et al. URL query string anomaly sensor designed with the bidimensional Haar wavelet transform. Int. J. Inf. Secur. 14, 561–581 (2015). https://doi.org/10.1007/s10207-015-0276-y
