Abstract
In this paper, the 2D Haar wavelet transform is proposed as the analysis technique for HTTP traffic data. Web attacks are detected by two threshold operations applied to the wavelet coefficients of the 2D transform: one based on their median and the other on the best approximation method. The two proposed algorithms are validated through an extensive set of simulations, including comparisons with well-established techniques, which confirm the effectiveness of the designed sensor.
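As an added illustration (not the paper's code), the following shows a one-level 2D Haar transform of a request-by-feature matrix followed by a median-based threshold on the detail coefficients. The feature map (character-class counts of the URL query string), the median-centring of each column before the transform, and the per-pair energy rule k times the median are assumptions made for this example; the paper's own data layout and threshold rule may differ.

```python
from statistics import median

def features(qs):
    """Count characters per class (constructed feature map, an assumption):
    alnum, '=&', '%', quotes, parentheses, spaces, '<>', anything else."""
    c = [0] * 8
    for ch in qs:
        if ch.isalnum(): c[0] += 1
        elif ch in "=&": c[1] += 1
        elif ch == "%": c[2] += 1
        elif ch in "'\"": c[3] += 1
        elif ch in "()": c[4] += 1
        elif ch == " ": c[5] += 1
        elif ch in "<>": c[6] += 1
        else: c[7] += 1
    return c

def haar_1d(v):
    """One-level 1D Haar: averages and half-differences of adjacent pairs."""
    a = [(v[i] + v[i + 1]) / 2 for i in range(0, len(v), 2)]
    d = [(v[i] - v[i + 1]) / 2 for i in range(0, len(v), 2)]
    return a, d

def haar_2d(m):
    """One-level 2D Haar, row pass then column pass (even sizes required).
    Returns sub-bands LL, LH, HL, HH; letter order = row filter, column filter."""
    ra, rd = zip(*(haar_1d(r) for r in m))
    def col_pass(block):
        low, high = zip(*(haar_1d(list(c)) for c in zip(*block)))
        return [list(x) for x in zip(*low)], [list(x) for x in zip(*high)]
    LL, LH = col_pass(ra)
    HL, HH = col_pass(rd)
    return LL, LH, HL, HH

def detect(queries, k=3.0):
    """Median-based threshold on detail-coefficient energy. Sub-band row i covers
    requests 2i and 2i+1, so the flagged unit is that pair. Returns (thr, flagged)."""
    m = [features(q) for q in queries]
    base = [median(col) for col in zip(*m)]                      # robust benign profile
    centred = [[x - b for x, b in zip(row, base)] for row in m]  # remove it first
    _, LH, HL, HH = haar_2d(centred)
    energy = [sum(x * x for band in (LH, HL, HH) for x in band[i]) for i in range(len(LH))]
    thr = k * median(energy)
    flagged = [j for i, e in enumerate(energy) if e > thr for j in (2 * i, 2 * i + 1)]
    return thr, flagged

# Constructed sample: index 5 is dominated by quotes, parentheses and spaces.
QUERIES = ["id=42&page=3", "user=alice&sort=name", "q=shoes&limit=20", "lang=en&id=7",
           "page=1&sort=date", "id=1'' '' (( ))  ''", "q=bag&limit=10", "user=bob&page=2"]
```

Running `detect(QUERIES)` flags the pair of requests 4 and 5, which a sensor would then hand to a finer check to isolate the anomalous one.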
Acknowledgments
The first author is supported by CNPq Postdoctoral Fellowship under number 201457/2010-5.
Cite this article
Kozakevicius, A., Cappo, C., Mozzaquatro, B.A. et al. URL query string anomaly sensor designed with the bidimensional Haar wavelet transform. Int. J. Inf. Secur. 14, 561–581 (2015). https://doi.org/10.1007/s10207-015-0276-y
DOI: https://doi.org/10.1007/s10207-015-0276-y