Web driven alert verification

Najafi, A ; Sharif University of Technology

  1. Type of Document: Article
  2. DOI: 10.1109/ISCISC.2014.6994044
  3. Abstract: A web attack is an attack against a web server through the HTTP protocol. By analyzing known web attacks, we find that each one has its own behavior. Vestiges of that behavior can be detected in the non-body parts of the HTTP protocol. Such information can be used to verify web alerts generated by Web Application Firewalls (WAFs) and Web Intrusion Detection Systems (Web IDSs). In this paper, we propose a method to verify web alerts generated by these sensors. The goal of the alert verification component is to eliminate or tag alerts that do not represent successful attacks. Our approach is based on analyzing HTTP transaction metadata, including the request method, request headers, status code, and response headers. We implemented an alert verification module, reconfigured ModSecurity, modified a subset of the OWASP ModSecurity Core Rule Set, and developed a knowledge base of web attack vectors to evaluate our method. We show that our approach significantly reduces false and non-relevant alerts with quite low processing overhead, and thus enhances the quality of the results.
  4. Keywords: Alert verification; Computer crime; Computer system firewalls; Hypertext systems; Internet protocols; Intrusion detection; Knowledge based systems; Security of data; Social networking (online); World Wide Web; HTTP protocols; Intrusion Detection Systems; Web application firewalls; Web attacks; HTTP
  5. Source: 2014 11th International ISC Conference on Information Security and Cryptology, ISCISC 2014; Sep, 2014, p. 180-185
  6. URL: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=6994044