Loading...
- Type of Document: M.Sc. Thesis
- Language: Farsi
- Document No: 46936 (19)
- University: Sharif University of Technology
- Department: Computer Engineering
- Advisor(s): Jalili, Rasoul
- Abstract:
- With the growing deployment of host and network intrusion detection systems, analyzing generated alerts from these systems becomes critically important and challenging due to its complexity and high amount of data. A perfect intrusion detection system would be able to identify all the attacks without raising any false and non-relevant alarms. Unfortunately, false alarms are commonplace in intrusion detection systems. Non-relevant alerts, which are associated with attacks that were not successful, are also common. The process of identifying false and non-relevant alerts is called alert verification. Also nowadays, web applications are widely used in critical and important roles (e.g., government and electronic banking). Due to many reasons such as public accessibility to web servers, complexity and variety of web applications, low programmers’ security knowledge and experience, web applications are highly vulnerable. According to these two challenges, after deep analysis of structure and behavior of HTTP protocol, known web attack logics, tools and techniques of executing these attacks in one hand and alert correlation approaches in other hand, we propose a method based on prerequisite-consequence approach to verify alerts. The proposed method is based on analyzing non-body part of HTTP messages, including request method, response status code, request headers, and response headers. By analyzing this information, we try to detect failure of reported attacks in order to verify input alerts. we implemented an alert verification module, and developed knowledge-base of web attack vectors to evaluate our method. The proposed method has been evaluated by executing known web applications attacks in operational Environment. The results show that this method, called Web driven alert verification, efficiently detects false and non-relevant positives, produced by web intrusion detection systems, without removing true-alerts, and with low memory and CPU usage
- Keywords:
- Alert Correlation ; Intrusion Detection System ; Web Application ; Firewall System (Computer) ; Alert Verification ; Web Attack
- محتواي کتاب
- view