Web Application Security: An Anomaly Detection Approach via On-line PCA


Bibliographic Details
Main Authors: Shuan-Hao Guo, 郭宣皞
Other Authors: Yuh-Jye Lee
Format: Others
Language: en_US
Published: 2009
Online Access: http://ndltd.ncl.edu.tw/handle/41622107246254097635
Description
Summary: Master's === National Taiwan University of Science and Technology === Department of Computer Science and Information Engineering === 97 === The Internet has grown rapidly and changed our lives greatly. In recent years, web applications have become tremendously popular and have been widely developed to provide services such as medical, financial, military, and educational services. As the use of web applications for important services has increased, the number of attacks against them has grown as well. Web-based vulnerabilities represent a significant portion of the security exposure of computer networks. To detect known web-based attacks, misuse intrusion detection systems are configured with a large number of signatures. Unfortunately, the large number of web-related vulnerabilities disclosed daily makes it hard for system managers to keep the signatures updated. Therefore, the system cannot defend against novel attacks. In addition, web-based vulnerabilities usually depend on programming errors in specific applications. Hence, anomaly intrusion detection systems were introduced to overcome the disadvantages of misuse intrusion detection systems. They learn the normal behavior of the users of web applications so that novel attacks can also be detected. Previous research on anomaly detection systems has focused on detection methodologies based on analyzing the characteristics of normal requests, using features to describe them such as the length of the parameter values, the normal distribution of characters in the parameter values, etc. No prior research proposes a reasonable method that can combine these features appropriately. In this thesis, we propose an anomaly detection approach based on On-line PCA. Ideally, using the variance of features with different parameters allows the system to combine them better and increases detection effectiveness. The system automatically derives the profiles associated with a web application from the analyzed requests. Hence, it can be deployed in very different web application environments without time-consuming tuning. We evaluate our approach by computing the detection rate and false positive rate of the system and obtain satisfactory results.