Interleaving-Oriented Correlation Finding for Web Mimicry Attacks based on Conditional Random Fields

Master's === National Taiwan University of Science and Technology === Department of Computer Science and Information Engineering === 97 === Web mimicry attacks evade anomaly-based web application intrusion detection through the insertion of meaningless or irrelevant characters. In this study, we propose Interleaving-Oriented Correlation Finding (IOCF) to defend against Web mimicry attac...


Bibliographic Details
Main Authors: En-Sih Liou, 劉恩賜
Other Authors: Hanhn-Ming Lee
Format: Others
Language: en_US
Published: 2009
Online Access: http://ndltd.ncl.edu.tw/handle/51970792570403973910
id ndltd-TW-097NTUS5392082
spelling ndltd-TW-097NTUS5392082 ; 2016-05-02T04:11:47Z ; http://ndltd.ncl.edu.tw/handle/51970792570403973910 ; Interleaving-Oriented Correlation Finding for Web Mimicry Attacks based on Conditional Random Fields (應用條件隨機域進行插入導向前後關聯分析以辨識網站擬態攻擊) ; En-Sih Liou (劉恩賜) ; Master's ; National Taiwan University of Science and Technology ; Department of Computer Science and Information Engineering ; 97 ; Hanhn-Ming Lee (李漢銘) ; 2009 ; thesis ; 63 ; en_US
collection NDLTD
description Master's === National Taiwan University of Science and Technology === Department of Computer Science and Information Engineering === 97 === Web mimicry attacks evade anomaly-based web application intrusion detection through the insertion of meaningless or irrelevant characters. In this study, we propose Interleaving-Oriented Correlation Finding (IOCF) to defend against Web mimicry attacks. IOCF segments HTTP requests into token sequences and models the correlation among tokens, based on Conditional Random Fields (CRFs), in order to identify web mimicry attacks. CRFs are a widely used algorithm for solving sequence labeling problems and are therefore robust at capturing the strong dependencies among the tokens in a token sequence. Since CRFs relax the strong independence assumptions of previous probabilistic sequence analysis methods (e.g. HMM), they can capture long-term dependencies among observed token sequences, improving the detection of Web mimicry attacks. The proposed method only needs to inspect HTTP requests and is easier to plug into an existing intrusion detection system to identify subtle web attacks. The evaluation datasets come from “ECML/PKDD 2007’s Analyzing Web Traffic challenge”, a public dataset for web application attack detection. The experimental results show that the proposed system performs well in detecting both web mimicry attacks and general web application attacks, even in heavy interleaving cases.