CHAPTER 1
INTRODUCTION
1.1 THREE TIER ARCHITECTURE
WebSphere Application Server provides the application logic layer in a three-tier architecture, enabling client components to interact with data resources and legacy applications. Collectively, three-tier architectures are programming models that enable the distribution of application functionality across three independent systems:
• Client components running on local workstations (tier one)
• Processes running on remote servers (tier two)
• A discrete collection of databases, resource managers, and mainframe applications (tier three)
These tiers are logical tiers; they might or might not be running on the same physical server.
1.1.1 FIRST TIER
Responsibility for presentation and user interaction resides with the first-tier components. These client components enable the user to interact with the second-tier processes in a secure and intuitive manner. WebSphere Application Server supports several client types. Clients do not access the third-tier services directly. For example, a client component provides a form on which a customer orders products. The client component submits this order to the second-tier processes, which check the product databases and perform the tasks needed for billing and shipping.
1.1.2 SECOND TIER
The second-tier processes are commonly referred to as the application logic layer. These processes manage the business logic of the application and are permitted access to the third-tier services. The application logic layer is where most of the processing work occurs. Multiple client components can access the second-tier processes simultaneously, so this application logic layer must manage its own transactions.
1.1.3 THIRD TIER
The third-tier services reside within a secure network and are protected from direct access by the client components. Interaction must occur through the second-tier processes.
1.2 INTRODUCTION TO THE SYSTEM
Web-based attacks have recently become more diverse, as attention has shifted from attacking the front end to exploiting vulnerabilities of the web applications in order to corrupt the back-end database system (e.g., SQL injection attacks). A plethora of Intrusion Detection Systems (IDSs) currently examine network packets individually within both the web server and the database system. However, very little work has been done on multitier Anomaly Detection (AD) systems that generate models of network behavior for both web and database network interactions. In such multitier architectures, the back-end database server is often protected behind a firewall while the web servers are remotely accessible over the Internet. Unfortunately, though they are protected from direct remote attacks, the back-end systems are susceptible to attacks that use web requests as a means to exploit the back end. To protect multitier web services, intrusion detection systems have been widely used to detect known attacks by matching misused traffic patterns or signatures. A class of IDS that leverages machine learning can also detect unknown attacks by identifying abnormal network traffic that deviates from the so-called normal behavior previously profiled during the IDS training phase.
Individually, the web IDS and the database IDS can detect abnormal network traffic sent to either of them. However, these IDSs cannot detect cases wherein normal traffic is used to attack the web server and the database server. For example, if an attacker with non-admin privileges can log in to a web server using normal-user access credentials, he/she can find a way to issue a privileged database query by exploiting vulnerabilities in the web server. Neither the web IDS nor the database IDS would detect this type of attack, since the web IDS would merely see typical user login traffic and the database IDS would see only the normal traffic of a privileged user. This type of attack can be readily detected if the database IDS can identify that a privileged request from the web server is not associated with user-privileged access. Unfortunately, within the current multithreaded web server architecture, it is not feasible to detect or profile such causal mapping between web server traffic and DB server traffic, since traffic cannot be clearly attributed to user sessions.
1.3 DOUBLE GUARD DETECTION
This project presents DoubleGuard, a system used to detect attacks in multitier web services. Our approach creates normality models of isolated user sessions that include both the web front-end (HTTP) and back-end (file or SQL) network transactions. To achieve this, we employ a lightweight virtualization technique to assign each user's web session to a dedicated container, an isolated virtual computing environment. We use the container ID to accurately associate the web request with the subsequent DB queries. Thus, DoubleGuard can build a causal mapping profile by taking both the web server and DB traffic into account. We have implemented our DoubleGuard container architecture using OpenVZ, and performance testing shows that it has reasonable performance overhead and is practical for most web applications. It also provides an isolation that prevents future session-hijacking attacks. Within a lightweight virtualization environment, we ran many copies of the web server instances in different containers so that each one was isolated from the rest. Since containers can be easily instantiated and destroyed, we assigned each client session a dedicated container so that, even if an attacker is able to compromise a single session, the damage is confined to the compromised session; other user sessions remain unaffected by it. Using our prototype, we show that, for websites that do not permit content modification from users, there is a direct causal relationship between the requests received by the front-end web server and those generated for the database back end. In fact, we show that this causality mapping model can be generated accurately and without prior knowledge of web application functionality.
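As a concrete illustration of this container-ID bookkeeping, the following Java sketch (Java being the project's implementation language) shows one possible shape of the mapping profile. All class and method names here are assumptions for illustration, not DoubleGuard's actual code.

    import java.util.*;

    // Minimal sketch (assumed names) of a causal mapping profile keyed
    // by container/session ID.
    public class MappingProfile {

        /** Traffic observed inside one dedicated container (one user session). */
        public static class SessionTraffic {
            public final String containerId;
            public final List<String> httpRequests = new ArrayList<>();
            public final List<String> sqlQueries = new ArrayList<>();
            public SessionTraffic(String containerId) { this.containerId = containerId; }
        }

        // For each normalized HTTP request, the SQL queries seen to follow it
        // within the same container during training.
        private final Map<String, Set<String>> requestToQueries = new HashMap<>();

        public void train(SessionTraffic session) {
            // The container ID guarantees these requests and queries belong to
            // the same user session, so the pairing is causal, not coincidental.
            for (String request : session.httpRequests) {
                requestToQueries.computeIfAbsent(request, k -> new HashSet<>())
                                .addAll(session.sqlQueries);
            }
        }

        public boolean isWithinProfile(String request, Set<String> observedQueries) {
            Set<String> expected = requestToQueries.get(request);
            return expected != null && expected.containsAll(observedQueries);
        }
    }

This is only a rough shape of the idea; Chapter 5 develops the actual training and testing rules in detail.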
1.4 CONTAINERS AND LIGHTWEIGHT VIRTUALIZATION
Virtualization is the act of making a set of processes believe that it has a dedicated system to itself. There are a number of approaches being taken to the virtualization problem, with Xen, VMware, and User-Mode Linux being some of the better-known options. Those are relatively heavyweight solutions, however, with a separate kernel being run for each virtual machine. Often, that is exactly the right solution to the problem; running independent kernels gives strong separation between environments and enables the running of multiple operating systems on the same hardware.
Full virtualization and paravirtualization are not the only approaches being taken, however. An alternative is lightweight virtualization, generally based on some sort of container concept. With containers, a group of processes still appears to have its own dedicated system, but it is really running in a specially isolated environment, and all containers run on top of the same kernel. With containers, the ability to run different operating systems is lost, as is the strong separation between virtual systems, so DoubleGuard does not give root access to processes running within a container environment. On the other hand, containers can have considerable performance advantages, enabling large numbers of them to run on the same physical host.
1.5 OBJECTIVE
In this project, we propose an efficient IDS called DoubleGuard that models the network behavior of user sessions in multitier web applications across both front-end web (HTTP) requests and back-end database (SQL) queries.
1.6 EXISTING SYSTEM
Intrusion detection systems currently examine network packets individually within both the web server and the database system. However, very little work has been done on multitier anomaly detection systems that generate models of network behavior for both web and database interactions. In such multitier architectures, the back-end database server is often protected behind a firewall while the web servers are remotely accessible over the Internet. Unfortunately, though they are protected from direct remote attacks, the back-end systems are susceptible to attacks that use web requests as a means to exploit the back end. The web IDS would merely see typical user login traffic, and the database IDS would see only the normal traffic of a privileged user. Existing approaches detect intrusions or vulnerabilities by statically analyzing the source code or executables.
1.6.1 CLASSIC 3 TIER MODEL
In the existing system, the communication between the web server and the database server is not separated, and it is hard to understand the relationships among them. If Client 2 is malicious and takes over the web server, all subsequent database transactions become suspect, as well as the response to the client.
Figure 1.6.1 Classic 3-tier architecture
1.6.2 LIMITATION OF EXISTING SYSTEM
In the existing system, both the web server and the database server are vulnerable, and hostile traffic can be directed at either of them. Attacks come from the web clients; they launch application-layer attacks to compromise the web servers they are connecting to. The attackers can also bypass the web server to directly attack the database server. Attackers may take over the web server after the attack, and afterwards they can obtain full control of the web server to launch subsequent attacks. Attackers could modify the application logic of the web applications, eavesdrop on or hijack other users' web requests, or intercept and modify the database queries to steal sensitive data beyond their privileges.
1.7 PROPOSED SYSTEM
DoubleGuard performs detection using both front-end and back-end traffic. Some previous approaches have detected intrusions or vulnerabilities by statically analyzing the source code or executables; others dynamically track the information flow to understand taint propagation and detect intrusions. In DoubleGuard, the new container-based web server architecture enables us to separate the different information flows of each session by using lightweight virtualization. Within a lightweight virtualization environment, we ran many copies of web server instances in different containers so that each one is isolated from the rest. Separating the information flow of each session provides a means of tracking that flow from the web server to the database server per session. It is possible to initialize thousands of containers on a single machine.
DoubleGuard detects SQL injection attacks by examining the structure of the web requests and database queries without looking into the values of input parameters. In DoubleGuard, we utilize the container ID to separate session traffic as a way of extracting and identifying the causal relationships between web server requests and database query events. Our approach dynamically generates new containers and recycles used ones. As a result, a single physical server can run continuously and serve all web requests. However, from a logical perspective, each session is assigned to a dedicated web server and isolated from other sessions. Since we initialize each virtualized container using a read-only clean template, we can guarantee that each session will be served with a clean web server instance at initialization.
This system chooses to separate communications at the session level so that a single user always deals with the same web server. Sessions can represent different users to some extent, and we expect the communication of a single user to go to the same dedicated web server, thereby allowing us to identify suspect behavior by both session and user. If we detect abnormal behavior in a session, we will treat all traffic within this session as tainted.
1.7.1 ADVANTAGES
The proposed system is a well-correlated model that provides an effective and more accurate mechanism against different types of attacks. The proposed system creates a causal mapping profile by taking both the web server and DB traffic into account. It also provides a better characterization for anomaly detection with the correlation of input streams, because the intrusion sensor has a more precise normality model that detects a wider range of threats. Containers are easily assigned and destroyed, and each client session is assigned to a separate container. If an attacker compromises a single session, the damage is confined to the compromised session; other sessions are unaffected. If malicious traffic occurs, only the particular user session is affected, and it is also easy to find who the attacker is.
CHAPTER 2
LITERATURE SURVEY
2.1 [27] Toward Automated Detection of Logic Vulnerabilities in Web Applications, V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna, Proc. USENIX Security Symp., 2010.
Web applications are the most common way to make services and data available on the Internet. Unfortunately, with the increase in the number and complexity of these applications, there has also been an increase in the number and complexity of vulnerabilities. Current techniques to identify security problems in web applications have mostly focused on input validation flaws. This paper focused on logic vulnerabilities. Application logic vulnerabilities are an important class of defects that are the result of faulty application logic. These vulnerabilities are specific to the functionality of particular web applications, and, thus, they are extremely difficult to characterize and identify. In this paper, we propose a first step toward the automated detection of application logic vulnerabilities. Our approach uses a composition of dynamic analysis and symbolic model checking to identify invariants that are part of the intended program specification but are not enforced on all paths in the code of a web application. We implemented the proposed approach in a tool, called Waler, that analyzes servlet-based web applications; it builds on the JPF model checker and the Daikon invariant detector. We used Waler to identify a number of previously unknown application logic vulnerabilities in several real-world applications and in a number of senior undergraduate projects. To the best of our knowledge, Waler is the first tool that is able to automatically detect complex web application logic flaws without the need for substantial human (annotation) effort or the use of ad hoc, manually specified heuristics.
We evaluated the effectiveness of our system in detecting logic vulnerabilities on four real-world applications, namely Easy JSP Forum, GIMS, JaCoB, and JspCart. The first application that we analyzed is the Easy JSP Forum application, a community forum written in JSP. The second application that we analyzed is the Global Internship Management System (GIMS); using Waler, we found that many of the pages in the application do not have sufficient protection from unauthorized access. The third application is JaCoB, a community message board application that supports posting and viewing of messages by registered users. For this program, our tool neither found any vulnerabilities nor generated any false alert. The fourth test application is JspCart, which is a typical online store. Waler identified a number of pages in its administrative interface that can be accessed by unauthorized users. In JspCart, all pages available to an admin user are protected by checks that examine the User object in the session.
2.2 [31] Anomaly Detection of Web-Based Attacks, C. Kruegel and G. Vigna, Proc. 10th ACM Conf. Computer and Comm. Security (CCS '03), Oct. 2003.
Web servers and web-based applications are popular attack targets. In order to detect known web-based attacks, misuse detection systems are equipped with a large number of signatures. Unfortunately, it is difficult to keep up with the daily disclosure of web-related vulnerabilities, and, in addition, vulnerabilities may be introduced by installation-specific web-based applications. Therefore, misuse detection systems should be complemented with anomaly detection systems. This paper presents an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web-based applications. The system performs focused analysis and produces a reduced number of false positives. The system operates in two modes. The first, training mode, is based on user behavior analysis: since attack behavior varies from normal user behavior, this mode generates a profile of normal users. The second, detection mode, calculates a malicious score for each query and reports anomalous queries based on that anomaly score (normal queries score less than 1); detection mode is also responsible for checking the structure of the queries. This paper introduces a novel approach to perform anomaly detection, using as input HTTP queries containing parameters. The work presented here is novel in several ways. First of all, to the best of our knowledge, this is the first anomaly detection system specifically tailored to the detection of web-based attacks. Second, the system takes advantage of application correlation between server-side programs and the parameters used in their invocation. Third, the parameter characteristics (e.g., length and structure) are learned from input data. The ultimate goal is to be able to perform anomaly detection in real time for websites that process millions of queries per day with virtually no false alarms.
2.3 [44] Database Intrusion Detection Using Weighted Sequence Mining, A. Srivastava, S. Sural, and A.K. Majumdar, J. Computers, vol. 1, no. 4, pp. 8-17, 2006.
Data mining has attracted a lot of attention due to the increased generation, transmission, and storage of high-volume data and an imminent need for extracting useful information and knowledge from them. Since a database stores the valuable information of an application, its security has started getting attention. An intrusion detection system (IDS) is used to detect potential violations in database security. In every database, some of the attributes are considered more sensitive to malicious modifications compared to others. We propose an algorithm for finding dependencies among important data items in a relational database management system. Any transaction that does not follow these dependency rules is identified as malicious. We show that this algorithm can detect modification of sensitive attributes quite accurately.
In this paper, we propose a new approach for database intrusion detection using a data mining technique which takes the sensitivity of the attributes into consideration in the form of weights. The paper proposes two techniques. The first is weighted data dependency rule mining: sensitive data are classified into three types (high, medium, and low sensitivity), and weights are allocated to each operation, such as read and write; the level of security is compared, the weights of operations are added, and based upon that score it is decided how well the data are protected. The second is an E-R model for representing attribute sensitivities. The model consists of a collection of basic objects called entities, and relationships among these entities. We add a new symbol '*' to the existing set of symbols to represent the sensitivity of an attribute. Repeated use of this symbol (more symbols on an attribute) makes an attribute more sensitive as compared to others. The main aim of this work is to minimize the loss suffered by the database owner. Currently, sensitive attributes are identified at the design level. In future, we plan to use Role-Based Access Control (RBAC) administered databases for finding out sensitive attributes dynamically.
The proposed database intrusion detection system generates more rules as compared to a nonweighted approach. There is a need for a mechanism to find out which of these new rules are useful for detecting malicious transactions. Such a mechanism helps in discarding redundant rules. We plan to use some learning mechanism to filter out the extra rules generated by our approach.
2.4 [29] Efficiently Tracking Application Interactions Using Lightweight Virtualization, Y. Huang, A. Stavrou, A.K. Ghosh, and S. Jajodia, Proc. First ACM Workshop on Virtual Machine Security, 2008.
The prevailing use of computers in our everyday life gives rise to many new challenges, including system security, data protection, and intrusion analysis. Toward that direction, recent research has provided two new powerful tools: 1) virtualized execution environments and 2) the monitoring, inspection, and/or logging of system activities via system call monitoring. In this paper, we introduce a novel general-purpose framework that unifies the two mechanisms and models the interactions of applications as transactions, harnessing the resource efficiency and isolation provided by lightweight virtualization environments (VEs). Our approach maintains VE and system integrity, focusing primarily on the interactions among VEs and system resources, including the file system, memory, and network.
Only events that are pertinent to the integrity of an application and its interactions with the operating system are recorded. We attempt to minimize the system overhead both in terms of the system events we have to store and the resources required. Even though we cannot provide application replay, we keep enough information for a wide range of other uses, including system recovery and information tracking, among others. As a proof of concept, we have implemented a prototype based on OpenVZ, a lightweight virtualization tool. Our preliminary results show that, compared to state-of-the-art event recording systems, we can reduce the number of events recorded per application by almost an order of magnitude. This paper presented a framework for tracking application interactions using a lightweight virtualization tool combined with a stackable file system. Our goal was to reduce the number of system calls recorded for each application while maintaining full tracking information of the application interactions. To that end, we introduced an architecture that can scale with the number of applications and record data over a large period of time. Our approach maintains application integrity and offers the ability to utilize the recorded information for a wide range of other uses, including system recovery and information tracking. Although this is only a first step, we believe our approach to be the first that can provide a practical and efficient approach to application tracking and a potential mechanism to record all system events as database transactions without prohibitive storage and monitoring overhead.
2.5 [33] Fast and Automated Generation of Attack Signatures: A Basis for Building Self-Protecting Servers, Z. Liang and R. Sekar, Proc. 12th ACM Conf. Computer and Comm. Security (CCS '05), 2005.
The past few years have witnessed an alarming increase in large-scale attacks: automated attacks carried out by large numbers of hosts on the Internet. These may be the work of worms, zombies, or large numbers of hackers running attack scripts. Such attacks have the following characteristics: they originate from many different hosts, target a non-negligible fraction of vulnerable hosts on the Internet, and are repetitive. Buffer overflow attacks (or, more generally, attacks that exploit memory errors in C/C++ programs) are the most popular choice in these attacks, as they provide substantial control over a victim host. For instance, virtually every worm known to date has been based on this class of attacks. Our approach, called COVERS, uses a forensic analysis of a victim server's memory to correlate attacks to inputs received over the network, and automatically develops a signature that characterizes inputs that carry attacks. The signatures tend to capture characteristics of the underlying vulnerability (e.g., a message field being too long) rather than the characteristics of an attack, which makes them effective against variants of attacks. Our approach introduces low overheads (under 10%), does not require access to the source code of the protected server, and has successfully generated signatures for the attacks studied in our experiments without producing false positives. Since the signatures are generated in tens of milliseconds, they can potentially be distributed quickly over the Internet to filter out (and thus stop) fast-spreading worms. Another interesting aspect of our approach is that it can defeat guessing attacks reported against address-space randomization and instruction set randomization techniques. Finally, it increases the capacity of servers to withstand repeated attacks by a factor of 10 or more.
In this paper, we presented a new approach, called COVERS, for protecting servers from repetitive buffer overflow attacks, such as those due to worms and zombies. Our approach combines off-the-shelf attack detection techniques with a forensic analysis of the victim server's memory to correlate attacks to inputs received from the network, and automatically generates signatures to filter out future attack instances. This improves the ability of victim applications to withstand attacks by one to two orders of magnitude as compared to previous techniques. COVERS introduces minimal overheads of under 10%. We showed that COVERS signatures capture the characteristics of underlying vulnerabilities, thereby providing protection against attack variants that exploit the same vulnerability. In contrast with previous approaches, which required many attack samples to produce signatures that are sufficiently general to stop polymorphic attacks, our approach is able to generate signatures from just a single attack instance. This is because of the use of a four-step approach that allows COVERS to localize the source of attacks to a small part of an input message. We believe that other signature generation techniques, which often employ more powerful algorithms at the signature generation step, can derive significant benefit by incorporating our correlation and input context identification steps. The signatures generated by COVERS can be distributed and deployed at other sites over the Internet. This deployment can take the form of an inline filter at the network layer. As a proof of this concept, we recently implemented a Snort plug-in that filters out network flows that match the signatures generated by COVERS.
2.6 [34] Polygraph: Automatically Generating Signatures for Polymorphic Worms, J. Newsome, B. Karp, and D.X. Song, Proc. IEEE Symp. Security and Privacy, 2005.
Content-signature-based intrusion detection systems (IDSes) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that, for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload. We contribute a definition of the polymorphic signature generation problem, propose classes of signatures suited for matching polymorphic worm payloads, and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives. The signature classes for polymorphic worms are of three types: conjunction signatures, token-subsequence signatures, and Bayes signatures. Polygraph must meet several design goals, such as signature quality, efficient signature generation, efficient signature matching, generation of small signature sets, robustness against noise and multiple worms, and robustness against evasion and subversion. The growing consensus in the security community is that polymorphic worms portend the death of content-based worm quarantine, that is, that no sensitive and specific signatures may exist for worms that vary their content significantly on every infection. We have shown, on the contrary, that content-based filtering holds great promise for quarantine of polymorphic worms and, moreover, that Polygraph can derive sensitive and specific signatures for polymorphic worms automatically.
The paper defines the signature generation problem for polymorphic worms; provides examples that illustrate the presence of invariant content in polymorphic worms; proposes the conjunction, token-subsequence, and Bayes signature classes that specifically target matching polymorphic worms' invariant content; and offers and evaluates Polygraph, a suite of algorithms that automatically derive signatures in these classes. Our results indicate that, even in the presence of misclassified noise flows and multiple worms, Polygraph generates high-quality signatures. We conclude that the rumors of the demise of content-based filtering for worm quarantine are decidedly exaggerated.
2.7 [35] CLAMP: Practical Prevention of Large-Scale Data Leaks, B. Parno, J.M. McCune, D. Wendlandt, D.G. Andersen, and A. Perrig, Proc. IEEE Symp. Security and Privacy, 2009.
Providing online access to sensitive data makes web servers lucrative targets for attackers. A compromise of any of the web server's scripts, applications, or operating system can leak the sensitive data of millions of customers. Unfortunately, systems for stopping data leaks require considerable effort from application developers, hindering their adoption. In this work, we investigate how such leaks can be prevented with minimal developer effort. We propose CLAMP, an architecture for preventing data leaks even in the presence of web server compromises or SQL injection attacks. CLAMP protects sensitive data by enforcing strong access control on user data and by isolating code running on behalf of different users. By focusing on minimizing developer effort, we arrive at an architecture that allows developers to use familiar operating systems, servers, and scripting languages, while making relatively few changes to application code: less than 50 lines in our applications. CLAMP uses five techniques: identifying a user's sensitive data, data access policies, read restrictions, write restrictions, and authentication classes. In this work, we have investigated techniques to secure LAMP applications against a large number of threats while requiring minimal changes to existing applications. We developed the CLAMP architecture to isolate the large and complex web server and scripting environments from a small trusted computing base that provides user authentication and data access control. CLAMP occupies a point in the web security design space notable for its simplicity for the web developer. Our proof-of-concept implementation indicates that porting existing LAMP applications to CLAMP requires a minimal number of changes, and the prototype can handle millions of SSL sessions per day.
2.8 [49] A Stateful Intrusion Detection System for World-Wide Web Servers, G. Vigna, W.K. Robertson, V. Kher, and R.A. Kemmerer, Proc. Ann. Computer Security Applications Conf. (ACSAC '03), 2003.
Web servers are ubiquitous, remotely accessible, and often misconfigured. In addition, custom web-based applications may introduce vulnerabilities that are overlooked even by the most security-conscious server administrators. Consequently, web servers are a popular target for hackers. To mitigate the security exposure associated with web servers, intrusion detection systems are deployed to analyze and screen incoming requests. The goal is to perform early detection of malicious activity and possibly prevent more serious damage to the protected site. Even though intrusion detection is critical for the security of web servers, the intrusion detection systems available today only perform very simple analyses and are often vulnerable to simple evasion techniques. This paper presents WebSTAT, an intrusion detection system that analyzes web requests looking for evidence of malicious behavior. The system is novel in several ways. First of all, it provides a sophisticated language to describe multistep attacks in terms of states and transitions. In addition, the modular nature of the system supports the integrated analysis of network traffic sent to the server host, operating system-level audit data produced by the server host, and the access logs produced by the web server. By correlating different streams of events, it is possible to achieve more effective detection of web-based attacks. This paper presented an approach for stateful intrusion detection, called WebSTAT. The approach is implemented by extending the STAT framework to create a sensor that performs detection of web-based attacks. WebSTAT is novel in that it provides a sophisticated language for describing multistep attacks in terms of states and transitions, and these descriptions are automatically compiled into dynamically linked libraries, which has a number of advantages in terms of flexibility and extensibility. WebSTAT also operates on multiple event streams and is able to correlate both network-level and operating system-level events with entries contained in server logs. This supports more effective detection of web-based attacks and generates a reduced number of false positives.
2.9 [41] An Efficient Black-Box Technique for Defeating Web Application Attacks, R. Sekar, Proc. Network and Distributed System Security Symp. (NDSS), 2009.
Over the past few years, injection vulnerabilities have become the primary target for remote exploits. SQL injection, command injection, and cross-site scripting are some of the popular attacks that exploit these vulnerabilities. Taint tracking has emerged as one of the most promising approaches for defending against these exploits, as it supports accurate detection (and prevention) of popular injection attacks. However, practical deployment of taint-tracking defenses has been hampered by a number of factors, including: (a) high performance overheads (often over 100%), (b) the need for deep instrumentation, which has the potential to impact application robustness and stability, and (c) specificity to the language in which an application is written.
In order to overcome these limitations, this paper presents a new technique called taint inference. This technique does not require any source code or binary instrumentation of the application to be protected; instead, it operates by intercepting requests and responses from this application. For most web applications, this interception may be achieved using network-layer interposition or library interposition. The paper then develops a class of policies called syntax- and taint-aware policies that can accurately detect and/or block most injection attacks. An experimental evaluation shows that these techniques are effective in detecting a broad range of attacks on applications written in multiple languages (including PHP, Java, and C), and impose low performance overheads (below 5%).
In this paper, we presented a new approach for accurate detection of common types of attacks launched on web applications. Our approach relies on a new technique for inferring taint propagation by passively observing the inputs and outputs of a protected application. We then presented a new policy framework that enables policies to be specified in a language-neutral manner. As compared to previous works, our approach does not require extensive instrumentation of the applications to be protected. It is robust, and can easily support applications written in many different languages (Java/C/C++/PHP) and on many platforms (Apache/IIS/Tomcat). It is able to detect many types of command injection attacks, as well as cross-site scripting, within a single framework and using very few policies. It introduces significantly lower overheads (typically less than 5%) as compared to previous approaches.
2.10 [52] Intrusion Detection via Static Analysis, D. Wagner and D. Dean, Proc. IEEE Symp. Security and Privacy (S&P '01), May 2001.
One of the primary challenges in intrusion detection is modelling typical application behavior, so that we can recognize attacks by their atypical effects without raising too many false alarms. We show how static analysis may be used to automatically derive a model of application behavior. The result is a host-based intrusion detection system with three advantages: a high degree of automation, protection against a broad class of attacks based on corrupted code, and the elimination of false alarms. We report on our experience with a prototype implementation of this technique. Our approach constrains the system call trace of a program's execution to be consistent with the program's source code. We assume that the program was written with benign intent. This approach deals with attacks (such as buffer overflows) that cause a program to behave in a manner inconsistent with its author's intent; these are the most prevalent security problems. We have successfully applied static program analysis to intrusion detection, and our approach is automatic: the programmer or system administrator merely needs to run our tools on the program at hand. All other automatic approaches to intrusion detection to date have been based on statistical inference, leading to many false alarms; in contrast, our approach is provably sound: when the alarm goes off, something has definitely gone wrong. Moreover, we can immediately detect if a program behaves in an impossible (according to its source) way, thus detecting intrusions that other systems miss. The result is a strategic combination of static analysis and dynamic monitoring; this combination yields better results than either method alone and presents a promising new approach to the intrusion detection problem.
CHAPTER 3
REQUIREMENT SPECIFICATION
3.1 HARDWARE SPECIFICATION
• System : Pentium IV 2.4 GHz
• Hard Disk : 160 GB
• Monitor : 15" VGA color
• Keyboard : 110-key enhanced
• RAM : 1 GB
3.2 SOFTWARE SPECIFICATION
• O/S : Windows XP
• Language : Java
• IDE : NetBeans 6.9.1
• Database : MySQL
3.2.1 JAVA
Java is a programming language originally developed by James Gosling at Sun Microsystems (now a subsidiary of Oracle Corporation) and released in 1995 as a core component of Sun Microsystems' Java platform. The language derives much of its syntax from C and C++ but has a simpler object model and fewer low-level facilities. Java applications are typically compiled to bytecode (class files) that can run on any Java Virtual Machine (JVM) regardless of computer architecture. Java is a general-purpose, concurrent, class-based, object-oriented language that is specifically designed to have as few implementation dependencies as possible. It is intended to let application developers "write once, run anywhere." Java is currently one of the most popular programming languages in use, particularly for client-server web applications. The original and reference implementation Java compilers, virtual machines, and class libraries were developed by Sun from 1995. As of May 2007, in compliance with the specifications of the Java Community Process, Sun relicensed most of its Java technologies under the GNU General Public License. Others have also developed alternative implementations of these Sun technologies, such as the GNU Compiler for Java and GNU Classpath.
3.2.1.1 JAVA PLATFORM
One characteristic of Java is portability, which means that computer programs written in the Java language must run similarly on any hardware/operating-system platform. This is achieved by compiling the Java language code to an intermediate representation called Java bytecode, instead of directly to platform-specific machine code. Java bytecode instructions are analogous to machine code, but are intended to be interpreted by a virtual machine (VM) written specifically for the host hardware. End users commonly use a Java Runtime Environment (JRE) installed on their own machine for standalone Java applications, or in a web browser for Java applets. Standardized libraries provide a generic way to access host-specific features such as graphics, threading, and networking.
Registration of various objects, files, and hints into the layer is central to the way NetBeans-based applications handle communication between modules. This page summarizes the list of such extension points defined by modules with an API. Context menu actions are read from the layer folder Loaders/text/x-ant+xml/Actions. The Keymaps folder contains subfolders for individual keymaps (Emacs, JBuilder, and NetBeans). The name of a keymap can be localized; use the "SystemFileSystem.localizingBundle" attribute of your folder for this purpose. An individual keymap folder contains shadows to actions. A shortcut is mapped to the name of a file. The Emacs shortcut format is used; multi-keys are separated by space characters ("C-X P" means Ctrl+X followed by P). The "Current Keymap" property of the "Keymaps" folder contains the original (not localized) name of the current keymap.
The Shortcuts folder contains registrations of shortcuts. It is supported for backward compatibility purposes only; all new shortcuts should be registered in the "Keymaps/NetBeans" folder. Shortcuts installed in the Shortcuts folder will be added to all keymaps, if there is no conflict. This means that if the same shortcut is mapped to different actions in the Shortcuts folder and the current keymap folder (like Keymaps/NetBeans), the Shortcuts folder mapping will be ignored.
An XML layer contract exists for the registration of server plug-ins and instances that implement optional capabilities of a server plug-in. A plug-in with server-specific deployment descriptor files should declare the full list in the XML layer as specified in the document plugin-layer-file.html from the above link. Source files must be named after the public class they contain, appending the suffix .java; for example, HelloWorldApp.java. A source file must first be compiled into bytecode, using a Java compiler, producing a file named HelloWorldApp.class. Only then can it be executed, or 'launched'. A Java source file may only contain one public class, but it can contain multiple classes with less-than-public access and any number of public inner classes.
A class that is not declared public may be stored in any .java file. The compiler will generate a class file for each class defined in the source file. The name of the class file is the name of the class, with .class appended. For class file generation, anonymous classes are treated as if their name were the concatenation of the name of their enclosing class, a $, and an integer. The keyword public denotes that a method can be called from code in other classes, or that a class may be used by classes outside the class hierarchy. The class hierarchy is related to the name of the directory in which the .java file is located.
The keyword static in front of a method indicates a static method, which is associated only with the class and not with any specific instance of that class. Only static methods can be invoked without a reference to an object. Static methods cannot access any class members that are not also static. The keyword void indicates that the main method does not return any value to the caller.
The method name "main" is not a keyword in the Java language. It is simply the name of the method the Java launcher calls to pass control to the program. Java classes that run in managed environments such as applets and Enterprise JavaBeans do not use or need a main() method. A Java program may contain multiple classes that have main methods, which means that the VM needs to be explicitly told which class to launch from.
The main method must accept an array of String objects. By convention, it is referenced as args, although any other legal identifier name can be used. Since Java 5, the main method can also use variable arguments, in the form of public static void main(String... args), allowing the main method to be invoked with an arbitrary number of String arguments. The effect of this alternate declaration is semantically identical (the args parameter is still an array of String objects), but it allows an alternative syntax for creating and passing the array.
The Java launcher launches Java by loading a given class (specified on the command line or as an attribute in a JAR) and starting its public static void main(String[]) method. Stand-alone programs must declare this method explicitly. The String[] args parameter is an array of String objects containing any arguments passed to the class. The parameters to main are often passed by means of a command line. Printing is part of the Java standard library: the System class defines a public static field called out.
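A minimal standalone program ties these points together: the launcher invokes the public static main method of the named class, the varargs declaration is accepted since Java 5, and System.out provides printing. This is the conventional HelloWorldApp example rather than project code.

    // HelloWorldApp.java -- the file name matches the single public class.
    public class HelloWorldApp {
        // The Java launcher calls this method; the varargs form is allowed since Java 5.
        public static void main(String... args) {
            System.out.println("Hello, World!");               // System.out is a public static field
            System.out.println(args.length + " argument(s) received.");
        }
    }

Compiling with javac HelloWorldApp.java produces HelloWorldApp.class, which can then be launched with java HelloWorldApp.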
3.2.2 NETBEANS
The NetBeans Platform is a reusable framework for simplifying the development of Java Swing desktop applications. The NetBeans IDE bundle for Java SE contains what is needed to start developing NetBeans plug-ins and NetBeans Platform based applications; no additional SDK is required. Applications can install modules dynamically. Any application can include the Update Center module to allow users of the application to download digitally signed upgrades and new features directly into the running application. Reinstalling an upgrade or a new release does not force users to download the entire application again.
The platform offers reusable services common to desktop applications, allowing developers to focus on the logic specific to their application. Among the features of the platform are:
• User interface management (e.g., menus and toolbars)
• User settings management
• Storage management (saving and loading any kind of data)
• Window management
• Wizard framework (supports step-by-step dialogs)
• NetBeans Visual Library
• Integrated development tools
CHAPTER 4
METHODOLOGY
4.1 CREATE CONTAINER MODEL
All network traffic, from both legitimate users and adversaries, is received intermixed at the same web server. If an attacker compromises the web server, he/she can potentially affect all future sessions (i.e., session hijacking). Assigning each session to a dedicated physical web server is not a realistic option, as it would deplete the web server resources. To achieve similar confinement while maintaining low performance and resource overhead, we use lightweight virtualization. In our design, we make use of lightweight process containers, referred to as containers, as ephemeral, disposable servers for client sessions. It is possible to initialize thousands of containers on a single physical machine, and these virtualized containers can be discarded, reverted, or quickly reinitialized to serve new sessions. A single physical web server runs many containers, each one an exact copy of the original web server.
Our approach dynamically generates new containers and recycles used ones. As a result, a single physical server can run continuously and serve all web requests. However, from a logical perspective, each session is assigned to a dedicated web server and isolated from other sessions. Since we initialize each virtualized container using a read-only clean template, we can guarantee that each session will be served with a clean web server instance at initialization. We choose to separate communications at the session level so that a single user always deals with the same web server. Sessions can represent different users to some extent, and we expect the communication of a single user to go to the same dedicated web server, thereby allowing us to identify suspect behavior by both session and user. If we detect abnormal behavior in a session, we will treat all traffic within this session as tainted.
If an attacker compromises a vanilla web server, other sessions' communications can also be hijacked. In our system, an attacker can only stay within the web server container that he/she is connected to, with no knowledge of the existence of other session communications. We can thus ensure that legitimate sessions will not be compromised directly by an attacker.
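A minimal Java sketch of this per-session container assignment is given below. The container start/destroy helpers stand in for OpenVZ management operations (e.g., vzctl) and are hypothetical, as is every name here; this is an illustration of the design, not the actual implementation.

    import java.util.HashMap;
    import java.util.Map;
    import java.util.UUID;

    // Sketch: each session gets its own disposable container created from
    // a read-only clean template; destroying the container confines any
    // damage to that one session.
    public class ContainerDispatcher {
        private final Map<String, String> sessionToContainer = new HashMap<>();

        public synchronized String containerFor(String sessionId) {
            // A new session is served by a freshly initialized container.
            return sessionToContainer.computeIfAbsent(sessionId,
                    id -> startContainerFromCleanTemplate());
        }

        public synchronized void endSession(String sessionId) {
            String containerId = sessionToContainer.remove(sessionId);
            if (containerId != null) {
                destroyContainer(containerId); // damage, if any, dies with the container
            }
        }

        // Hypothetical helpers standing in for OpenVZ commands (e.g., vzctl).
        private String startContainerFromCleanTemplate() { return UUID.randomUUID().toString(); }
        private void destroyContainer(String containerId) { /* e.g., stop and destroy the VE */ }
    }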
4.2 BUILDING NORMALITY MODEL
The normality model depicts how communications are categorized as sessions and how database transactions can be related to a corresponding session. If Client 2 is malicious and compromises VE 2, the corresponding database transaction set T2 will be the only affected section of data within the database. This container-based and session-separated web server architecture not only enhances security but also provides us with the isolated information flows that are separated in each container session. It allows us to identify the mapping between the web server requests and the subsequent DB queries, and to utilize such a mapping model to detect abnormal behaviors on a session/client level. In typical three-tier web server architecture, the web server receives HTTP requests from user clients and then issues SQL queries to the database server to retrieve and update data. These SQL queries are causally dependent on the web request hitting the web server.
Even if we knew the application logic of the web server and were to build a correct model, it would be impossible to use such a model to detect attacks within huge amounts of concurrent real traffic unless we had a mechanism to identify the pairs of HTTP requests and SQL queries that are causally related. However, within our container-based web servers, it is a straightforward matter to identify the causal pairs of web requests and resulting SQL queries in a given session. Moreover, as traffic can easily be separated by session, it becomes possible for us to compare and analyze the requests and queries across different sessions.
Figure 4.2 Web server instances running in containers.
The DoubleGuard system puts sensors at both sides of the servers. At the web server, our sensors are deployed on the host system and cannot be attacked directly, since only the virtualized containers are exposed to attackers. Our sensors will not be attacked at the database server either, as we assume that the attacker cannot completely take control of the database server. In fact, we assume that our sensors cannot be attacked and can always capture correct traffic information at both ends. Once we build the mapping model, it can be used to detect abnormal behaviors. If there exists any request or query that violates the normality model within a session, then the session will be treated as a possible attack.
In the DoubleGuard prototype, we chose to assign each user session to a different container; however, this was a design decision. For instance, one could instead assign a new container for each new client IP address. Our prototype used a 15-minute timeout due to resource constraints of our test server.
CHAPTER 5
SYSTEM DESIGN
5.1 STATIC MODEL
A static website can build an accurate model of the mapping relationships between web requests and database queries, since the links are static and clicking on the same link always returns the same information. However, some websites (e.g., blogs, forums) allow regular users with non-administrative privileges to update the contents of the served data. This creates tremendous challenges for IDS training because the HTTP requests can contain variables in the passed parameters. For example, instead of a one-to-one mapping, one web request to the web server usually invokes a number of SQL queries that can vary depending on the type of the request and the state of the system. Some requests will only retrieve data from the web server instead of invoking database queries, meaning that no queries will be generated by these web requests. In other cases, one request will invoke a number of database queries.
All communications from the clients to the database are separated by session, and each session is assigned a unique session ID. DoubleGuard normalizes the variable values in both HTTP requests and database queries, preserving the structures of the requests and queries. To achieve this, DoubleGuard substitutes the actual values of the variables with symbolic values.
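A minimal sketch of such value normalization is shown below. The two regular expressions are illustrative assumptions, since the exact normalization rules are not specified here; any real implementation would need rules tuned to the application's request and query formats.

    import java.util.regex.Pattern;

    // Sketch: concrete values in requests and queries are replaced with
    // symbolic placeholders so that only the structure remains.
    public final class Normalizer {
        private static final Pattern STRING_LITERAL = Pattern.compile("'[^']*'");
        private static final Pattern NUMBER         = Pattern.compile("\\b\\d+\\b");

        public static String normalize(String requestOrQuery) {
            String s = STRING_LITERAL.matcher(requestOrQuery).replaceAll("'?'");
            return NUMBER.matcher(s).replaceAll("?");
        }
    }

For example, normalize("SELECT * FROM posts WHERE id = 42") yields "SELECT * FROM posts WHERE id = ?", so two requests that differ only in parameter values map to the same structure.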
5.2 MAPPING RELATIONS
In DoubleGuard, we classify four possible mapping patterns. Since the request is at the origin of the data flow, we treat each request as the mapping source. In other words, the mappings in the model are always in the form of one request to a query set, rm → Qn.
5.2.1 DETERMINISTIC MAPPING
This is the most common and perfectly matched pattern. That is to say, the web request rm appears in all traffic with the SQL query set Qn. For any session in the testing phase with the request rm, the absence of a query set Qn matching the request indicates a possible intrusion. On the other hand, if Qn is present in the session traffic without the corresponding rm, this may also be the sign of an intrusion. In static websites, this type of mapping comprises the majority of cases, since the same results should be returned each time a user visits the same link.
Figure 5.2.1 Deterministic mapping using session ID of the container (VE). (The figure depicts HTTP web requests A and B arriving in sessions 1-5 (VE1-VE5) and mapping to SQL queries X and Y.)
5.2.2 EMPTY QUERY SET
In special cases, the SQL query set may be the empty set. This implies that the web request neither causes nor generates any database queries. For example, when a web request retrieves an image GIF file from the same web server, a mapping relationship does not exist because only the web request is observed. This type of mapping is denoted rm → ∅. During the testing phase, we keep these web requests together in the set EQS.
5.2.3 NO MATCHED REQUEST
In some cases, the web server may periodically submit queries to the database server in order to conduct scheduled tasks, such as cron jobs for archiving or backup. These queries are not driven by any web request, similar to the reverse case of the Empty Query Set mapping pattern. These queries cannot match up with any web requests, and we keep such unmatched queries in a set NMR. During the testing phase, any query within the set NMR is considered legitimate. The size of NMR depends on the web server logic, but it is typically small.
5.2.4 NON DETERMINISTIC MAPPING
The same web request may result in different SQL query sets based on input parameters or the status of the webpage at the time the web request is received. In fact, these different SQL query sets do not appear randomly, and there exists a candidate pool of query sets. Each time that the same type of web request arrives, it always matches up with one (and only one) of the query sets in the pool. Therefore, it is difficult to identify traffic that matches this pattern. This happens only within dynamic websites, such as blogs or forum sites.
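For this dynamic case, the candidate pool can be represented as a set of query sets per request type, as in the following Java sketch. All names here are assumptions for illustration, not DoubleGuard's actual code.

    import java.util.HashSet;
    import java.util.Set;

    // Sketch of a nondeterministic (one-to-many) mapping: one request type
    // keeps a pool of candidate query sets gathered during training.
    public class NondeterministicMapping {
        private final Set<Set<String>> candidatePool = new HashSet<>();

        // Training: remember each distinct query set observed for this request.
        public void addCandidate(Set<String> querySet) {
            candidatePool.add(Set.copyOf(querySet));
        }

        // Testing: the session's queries must cover at least one candidate
        // query set from the pool; otherwise the session is suspect.
        public boolean matches(Set<String> observedQueries) {
            return candidatePool.stream().anyMatch(observedQueries::containsAll);
        }
    }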
5.3 STATIC MODEL BUILDING ALGORITHM
In the case of a static website, the nondeterministic mapping does not exist, as there are no available input variables or states for static content. We can easily classify the traffic collected by the sensors into three patterns in order to build the mapping model. As the traffic is already separated by session, we begin by iterating over all of the sessions from 1 to N.
Require: Training data set, threshold t
Ensure: The mapping model for a static website
1: for each session-separated traffic Ti do
2:   Get the distinct HTTP requests r and DB queries q in this session
3:   for each distinct r do
4:     if r is a request for a static file then
5:       Add r into set EQS
6:     else
7:       if r is not in set REQ then
8:         Add r into REQ
9:       Append session ID i to the set ARr with r as the key
10:  for each distinct q do
11:    if q is not in set SQL then
12:      Add q into SQL
13:    Append session ID i to the set AQq with q as the key
14: for each distinct HTTP request r in REQ do
15:   for each distinct DB query q in SQL do
16:     Compare the set ARr with the set AQq
17:     if ARr = AQq and Cardinality(ARr) ≥ t then
18:       Found a deterministic mapping from r to q
19:       Add q into the mapping model set MSr of r
20:       Mark q in set SQL
21:     else
22:       Need more training sessions
23:       return False
24: for each DB query q in SQL do
25:   if q is not marked then
26:     Add q into set NMR
27: for each HTTP request r in REQ do
28:   if r has no deterministic mapping model then
29:     Add r into set EQS
30: return True
Some web requests that could appear separately are still present as a
unit. During the training phase, we treat them as a single instance of
bundled web requests unless we observe a case where either of them
appears separately. Our next step is to decide the other two mapping
patterns by assembling a white list of static file requests, including JPG,
GIF, CSS, etc. HTTP requests for static files are placed in the EQS set.
The remaining requests are placed in REQ. If we cannot find any matched
queries for them, they will also be placed in the EQS set. In addition, all
remaining queries in SQL will be considered No Matched Request cases
and placed into NMR.
This algorithm takes the training data set as input and builds
the mapping model for static websites. For each unique HTTP request and
database query, the algorithm assigns a hash table entry; the key of the entry
is the request or query itself, and the value of the entry is AR for the
request or AQ for the query, respectively.
The algorithm generates the mapping model by considering all three
mapping patterns that can occur in static websites. The algorithm above
describes the training process; it uses the session ID provided by the
container (VE) to build the deterministic mapping between HTTP requests
and database queries.
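Under the assumption that each training session arrives as a (requests, queries) pair already separated by container session ID, the algorithm above could be sketched in Python as follows. The helper is_static_file and the data layout are illustrative assumptions, not the project's actual code.

    def is_static_file(r):
        return r.lower().endswith(('.jpg', '.gif', '.css'))  # example white list

    def build_static_model(sessions, t):
        EQS, REQ, SQL = set(), set(), set()
        AR, AQ = {}, {}   # hash tables: request/query -> set of session IDs
        MS = {}           # mapping model: request -> set of mapped queries
        for i, (requests, queries) in enumerate(sessions):
            for r in set(requests):
                if is_static_file(r):
                    EQS.add(r)
                else:
                    REQ.add(r)
                    AR.setdefault(r, set()).add(i)
            for q in set(queries):
                SQL.add(q)
                AQ.setdefault(q, set()).add(i)
        marked = set()
        for r in REQ:
            for q in SQL:
                if AR[r] == AQ[q]:
                    if len(AR[r]) >= t:    # deterministic mapping found
                        MS.setdefault(r, set()).add(q)
                        marked.add(q)
                    else:
                        return False       # need more training sessions (line 23)
        NMR = SQL - marked                 # queries with no matched request
        EQS |= {r for r in REQ if r not in MS}
        return MS, EQS, NMR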
5.4 TESTING FOR STATIC WEBSITES
Once the normality model is generated, it can be employed to detect
abnormal behavior. During the testing phase, each session is compared to
the normality model. We begin with each distinct web request in the
session and, since each request has only one mapping rule in the model,
we simply compare the request against that rule. The testing phase proceeds
as follows. If the rule for the request is Deterministic Mapping, we test
whether Q is a subset of the query set of the session; if so, the request
is valid and we mark the queries in Q, otherwise the request is considered
abnormal. If the rule is Empty Query Set, then the request is not
considered abnormal. For the remaining unmarked database queries, we
check whether they are in the set NMR; if so, we mark the query as such.
Any untested web request or unmarked database query is considered to be
abnormal.
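A minimal sketch of this testing procedure, assuming the model triple (MS, EQS, NMR) produced by the training step above, might look like this:

    def test_session(requests, queries, MS, EQS, NMR):
        queries = set(queries)
        marked = set()
        for r in set(requests):
            if r in MS:                    # Deterministic Mapping rule
                if MS[r] <= queries:
                    marked |= MS[r]        # mark the queries in Q
                else:
                    return 'abnormal'
            elif r in EQS:                 # Empty Query Set rule
                continue
            else:
                return 'abnormal'          # untested web request
        for q in queries - marked:
            if q not in NMR:               # unmarked query outside NMR
                return 'abnormal'
        return 'normal'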
5.5 MODELING OF DYNAMIC PATTERNS
Dynamic web pages allow users to generate the same web query with
different parameters. Additionally, dynamic pages often use POST rather
than GET methods to commit user inputs. Based on the web server's
application logic, different inputs would cause different database queries.
For example, to post a comment to a blog article, the web server would
first query the database to see the existing comments. If the user's comment
differs from previous comments, then the web server would automatically
generate a set of new queries to insert the new post into the back-end
database. Otherwise, the web server would reject the input in order to prevent
duplicated comments from being posted (i.e., no corresponding SQL query
would be issued). In such cases, even assigning the same parameter values
could cause different sets of queries, depending on the previous state of the
website. Likewise, this nondeterministic mapping case (i.e., one-to-many
mapping) occurs even after we normalize all parameter values to extract
the structures of the web requests and queries. Since the mapping can
appear differently in different cases, it becomes difficult to identify all of the
one-to-many mapping patterns for each web request. Moreover, when
different operations occasionally overlap in their possible query sets, it
becomes even harder to extract the one-to-many mapping for each
operation by comparing matched requests and queries across sessions.
Since the algorithm for extracting mapping patterns in static pages does
not work for dynamic pages, we created another training method to build
the model. First, we tried to categorize all of the potential single (atomic)
operations on the web pages. For instance, the common operations available
to users of a blog website may include reading an article, posting a new
article, leaving a comment, visiting the next page, etc. All of the operations
that appear within one session are permutations of these basic operations. If we
could build a mapping model for each of these basic operations, then we
could compare web requests to determine the basic operations of the session
and obtain the most likely set of queries mapped from these operations. If
these single-operation models could not cover all of the requests and queries
in a session, then this would indicate a possible intrusion.
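As a rough illustration of this idea, a session could be tested by greedily covering its traffic with per-operation models; the greedy strategy and the model layout below are simplifying assumptions, not the method's exact formulation.

    def covered_by_operations(requests, queries, operation_models):
        # operation_models: list of (request_set, query_set) pairs, one
        # candidate mapping per atomic operation learned during training
        remaining_r, remaining_q = set(requests), set(queries)
        changed = True
        while changed:
            changed = False
            for op_r, op_q in operation_models:
                if op_r and op_r <= remaining_r and op_q <= remaining_q:
                    remaining_r -= op_r
                    remaining_q -= op_q
                    changed = True
        # anything left uncovered indicates a possible intrusion
        return not remaining_r and not remaining_q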
CHAPTER 6
RESULTS AND DISCUSSION
6.1 SCREENSHOTS
Figure 6.1: Home page
Figure 6.2: Login page
Figure 6.3: Allocating containers
Figure 6.4: User login status
Figure 6.5: User registration information
Figure 6.6: Status of the model
Figure 6.7: Logout session
CHAPTER 7
CONCLUSION AND FUTURE WORK
7.1 CONCLUSION
This project presented DoubleGuard, an intrusion detection system
that builds models of normal behavior for multi-tiered web applications
from both front-end web (HTTP) requests and back-end database
(SQL) queries. Unlike previous approaches that correlated or
summarized alerts generated by independent IDSs, DoubleGuard forms
a container-based IDS with multiple input streams to produce alerts.
We have shown that such correlation of input streams provides a
better characterization of the system for anomaly detection, because
the intrusion sensor has a more precise normality model that detects a
wider range of threats.
The system achieved this by isolating the flow of information
from each web server session with lightweight virtualization.
Furthermore, we quantified the detection accuracy of our approach
when we attempted to model static and dynamic web requests with the
back-end file system and database queries. For static websites, we built
a well-correlated model, which our experiments proved to be effective
at detecting different types of attacks.
7.2 FUTURE WORK
In the future, we propose to extend our system by developing
efficient methods for detecting SQL query poisoning and buffer overflow
attacks. In DoubleGuard, all of the user input values are normalized so as to
build a mapping model based on the structures of the HTTP requests and DB
queries. Once the malicious user inputs are normalized, DoubleGuard
cannot detect attacks hidden in the values; such attacks can occur even
without involving the database. DoubleGuard therefore offers a complementary
approach to research efforts that detect web attacks based on the
characterization of input values. Our assumption is that an attacker can
obtain “full control” of the web server thread that he or she connects to; that
is, the attacker can only take over the web server instance running in its
isolated container. Our architecture ensures that every client is defined by
the IP address and port container pair, which is unique for each session.
DoubleGuard is not designed to mitigate DDoS attacks, which can also
occur in server architectures without a back-end database. In the future,
we also aim to detect vulnerabilities due to improper input processing and
distributed DoS attacks.