Fuzzy Detection of Destructive Attacks on Web Applications Based on Hidden Markov Models Ensemble
Subject Areas: Information Technology in Engineering Design (ITED) Journal
Abstract: This paper presents a system that detects malicious HTTP requests and obtains the lowest false-positive rate together with a high detection rate. To this end, each feature extracted from an HTTP request is modeled by several hidden Markov models (HMMs) that act as a classifier ensemble. The outputs of the HMMs in an ensemble are fused into a probabilistic value that expresses how normal the corresponding feature is. Instead of a threshold, the system applies fuzzy inference to obtain a flexible decision boundary: the fuzzy sets and the rules of the decision module are formed manually, and the output of each HMM ensemble is then converted into a fuzzy value with respect to those sets. Finally, a fuzzy inference engine combines these values into an output that indicates whether the HTTP request is normal or abnormal. Experiments show that the approach is flexible, achieves acceptable accuracy on requests close to the decision boundary, and yields a false-positive rate of 0.79%.