A Grammatical Inference Approach to Language-Based Anomaly Detection in XML

Abstract: Abstract-False-positives are a problem in anomaly-based intrusion detection systems. To counter this issue, we discuss anomaly detection for the eXtensible Markup Language (XML) in a language-theoretic view. We argue that many XML-based attacks target the syntactic level, i.e. the tree structure or element content, and syntax validation of XML documents reduces the attack surface. XML offers so-called schemas for validation, but in real world, schemas are often unavailable, ignored or too general. In this work… Show more

“…We apply the concept of function distinguishable languages [61] for our inference algorithm [103]. Kumar et al [100] argue that VPA can be learned in a query learning setting that differs from our setting in the problem definition.…”

“…We argue that XML-based attacks preferably exploit syntactic inconsistencies to cause insecure interpretation, i.e., unexpected tree structure or element content that leads to an insecure state. Therefore, we give an overview of our proposed language-based anomaly detection approach for XML-based interaction [103]. Detecting anomalous syntax can reduce the attack surface of XML processing systems on the client-and service-side.…”

“…The algorithm converges for a large class of XML in practice when given enough training examples. A detailed description of the algorithm is presented in [103], and an example is shown in Fig. 12.…”

“…10 An XML document is abstracted as a stream of SAX events, where the lexical data type system reduces actual text contents to a finite number of data types the language class of some string between two tags is unknown and learnability properties are affected. We therefore introduce a lexical data type system in Lampesberger [103] for abstracting content by data types. XSD provides a rich set of data types [189], where every data type has a semantic value space and a lexical space, i.e., allowed strings over the Unicode character set.…”

“…For detailed information we direct the reader to Lampesberger [103]. Inference of an automaton as a reference model for detecting anomalous syntax in XML is done in three steps:…”

Monitoring of Client-Cloud Interaction

“…We apply the concept of function distinguishable languages [61] for our inference algorithm [103]. Kumar et al [100] argue that VPA can be learned in a query learning setting that differs from our setting in the problem definition.…”

“…We argue that XML-based attacks preferably exploit syntactic inconsistencies to cause insecure interpretation, i.e., unexpected tree structure or element content that leads to an insecure state. Therefore, we give an overview of our proposed language-based anomaly detection approach for XML-based interaction [103]. Detecting anomalous syntax can reduce the attack surface of XML processing systems on the client-and service-side.…”

“…The algorithm converges for a large class of XML in practice when given enough training examples. A detailed description of the algorithm is presented in [103], and an example is shown in Fig. 12.…”

“…10 An XML document is abstracted as a stream of SAX events, where the lexical data type system reduces actual text contents to a finite number of data types the language class of some string between two tags is unknown and learnability properties are affected. We therefore introduce a lexical data type system in Lampesberger [103] for abstracting content by data types. XSD provides a rich set of data types [189], where every data type has a semantic value space and a lexical space, i.e., allowed strings over the Unicode character set.…”

“…For detailed information we direct the reader to Lampesberger [103]. Inference of an automaton as a reference model for detecting anomalous syntax in XML is done in three steps:…”

Monitoring of Client-Cloud Interaction

Correct Software in Web Applications and Web Services

Technologies for Web and cloud service interaction: a survey