Incorporation of Application Layer Protocol Syntax into Anomaly Detection

Düssel, Patrick; Gehl, Christian; Laskov, Pavel; Rieck, Konrad

doi:10.1007/978-3-540-89862-7_17

Cited by 19 publications

(15 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Anomaly detection mechanisms employ a model of legitimate network traffic (Xie and Yu 2009)-and treat unlikely traffic patterns as attacks. For Fraction of all connections of all clients that specified HTTP header field Content-Type as any text variant the detection of SQL-injection, cross-site-scripting (XSS), and PHP file-inclusion (L/RFI), traffic can be modeled based on HTTP header and query string information using HMMs (Ariu et al 2011), n-gram models (Wressnegger et al 2013), general kernels (Düssel et al 2008), or other models (Robertson and Maggi 2010). Anomaly-detection mechanisms were investigated, from centroid anomaly-detection models (Kloft and Laskov 2012) to setting hard thresholds on the likelihood of new HTTP requests given the model, to unsupervised learning of support-vector data description (SVDD) models (Düssel et al 2008, Görnitz et al 2013.…”

Section: Discussion and Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Dick

Scheffer

2016

Mach Learn

View full text Add to dashboard Cite

We focus on the problem of detecting clients that attempt to exhaust server resources by flooding a service with protocol-compliant HTTP requests. Attacks are usually coordinated by an entity that controls many clients. Modeling the application as a structuredprediction problem allows the prediction model to jointly classify a multitude of clients based on their cohesion of otherwise inconspicuous features. Since the resulting output space is too vast to search exhaustively, we employ greedy search and techniques in which a parametric controller guides the search. We apply a known method that sequentially learns the controller and the structured-prediction model. We then derive an online policy-gradient method that finds the parameters of the controller and of the structured-prediction model in a joint optimization problem; we obtain a convergence guarantee for the latter method. We evaluate and compare the various methods based on a large collection of traffic data of a web-hosting service.

show abstract

Section: Discussion and Related Workmentioning

confidence: 99%

“…A great variety of heuristic and principled approaches is used. In our study, we represent this family of approaches by SVDD which has been used successfully for several related computer-security problems (Düssel et al 2008;Görnitz et al 2013). Prior work generally uses smaller feature sets.…”

Section: Reference Methodsmentioning

confidence: 99%

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Dick

Scheffer

2016

Mach Learn

View full text Add to dashboard Cite

show abstract

“…In contrast to previous applications of anomaly detection to web attack detection, e.g. [8,22,7,2,3,20], our method not only detects, but reacts to such attacks. We have developed a prototype of a reverse proxy called TokDoc which implements the idea of mangling coupled with anomaly detection.…”

Section: Introductionmentioning

confidence: 93%

TokDoc

Krueger

Gehl

Rieck

et al. 2010

Proceedings of the 2010 ACM Symposium on Applied Computing

Self Cite

View full text Add to dashboard Cite

The growing amount of web-based attacks poses a severe threat to the security of web applications. Signature-based detection techniques increasingly fail to cope with the variety and complexity of novel attack instances. As a remedy, we introduce a protocol-aware reverse HTTP proxy TokDoc (the token doctor), which intercepts requests and decides on a per-token basis whether a token requires automatic "healing". In particular, we propose an intelligent mangling technique, which, based on the decision of previously trained anomaly detectors, replaces suspicious parts in requests by benign data the system has seen in the past. Evaluation of our system in terms of accuracy is performed on two realworld data sets and a large variety of recent attacks. In comparison to state-of-the-art anomaly detectors, TokDoc is not only capable of detecting most attacks, but also significantly outperforms the other methods in terms of false positives. Runtime measurements show that our implementation can be deployed as an inline intrusion prevention system. General TermsSecurity

show abstract

“…Their algorithm learns a finite automaton representation from tokenized web request headers. Düssel et al [53] detect deviating web request headers using support vector machines (SVM), where feature extraction and SVM kernel incorporate application layer syntax. Spectrogram [173] reassembles bidirectional TCP network streams between client and service, and multiple Markov chains evaluate URIs in HTTP GET requests or message bodies in HTTP POST requests.…”

Section: Anomaly Detection In Web Interactionmentioning

confidence: 99%

Monitoring of Client-Cloud Interaction

Lampesberger

Rady

2015

Correct Software in Web Applications and Web Services

View full text Add to dashboard Cite

When a client consumes a cloud service, computational liabilities are transferred to the service provider in accordance to the cloud paradigm, and the client loses some control over software components. One way to raise assurance about correctness and dependability of a consumed service and its software components is monitoring. In particular, a monitor is a system that observes the behavior of another system, and observation points that expose the target system's state and state changes are required. Due to the cloud paradigm, popular techniques for monitoring such as code instrumentation are often not available to the client because of limited visibility, lack of control, and black-box software components. Based on a literature review, we identify potential observation points in today's cloud services. Furthermore, we investigate two cloud-specific monitoring applications based on our ongoing research. While service level agreement (SLA) monitoring ensures that agreed-upon conditions between clients and providers are met, language-based anomaly detection monitors the interaction between client and cloud for misuse attempts.

show abstract

Incorporation of Application Layer Protocol Syntax into Anomaly Detection

Cited by 19 publications

References 17 publications

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

Learning to control a structured-prediction decoder for detection of HTTP-layer DDoS attackers

TokDoc

Monitoring of Client-Cloud Interaction

Contact Info

Product

Resources

About