Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Riera, Tomás Sureda; Higuera, Juan-Ramón Bermejo; Higuera, Javier Bermejo; Herraiz, José-Javier Martínez; Sicilia, Juan Antonio

doi:10.3390/su12124945

Cited by 22 publications

(11 citation statements)

References 169 publications

(146 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The isolation forest (iForest) [34,35] is an anomaly detection model based on decision trees which, recently, is appearing in several case studies of anomaly detection in the business [36], industrial [37], and virtual security [38,39] areas. Briefly, the iForest method provides a non-parametric density estimate of the data.…”

Section: Introductionmentioning

confidence: 99%

Extended Isolation Forests for Fault Detection in Small Hydroelectric Plants

Santis

Costa

2020

Sustainability

View full text Add to dashboard Cite

Maintenance in small hydroelectric plants is fundamental for guaranteeing the expansion of clean energy sources and supplying the energy estimated to be necessary for the coming years. Most fault diagnosis models for hydroelectric generating units, proposed so far, are based on the distance between the normal operating profile and newly observed values. The extended isolation forest model is a model, based on binary trees, that has been gaining prominence in anomaly detection applications. However, no study so far has reported the application of the algorithm in the context of hydroelectric power generation. We compared this model with the PCA and KICA-PCA models, using one-year operating data in a small hydroelectric plant with time-series anomaly detection metrics. The algorithm showed satisfactory results with less variance than the others; therefore, it is a suitable candidate for online fault detection applications in the sector.

show abstract

Section: Introductionmentioning

confidence: 99%

Extended Isolation Forests for Fault Detection in Small Hydroelectric Plants

Santis

Costa

2020

Sustainability

View full text Add to dashboard Cite

show abstract

“…There are four basic scores that determine the content of the confusion matrix: In this paper, we use two metrics derived from the confusion matrix: Recall, and Precision. The Recall (R)-or True Positive Rate (TPR), Sensitivity or Detection Rate [7]indicates the proportion of actual positives correctly classified and can be calculated using the following equation:…”

Section: Theoretical Background and Related Workmentioning

confidence: 99%

“…The Precision (P)-or Positive Predicted Value (PPV) [7]-indicates the proportion of predicted positive that is truly positive. Precision is defined as the ratio of correctly predicted attacks to the predicted size of the attacks and can be calculated using the following equation:…”

Section: Theoretical Background and Related Workmentioning

confidence: 99%

“…Unfortunately, AIDS tend to generate a high rate of false alarms since defining and updating the normal behaviors' profiles is not an easy task. Indeed, it is a serious challenge that has raised numerous research efforts [6][7][8]. At any rate, anomaly detection has the potential to detect unknown attacks, which makes AIDS a natural complement of SIDS in hybrid systems [9] able to detect known and 0-day attacks [8].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

et al. 2022

View full text Add to dashboard Cite

Signature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.

show abstract

“…Several works combine static analysis tools with machine learning techniques for automatic detection of security vulnerabilities in web applications reducing the number of false positives [52,53]. Other approximations are based in attacks and anomalies detection using machine learning techniques [54].…”

Section: Related Workmentioning

confidence: 99%

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Tudela

Higuera

et al. 2020

Applied Sciences

Self Cite

View full text Add to dashboard Cite

The design of the techniques and algorithms used by the static, dynamic and interactive security testing tools differ. Therefore, each tool detects to a greater or lesser extent each type of vulnerability for which they are designed for. In addition, their different designs mean that they have different percentages of false positives. In order to take advantage of the possible synergies that different analysis tools types may have, this paper combines several static, dynamic and interactive analysis security testing tools—static white box security analysis (SAST), dynamic black box security analysis (DAST) and interactive white box security analysis (IAST), respectively. The aim is to investigate how to improve the effectiveness of security vulnerability detection while reducing the number of false positives. Specifically, two static, two dynamic and two interactive security analysis tools will be combined to study their behavior using a specific benchmark for OWASP Top Ten security vulnerabilities and taking into account various scenarios of different criticality in terms of the applications analyzed. Finally, this study analyzes and discuss the values of the selected metrics applied to the results for each n-tools combination.

show abstract

Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Cited by 22 publications

References 169 publications

Extended Isolation Forests for Fault Detection in Small Hydroelectric Plants

Extended Isolation Forests for Fault Detection in Small Hydroelectric Plants

On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attacks

On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

Contact Info

Product

Resources

About