| Graduate student: | 莊家裕 Juang, Jia-Yu | 
|---|---|
| Thesis title: | 以建立使用者請求模型為基礎的網站入侵偵測系統之設計與實作 A Design and Implementation of Web Application IDS Based on Modeling User Requests | 
| Advisor: | 賴溪松 Laih, Chi-Sung | 
| Degree: | Master | 
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering | 
| Publication year: | 2008 | 
| Graduation academic year: | 96 (ROC calendar) | 
| Language: | English | 
| Pages: | 89 | 
| Chinese keywords: | 網站應用程式、入侵偵測系統 (web application, intrusion detection system) | 
| English keywords: | IDS, Web application | 
In recent years, with the growth of the global Internet and of dynamic web page technology, web applications of every kind have appeared, and with them all sorts of web services: online auctions, web photo albums, blogs and so on. Attacks aimed at web applications have also become more frequent. According to a Gartner Group survey, roughly 75% of network attack incidents are related to web applications, which shows that web applications have become the main target of attackers. Because a website is a publicly accessible architecture that anyone can reach through port 80, traditional security equipment such as firewalls cannot detect or prevent these attacks effectively, and ordinary intrusion detection systems cannot analyze application-layer information effectively either. Moreover, the diversity of website architectures and web applications gives rise to many varied attack techniques, so a signature-based intrusion detection system cannot detect them effectively by writing signatures.
    This thesis therefore designs an anomaly-detection-based web application intrusion detection system to protect a specific website. According to the OWASP Top Ten project, the most critical web application vulnerabilities at present are XSS and injection flaws. The attacks that exploit these vulnerabilities carry malicious strings in the parameters of the HTTP request URL in order to reach the vulnerable code. This thesis therefore studies an anomaly detection algorithm that uses request URL parameters as its features and implements it in the proposed web application intrusion detection system. Finally, we run experiments to evaluate the system; the results show that it effectively detects the most critical web application attacks in use today.
In recent years, as a result of the rapid development of the World Wide Web and CGI programs, web applications have advanced greatly, and all kinds of web services have been built on them, such as online shopping, web albums, blogs and so on. However, attacks aimed at web applications have become more and more frequent. According to a Gartner Group survey, almost 75% of Internet attack incidents are related to web applications, which shows that web applications have become the primary targets of attackers. Because websites are open to public access and everyone connects to them through port 80, traditional security equipment such as firewalls cannot work effectively, and general-purpose IDS are unable to analyze application-layer information. Furthermore, because of the diversity of websites and web applications, attackers devise a wide variety of techniques, so a signature-based IDS cannot detect web application attacks effectively even if its signatures are updated incessantly.
  For these reasons, we develop a web application intrusion detection system (WAIDS) architecture to protect a specific website. According to the OWASP Top Ten Project, the most critical web application vulnerabilities are XSS and injection flaws. Attacks of these kinds inject malicious strings into the web application through the attributes (parameters) of HTTP requests in order to exploit its vulnerabilities. In this thesis we therefore study a number of anomaly detection algorithms that consider different features of the attributes in an HTTP request, and implement them in the proposed WAIDS architecture. Finally, we run experiments to verify that the proposed system detects the most critical attacks effectively.
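The per-parameter anomaly detection the abstract describes, as an added example that is not the thesis's code: a model of normal values is learned for each (path, parameter) pair of one application from attack-free traffic, and a request is flagged when a parameter's value deviates from that model. The feature set (value length with a Chebyshev bound, non-alphanumeric characters never seen in training, and an enumeration check for parameters with few distinct values, in the style of Kruegel and Vigna's reference [10]), the thresholds, and the phpBB-like training log are all assumptions chosen for the illustration, not the thesis's algorithm or data.

```python
"""Added example: per-parameter anomaly detection over HTTP request URLs.
Assumption: training traffic is attack-free and covers the normal parameters."""
from urllib.parse import parse_qsl, urlsplit

# Constructed training log of one hypothetical forum application; a real
# deployment would read this from the web server's access log.
TRAINING_URLS = [
    "/viewtopic.php?t=12&start=0",
    "/viewtopic.php?t=3401&start=15",
    "/viewtopic.php?t=77&start=30",
    "/viewtopic.php?t=980&start=0",
    "/viewtopic.php?t=5&start=45",
    "/viewtopic.php?t=12034&start=60",
    "/search.php?keywords=security+thesis&sort=t",
    "/search.php?keywords=intrusion+detection&sort=a",
    "/search.php?keywords=web+ids&sort=t",
    "/search.php?keywords=anomaly&sort=t",
    "/search.php?keywords=xss+filter&sort=a",
    "/search.php?keywords=owasp+top+ten&sort=t",
]

LENGTH_P_THRESHOLD = 0.1  # assumed: Chebyshev probability below this is anomalous
ENUM_MAX_DISTINCT = 0.5   # assumed: <= 50% distinct values => parameter is an enumeration


def split_request(url):
    """Return (path, [(name, decoded value), ...]); parse_qsl percent-decodes once."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


class ParamModel:
    """Normal-value statistics of one (path, parameter) pair."""

    def __init__(self):
        self.lengths = []
        self.values = []
        self.charset = set()  # non-alphanumeric characters seen in normal values

    def train(self, value):
        self.lengths.append(len(value))
        self.values.append(value)
        self.charset.update(c for c in value if not c.isalnum())

    def _length_anomalous(self, value):
        n = len(self.lengths)
        mean = sum(self.lengths) / n
        var = sum((l - mean) ** 2 for l in self.lengths) / n
        if len(value) <= mean:
            return False          # only unusually long values are suspicious
        if var == 0:
            return True           # training never varied; any longer value is new
        # Chebyshev: P(|L - mean| >= d) <= var / d^2, an upper bound on how
        # likely a normal value is to be this far above the mean.
        return var / (len(value) - mean) ** 2 < LENGTH_P_THRESHOLD

    def _charset_anomalous(self, value):
        return any(not c.isalnum() and c not in self.charset for c in value)

    def _enum_anomalous(self, value):
        is_enum = len(set(self.values)) / len(self.values) <= ENUM_MAX_DISTINCT
        return is_enum and value not in self.values

    def reasons(self, value):
        """Names of the models that consider this value anomalous (empty = normal)."""
        checks = [("length", self._length_anomalous),
                  ("charset", self._charset_anomalous),
                  ("enum", self._enum_anomalous)]
        return [name for name, check in checks if check(value)]


class WebAnomalyDetector:
    def __init__(self):
        self.models = {}

    def train(self, urls):
        for url in urls:
            path, params = split_request(url)
            for name, value in params:
                self.models.setdefault((path, name), ParamModel()).train(value)

    def analyze(self, url):
        """Return {parameter: [reasons]} for anomalous parameters; {} means normal."""
        path, params = split_request(url)
        findings = {}
        for name, value in params:
            model = self.models.get((path, name))
            reasons = ["unknown parameter"] if model is None else model.reasons(value)
            if reasons:
                findings[name] = reasons
        return findings


if __name__ == "__main__":
    det = WebAnomalyDetector()
    det.train(TRAINING_URLS)
    for url in ["/viewtopic.php?t=4400&start=15",
                "/viewtopic.php?t=12%27+OR+%271%27%3D%271&start=0",
                "/search.php?keywords=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&sort=t",
                "/search.php?keywords=web+ids&sort=DESC"]:
        print(url, "->", det.analyze(url) or "normal")
```

The SQL injection and XSS payloads are caught by two independent models each (length and charset), while the unseen `sort=DESC` value is caught by the enumeration model, which is the point of combining several per-parameter features: no single model has to be right. Two practical caveats apply to any such detector: the training set must be clean (an attack in the log becomes "normal"), and decoding must match what the application does, since a payload the application decodes a second time would look harmless here after a single `parse_qsl` pass.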
[1]	D. Balzarotti, M. Cova, V. Felmetsger and G. Vigna, “Multi-Module Vulnerability Analysis of Web-based Applications,” Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), 2007, pp. 25-35.
[2]	H. B. Chen, “Identifying Critical Web Application Attacks Using Risk Assessment Based on Fuzzy Algorithm,” Institute of Computer and Communication Engineering, National Cheng Kung University, Tainan, Taiwan, R.O.C., Thesis for Master of Science, July 2008.
[3]	M. Cova, D. Balzarotti, V. Felmetsger and G. Vigna, “Swaddler: An approach for the anomaly-based detection of state violations in web applications,” Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), 2007, pp. 63-86.
[4]	J. M. Estévez-Tapiador, P. García-Teodoro and J. E. Díaz-Verdejo, “Detection of web-based attacks through Markovian protocol parsing,” Proceedings of the 10th IEEE Symposium on Computers and Communications (ISCC), 2005, pp. 457-462.
[5]	J. M. Estévez-Tapiador, P. García-Teodoro and J. E. Díaz-Verdejo, “Measuring normality in HTTP traffic for anomaly-based intrusion detection,” Elsevier Computer Networks, Vol. 45, Issue 2, 2004, pp. 175-193.
[6]	R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach and T. Berners-Lee, “Hypertext Transfer Protocol -- HTTP/1.1,” RFC 2616, 1999. [Online]. Available: http://www.w3.org/Protocols/rfc2616/rfc2616.html
[7]	R. Heady, G. Luger, A. Maccabe and M. Servilla, “The architecture of a network level intrusion detection system,” Technical Report CS90-20, Department of Computer Science, University of New Mexico, Aug. 1990.
[8]	Y. W. Huang, F. Yu, C. Hang, C. H. Tsai, D. T. Lee and S. Y. Kuo, “Securing web application code by static analysis and runtime protection,” Proceedings of the 13th International Conference on World Wide Web (WWW), 2004, pp. 40-52.
[9]	K. Ingham, A. Somayaji, S. Forrest and J. Burge, “Learning DFA representations of HTTP for protecting web applications,” Elsevier Computer Networks, Vol. 51, Issue 5, 2007, pp. 1239-1255.
[10]	C. Kruegel and G. Vigna, “Anomaly detection of web-based attacks,” Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), 2003, pp. 251-261.
[11]	C. Kruegel, G. Vigna and W. Robertson, “A multi-model approach to the detection of web-based attacks,” Elsevier Computer Networks, Vol. 48, Issue 5, 2005, pp. 717-738.
[12]	S. Kals, E. Kirda, C. Kruegel and N. Jovanovic, “SecuBat: a web vulnerability scanner,” Proceedings of the 15th International Conference on World Wide Web (WWW), 2006, pp. 247-256.
[13]	B. Livshits and M. Lam, “Finding security vulnerabilities in Java applications with static analysis,” Proceedings of the 14th USENIX Security Symposium, 2005, pp. 271-286.
[14]	M. Mahoney and P. Chan, “Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks,” Proceedings of the 8th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2002, pp. 376-385.
[15]	B. Mukherjee, L. T. Heberlein and K. N. Levitt, “Network intrusion detection,” IEEE Network, Vol. 8, No. 3, 1994, pp. 26-41.
[16]	A. Patcha and J. M. Park, “An overview of anomaly detection techniques: existing solutions and latest technological trends,” Elsevier Computer Networks, Vol. 51, Issue 12, 2007, pp. 3448-3470.
[17]	W. Robertson, G. Vigna, C. Kruegel and R. A. Kemmerer, “Using generalization and characterization techniques in the anomaly-based detection of web attacks,” Proceedings of the Network and Distributed System Security Symposium (NDSS), 2006.
[18]	G. I. Saktion, “A Design and Implementation of Web Application IDS based on Client-Server Response Correlation,” Institute of Computer and Communication Engineering, National Cheng Kung University, Tainan, Taiwan, R.O.C., Thesis for Master of Science, July 2008.
[19]	D. Scott and R. Sharp, “Abstracting Application-Level Web Security,” Proceedings of the 11th International World Wide Web Conference (WWW), 2002, pp. 396-407.
[20]	G. Vigna and R. A. Kemmerer, “NetSTAT: a network-based intrusion detection approach,” Proceedings of the 14th Annual Computer Security Applications Conference (ACSAC), 1998, pp. 25-34.
[21]	G. Vigna, W. Robertson, V. Kher and R. A. Kemmerer, “A Stateful Intrusion Detection System for World-Wide Web Servers,” Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC), 2003, pp. 34-43.
[22]	K. Wang and S. J. Stolfo, “Anomalous payload-based network intrusion detection,” Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID), 2004, pp. 203-222.
[23]	Acunetix Web Vulnerability Scanner, http://www.acunetix.com
[24]	Bro, http://bro-ids.org
[25]	Chaosreader, http://www.brendangregg.com/chaosreader.html
[26]	Gartner Group, http://www.gartner.com
[27]	N-Stalker, http://www.nstalker.com
[28]	Nikto, http://www.cirt.net/code/nikto.shtml
[29]	Open Web Application Security Project (OWASP), “OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities, 2007 Update,” 2007. [Online]. Available: http://www.owasp.org/images/e/e8/OWASP_Top_10_2007.pdf
[30]	Paros Proxy, http://www.parosproxy.org
[31]	phpBB, http://www.phpbb.com/
[32]	SitePoint, http://www.sitepoint.com
[33]	Snort, http://www.snort.org
[34]	Web Application Security Statistics Project, http://www.webappsec.org/projects/statistics
[35]	Web Application Security Consortium (WASC), “Web Application Security Consortium: Threat Classification,” [Online]. Available: http://www.webappsec.org/projects/threat/v1/WASC-TC-v1_0