
Graduate student: 王俊煒
Indrawan, Guntur
Thesis title: 以建立使用者與伺服器回應之關聯性為基礎的網站入侵偵測系統之設計與實作
A Design and Implementation of Web Application IDS Based on Client-Server Response Correlation
Advisor: 賴溪松
Laih, Chi-Sung
Degree: Master
Department: College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering (電機資訊學院 - 電腦與通信工程研究所)
Year of publication: 2008
Academic year of graduation: 96 (ROC calendar; the 2007-2008 academic year)
Language: English
Pages: 92
Keywords (Chinese, translated): anomaly detection, user's request, misuse detection, intrusion detection system, web application, client-server response correlation
Keywords (English): intrusion detection system, misuse detection, web application, user's request, anomaly detection, client-server response correlation
  • The rapid growth of the Internet has made our lives richer and more convenient. The rapid development of web applications likewise brings convenience to daily life, for example in the entertainment, education, financial and medical sectors. As the use of web services expands, the number of attack programs grows with it, and the weaknesses of web applications have become the targets on which attackers concentrate. To detect such attacks, intrusion detection systems apply signature-matching methods that recognize known attacks. Because web attacks change from day to day, site administrators must continually update the attack signatures or rules. Unfortunately this is difficult in practice, so intrusion detection systems cannot effectively detect and defend against new attacks. Moreover, web application security differs from general network security in that most of the problems stem from mistakes made while writing the program, which makes defense harder still. To overcome the shortcomings of traditional intrusion detection systems, that is, of misuse detection, anomaly detection learns the system's normal behaviour and can therefore quickly discover new attack behaviour.
    Our research concentrates on using the web intrusion detection system we developed to detect attacks on web applications. Previous researchers have focused their detection analysis on information in the user's request, such as request headers and the parameters supplied through the Uniform Resource Locator (URL). No earlier work on intrusion detection systems and methods has analysed and examined the parameters of the server's response. In this thesis we propose an anomaly detection method based on the correlation between the user's request and the server's response. Ideally, a particular request yields a specific, predictable response; if it does not, there must be an anomaly in the input or the output. Furthermore, if the server's responses become less stable than usual, we can take this as a preliminary sign that the server is under attack, and so we can use this anomalous response information to detect whether the system has been compromised. We evaluate the detection performance of the system by computing its false-positive rate and detection rate, and the experimental results show that the proposed method effectively detects attacks on web applications.

    The Internet has grown rapidly and offers ever more capabilities in every aspect of our lives. Web applications have become very popular and are widely developed to provide services such as entertainment, education, finance and medicine. As the use of web services has increased, the number of attacks that exploit them has grown as well, and web applications now represent highly vulnerable attack avenues. To detect web-based attacks, intrusion detection systems (IDSs) are configured with a set of signatures that recognize known attacks. Unfortunately, a large number of new vulnerabilities are discovered daily, which makes it hard for system managers to keep the signatures updated, so many novel attacks go undetected. In addition, web application security differs from traditional system security because the problems mostly stem from programming bugs. To overcome this drawback of misuse detection systems, anomaly detection systems learn the normal behaviour of the system so that new attacks can be discovered immediately.
    We concentrate our research on detecting web-based attacks with our system, named the Web Application Intrusion Detection System (WAIDS). Previous research has based its detection methodology on analysing the user's request information, such as request headers and the input parameters passed through the Uniform Resource Locator (URL). No prior research has proposed an intrusion detection methodology based on analysing the parameters of the server response. In this thesis we propose an anomaly-based detection technique built on client-server response correlation parameters. Ideally, a user obtains the expected response to a specific request; otherwise, something irregular must be present in the input or the output. Moreover, if the server's response behaves abnormally compared with usual, this can indicate an attack. We take advantage of this: our system detects the imbalance in the web server's behaviour from its response information. We evaluate our approach by computing the false positive rate and the detection rate of the system, and obtain satisfactory results.

    Abstract (Chinese) i
    Abstract iii
    Acknowledgement v
    Contents vi
    List of Tables viii
    List of Figures ix
    Chapter 1 Introduction 1
    1.1 Internet Is Not Safe 1
    1.2 Motivation 3
    1.3 Contribution 4
    1.4 Thesis Organization 5
    Chapter 2 Background Knowledge 6
    2.1 Intrusion Detection System 6
    2.2 Hypertext Transfer Protocol 7
    2.2.1 Request Message Format 7
    2.2.2 Response Message Format 10
    2.3 Web Application 13
    2.4 Web Application Attack 15
    2.5 Related Works of Web-based Intrusion Detection System 18
    Chapter 3 Customized Web Application Intrusion Detection System 23
    3.1 Features of Our WAIDS 23
    3.2 WAIDS Design Architecture 25
    3.3 WAIDS Allocation 28
    Chapter 4 System Design and Procedure 31
    4.1 System Architecture 31
    4.2 Data Information 32
    4.3 Data Preprocessing Phase 33
    4.4 Detection Methodology 34
    4.5 Server Response Time Duration 37
    4.5.1 Learning Phase 39
    4.5.2 Detection Phase 40
    4.6 Response Frequency 44
    4.6.1 Learning Phase 44
    4.6.2 Detection Phase 45
    4.7 Error Code Appearance 46
    4.7.1 Learning Phase 47
    4.7.2 Detection Phase 48
    Chapter 5 System Implementation 50
    5.1 Data Preprocessing 51
    5.1.1 Web Data Set 51
    5.1.2 File Parser 53
    5.2 Server Response Time Duration 55
    5.2.1 Learning Phase 55
    5.2.2 Detection Phase 57
    5.2.3 Results Analysis 60
    5.3 Response Frequency 63
    5.3.1 Learning Phase 63
    5.3.2 Detection Phase 65
    5.3.3 Results Analysis 68
    5.4 Error Code Appearance 69
    5.4.1 Learning Phase 70
    5.4.2 Detection Phase 71
    5.4.3 Results Analysis 73
    Chapter 6 Discussion 76
    6.1 The Best Split Ratio of Learning and Testing Data 76
    6.2 The Independency of Each Feature 78
    6.3 Web Application Attacks Detection Analysis 80
    Chapter 7 Conclusions and Future Work 83
    References 86
    Vita 92
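    The abstract argues for detecting attacks from the server's side of the exchange, and the contents above name the three response features the thesis models, each with a learning and a detection phase: server response time duration, response frequency, and error code appearance. The Python script below is an added illustration of that idea and is not the thesis's WAIDS code: it learns a per-URL baseline for the three features from constructed (url, status, duration_ms) log triples and flags a later window whose responses drift from that baseline. The record format, the thresholds, the assumption that the detection window covers the same span of time as the training data, and the sample traffic are all assumptions made for this example.

```python
"""Toy response-side anomaly detector in the spirit of WAIDS (added example).

Everything here is constructed for illustration: the record format,
thresholds, sample traffic and scoring are assumptions, not the thesis's
own implementation.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds for this example.
Z_MAX = 3.0          # response-time z-score beyond which timing is abnormal
BURST_RATIO = 3.0    # window count / learned count beyond which a URL "bursts"
ERR_JUMP = 0.5       # rise in the share of >=400 statuses that is abnormal
MIN_SAMPLES = 3      # below this many training hits, timing has no usable variance
EPS = 1e-6           # guards the division for URLs with constant timing

# Constructed "clean" training traffic: (url, status, duration_ms).
TRAIN = (
    [("/index.php", 200, d) for d in (40, 45, 50, 42, 48, 55, 47, 44)]
    + [("/login.php", 200, d) for d in (120, 130, 125, 140, 118, 135)]
    + [("/login.php", 401, d) for d in (110, 115)]   # occasional wrong password
    + [("/profile.php", 200, d) for d in (80, 85, 90, 78)]
    + [("/missing.gif", 404, 5)]                      # one stale link
)

# Constructed attack window: slow, failing login probes (e.g. injection
# payloads hitting the database), a scraping burst, and path enumeration.
ATTACK = (
    [("/login.php", 500, d) for d in (900, 1100, 950, 1200, 1000)]
    + [("/index.php", 200, d) for d in (45, 50, 47)]      # background normal traffic
    + [("/profile.php", 200, 82) for _ in range(20)]
    + [("/backup%d.zip" % i, 404, 4) for i in range(20)]
)


def _group(records):
    by_url = defaultdict(list)
    for url, status, ms in records:
        by_url[url].append((status, ms))
    return by_url


def train(records):
    """Learning phase: per-URL baseline for timing, frequency and error share."""
    model = {}
    for url, obs in _group(records).items():
        durations = [ms for _, ms in obs]
        model[url] = {
            "count": len(obs),
            "mean_ms": mean(durations),
            "std_ms": pstdev(durations),
            "err_share": sum(1 for s, _ in obs if s >= 400) / len(obs),
        }
    return model


def detect(model, window):
    """Detection phase: compare one window of triples with the baseline.

    Assumes the window spans the same length of time as the training data,
    so raw counts are comparable. Returns {url: [reasons]}; an empty dict
    means nothing in the server's responses looked abnormal.
    """
    alerts = {}
    for url, obs in _group(window).items():
        base = model.get(url)
        if base is None:
            # A path the server never served during learning: typical of a
            # scanner enumerating files, which shows up as a run of 404s.
            alerts[url] = ["unseen_path"]
            continue
        reasons = []
        durations = [ms for _, ms in obs]
        if base["count"] >= MIN_SAMPLES:
            z = abs(mean(durations) - base["mean_ms"]) / max(base["std_ms"], EPS)
            if z > Z_MAX:
                reasons.append("timing_shift")   # slower or faster than learned
        if len(obs) / base["count"] > BURST_RATIO:
            reasons.append("burst")
        err_share = sum(1 for s, _ in obs if s >= 400) / len(obs)
        if err_share - base["err_share"] > ERR_JUMP:
            reasons.append("error_rate")
        if reasons:
            alerts[url] = reasons
    return alerts


if __name__ == "__main__":
    baseline = train(TRAIN)
    print("clean window:", detect(baseline, TRAIN))
    print("attack window:", detect(baseline, ATTACK))
```

    Two caveats a deployer would want, both visible in the code: the baseline is only as good as the training traffic (an attack present during learning becomes "normal"), and a path seen only once or twice in training has no usable variance, so the timing test is skipped below MIN_SAMPLES instead of alerting on every later hit. Replaying the clean training set through detect() is a cheap sanity check that the thresholds do not alert on the data they were learned from.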


    Released to the public: 2009-07-18