| Graduate student: | 陳弘彬 Chen, Hong-Bin |
|---|---|
| Thesis title: | 基於模糊理論演算法對網頁應用程式攻擊作風險評估 (Identifying Critical Web Application Attack Using Risk Assessment Based on Fuzzy Algorithm) |
| Advisor: | 賴溪松 Laih, Chi-Sung |
| Degree: | Master |
| Department: | 電機資訊學院 - 電腦與通信工程研究所 (College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering) |
| Year published: | 2008 |
| Academic year of graduation: | 96 (ROC calendar) |
| Language: | English |
| Pages: | 82 |
| Chinese keywords: | 網頁應用程式攻擊 (web application attack), 風險評估 (risk assessment), 模糊理論 (fuzzy theory) |
| English keywords: | Risk Assessment, Fuzzy Theory, Web Application Attack |
| Usage: | Views: 110, Downloads: 4 |
Abstract (translated from the Chinese):

As Web 2.0 technologies have become widespread, today's websites have grown far more varied in content and place much greater emphasis on interaction with, participation by and sharing among their users. The platforms and services that websites provide are gradually replacing traditional business models; electronic media, online stores and e-government, for example, all operate differently from their traditional counterparts. People will therefore depend more and more on websites, and because websites generate enormous value, they are highly attractive targets for attackers.

A traditional network-based intrusion detection system cannot effectively detect new kinds of attack by matching them against its existing signature database, so as attack techniques keep changing, such a system can only keep updating its attack signatures. Web Application Intrusion Detection Systems were developed to address this problem. Although a web application IDS can detect web application attack types, it cannot rank the detected attacks by danger level, yet such a ranking is very important to the site administrator for defending against the same types of attack in the future.

In this thesis we add the concept of risk assessment to a web application intrusion detection system. We design and implement a system that grades the danger of each detected attack event so that the site administrator can handle the most serious events first. We first examine the risk factors associated with an attack event, such as the web application attack type and the web application function involved, and then feed these factors into a fuzzy algorithm to evaluate the event's risk level. Finally, we study risk assessment on two websites of different kinds, a BBS (phpBB) and an e-commerce site (Zen Cart). The experimental results show that our method helps a web application IDS distinguish the degree of danger of the detected attack events, according to risk levels configured for the nature of each website, so that the site administrator can analyse the assessment results appropriately.
The growth and popularity of Web 2.0 techniques have made web-based applications more interesting and interactive, and have turned traditional services into e-services such as e-news, e-commerce and e-government. In the future, people's lifestyles will depend even more heavily on these interactive websites, which is why many attackers are drawn to compromise them for illicit gain. The security of web applications is therefore a serious problem for system administrators.
Network-based Intrusion Detection Systems (NIDS), traditionally configured with a large number of signatures, are not effective at detecting web application attacks because they cannot detect attacks for which they have no signature. Moreover, the diversity of attack input strings and the steady stream of new vulnerabilities make it very hard for system administrators to keep signatures up to date. An anomaly-based Web Application IDS can therefore address the drawbacks of traditional NIDS.
A Web Application IDS can detect web application attacks but does not assign a severity level to them. That information, however, can be essential for an administrator who must judge how serious an attack is and prioritize remediation to prevent similar attacks in the future.
For this reason we apply the concept of risk assessment, designing and implementing a system that supports Web Application IDSs in identifying critical web application attacks, so that administrators can respond to attacks according to their severity level. The risk factors associated with an attack event, namely the attack type and the functionality of the web application component involved, are fed as inputs to a fuzzy algorithm that determines the severity.
Finally, we evaluate and verify our system on two kinds of website. The evaluation shows that the system identifies critical web application attacks, and that the severity levels inside the fuzzy algorithm can be customized to the requirements of different environments. Administrators can thus analyze the results and respond appropriately to these attack events.
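The abstract describes feeding two risk factors, the attack type and the web function attacked, into a fuzzy algorithm that returns a severity level which can be tuned per site. The following Python program is an added illustration of that idea, written for this page; it is not the thesis's implementation, and the attack scores, site profiles, membership functions and rule base in it are constructed assumptions. It uses Mamdani-style inference (min for rule firing, max for aggregation, centroid defuzzification) and shows how the same SQL injection alert rates "critical" against an e-commerce checkout function but only "medium" against a BBS search function.

```python
"""Fuzzy (Mamdani-style) risk rating for Web Application IDS alerts.

Added illustration, not the thesis's code. Two risk factors, the severity of
the attack type and the criticality of the web function hit, are fuzzified,
combined through a small rule base and defuzzified to a 0..10 risk score and
a label. All scores, term shapes and rules below are constructed assumptions.
"""


def trap(x, a, b, c, d):
    """Trapezoidal membership: 0 outside [a, d], 1 on [b, c], linear ramps between.
    a == b or c == d gives a shoulder (left- or right-open) term."""
    if x < a or x > d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


# Linguistic terms on a 0..10 scale for both inputs (assumed shapes).
INPUT_TERMS = {
    "low": (0, 0, 2, 5),
    "medium": (2, 5, 5, 8),
    "high": (5, 8, 10, 10),
}
# Output terms for the risk level (assumed shapes).
OUTPUT_TERMS = {
    "low": (0, 0, 1.5, 3.5),
    "medium": (1.5, 3.5, 4.5, 6.5),
    "high": (4.5, 6.5, 7.5, 9),
    "critical": (7.5, 9, 10, 10),
}

# Rule base: (attack severity term, function criticality term) -> risk term.
RULES = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "critical",
}

# Constructed per-attack severities and per-site function criticalities.
# A real deployment would derive these from the site's own risk analysis.
ATTACK_SEVERITY = {"sql_injection": 9, "xss": 7, "path_traversal": 6, "info_disclosure": 3}
SITE_PROFILES = {
    "bbs": {"login": 7, "post_message": 5, "search": 3},
    "ecommerce": {"login": 8, "checkout": 9, "search": 3},
}


def fuzzify(x, terms):
    """Membership degree of x in every term."""
    return {name: trap(x, *shape) for name, shape in terms.items()}


def infer(attack_score, function_score):
    """Mamdani inference: each rule fires with min(antecedents) and caps its
    output term; outputs are aggregated by max and defuzzified by centroid."""
    mu_a = fuzzify(attack_score, INPUT_TERMS)
    mu_f = fuzzify(function_score, INPUT_TERMS)
    strength = {term: 0.0 for term in OUTPUT_TERMS}
    for (ta, tf), out in RULES.items():
        strength[out] = max(strength[out], min(mu_a[ta], mu_f[tf]))

    # Discretised centroid of the aggregated output set over 0..10.
    num = den = 0.0
    for i in range(1001):
        x = i / 100
        mu = max(min(strength[t], trap(x, *OUTPUT_TERMS[t])) for t in OUTPUT_TERMS)
        num += x * mu
        den += mu
    return num / den if den else 0.0


def label(score):
    """Output term in which the defuzzified score has the highest membership."""
    return max(OUTPUT_TERMS, key=lambda t: trap(score, *OUTPUT_TERMS[t]))


def rate_alert(attack, function, site):
    """(risk score, label) for one detected attack against one web function,
    using the criticality profile of the given site type."""
    score = infer(ATTACK_SEVERITY[attack], SITE_PROFILES[site][function])
    return round(score, 2), label(score)


if __name__ == "__main__":
    for site, function in (("ecommerce", "checkout"), ("bbs", "search")):
        print(site, function, rate_alert("sql_injection", function, site))
```

Swapping the site profile is the "customize severity levels per environment" step: the rule base and term shapes stay fixed, and only the function criticality table changes, so an identical detection is prioritized differently on the two sites.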