Abstract:
Web applications are popular attack targets. Misuse detection systems use signature databases to detect known attacks. However, it is difficult to keep the database up to date with the rate of discovery of vulnerabilities. They also cannot detect zero-day attacks. By contrast, anomaly detection systems learn the normal behavior of the system and monitor its activity to detect any deviations from the normal. Any such deviations are flagged as anomalous. This thesis presents an anomaly
detection system for web-based applications. The anomaly detection system monitors the attribute value pairs of successful HTTP requests received by webserver applications and automatically creates parameter profiles. It then uses these profiles to detect anomalies in the HTTP requests. Customized profiles help reduce the number of false positives. Automatic learning ensures that the system can be used with different kinds of web application environments, without the necessity for manual configuration. The results of the detection are also visualized, which enable the system administrator to quickly understand the state of the system and respond accordingly.
