Profile-based Web Application Security System

Uploaded Nov 2, 2013

2006 2nd Joint Workshop between Security Research Labs in JAPAN and KOREA

Profile-based Web Application Security System

2006-2-20

Kyungtae Kim
High Performance Computing Lab at Postech


Contents

- Introduction
- Related Works
  - Application-Level Web Security Policies
  - Anomaly Detection of Web-based Attacks
- Problem Definition
- Proposed Idea
  - Dynamic Model Organization
  - Detection Models
  - Applying Methods
- Conclusion & Future Works


Introduction

- Application-level web attack
  - Uses vulnerabilities in the code of a web application.
  - Can't be covered by traditional network-level methods, which do not understand the application's input semantics.
- Unvalidated input: the most critical vulnerability
  - Cross Site Scripting (XSS): the attacker uses a trusted application/company to reflect malicious code to the end user.
  - Buffer Overflows: the attacker attempts to store more data in a buffer than there is memory allocated for it.
  - Injection Attacks: the attacker relays malicious code in form variables or the URL.


Related Works (1/3)

[1] Policy-based Web Application Firewall *

(Figure: the system specifies the policy, translates the SPDL (Security Policy Description Language) into server-side code, filters the HTTP messages between the web server and the client, and automates policy creation (not fully automated).)

- Policy: defining validation rules (length, type, etc.)

* David Scott and Richard Sharp, "Specifying and Enforcing Application-Level Web Security Policies", IEEE, 2003


Related Works (2/3)

[2] Multi-model Approach (1/2) *

- Anomaly detection method
  - Profile-based
  - Uses positive models (models of normal behavior)
- Operation of positive models
  - Training phase: determining the characteristics of normal events
  - Detection phase: assessing the anomaly of an event and reporting anomalous events

* Christopher Kruegel, Giovanni Vigna, "A multi-model approach to the detection of web-based attacks", 2005


Related Works (3/3)

[2] Multi-model Approach (2/2)

- Multi-model
  - Widens the coverage of detection
  - Prevents an attacker from evading detection by shaping input to satisfy one specific model
- Detection models
  - Attribute Length
  - Attribute Character Distribution
  - Structural Inference
  - Token Finder
  - Attribute Presence or Absence
  - Attribute Order
- Anomaly score (for each attribute)
  - Derived from the probability values returned by the models


Problem Definition

- Shortcomings of related works
  - [1] Policy-based
    - Not an automated method
    - Too simple a policy
  - [2] Multi-model approach
    - Applies all models to all attributes
      - Low speed
      - Ignores each attribute's characteristics
- Problem definition
  - Proposing a new application-level web security system that uses an automated method and operates in real time.



Proposed Idea (1/8): System Overview

(Figure: User -> Application-level firewall at the server's gateway (filtering GET and POST requests) -> Web Server -> Web Application -> DB)

- Method: profile-based anomaly detection
- Target: application-level web attacks (especially input manipulation)
- Goal: high speed, low false positive rate
- Operation: application-level firewall on the server's gateway


Proposed Idea (2/8): Dynamic Model Organization - Necessity

- Each attribute has its own characteristics.
- Some models can disturb the division between normal and abnormal values of a specific attribute.
  - ex> A user ID has a dynamic character distribution, so some normal values are misjudged as anomalous ('aaaa' vs '<script>').
- On most attributes, a small set of models is what matters for detection.
- Deciding the set of models in advance makes detection faster.


Proposed Idea (3/8): Dynamic Model Organization - Method

- Training phase
  - Making statistics of each attribute of each URL
  - Determining model sets based on the statistics
- Detection phase
  - Finding the statistics and model set for the URL, and applying those models

Example statistics (profile) and model sets:

URL    attribute    len μ    len σ    model set
URL1   attribute1   12.2     4.3      Length, Character Composition
URL1   attribute2   6        0        Value Range
URL1   attribute3   5        2.1      Length, Token Finder
URL2   attribute1   21.3     6.2      Length, Character Distribution
URL2   attribute2   32.1     11.6     Length, Character Composition, Structural Inference

Target URL: URL1?attribute1=value1&attribute2=value2&…
  attribute1 -> applying the length and character composition models
  attribute2 -> applying the value range model


Proposed Idea (4/8): Detection Models (1/2)

- Length (similar to [2])
- Character Distribution (similar to [2])
- Structural Inference (similar to [2])
- Token Finder (similar to [2])
- Character Composition
- Value Range


Proposed Idea (5/8): Detection Models (2/2)

- Character Composition
  - Training phase
    - Measuring the normal frequency of each character set
    - Deciding the expected type of each attribute
  - Detection phase
    - Calculating the probability of deviation from the normal frequency
    - Using the chi-square (χ²) test
- Value Range
  - Applied when the expected type is integer
  - Checking the attribute's range of values

Character sets used by the Character Composition model:

Part(0)   Number              0~9
Part(1)   Alphabet            A~Z a~z
Part(2)   Special Character   < > . / ; …
Part(3)   Unprintable
Part(4)   Others
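The two models of this slide, Character Composition and Value Range, as an added example (not the workshop's own code). It assumes the five character sets above, a chi-square test with 4 degrees of freedom (5 sets minus 1, whose survival function has a closed form), epsilon-smoothed expected frequencies so that a set never seen in training still has a non-zero expectation, "integer" as the expected type only when every training value is all digits, and constructed training values for a user-ID attribute and a numeric item-ID attribute. The anomaly score multiplies the model probabilities as the later "Applying Methods" slides describe.

```python
import math
import string

# The slide's five character sets, Part(0)..Part(4).
CLASSES = ("number", "alphabet", "special", "unprintable", "others")


def char_class(ch):
    """Map one character to the slide's Part(0)..Part(4) sets."""
    if ch in string.digits:
        return "number"
    if ch in string.ascii_letters:
        return "alphabet"
    if not ch.isprintable():
        return "unprintable"      # control characters such as \x00 or \n
    if ch in string.punctuation:
        return "special"          # the slide lists < > . / ; as examples
    return "others"               # space, non-ASCII letters, ...


def class_counts(value):
    counts = dict.fromkeys(CLASSES, 0)
    for ch in value:
        counts[char_class(ch)] += 1
    return counts


def chi2_sf_df4(x):
    """Survival function of chi-square with 4 degrees of freedom (5 sets - 1);
    the closed form exp(-x/2) * (1 + x/2) holds for even degrees of freedom."""
    return math.exp(-x / 2.0) * (1.0 + x / 2.0)


def train(values, eps=1e-3):
    """Training phase: normal frequency of each character set and the expected
    type of the attribute (integer if every training value is digits only)."""
    total = dict.fromkeys(CLASSES, 0)
    for v in values:
        for c, n in class_counts(v).items():
            total[c] += n
    n_chars = sum(total.values()) or 1
    # eps-smoothing (assumption): a set never seen in training keeps a tiny
    # expected share, so a single such character is heavily penalised
    # without a division by zero in the chi-square statistic.
    freq = {c: max(total[c] / n_chars, eps) for c in CLASSES}
    z = sum(freq.values())
    profile = {"freq": {c: freq[c] / z for c in CLASSES}, "type": "string"}
    if values and all(v.isdigit() for v in values):
        ints = [int(v) for v in values]
        profile.update(type="integer", range=(min(ints), max(ints)))
    return profile


def p_composition(profile, value):
    """Detection phase: probability that the value's character composition is
    normal, from a chi-square test against the trained set frequencies."""
    n = len(value)
    if n == 0:
        return 1.0
    obs = class_counts(value)
    stat = sum((obs[c] - n * profile["freq"][c]) ** 2 / (n * profile["freq"][c])
               for c in CLASSES)
    return chi2_sf_df4(stat)


def p_value_range(profile, value):
    """Value Range model: applied only when the expected type is integer."""
    if profile["type"] != "integer":
        return 1.0
    if not value.isdigit():
        return 0.0
    lo, hi = profile["range"]
    return 1.0 if lo <= int(value) <= hi else 0.0


def anomaly_score(profile, value):
    """Score = product of the model probabilities (1.0 normal, 0.0 anomalous)."""
    return p_composition(profile, value) * p_value_range(profile, value)


# Constructed training values (assumption): a user-ID and a numeric item-ID attribute.
USER_ID = train(["alice", "bob", "carol", "dave", "erin"])
ITEM_ID = train(["100", "250", "175", "300"])

if __name__ == "__main__":
    for prof, v in [(USER_ID, "aaaa"), (USER_ID, "<script>"),
                    (ITEM_ID, "200"), (ITEM_ID, "99999"), (ITEM_ID, "1 OR 1=1")]:
        print(f"{v!r:12} composition={p_composition(prof, v):.4f} "
              f"range={p_value_range(prof, v):.1f} score={anomaly_score(prof, v):.4f}")
```

On the alphabet-only user-ID profile, 'aaaa' scores close to 1 while '<script>' scores essentially 0, which is the separation the previous slide's example asks for; on the item-ID profile an out-of-range "99999" is rejected by the Value Range model even though its composition is normal.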


Proposed Idea (6/8): Applying Methods (1/3)

- Length
  - Enabled for all string attributes.
- Token Finder
  - Enabled when the attribute is composed of a small set of tokens.
- Character Composition
  - Disabled when the token finder model is enabled, or when there are too many special and unprintable characters.


Proposed Idea (7/8): Applying Methods (2/3)

- Value Range
  - Enabled when the expected type is number.
- Character Distribution
  - Enabled when the token finder model is disabled, the attribute allows special characters, and the mean length is larger than a threshold.
- Structural Inference
  - Enabled when the number of states is less than a threshold.
  - Enabled when the length is dynamic, the token finder model is disabled, and the attribute allows special characters.


Proposed Idea (8/8): Applying Methods (3/3)

- Training phase
  - Profiling the values of each attribute of each URL
  - Determining each attribute's model set
- Detection phase
  - Calculating each model's probability of abnormality
  - Multiplying the probabilities to make the anomaly score
  - Filtering, modifying, or passing the request according to the anomaly score
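The training and detection phases of this slide together with the enabling rules of the two previous slides, as an added example that is not the workshop's own code. It assumes GET requests parsed with the standard library, arbitrary thresholds (the slides give none), and implements only Length (the Chebyshev bound of [2], penalising values longer than the mean), Token Finder and Value Range; Character Composition, Character Distribution and Structural Inference are still placed in the model set by the rules but are not scored, and the state-count rule of Structural Inference is not evaluated because no automaton is built. A URL or attribute absent from the profile scores 0.0 (an assumption), and the "modify" action is left out. Training traffic is constructed.

```python
import statistics
import string
from urllib.parse import parse_qsl, urlsplit

# Thresholds are assumptions for this example, not values from the slides.
TOKEN_MAX_DISTINCT = 4          # token finder: attribute drawn from a small token set
SPECIAL_MAX_FRACTION = 0.3      # char composition off above this share of specials
DISTRIBUTION_MIN_MEAN_LEN = 8   # char distribution needs reasonably long values


def parse_request(url):
    """Return (path, [(attribute, value), ...]) for a GET request URL."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def profile_attribute(values):
    """Training phase: statistics (the profile) of one attribute of one URL."""
    lengths = [len(v) for v in values]
    chars = "".join(values)
    special = sum(1 for ch in chars if ch in string.punctuation or not ch.isprintable())
    is_number = all(v.isdigit() for v in values)
    return {
        "n": len(values),
        "len_mu": statistics.mean(lengths),
        "len_sigma": statistics.pstdev(lengths),
        "tokens": set(values),
        "special_frac": special / len(chars) if chars else 0.0,
        "is_number": is_number,
        "range": (min(map(int, values)), max(map(int, values))) if is_number else None,
    }


def choose_models(p):
    """Determine the attribute's model set from its profile (enabling rules)."""
    token = len(p["tokens"]) <= TOKEN_MAX_DISTINCT and p["n"] > len(p["tokens"])
    allows_special = p["special_frac"] > 0.0
    models = set()
    if p["is_number"]:
        models.add("value_range")
    else:
        models.add("length")                  # enabled for every string attribute
    if token:
        models.add("token_finder")
    elif p["special_frac"] <= SPECIAL_MAX_FRACTION:
        models.add("char_composition")
    if not token and allows_special and p["len_mu"] > DISTRIBUTION_MIN_MEAN_LEN:
        models.add("char_distribution")
    if not token and allows_special and p["len_sigma"] > 0.0:
        models.add("structural_inference")
    return models


def p_length(p, value):
    """Length model as in [2]: Chebyshev bound on values longer than the mean."""
    d = len(value) - p["len_mu"]
    if d <= p["len_sigma"]:
        return 1.0
    return min(1.0, p["len_sigma"] ** 2 / d ** 2)


def p_token_finder(p, value):
    return 1.0 if value in p["tokens"] else 0.0


def p_value_range(p, value):
    if not value.isdigit():
        return 0.0
    lo, hi = p["range"]
    return 1.0 if lo <= int(value) <= hi else 0.0


# Models scored in this example; the other three names are selected but skipped.
MODEL_IMPL = {"length": p_length, "token_finder": p_token_finder, "value_range": p_value_range}


def train(urls):
    """Build {path: {attribute: (profile, model_set)}} from normal request URLs."""
    samples, db = {}, {}
    for url in urls:
        path, attrs = parse_request(url)
        for name, value in attrs:
            samples.setdefault(path, {}).setdefault(name, []).append(value)
    for path, attrs in samples.items():
        for name, values in attrs.items():
            prof = profile_attribute(values)
            db.setdefault(path, {})[name] = (prof, choose_models(prof))
    return db


def anomaly_score(db, url):
    """Detection phase: look up the URL's profiles and model sets, apply only the
    selected models and multiply their probabilities (1.0 normal, 0.0 anomalous)."""
    path, attrs = parse_request(url)
    if path not in db:
        return 0.0                            # unknown URL (assumption)
    score = 1.0
    for name, value in attrs:
        if name not in db[path]:
            return 0.0                        # attribute never seen in training (assumption)
        prof, models = db[path][name]
        for m in models:
            if m in MODEL_IMPL:
                score *= MODEL_IMPL[m](prof, value)
    return score


def decide(db, url, threshold=0.1):
    """Gateway action from the anomaly score (threshold is an assumption)."""
    return "pass" if anomaly_score(db, url) >= threshold else "filter"


# Constructed normal traffic (assumption) for two URLs.
TRAINING = [
    "/search?q=network+security&sort=date&page=1",
    "/search?q=anomaly+detection+models&sort=date&page=2",
    "/search?q=web+application+firewall&sort=relevance&page=1",
    "/search?q=chi+square+test&sort=relevance&page=3",
    "/search?q=intrusion&sort=date&page=2",
    "/search?q=postech+hpc+lab&sort=relevance&page=1",
    "/user?id=alice", "/user?id=bob", "/user?id=carol", "/user?id=dave",
]
DB = train(TRAINING)

if __name__ == "__main__":
    for path, attrs in DB.items():
        for name, (prof, models) in attrs.items():
            print(f"{path}?{name}: len mu={prof['len_mu']:.1f} -> {sorted(models)}")
    for url in ["/search?q=firewall+rules&sort=date&page=2",
                "/search?q=x&sort=date'+OR+1%3D1--&page=2",
                "/search?q=" + "A" * 100 + "&sort=date&page=1"]:
        print(f"{decide(DB, url):6} {anomaly_score(DB, url):.4f} {url[:60]}")
```

With this training set the `sort` attribute gets Length and Token Finder, `page` gets Value Range and Token Finder, and the free-text `q` gets Length and Character Composition, so an injected `sort` value is rejected by the token model alone and an over-long `q` is pushed below the threshold by the Chebyshev bound without any other model being evaluated.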


Conclusion & Future Works

- Unvalidated input is a web application's most critical vulnerability.
- Policy-based or signature-based systems are not automated methods, and multi-model anomaly detection can't operate in real time.
- I introduced a profile-based web application security system that achieves high speed through dynamic model organization.
- Future work is optimizing and evaluating the system.


Thank you!


Q & A