A Survey of Tools and Techniques for Web Attack Detection – CyberSecLabs

Introduction

Web attacks are attacks against websites and web applications that aim to steal sensitive information, disrupt web-based services, or even take control of the web systems. To defend against them, many tools and techniques have been developed and deployed in web systems for monitoring, detecting and preventing web attacks. Surveying and evaluating the existing techniques and tools for monitoring and detecting web attacks is necessary because this information can be used to select suitable techniques and tools for specific websites and web applications.

Along with the rapid growth of the Internet and the global World Wide Web, websites and web applications (referred to as web applications from now on) have also grown strongly and have become one of the most popular and essential applications on the Internet [1][2].

Web applications are used in almost all areas of social life, such as business, commerce, finance (banking), manufacturing, sports, entertainment, and social communications. Because of their popularity and importance, websites and web applications are also subject to many types of dangerous and sophisticated attacks and intrusions, aiming to steal sensitive information, disrupt operations, or take control of web systems. Popular types of attacks on websites and web applications (referred to as web attacks from now on) include SQLi (SQL injection), XSS (cross-site scripting), CMDi (command injection), path traversal, defacement, and DoS/DDoS [1][2].

Web attacks can have serious consequences for web applications, websites and users. These attacks allow attackers to (i) bypass the web application's authentication system, (ii) make illegitimate modifications to the database and to the content of web pages, (iii) extract sensitive data from the web application's database, (iv) steal valuable information from web application servers and user browsers, and (v) take control of web application and database servers [3].

Common web vulnerabilities and attacks

According to OWASP, attackers can perform the various types of web attacks because they exploit the kinds of security holes that exist in websites and web applications [1]. OWASP periodically publishes a list of security vulnerabilities; the most recent list of web vulnerabilities was released in 2017. Table I lists the OWASP Top 10 Web Security Vulnerabilities of 2017 [1].

  • A1-Injection: Code injection flaws allow the insertion and execution of various types of malicious code, such as SQL, OS commands, and LDAP queries.
  • A2-Broken Authentication: Weak application authentication or session management failures allow the theft of passwords and encryption keys, or impersonation and user session hijacking.
  • A3-Sensitive Data Exposure: Sensitive data can be stolen because it is not properly protected, or is protected by inappropriate measures.
  • A4-XML External Entities (XXE): Flaws in XML processing allow the execution of malicious code embedded in externally referenced XML entities.
  • A5-Broken Access Control: Weak access control allows unauthorized access to functionality or data, such as accessing other users' accounts or viewing sensitive files.
  • A6-Security Misconfiguration: Improper security configuration, such as insecure default configuration, or incomplete or ad hoc configuration.
  • A7-Cross-Site Scripting (XSS): XSS injection flaws allow HTML or JavaScript code to be inserted into pages to steal sensitive data from web users' browsers.
  • A8-Insecure Deserialization: Unsafe deserialization can lead to remote code execution, replay attacks, or privilege escalation.
  • A9-Using Components with Known Vulnerabilities: Components and libraries containing known vulnerabilities, used in applications and running with the application's privileges, can be easily exploited to attack the system.
  • A10-Insufficient Logging & Monitoring: Inadequate logging and monitoring, combined with poor incident response, allow attackers to continue attacking the system while maintaining persistence, pivoting to more systems, and tampering with, extracting, or destroying data.

Tools and techniques for web attack monitoring and detection

  • Tools and solutions for web attack monitoring and detection
    • Web Monitoring of VNCS
    • Web Application Monitoring Software of Nagios
    • ModSecurity
  • Techniques for detecting web attacks
    • Detection based on signatures and rules
    • Detection based on anomaly

Machine learning based model for detecting web attacks

  • Collect the training dataset, including normal Uniform Resource Identifiers (URIs) and attack URIs
  • Preprocess the training dataset to select and extract the classification features
  • Use the training dataset, in the form of a training matrix, in the training step to build a classifier
  • Extract the URIs to be tested from web log data
  • Preprocess each testing URI with the same procedure used for the training URIs
  • Use the constructed classifier to classify each URI's feature vector
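The six steps above, carried through end to end as an added example that is not code from the cited paper or from CyberSecLabs: the training URIs, the access-log lines and the three count features (special characters, `../` sequences, SQL/script keywords after URL decoding) are all constructed here, and a simple perceptron stands in for whatever classifier a real deployment would choose.

```python
import re
from urllib.parse import unquote_plus

# Constructed training set of request URIs: 1 = attack, 0 = normal.
TRAIN = [
    ("/index.php?id=12", 0),
    ("/product/view?item=42&sort=asc", 0),
    ("/search?q=rock+and+roll", 0),  # a keyword alone must not be an attack
    ("/user/profile?name=alice", 0),
    ("/index.php?id=1%27%20OR%20%271%27%3D%271", 1),     # SQLi
    ("/search?q=%3Cscript%3Ealert(1)%3C/script%3E", 1),  # XSS
    ("/download?file=../../../../etc/passwd", 1),        # path traversal
    ("/ping?host=127.0.0.1;cat%20/etc/passwd", 1),       # command injection
]
# Constructed combined-format access log: the "testing" side of the pipeline.
LOG = """\
10.0.0.5 - - [10/Jan/2021:10:00:01 +0000] "GET /blog/post?id=77 HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2021:10:00:02 +0000] "GET /login?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 301
10.0.0.9 - - [10/Jan/2021:10:00:03 +0000] "GET /download?file=../../../../etc/shadow HTTP/1.1" 404 77
10.0.0.7 - - [10/Jan/2021:10:00:04 +0000] "GET /search?q=select+a+laptop HTTP/1.1" 200 1024
"""
KEYWORDS = re.compile(r"\b(or|and|union|select|script|alert)\b", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def features(uri):
    """Preprocess one URI: URL-decode it, then extract three count features."""
    decoded = unquote_plus(uri)
    special = sum(decoded.count(c) for c in "'\"<>;|`")
    traversal = decoded.count("../")
    keywords = len(KEYWORDS.findall(decoded))
    return [special, traversal, keywords, 1]  # trailing 1 feeds the bias weight

def train(samples, max_epochs=1000):
    """Perceptron: sweep the training matrix until no URI is misclassified."""
    w = [0, 0, 0, 0]
    for _ in range(max_epochs):
        errors = 0
        for uri, label in samples:
            x, y = features(uri), (1 if label else -1)
            if y * sum(wi * xi for wi, xi in zip(w, x)) <= 0:
                w = [wi + y * xi for wi, xi in zip(w, x)]
                errors += 1
        if errors == 0:
            break
    return w

def classify(w, uri):
    return 1 if sum(wi * xi for wi, xi in zip(w, features(uri))) > 0 else 0

def scan_log(w, log_text):
    """Extract every request URI from the log and classify it with the same features."""
    return [(uri, classify(w, uri)) for uri in REQUEST_LINE.findall(log_text)]
```

Running `scan_log(train(TRAIN), LOG)` flags the SQLi and traversal requests and leaves `select+a+laptop` alone, which is the point of the negative keyword sample in the training set.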

References

[1]. OWASP, Open Web Application Security Project, http://www.owasp.org, accessed 1.2021.

[2]. Hoàng Xuân Dậu, An toàn ứng dụng web và cơ sở dữ liệu [Web Application and Database Security], Học viện Công nghệ Bưu chính Viễn thông [Posts and Telecommunications Institute of Technology], 2017.

[3]. Hoang, X.D., Detecting Common Web Attacks Based on Machine Learning Using Web Log. In: K.-U. Sattler et al. (Eds.): ICERA 2020, LNNS 178, pp. 311–318, 2021.

[4]. VNCS, Giải pháp giám sát website tập trung [Centralized Website Monitoring Solution], http://vncs.vn/portfolio/giai-phap-giam-sat-websites-tap-trung, accessed 1.2021.

[5]. Nagios Web Application Monitoring Software, https://www.nagios.com/solutions/web-application-monitoring/, accessed 1.2021.

[6]. Site24x7, Website Defacement Monitoring, https://www.site24x7.com/monitor-webpagedefacement.html, accessed 1.2021.

[7]. ModSecurity, https://www.modsecurity.org, accessed 1.2021.

[8]. Snort IDS, http://www.snort.org, accessed 1.2021.

[9]. Abhishek Kumar Baranwal, Approaches to detect SQL injection and XSS in web applications, EECE 571B, Term Survey Paper, University of British Columbia, Canada, 2012.

[10]. OWASP ModSecurity Core Rule Set, https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project, accessed 1.2021.

[11]. Kemalis, K. and T. Tzouramanis, SQL-IDS: A Specification-based Approach for SQL Injection Detection. SAC'08, Fortaleza, Ceará, Brazil, ACM (2008), pp. 2153–2158.