Moving towards Positive Security Model for Web Application Firewall

The proliferation of web applications and the pervasiveness of mobile technology make web-based attacks more attractive and easier to launch. A Web Application Firewall (WAF) is an intermediary placed between the web server and its users that provides comprehensive protection for the web application. A conventional WAF implements a negative security model, in which detection and prevention are based on predefined or user-defined attack signatures and patterns. However, a WAF alone is not adequate as a defence against web vulnerabilities, which grow in number and complexity daily. This paper presents a methodology for automatically designing a positive security model that identifies and allows only legitimate web queries. The paper shows that a true positive rate of more than 90% can be achieved.
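The positive model the abstract describes, as an added illustration rather than code from the paper: a small learner derives, from constructed legitimate requests, the known paths, parameter names, and a per-parameter character class and length bound, and then admits only requests that fit that profile. The learning rules, the sample requests, the length slack and the evaluation metric are assumptions made here, not the paper's methodology.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of legitimate traffic (the learning set).
TRAINING = [
    "/product?id=42&sort=price", "/product?id=7&sort=name", "/product?id=1234",
    "/search?q=laptop&page=1", "/search?q=usb-cable&page=12",
]
# Constructed anomalous requests: unknown path, unknown parameter, wrong
# character class and an over-long value. None of them is a specific exploit.
ANOMALOUS = [
    "/admin?x=1", "/product?id=42&debug=1", "/product?id=abc",
    "/search?q=" + "a" * 200 + "&page=1",
]
# Character classes from most to least restrictive; the learner keeps the first
# one that matches every legitimate value observed for a parameter.
CLASSES = [r"[0-9]+", r"[A-Za-z]+", r"[A-Za-z0-9]+", r"[A-Za-z0-9_.@-]+"]
LENGTH_SLACK = 2  # assumption: permit values up to twice the longest one learned

def learn_profile(urls):
    """Positive model: (path, param) -> (allowed pattern, maximum length)."""
    seen = {}
    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            seen.setdefault((parts.path, name), []).append(value)
    profile = {}
    for key, values in seen.items():
        cls = next((p for p in CLASSES if all(re.fullmatch(p, v) for v in values)), None)
        profile[key] = (cls, LENGTH_SLACK * max(len(v) for v in values))
    return profile

def is_legitimate(profile, url):
    """Admit a request only if its path, parameter names, value classes and
    value lengths all fall inside what was learned; everything else is denied."""
    parts = urlsplit(url)
    if parts.path not in {path for path, _ in profile}:
        return False
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        cls, max_len = profile.get((parts.path, name), (None, 0))
        if cls is None or len(value) > max_len or not re.fullmatch(cls, value):
            return False
    return True

def evaluate(profile, legitimate, anomalous):
    """Return (share of legitimate requests admitted, share of anomalies denied)."""
    admitted = sum(is_legitimate(profile, u) for u in legitimate) / len(legitimate)
    denied = sum(not is_legitimate(profile, u) for u in anomalous) / len(anomalous)
    return admitted, denied
```

Calling `evaluate(learn_profile(TRAINING), TRAINING, ANOMALOUS)` shows the trade-off the paper's true positive rate measures: a profile learned from too few requests rejects legitimate values it never saw, so the learning set must cover the application's real input space.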
