Anomaly Detection Scheme of Web-based attacks by applying HMM to HTTP Outbound Traffic

  • ByungHa Choi (최병하) (Department of Computer Science, Graduate School, Dankook University) ;
  • Seung-Gyo Choi (최승교) (Department of Computer Engineering, Kangwon National University) ;
  • Kyungsan Cho (조경산) (Department of Software, Dankook University)
  • Received : 2011.12.16
  • Accepted : 2012.02.11
  • Published : 2012.05.31

Abstract

In this paper we propose an anomaly detection scheme that detects new attack paths or new attack methods without false positives by monitoring HTTP outbound traffic after efficient training. The proposed scheme detects web-based attacks by comparing the tags and JavaScript of HTTP outbound traffic with normal behaviour models built with an HMM (Hidden Markov Model). Through verification analysis in a real attacked environment, we show that our scheme has superior detection capability, with a 0.0001% false positive rate and a 96% detection rate.

This paper proposes a scheme that responds to the various intrusion paths of web attacks by monitoring HTTP outbound traffic, and that raises training efficiency to lower the false positive rate for anomalous behaviour that uses variant or new techniques. The proposed scheme applies an HMM (Hidden Markov Model) to build a normal behaviour model by learning the tags and JavaScript inside HTML documents, then detects web attacks by comparing the information in HTTP outbound traffic against the normal behaviour model. Through verification analysis in an environment that was actually intruded, we show that the proposed scheme achieves a 0.0001% false positive rate and an excellent 96% detection capability against web attacks.
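The detection loop the abstract describes, as an added Python example that is not the paper's code: each outbound HTML response is reduced to a sequence of tag tokens and JavaScript-call tokens, a model of normal sequences is trained on clean pages, and a response whose per-transition log-likelihood is far below anything seen during training is flagged. The model here is a first-order Markov chain over visible tokens with additive smoothing, a deliberate simplification of the paper's HMM (its scoring step plays the role the forward algorithm plays for an HMM); the sample pages, the `js:` token scheme, the smoothing constant and the alarm margin are all constructed assumptions.

```python
import math
import re
from collections import defaultdict
from html.parser import HTMLParser

# Constructed sample responses (not from the paper): four clean pages used as
# the "normal behaviour" training set, and one page in which an attacker has
# appended an iframe and an obfuscated script, as a compromised server would
# serve it in its outbound traffic.
NORMAL_PAGES = [
    "<html><head><title>Home</title></head><body><div><h1>Welcome</h1><p>Hello</p></div></body></html>",
    "<html><head><title>News</title></head><body><div><h1>Today</h1><p>Item</p><p>Item</p></div></body></html>",
    "<html><head><title>About</title></head><body><div><h2>Us</h2><p>Text</p><a href='/'>Home</a></div></body></html>",
    "<html><head><title>List</title></head><body><div><ul><li>a</li><li>b</li></ul></div></body></html>",
]
INJECTED_PAGE = (
    "<html><head><title>Home</title></head><body><div><h1>Welcome</h1><p>Hello</p></div>"
    "<iframe src='http://example.invalid/x'></iframe><script>eval(unescape('%41'))</script></body></html>"
)

START, END, UNK = "<s>", "</s>", "<unk>"


class TagTokenizer(HTMLParser):
    """Reduce an HTML document to the token stream the detector models:
    one token per start/end tag, plus one 'js:<name>' token for every
    function call found inside a <script> block (hypothetical scheme)."""

    def __init__(self):
        super().__init__()
        self.tokens = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tokens.append("<" + tag)
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self.tokens.append("</" + tag)
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            # identifiers immediately followed by "(" are function calls
            for ident in re.findall(r"[A-Za-z_$][\w$]*(?=\s*\()", data):
                self.tokens.append("js:" + ident)


def tokenize(html):
    parser = TagTokenizer()
    parser.feed(html)
    parser.close()
    return parser.tokens


class MarkovTagModel:
    """First-order Markov chain over tokens with additive smoothing; the
    likelihood of an unseen transition is small but never zero."""

    def __init__(self, alpha=0.01):
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(int))
        self.vocab = {START, END, UNK}
        self.threshold = None

    @staticmethod
    def _pairs(tokens):
        seq = [START] + tokens + [END]
        return list(zip(seq, seq[1:]))

    def train(self, pages, margin=2.0):
        for html in pages:
            toks = tokenize(html)
            self.vocab.update(toks)
            for a, b in self._pairs(toks):
                self.counts[a][b] += 1
        # Calibrate the alarm threshold on the training pages: anything
        # scoring more than `margin` times the worst clean page is anomalous.
        self.threshold = max(self.score(html) for html in pages) * margin

    def _neg_log_prob(self, a, b):
        row = self.counts.get(a, {})
        total = sum(row.values()) + self.alpha * len(self.vocab)
        return -math.log((row.get(b, 0) + self.alpha) / total)

    def score(self, html):
        """Average negative log-likelihood per transition; higher is stranger."""
        toks = [t if t in self.vocab else UNK for t in tokenize(html)]
        pairs = self._pairs(toks)
        return sum(self._neg_log_prob(a, b) for a, b in pairs) / len(pairs)

    def is_anomalous(self, html):
        if self.threshold is None:
            raise ValueError("model has not been trained")
        return self.score(html) > self.threshold


def build_detector(pages=NORMAL_PAGES, margin=2.0):
    model = MarkovTagModel()
    model.train(pages, margin)
    return model


if __name__ == "__main__":
    detector = build_detector()
    for name, page in (("normal", NORMAL_PAGES[0]), ("injected", INJECTED_PAGE)):
        print(name, round(detector.score(page), 3), detector.is_anomalous(page))
```

The unknown-token mapping is what makes new attack methods visible: injected tags and script calls that never appeared in clean pages collapse to `<unk>`, and every transition into or out of `<unk>` carries the smoothed, near-zero probability, so the injected page's score rises well above the calibrated threshold while the clean pages stay below it. In a real deployment the training set would be the site's own clean responses, and the margin would be tuned against the false positive budget the paper reports.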
