• Journal of Internet Computing and Services
• /
• v.11 no.6
• /
• pp.73-86
• /
• 2010

In proportion to the rapid increase in the number of Web users, web attack techniques are also getting more sophisticated. Therefore, we need not only to detect Web attack based on the log analysis but also to extract web attack events from audit information such as Web firewall, Web IDS and system logs for detecting abnormal Web behaviors. In this paper, web attack detection system was designed and implemented based on integrated web audit data for detecting diverse web attack by generating integrated log information generated from W3C form of IIS log and web firewall/IDS log. The proposed system analyzes multiple web sessions and determines its correlation between the sessions and web attack efficiently. Therefore, proposed system has advantages on extracting the latest web attack events efficiently by designing and implementing the multiple web session and log correlation analysis actively.

• Journal of KIISE:Information Networking
• /
• v.30 no.1
• /
• pp.97-116
• /
• 2003

Frequency of attacks on web services and the resulting damage continue to grow as web services become popular. Techniques used in web service attacks are usually different from traditional network intrusion techniques, and techniques to protect web services are badly needed. Unfortunately, conventional intrusion detection systems (IDS), especially those based on known attack signatures, are inadequate in providing reasonable degree of security to web services. An application-level IDS, tailored to web services, is needed to overcome such limitations. The first step in developing web application IDS is to analyze known attacks on web services and characterize them so that anomaly-based intrusion defection becomes possible. In this paper, we classified known attack techniques to web services by analyzing causes, locations where such attack can be easily detected, and the potential risks.

• Journal of Advanced Navigation Technology
• /
• v.14 no.5
• /
• pp.725-736
• /
• 2010

Nowadays, followed the internet service contents increasing makes also increase attack case on the web system. Usually web attack use mixed many kinds of attack mechanism for successfully attack to the server system. These increasing of the kinds attack mechanism, however web attack defence mechanism is not follow the spread of the attack. Therefore, for the defends web application, web attack should be categorizing and analysing for the effective defense. In this paper, we analyze web attack specification evidence and behavior system that use for effective expressions what we proposed. Also, we generate web attack scenario, it is for using verification of our proposed expressions.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.11 no.4
• /
• pp.2149-2170
• /
• 2017

Application-layer Distributed Denial-of-Service (DDoS) attack is one of the leading security problems in the Internet. In recent years, the attack strategies of application-layer DDoS have rapidly developed. This paper introduces a new attack strategy named Path Vulnerabilities-Based (PVB) attack. In this attack strategy, an attacker first analyzes the contents of web pages and subsequently measures the actual response time of each webpage to build a web-resource-weighted-directed graph. The attacker uses a Top M Longest Path algorithm to find M DDoS vulnerable paths that consume considerable resources when sequentially accessing the pages following any of those paths. A detection mechanism for such attack is also proposed and discussed. A finite-state machine is used to model the dynamical processes for the state of the user's session and monitor the PVB attacks. Numerical results based on real-traffic simulations reveal the efficiency of the attack strategy and the detection mechanism.

• Journal of the Korea Society of Computer and Information
• /
• v.21 no.7
• /
• pp.1-8
• /
• 2016

Nowadays, distributed denial of service (DDoS) attacks on web sites reward attackers financially or politically because our daily lifes tightly depends on web services such as on-line banking, e-mail, and e-commerce. One of DDoS attacks to web servers is called HTTP-GET flood attack which is becoming more serious. Most existing techniques are running on the application layer because these attack packets use legitimate network protocols and HTTP payloads; that is, network-level intrusion detection systems cannot distinguish legitimate HTTP-GET requests and malicious requests. In this paper, we propose a practical detection technique against HTTP-GET flood attacks, based on the access behavior of inline objects in a webpage using NetFlow data. In particular, our proposed scheme is working on the network layer without any application-specific deep packet inspections. We implement the proposed detection technique and evaluate the ability of attack detection on a simple test environment using NetBot attacker. Moreover, we also show that our approach must be applicable to real field by showing the test profile captured on a well-known e-commerce site. The results show that our technique can detect the HTTP-GET flood attack effectively.

• Convergence Security Journal
• /
• v.8 no.3
• /
• pp.1-8
• /
• 2008

The pattern matching part of Intrusion Detection System based on misuse-detection mechanism needs much processing time and resources, and it has become a bottleneck in system performance. Moreover, it derives denial-of-service attack. In this paper, we propose (1) framework architecture that is strong against denial-of-service attack and (2) efficient pattern matching method especially for web server system. By using both of these 2 methods, we can maintain web server system efficiently secure against attacks including denial-of-service.

• KSII Transactions on Internet and Information Systems (TIIS)
• /
• v.8 no.7
• /
• pp.2512-2531
• /
• 2014

We propose a new Distributed Denial of Service (DDoS) defense mechanism that protects http web servers from application-level DDoS attacks based on the two methodologies: whitelist-based admission control and busy period-based attack flow detection. The attack flow detection mechanism detects attach flows based on the symptom or stress at the server, since it is getting more difficult to identify bad flows only based on the incoming traffic patterns. The stress is measured by the time interval during which a given client makes the server busy, referred to as a client-induced server busy period (CSBP). We also need to protect the servers from a sudden surge of attack flows even before the malicious flows are identified by the attack flow detection mechanism. Thus, we use whitelist-based admission control mechanism additionally to control the load on the servers. We evaluate the performance of the proposed scheme via simulation and experiment. The simulation results show that our defense system can mitigate DDoS attacks effectively even under a large number of attack flows, on the order of thousands, and the experiment results show that our defense system deployed on a linux machine is sufficiently lightweight to handle packets arriving at a rate close to the link rate.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.31 no.3
• /
• pp.365-371
• /
• 2021

With the rapid growth in Internet users, web applications are becoming the main target of hackers. Most previous WAFs (Web Application Firewalls) target every single HTTP request packet rather than the overall behavior of the attacker, and are known to be difficult to detect new types of attacks. In this paper, we propose a web attack detection system based on user behavior using machine learning to detect attacks of unknown patterns. In order to define user behavior, we focus on features excluding areas where an attacker can camouflage as a normal user. The experimental results shows that by using the path and query information to define users' behaviors, best results for an accuracy of 99% with Decision forest.

• Journal of the Korea Society of Computer and Information
• /
• v.12 no.1 s.45
• /
• pp.161-168
• /
• 2007

Web attack uses structural, logical and coding error or web application rather than vulnerability to Web server itself. According to the Open Web Application Security Project (OWASP) published about ten types of the web application vulnerability to show the causes of hacking, the risk of hacking and the severity of damage are well known. The detection ability and response is important to deal with web hacking. Filtering methods like pattern matching and code modification are used for defense but these methods can not detect new types of attacks. Also though the security unit product like IDS or web application firewall can be used, these require a lot of money and efforts to operate and maintain, and security unit product is likely to generate false positive detection. In this research profiling method that attracts the structure of web application and the attributes of input parameters such as types and length is used, and by installing structural database of web application in advance it is possible that the lack of the validation of user input value check and the verification and attack detection is solved through using profiling identifier of database against illegal request. Integral security management system has been used in most institutes. Therefore even if additional unit security product is not applied, attacks against the web application will be able to be detected by showing the model, which the security monitoring log gathering agent of the integral security management system and the function of the detection of web application attack are combined.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.13 no.2
• /
• pp.115-125
• /
• 2003

As Web services are generally open for external uses and not filtered by Firewall, these result in attacker's target. Web attacks which exploit vulnerable web-applications and malicious users' requests cause economical and social problems. In this paper, we are modelling general web service usages based on user-web-session and detect anomal usages with Bayesian estimation method. Finally we propose SAD(Session Anomaly Detection) for detection unknown web attacks. To evaluate SAD, we made an experiment on attack simulation with web vulnerability scanner, whisker. The results show that the detection rate of SAD is over 90%, which is influenced by several features such as size of window or training set, detection filter method and web topology.