Development of a Hybrid Web Application Firewall to Prevent Web Based Attacks

IEEE Xplore

Adem Tekerek, Gazi University, Ankara, TURKEY
Cemal Gemci, Cymsoft Bilişim Teknolojileri, Ankara, TURKEY
Omer Faruk Bay, Gazi University, Ankara, TURKEY

Abstract— Firewalls and intrusion detection systems are used to prevent information loss and exposure of weaknesses on the internet and to provide security for web applications. However, attacks on web applications do not come only from the network layer. Web applications use the Hyper Text Transfer Protocol (HTTP), and attacks on web pages arrive over this protocol, so tools that provide security at the network layer are ineffective against HTTP attacks. Such attacks can be prevented by inspecting HTTP requests. In this study, a hybrid web application firewall is developed that combines the proposed signature based detection and anomaly detection methods to prevent attacks by inspecting HTTP requests.

Index Terms— Web Application Security, Anomaly Detection, Signature Based Detection

I. INTRODUCTION

Web applications have become a matter of prestige for institutions. Attacks against web applications are increasing while the services provided on the internet keep growing. Web applications have recently become a primary target of attacks because web application security is neglected through lack of interest, lack of awareness and failure to use secure software development techniques. Approximately 70% of web based attacks are successful. Even though traditional firewalls prevent network layer attacks successfully, they are not effective against web based attacks on web applications [1]. Thus web applications need protection against information loss and exposure of weaknesses on the internet, which is not a secure environment. Web applications use the Hyper Text Transfer Protocol (HTTP), and attacks arrive over the same protocol. There are many studies on inspecting HTTP traffic and revealing anomalous requests. Groups such as the Web Application Security Consortium develop security standards for the World Wide Web (WWW). Another such group is Thinking Stone, which developed ModSecurity, an open source module for the Apache web server. ModSecurity implements signature based detection, so it is effective against known attack types but not against zero-day attacks [2-5]. Almgren, Debar and Dacier [6] proposed a system that continuously examines and analyzes attacks using the Common Log File (CLF) of the web server; HTTP requests were analyzed by applying a series of anomaly detection steps to the log records. However, these steps are limited to HTTP requests and responses.

Valeur et al. [7] divided web applications into critical and non-critical ones and proposed a structure that works like a proxy, directing HTTP requests classified as normal or anomalous to different web servers; the impact of attacks was reduced by letting the server that receives anomalous requests run only non-critical applications. To prevent SQL attacks by identifying anomalous requests, Valeur, Mutz and Vigna [8] logged SQL strings with the libmysqlclient library of the MySQL database and developed a tool named LibAnomaly that detects attacks by processing the SQL strings in the log file. Kruegel et al. [9] derived an anomaly score from the request type, request length and payload distribution; in their approach, a request whose length is greater than the average request length has a high probability of being an attack. They developed a prototype that detects attacks by analyzing HTTP and DNS traffic. Another approach to detecting web attacks is the character distribution method of Kruegel and Vigna [10], which observes that the character distribution of attack requests differs from that of normal requests; query parameters were used as the data source. Session Anomaly Detection (SAD) by Cho and Cha [12] is another anomaly detection study. It assumes that the sequences of web pages requested by users have similar properties; SAD extracts web sessions from log records, builds profiles of typical request orders and scores sessions against them. In this study, a hybrid method is proposed that applies signature based detection and anomaly detection to HTTP requests. Signature based detection blocks requests containing attacks by matching a signature blacklist of common attack types. Anomaly detection identifies requests that do not conform to the standard structure of HTTP requests. This manuscript consists of four sections. In Section II, the design of the proposed system is explained. In Section III, results and discussion are presented. In Section IV, the conclusion is given.

II. DESIGN OF A WEB APPLICATION FIREWALL SYSTEM

Detection can be implemented by applying signature based detection and anomaly detection to HTTP requests. Although anomaly detection is effective against zero-day attacks, it is slower than signature based detection. In this study, a faster hybrid method is developed by combining signature based detection and anomaly detection. Anomaly detection is performed according to request length, request count and letter frequency analysis. The block diagram of the proposed model is given in Figure 1.

Fig 1: Block diagram of the hybrid firewall model

As shown in Figure 1, signature based detection and anomaly detection are applied in turn before an HTTP request sent by the client reaches the web server. The request is executed if it looks normal and blocked if it is detected as an attack. The detection steps are described in Sections II.A and II.B.

A. Anomaly Detection

In anomaly detection, the normal behaviour of the web application is generally obtained with statistical methods [15]. An anomaly score, which is the key quantity in anomaly based detection, is then computed; the success ratio of the system increases when the parameters of the anomaly score calculation are well chosen. In this study three analyses were used in anomaly detection: analysis of request count, analysis of request length and analysis of request frequency.

Analysis of Request Count: Because different users send the same requests from different places, normal requests are repeated continuously in proportion to the number of visits to the web site, whereas attack requests are repeated much less often. Repeat counts of up to 20 are given in Figure 2. According to Figure 2, the probability that a request is an attack is higher for requests repeated a small number of times than for requests repeated many times. In the developed application, requests repeated more than 15 times are not treated as attacks.

Fig 2: Request counts of repeating (HTTP request count anomaly detection; horizontal axis: request number, 1 to 20; vertical axis: request repeating count, 0 to 100)

Analysis of Request Length: Requests arriving at a web site have a certain structure that depends on the architecture of the web application, and one feature of that structure is the request length. Requests carrying buffer overflow or cross-site scripting payloads are longer than normal requests. Following the evaluation of Kruegel and Vigna [10], mean and variance values were used:

P = probability
μ = mean (mean length of the requests)
σ = variance (variance of the request lengths)
l = length (length of the request being examined)

p = ( )

With the developed application, the values shown in Figure 3 were obtained. According to the formula, the value at an HTTP request length of 0 marks the anomaly limit: if the probability computed for a request is smaller than the probability computed for a request of length 0, the request is classified as an anomaly.

Fig 3: Request Length Anomaly Detection (horizontal axis: request length, 1 to 20; vertical axis: request length anomaly, 0 to 400)

Analysis of Request Frequency: Character frequency values of requests are determined with a character distribution model. The letter frequency values of the characters that form normal requests to the web application are higher than those of anomalous requests. ASCII characters are used in the character distribution. Letter frequency analysis is a technique generally used in cryptanalysis. In this study, letter frequency analysis was conducted to obtain the total number of occurrences of each character over all requests and an average value. For a request such as index.php?secim=9&mid=50, the frequency and average values of its characters are obtained. The frequency value is the number of occurrences of each character over all requests, and the average value is the total count of each character divided by the number of requests.

Fig 4: Average Frequency of Requests (horizontal axis: request number, 1 to 100; vertical axis: frequency, 0.0 to 1.2)

When the frequency values of 100 requests sent to the web application are sorted from smallest to largest, requests with an average frequency value smaller than 0.9 are classified as anomalies. The average frequency values of the evaluated requests are shown in Figure 4.

B. Signature Based Detection

Signature based detection is also known as misuse detection [16]. Signature based systems generally work faster, but they are effective only against attacks present in the signature database. Intrusion detection systems and antivirus programs generally work with signature based detection [17]. When a new attack method appears, the signature database must be updated for that technique to keep the system effective; otherwise it is ineffective against the new attacks. Signature definitions for well-known web attacks such as SQL Injection and XSS (Cross Site Scripting) are shown below (C#):

    using System.Collections.Generic;

    // SQL Injection signatures. A comma-separated entry is read here as two
    // keywords that together indicate an attack (reading assumed).
    var sqlInjection = new List<string>
    {
        "delete,from",
        "select,from",
        "drop,table",
        "union,select",
        "update,set",
    };

    // XSS and command/path injection signatures.
    var xss = new List<string>
    {
        "&cmd",
        "exec",
        "concat",
        "../",
        // the fifth entry of the original list is not legible in the source
    };

SQL Injection, Cross Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and bot attacks can be blocked with signature detection. At the application level, preventing XSS requires separating untrusted data from active browser content, while SQL Injection and CSRF are addressed by parameterized queries and anti-forgery tokens respectively; the firewall adds a layer in front of these measures. HTTP requests that contain attacks can be blocked by using the keywords defined above.

III. RESULTS AND DISCUSSION

In the hybrid system, requests from clients are first checked against the signature list formed for known attack types. If signature detection finds no attack, anomaly detection is performed using the request count, request length and request frequency analyses. When an anomaly is detected by each of these analyses, the request is classified as an anomaly and blocked. The results of the three anomaly analyses for the inspected requests are given in Table 1. In request frequency detection, requests with a letter frequency value higher than 0.9 were classified as normal: in the Request Frequency column of Table 1, the means of the requests in rows 8, 9 and 10 are greater than 0.9, so these are normal and the others are anomalies. In request count analysis, anomalous requests did not continue beyond 15 repetitions; this can also be seen in Figure 2. The repeat counts of requests 8, 9 and 10 are higher than 15, the limit value for the Number of Request column.

TABLE 1. AN EXAMPLE OF VALUES OF REQUEST ANOMALY DETECTION

    Request Order | Request Frequency | Number of Request | Length of Request
    (limit)       | 0,9 <             | < 15              | < 22
    1             | 0,64161           | 1                 | 27
    2             | 0,37869           | 1                 | 18
    3             | 0,32735           | 1                 | 25
    4             | 0,45522           | 11                | 2
    5             | 0,45271           | 13                | 17
    6             | 1,07040           | 25                | 63
    7             | 1,04880           | 109               | 85
    8             | 1,07036           | 57                | 187
    (rows 9 and 10, referred to in the text, are not legible in the source)

In request length analysis, a request is classified as an anomaly when its anomaly probability is smaller than the probability of a request with 0 characters. As shown in Figure 3, the probability of a request being an anomaly is directly proportional to its character length.

IV. CONCLUSION

Many studies have been conducted to meet the security needs of web applications. In this study, a hybrid system was developed by combining signature based detection and anomaly request detection. Because both methods were used, the deficiencies of each were compensated by the other: signature based detection works faster but is not effective against zero-day attacks, whereas anomaly detection is effective against zero-day attacks.

REFERENCES

[1] G. Namit, S. Abakash, S. Dheeraj, "Web Application Firewall", CS499: B. Tech Project Final Report, 2008.
[2] Internet: "Web Uygulama Güvenlik Duvarı Tercih Rehberi" (Web Application Firewall Selection Guide), http://www.cozumpark.com/blogs/gvenlik/archive/2009/10/03/web-uygulama-g-venlik-duvar-tercih-rehberi.aspx, 2012.
[3] Internet: "PCI Security Standards Council", https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf, 2012.
[4] T. Hironao, H. Farooq Ahmed, M. Kinji, "Application for Autonomous Multi Layer Cache System to Web Application Firewall", 2011 Tenth International Symposium on Autonomous Decentralized Systems, 2011.
[5] M. Auxilia, D. Tamilselvan, "Anomaly Detection Using Negative Security Model in Web Application", 2010 International Conference on Computer Information Systems and Industrial Management Applications (CISIM), 2010.
[6] M. Almgren, H. Debar and M. Dacier, "A Lightweight Tool for Detecting Web Server Attacks", Proceedings of the ISOC Symposium on Network and Distributed Systems Security, Zürich, 2000.
[7] F. Valeur, G. Vigna, C. Kruegel and E. Kirda, "An Anomaly-driven Reverse Proxy for Web Applications", Proceedings of the 2006 ACM Symposium on Applied Computing, Dijon, 2006.
[8] F. Valeur, D. Mutz and G. Vigna, "A Learning-Based Approach to the Detection of SQL Attacks", Proc. DIMVA, 2005, pp. 123-140.
[9] C. Kruegel, T. Toth and E. Kirda, "Service Specific Anomaly Detection for Network Intrusion Detection", Proceedings of the Symposium on Applied Computing (SAC), ACM Press, March 2002.
[10] C. Kruegel and G. Vigna, "Anomaly Detection of Web-Based Attacks", Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), ACM Press, Washington, DC, 2003, pp. 251-261.
[11] G. Vigna, W. Robertson, V. Kher and R. A. Kemmerer, "A Stateful Intrusion Detection System for World-Wide Web Servers", Proceedings of the Annual Computer Security Applications Conference (ACSAC), Las Vegas, NV, December 2003, pp. 34-43.
[12] S. Cho and S. Cha, "SAD: Web Session Anomaly Detection Based on Parameter Estimation", Computers & Security, Vol. 23, No. 4, June 2004, pp. 312-319.
[13] C. Kruegel and G. Vigna, "Anomaly Detection of Web-Based Attacks", Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), ACM Press, Washington, DC, 2003, pp. 251-261.
[14] G. Vigna, F. Valeur and R. A. Kemmerer, "Designing and Implementing a Family of Intrusion Detection Systems", Proceedings of the European Conference on Software Engineering (ESEC), Helsinki, Finland, September 2003.
[15] H. Takçı, T. Akyüz, İ. Soğukpınar, "Web Atakları için Metin Tabanlı Anormallik Tespiti (WAMTAT)" (Text-Based Anomaly Detection for Web Attacks), Journal of the Faculty of Engineering and Architecture of Gazi University, Vol. 22, No. 2, 2007, pp. 247-253.
[16] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks", 13th Systems Administration Conference (LISA '99), 1999, pp. 229-238. http://www.usenix.org/events/lisa99/roesch.html, accessed 30 June 2002.
[17] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, "Inside the Slammer Worm", IEEE Security & Privacy, Vol. 1, No. 4, 2003, pp. 33-39.