Hackers of India

Automated Classification of Web-Application Attacks for Intrusion Detection

By  Aneet Kumar Dutta  on 06 Mar 2020 @ Nullcon

Abstract

In today’s information-driven society and economy, web fac-ing applications are the most common way to run information dissemination, banking, e-commerce, etc. Web applications are frequently targeted by attackers through intelligently crafted Http requests to exploit vulnerabilities existing in the application, front-end, and the web-clients. Some of the most frequent such attacks are SQL Injection, Cross-Site Scripting, Path-traversal, Command Injection, Cross-site request forgery etc. Detecting these attacks upfront and blocking them, or redirecting the request to a honey-pot could be a way to prevent web applications from being exploited. In this work, we developed a number of machines learn- ing models for detecting and classifying http requests into normal, and various types of attacks. Currently, the models are applied as an ensemble on the http server logs, to classify and build data analytics on the http requests received by any web server in order to garner threat intelligence, and threat landscape. We also implemented an online log-analysis version that analyzes logs every 15 seconds to classify http requests in the recent 15 seconds. However, it can also be used as a web application firewall to block the http requests based on the classification results. We also have implemented an intrusion protection mechanism by redirecting http requests classified upfront as malicious towards a web honeypot. We compare various existing signature-based, regular expression based, and machine learning-based techniques against our models for detection and classification of http based attacks, and show that our methods achieve better performance over existing techniques.