Web-based systems are a composition of infrastructure components, such as web servers and databases, and of application-specific code, such as HTML-embedded scripts and server-side applications. While infrastructure components are usually developed by experienced programmers with solid security skills, application-specific code is often developed by programmers with little security training. As a result, vulnerable web-applications are deployed and made available to the whole Internet, creating easily-exploitable entry points for the compromise of entire networks. Unfortunately, existing signature-based intrusion detection solutions are not sufficient because Web-applications often implement custom, site-specific services for which there is no known signature or model.
The goal of this research is to develop intrusion detection tools that use novel anomaly detection techniques to autonomously learn the normal behavior of web-based systems. These tools will enable the detection of known and unknown attacks against both standard and custom-developed web-based applications without requiring expert knowledge. This effort is developing a multi-stream, multi-model anomaly detection approach to provide a more effective characterization of the behavior of web-based applications. The use of multiple anomaly models applied to different event streams (such as network packets, web requests, and system calls) allows for the creation of rich, multi-dimensional profiles that characterize different aspects of the behavior of web applications.
These intrusion detection tools have the potential of providing early warning against novel attacks and can be easily deployed on existing systems without requiring substantial security expertise. As a consequence, these tools will substantially improve the security of a wide range of critical applications.
