SLIDE 1

The Use of the Haar Transform in Anomaly Detection in Web Traffic
(O uso da Transformada de Haar na Detecção de Anomalias no Tráfego Web)

  • C. Cappo (1)
  • R. C. Nunes (2)
  • B. Mozaquattro (2)
  • A. Kozakevicius (2)
  • C. Schaerer (1)

(1) Facultad Politécnica, Universidad Nacional de Asunción, Paraguay
(2) Centro de Tecnologia, Universidade Federal de Santa Maria, RS, Brasil

XIII Brazilian Symposium on Information and Computer Systems Security

SLIDE 2

Outline

1 Introduction: Motivation; Anomaly detection
2 Our approach to detect anomalies in web applications: Main characteristics; Wavelet Transform Theory; Wavelet Algorithm for attack Detection
3 Experiments and Results: Dataset & Attacks; Results
4 Conclusions and future Work

  • C. Cappo, R. C. Nunes, B. Mozaquattro, A. Kozakevicius and C. Schaerer


SLIDE 4

Motivation

The Internet has become a habitual tool used by millions of people around the world. The use of web applications such as blogs, news sites, social networks, webmail and e-commerce, among many others, has become commonplace. Protecting these applications from attacks is a critical issue.

5,291 new vulnerabilities were discovered in 2012, and web-based attacks increased by almost a third in 2012 (according to the Symantec Internet Security Threat Report, 2013, Vol. 18).

One form of protection is to use an Intrusion Detection System (IDS). There are two main approaches to the design of IDS detection algorithms: signature-based and anomaly-based. We focus on the design of anomaly-based detection algorithms.


SLIDE 6

Anomaly-based approach

The analysis is based on observing any substantial variation of some specific characteristic with respect to the behaviour established as normal. A significant deviation from the usual behaviour is considered an anomaly, and therefore an attack. This approach does not need knowledge of previous attack patterns and can potentially detect novel attacks.


SLIDE 8

Anomaly Detection in Web Applications

In the context of web applications this approach has the following advantages:

  • No a priori knowledge of the web application is required.
  • It can adapt itself to the periodic maintenance of the web applications under analysis.
  • It can detect polymorphic and unknown attacks (e.g. zero-day attacks).
  • It can protect custom-developed web applications.

We focus on anomaly-based algorithms to detect attacks against web applications.


SLIDE 10

Characteristics (1)

The detector analyzes the HTTP requests sent to the web application:

[IP] - - [TS] "GET /page.php?p=calAcad HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=allnews HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=trabajo HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.0" ..
[IP] - - [TS] "GET /page.php?p=mapsite HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=admision HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=materias HTTP/1.0" ..
[IP] - - [TS] "GET /page.php?p=examenes HTTP/1.1" ..

The data analyzed for anomaly detection is the URL query string of the HTTP request.

SLIDE 11

Characteristics (2)

The data model is based on the character distribution of the URL query string. Our method requires only a small amount of normal data, which is used for frequency enhancement; the main detection algorithm works only on the current data. The main hypothesis is that attacks perturb the frequency of some characters significantly. We apply the two-dimensional Discrete Wavelet Transform (DWT), specifically the Haar wavelet transform, to detect anomalies in the character frequency distribution.

SLIDE 12

Modeling the anomaly using the character distribution

A window analyzed without attacks

Figure: (a) frequency surface over ASCII code (0–255) × HTTP request (1–256); (b) the same window as a 2D frequency map (ASCII code × HTTP request).

SLIDE 13

Modeling the anomaly using the character distribution

A window analyzed with two attacks

Figure: (a) frequency surface over ASCII code (0–255) × HTTP request (1–256); (b) the same window as a 2D frequency map (ASCII code × HTTP request).


SLIDE 15

Wavelets - Introduction

The wavelet transform extracts information from the analyzed data at different resolution levels. It describes a signal in terms of a coarse overall shape plus a family of details. In the two-dimensional case the input data is given as a matrix, and the 2D Discrete Wavelet Transform consists of performing the 1D wavelet transform on all rows and then on all columns.

SLIDE 16

One-Dimensional Wavelet Transform (TW1D)

The TW1D is stated as follows: taking as initial input the vector $c_{J,s}$, $s = 0, \dots, M_J - 1$, at the finest level $J$, with $M_J = 2^J$ points, we have the following relations for $p$ levels, $j = J, J-1, \dots, J-p$:

$$c_{j-1,i} = \sum_{k=0}^{2N-1} L_k \, c_{j,2i+k}, \qquad i = 0, \dots, M_{j-1} - 1, \qquad (1)$$

$$d_{j-1,i} = \sum_{k=0}^{2N-1} H_k \, c_{j,2i+k}, \qquad i = 0, \dots, M_{j-1} - 1. \qquad (2)$$

Definition: for an orthonormal family of wavelet functions, the TW1D is defined by a low-pass filter $L$ and a high-pass filter $H$, each of size $2N$.

SLIDE 17

One-Dimensional Wavelet Transform (TW1D)

The vector $c_{j-1,i}$ contains the coarser information and the vector $d_{j-1,i}$ contains the wavelet coefficients, both with $M_{j-1} = M_j / 2$ points. We use the Haar wavelet family ($N = 1$), whose filters are

$$L_0 = \frac{1}{\sqrt{2}}, \quad L_1 = \frac{1}{\sqrt{2}}, \quad H_0 = \frac{1}{\sqrt{2}}, \quad H_1 = -\frac{1}{\sqrt{2}}.$$

We use the Haar transform because:

  • the algorithms are simple and fast;
  • there are no boundary problems;
  • it has the shortest possible compact support, which matters for preserving the location of the anomalies.

SLIDE 18

TW1D example

Figure: a three-level Haar decomposition of a sample signal. Panels (value vs. sample interval): original signal; approximation coefficients, level 1; wavelet coefficients, level 1; approximation coefficients, level 2; wavelet coefficients, level 2; approximation coefficients, level 3; wavelet coefficients, level 3.

SLIDE 19

Algorithm 1: Decomposition
Input: C[1..M]
1  while M > 1 do
2      DecompositionStep(C[1..M])
3      M ← M / 2
4  end
5  return

Algorithm 2: DecompositionStep
Input: C[1..M]
1  C′ ← 0
2  for i ← 1 to M/2 do
3      C′[i]       ← (C[2i − 1] + C[2i]) / √2
4      C′[M/2 + i] ← (C[2i − 1] − C[2i]) / √2
5  end
6  C ← C′
7  return

After each step the first M/2 entries of C hold the approximation and the last M/2 the wavelet (detail) coefficients; Algorithm 1 keeps decomposing only the approximation part.

SLIDE 20

Bi-Dimensional Wavelet Transform (TW2D)

Algorithm 3: TW2D
Input: X[1..h, 1..h]
1   while h > 1 do
2       for row ← 1 to h do
3           DecompositionStep(X[row, 1..h])
4       end
5       for col ← 1 to h do
6           DecompositionStep(X[1..h, col])
7       end
8       h ← h / 2
9   end
10  return X

Figure: TW2D scheme for one transformation level. The TW1D by rows filters X with L (low-pass) and H (high-pass), each followed by downsampling by 2, producing the blocks c and d; the TW1D by columns then splits c into cc (top) and cd (bottom), and d into dc (top) and dd (bottom).

SLIDE 21

TW2D example

[figure]
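A worked TW2D level on a small constructed matrix, added here to show where an anomalous request lands in the four blocks (this is not the figure from the slide). Rows play the role of characters and columns of requests, following the data model $X_{rc}$; the third request (column index 2) has an unusually high count of the second character (row index 1):

$$X = \begin{pmatrix} 1 & 1 & 1 & 1 \\ 1 & 1 & 5 & 1 \\ 2 & 2 & 2 & 2 \\ 0 & 0 & 0 & 0 \end{pmatrix}.$$

Algorithm 2 on every row (approximations $\frac{x_{2i-1}+x_{2i}}{\sqrt2}$ in the left half, details $\frac{x_{2i-1}-x_{2i}}{\sqrt2}$ in the right half):

$$\begin{pmatrix} \sqrt2 & \sqrt2 & 0 & 0 \\ \sqrt2 & 3\sqrt2 & 0 & 2\sqrt2 \\ 2\sqrt2 & 2\sqrt2 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}.$$

Algorithm 2 on every column (approximations in the top half, details in the bottom half), which is the one-level output of Algorithm 3:

$$\left(\begin{array}{cc|cc} 2 & 4 & 0 & 2 \\ 2 & 2 & 0 & 0 \\ \hline 0 & -2 & 0 & -2 \\ 2 & 2 & 0 & 0 \end{array}\right)
= \left(\begin{array}{c|c} cc & dc \\ \hline cd & dd \end{array}\right),
\qquad
cc = \begin{pmatrix} 2 & 4 \\ 2 & 2 \end{pmatrix},\
dc = \begin{pmatrix} 0 & 2 \\ 0 & 0 \end{pmatrix},\
cd = \begin{pmatrix} 0 & -2 \\ 2 & 2 \end{pmatrix},\
dd = \begin{pmatrix} 0 & -2 \\ 0 & 0 \end{pmatrix}.$$

For one level each block entry $(x, y)$ is a closed form over the $2 \times 2$ patch of rows $2x, 2x+1$ and columns $2y, 2y+1$ (0-based):

$$cc_{xy} = \tfrac12 (X_{2x,2y} + X_{2x,2y+1} + X_{2x+1,2y} + X_{2x+1,2y+1}), \quad
dc_{xy} = \tfrac12 (X_{2x,2y} - X_{2x,2y+1} + X_{2x+1,2y} - X_{2x+1,2y+1}),$$

$$cd_{xy} = \tfrac12 (X_{2x,2y} + X_{2x,2y+1} - X_{2x+1,2y} - X_{2x+1,2y+1}), \quad
dd_{xy} = \tfrac12 (X_{2x,2y} - X_{2x,2y+1} - X_{2x+1,2y} + X_{2x+1,2y+1}).$$

The outlier $X_{1,2} = 5$ produces a coefficient of magnitude 2 at position $(0, 1)$ of $dc$, $cd$ and $dd$, i.e. the character pair $\{0, 1\}$ and the request pair $\{2, 3\}$: the same position is marked in all three detail subbands. The entries $cd_{1,0} = cd_{1,1} = 2$, by contrast, come only from the constant row 2 differing from the zero row 3, a structural difference between characters that shows up in $cd$ alone; this is why the detection algorithm demands agreement of at least two subbands before it reports a request.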

SLIDE 22

Thresholding Operation

This operation is used to select the most significant wavelet coefficients and to discard irrelevant information; it is usually applied for signal denoising. We use the threshold value $\lambda$ as the limit of normal wavelet coefficients: when $|d_k(j)| > \lambda$, the position $k$ at level $j$ is considered anomalous. To compute the threshold we use the Universal Threshold,

$$\lambda = \sigma \sqrt{2 \log T},$$

where $\sigma$ and $T$ are the standard deviation and the number, respectively, of the wavelet coefficients.


SLIDE 24

Data Model

The character frequencies of the data collected from the web server are organized in the input matrix $X_{rc}$, $0 \le r \le 255$ and $1 \le c \le m$, where $m$ is the number of requests in the window. For the experiments we use $m = 256$.

Figure: rows are ASCII characters (0–255), columns are requests (1–m); the entry at (r, c) is the frequency f of character r in request c.

SLIDE 25

Detection with TW2D

An analyzed window with one attack

Figure: (a) frequency surface over ASCII code × HTTP request; (b) 2D frequency map of the same window, with the attack marked A1.

The TW2D of the analyzed window above

Figure: (a) abs(coefficient) surface over ASCII code × HTTP request; (b) 2D map of abs(coefficient) showing the four blocks (cc), (cd), (dc), (dd).

SLIDE 26

Anomaly Detection Scheme

[figure]

SLIDE 27

Pre-detection

Weight computation for each character $c_i$, $i = 0..255$, over $k$ pre-processing windows, where $f_j(c_i)$ is the frequency of character $c_i$ in window $j$:

$$p(c_i) = \begin{cases} \dfrac{1}{\sum_{j=1}^{k} f_j(c_i)}, & \sum_{j=1}^{k} f_j(c_i) > 0 \\[2ex] 1, & \sum_{j=1}^{k} f_j(c_i) = 0 \end{cases} \qquad i = 0..255 \qquad (3)$$

SLIDE 28

Detection: Anomaly Detection Algorithm

Frequency enhancement phase, according to the weights computed in the pre-detection phase:

$$f^*(c_i) = \begin{cases} f(c_i) + p(c_i) \cdot CTE, & f(c_i) > 0 \\ 0, & f(c_i) = 0 \end{cases} \qquad i = 0..255 \qquad (4)$$

The TW2D generates four blocks of coefficients: the approximation block (cc) and three coefficient blocks (cd, dc, dd). When a wavelet coefficient (of any block) is greater than $\lambda$, the request associated with it is considered anomalous. $\lambda$ is computed for each coefficient block with the Universal Threshold $\lambda = \sigma \sqrt{2 \log T}$. In this work we approximate $\sigma$ by the mean absolute deviation from the median (ad):

$$\sigma = \frac{1}{T} \sum_{i=1}^{T} |d_i - \mathrm{med}(G)|,$$

where $T$ is the number of coefficients of block $G$ and $\mathrm{med}(G)$ is the median of the wavelet coefficients of block $G$ with $|d_i| > 0$.

SLIDE 29

Anomaly Detection Algorithm

The algorithm is summarized below.

Input: the matrix X.
Step 1: frequency enhancement.
Step 2: apply one level of the TW2D to X.
Step 3: for each subband (cd, dc, dd), compute a threshold limit λ.
Step 4: for each subband (cd, dc, dd), mark the position (x, y) if |d_xy| > λ.
Step 5: if the position (x, y) was marked in at least two subbands, it corresponds to an attack.
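The detector of slides 10–11, 24 and 27–29 end to end, as an added example in pure Python (this is not the authors' implementation). It extracts the request from log lines in the format of slide 32, builds the 256 × m frequency matrix, applies the enhancement of equation (4) with the weights of equation (3), takes one TW2D level (Algorithms 2 and 3), thresholds the cd, dc and dd subbands with the median-based universal threshold of slide 28 and reports a request once a position is marked in at least two subbands. Assumptions that the slides do not fix: the string analyzed is the whole request target (path plus query string, as in the slide 30 table); CTE = 20; T counts the non-zero coefficients of a subband and the mean absolute deviation is taken over those; and since a subband position covers a pair of neighbouring requests, the request of the pair with the larger enhanced count on the marked character rows is the one reported. The sample traffic is constructed for the example and is not the authors' dataset.

```python
# Added example, not the authors' code: the detector of slides 24-29 in pure Python.
# Assumptions beyond the slides: the whole request target is analyzed, CTE = 20,
# T = number of non-zero coefficients of a subband, and a marked position is
# attributed to the request of the pair with the larger enhanced count.
import math
import re
from statistics import median

REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')


def request_targets(log_lines):
    """Extract the request target (path + query string) from combined-log lines."""
    return [m.group(1) for m in map(REQ_RE.search, log_lines) if m]


def freq_matrix(targets):
    """Slide 24 data model: X[r][c] = frequency of byte r (0..255) in request c."""
    X = [[0.0] * len(targets) for _ in range(256)]
    for c, t in enumerate(targets):
        for b in t.encode("utf-8"):
            X[b][c] += 1
    return X


def char_weights(predetection_windows):
    """Equation (3): p(c_i) = 1 / sum_j f_j(c_i), or 1 if c_i never occurred."""
    total = [0.0] * 256
    for window in predetection_windows:
        for t in window:
            for b in t.encode("utf-8"):
                total[b] += 1
    return [1.0 / s if s > 0 else 1.0 for s in total]


def enhance(X, p, cte):
    """Equation (4): f*(c_i) = f(c_i) + p(c_i) * CTE where f(c_i) > 0, else 0."""
    return [[f + p[r] * cte if f > 0 else 0.0 for f in row] for r, row in enumerate(X)]


def haar_step(v):
    """Algorithm 2 (Haar DecompositionStep): approximations first, then details."""
    if len(v) % 2:
        raise ValueError("Haar step needs an even number of samples")
    h = len(v) // 2
    approx = [(v[2 * i] + v[2 * i + 1]) / math.sqrt(2) for i in range(h)]
    detail = [(v[2 * i] - v[2 * i + 1]) / math.sqrt(2) for i in range(h)]
    return approx + detail


def haar_2d_level(X):
    """One level of Algorithm 3 (TW2D): a Haar step over every row, then every column."""
    Y = [haar_step(row) for row in X]
    for col in range(len(Y[0])):
        column = haar_step([Y[r][col] for r in range(len(Y))])
        for r, value in enumerate(column):
            Y[r][col] = value
    return Y


def subbands(Y):
    """Cut a one-level TW2D into the cc, dc, cd, dd blocks of the slide 20 figure."""
    hr, hc = len(Y) // 2, len(Y[0]) // 2
    block = lambda r0, c0: [row[c0:c0 + hc] for row in Y[r0:r0 + hr]]
    return {"cc": block(0, 0), "dc": block(0, hc), "cd": block(hr, 0), "dd": block(hr, hc)}


def universal_threshold(block):
    """Slide 28: lambda = sigma*sqrt(2 ln T), sigma = mean |d_i - med(G)| over non-zero |d_i|."""
    G = [abs(d) for row in block for d in row if d != 0]
    if len(G) < 2:
        return math.inf          # nothing to compare against: mark nothing
    med = median(G)
    sigma = sum(abs(g - med) for g in G) / len(G)
    return sigma * math.sqrt(2 * math.log(len(G)))


def detect(window, predetection_windows, cte=20.0, min_subbands=2):
    """Steps 1-5 of slide 29; returns the sorted indices of requests marked as attacks."""
    Xs = enhance(freq_matrix(window), char_weights(predetection_windows), cte)
    bands = subbands(haar_2d_level(Xs))
    marks = {}
    for name in ("cd", "dc", "dd"):
        lam = universal_threshold(bands[name])
        for x, row in enumerate(bands[name]):
            for y, d in enumerate(row):
                if abs(d) > lam:
                    marks[(x, y)] = marks.get((x, y), 0) + 1
    flagged = set()
    for (x, y), n in marks.items():
        if n >= min_subbands:
            # Subband position (x, y) covers character rows 2x, 2x+1 and requests 2y, 2y+1.
            left = Xs[2 * x][2 * y] + Xs[2 * x + 1][2 * y]
            right = Xs[2 * x][2 * y + 1] + Xs[2 * x + 1][2 * y + 1]
            flagged.add(2 * y if left >= right else 2 * y + 1)
    return sorted(flagged)


# Constructed traffic in the log format of slide 32 (not the authors' dataset).
LOG_FMT = '170.51.19.9 - - [11/Jan/2010:20:41:19 -0300] "GET /page.php?p=%s HTTP/1.1" 200'
NORMAL = ["calAcad", "allnews", "trabajo", "ingeInfo", "mapsite", "admision", "materias", "examenes"]
LOG_NORMAL = [LOG_FMT % p for p in NORMAL]
LOG_ATTACK = LOG_FMT % "../../../../../../../etc/passwd%00"
PREDETECTION = [request_targets(LOG_NORMAL)] * 16                     # 16 normal windows of 8 requests
WINDOW = request_targets(LOG_NORMAL[:5] + [LOG_ATTACK] + LOG_NORMAL[6:])  # traversal at index 5

if __name__ == "__main__":
    print("flagged requests:", detect(WINDOW, PREDETECTION))
```

Running the block reports index 5, the directory traversal: its `%`, `0`, `.` and `/` rows produce row-detail coefficients an order of magnitude above those of any pair of normal requests, and the `$`/`%` row pair at the request pair (4, 5) exceeds λ in cd, dc and dd at once. The window here is 8 requests wide rather than the authors' m = 256, and the pre-detection set is only 128 requests rather than 1024, so the per-character weights p(c_i) are coarser than in the paper; with fewer pre-detection requests, characters seen only once or twice get almost the full CTE boost in normal requests too, which is the false-positive source the enhancement parameters trade against.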

SLIDE 30

Effect of frequency enhancement (example)

Figure: two frequency surfaces over ASCII character × HTTP request for the same window, "Without enhancement" (frequency scale 5–25) and "With enhancement" (frequency scale 5–30).

Attacks present in the window, by request position:

Pos   Attack
10    /page.php?p=%2e%2e%2f%2e%2e%2f/../../../../../../etc/passwd
25    /page.php?p=%2e%2e%2f%2e%2e%2f/../../../../../etc/passwd
36    /page.php?p=xxxxxxxxxxxxxxxxxxx
74    /page.php?p=../../../../../../../../../../../etc/passwd%00
100   /page.php?p=http://www.manchenumerique.fr/voeux2008/rss.txt??
212   /page.php?p=../../../../../../../etc/passwd%00
246   /page.php?p=../../../../../../../etc/passwd%00


SLIDE 32

Dataset for experiments

The dataset contains the queries sent by clients to a web server, in log format, for instance:

170.51.19.9 - - [11/Jan/2010:20:41:19 -0300] "GET /page.php?p=calAcad HTTP/1.1" 200.

The data collected corresponds to three months of web traffic of the Polytechnic School web server. The total number of requests was 59,248, giving 232 processed windows. The attacks were inserted manually into the dataset and included the following kinds: Directory Traversal, Code-Red, Cross Site Scripting (XSS), File Inclusion, SQL Injection and OS Injection.

SLIDE 33

Kinds of attacks inserted in the dataset

Attack               | Example                                                          | Quantity
FileInclusion        | /page.php?p=http://www.manchenumerique.fr/voeux2008/rss.txt??   | 1
CodeRed              | /page.php?p=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                     | 2
Directory Traversal  | /page.php?p=../../../../../../etc/passwd%00                      | 8
XSS                  | /page.php?p=<scr<script>ipt>alert(document.cookie)</script>      | 5
SQLInjection         | /page.php?p=gd_index and 1 = 1                                    | 5
OSInjection          | /page.php?p=/bin/ping                                             | 1
Total                |                                                                  | 22


SLIDE 35

Comparison of results with and without enhancement

Attack               | Total | Without Enhancement | With Enhancement
FileInclusion        | 1     | 0                   | 1
CodeRed              | 2     | 2                   | 2
Directory Traversal  | 8     | 8                   | 8
XSS                  | 5     | 2                   | 5
SQLInjection         | 5     | 0                   | 5
OSInjection          | 1     | 0                   | 1
TP                   | 22    | 12                  | 22
FP                   |       | 0                   | 4
Precision (P)        |       | 100%                | 85%
Recall (R)           |       | 55%                 | 100%
F-Measure            |       | 71%                 | 92%

FP = False Positives, TP = True Positives, FN = False Negatives.

$$P = \frac{TP}{TP + FP}, \qquad R = \frac{TP}{TP + FN}, \qquad \text{F-Measure} = \frac{2 \cdot R \cdot P}{R + P}$$

Number of windows for the pre-detection phase: 4 (= 1024 requests).

SLIDE 36

Comparison of results with other anomaly algorithms

The algorithms considered here for comparison require normal data for a training phase.

Attack               | Total | TW2D with enhancement | 6BIN | MD   | NGRAM
FileInclusion        | 1     | 1                     | 0    | 1    | 1
CodeRed              | 2     | 2                     | 2    | 2    | 2
Directory Traversal  | 8     | 8                     | 8    | 6    | 8
XSS                  | 5     | 5                     | 0    | 5    | 5
SQLInjection         | 5     | 5                     | 0    | 5    | 5
OSInjection          | 1     | 1                     | 0    | 1    | 1
TP                   | 22    | 22                    | 10   | 20   | 22
FP                   |       | 4                     | 26   | 21   | 231
Precision (P)        |       | 85%                   | 28%  | 48%  | 9%
Recall (R)           |       | 100%                  | 46%  | 91%  | 100%
F-Measure            |       | 92%                   | 34%  | 63%  | 16%

6BIN: Pearson χ² test [Kruegel and Vigna 2003] [Kruegel et al. 2005]. MD: Mahalanobis distance [Wang and Stolfo 2004]. NGRAM: algorithm based on n-gram analysis [Ingham and Inoue 2007]; we considered 2-grams to 10-grams and report the best results here, and a request is anomalous if fewer than 95% of its n-grams are normal.

Number of windows for the pre-detection phase: 4 (= 1024 requests). For the other algorithms we used 1024 requests for the training phase.

SLIDE 37

Conclusions and future Work

We have presented an algorithm based on the Haar wavelet transform with a frequency enhancement pre-processing step. The threshold used by the attack detection algorithm adapts to the data being analyzed: it is a local, adaptive threshold. The frequency pre-processing phase makes it possible to identify more subtle attacks, which improves the sensor's performance. Our method outperformed other traditional anomaly detection methods that analyze the character frequency distribution.

In future work we will analyze the behaviour of the proposed algorithm on other datasets, extend the analysis to HTTP POST requests and HTTP header fields, and test the algorithm against other kinds of web attack.

SLIDE 38

Questions? Thanks for your attention!

Cristian Cappo (ccappo@pol.una.py)