A modular architecture for the analysis of HTTP payloads based on Multiple Classifiers Davide Ariu [email protected]Giorgio Giacinto [email protected]Department of Electric and Electronic Engineering University of Cagliari Pattern Recognition and Applications Group http://prag.diee.unica.it Group This research was sponsored by the Autonomous Region of Sardinia through a grant financed with the ”Sardinia PO FSE 2007‐2013” funds and provided according to the L.R. 7/2007 Napoli, 17 Giugno 2011
Transcript
A modular architecture for the analysis of HTTP payloads based
Pattern Recognition and Applications Group http://prag.diee.unica.it
Group This research was sponsored by the Autonomous Region of Sardinia through a grant financed with the ”Sardinia PO FSE 2007‐2013” funds and provided according to the L.R. 7/2007
Napoli, 17 Giugno 2011
Outline
• Motivations
• The proposed system
• Experimental Setup and Results
• Conclusions
2 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
The objective
Design of an anomaly based Intrusion Detection System for the protection of Web Servers and Applications.
The HTTP traffic toward the web servers is inspected by a multiple classifier system.
3 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
Why Web Applications?
4 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
Why Anomaly Detection?
5 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
A legitimate Payload...
GET /pra/ita/home.php HTTP/1.1 Host: prag.diee.unica.it Accept: text/*, text/html User-Agent: Mozilla/4.0
6 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
A legitimate Payload...
GET /pra/ita/home.php HTTP/1.1 Host: prag.diee.unica.it Accept: text/*, text/html User-Agent: Mozilla/4.0
7 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
Request Line
A legitimate Payload...
GET /pra/ita/home.php HTTP/1.1 Host: prag.diee.unica.it Accept: text/*, text/html User-Agent: Mozilla/4.0
8 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
Request Line
Request Headers
...and some attacks
• Long Request Buffer Overflow HEAD / aaaaaaa…aaaaaaaaaaaa
• URL Decoding Error GET /d/winnt/sys32/cmd.exe?/c+dir HTTP/1.0 Host: www Connection: close
9 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
Why Payload Analysis?
• Detection of Web-based attacks based on the – Analysis of the Request-Line
• Allows detecting only attacks that exploit input-validation flows e.g. Spectrogram ([Song,2009]), HMM-Web ([Corona,2009])
– HTTP Payload Analysis • Takes into account the whole HTTP-request, and thus it can (in principle) detect any kind of attack
10 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
SOA - Payload Analysis
• Payl [Wang,2004] – n-grams to represent byte statistics
• McPAD [Perdisci,2009] – Ensemble of one-class SVM trained on ν-grams
• Spectrogram [Wang,2009] – Ensemble of Markov Chains to analyze the request-Line
• HMMPayl [Ariu,2011] – Ensemble of HMM to analyze sequences of bytes from
the whole payload
None of the above techniques represented the structure of the payload
11 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
The proposed system Basic Idea
• We propose to take into account the structure of HTTP payloads – For each line of the payload, an ensemble of HMM is used to model the sequences of bytes.
– The final decision is obtained by using the HMM outputs as features. The payload is thus classified by a one-class classifier trained on the outputs of the HMM ensembles.
12 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
The proposed system A scheme
13 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
HMM Ensemble Request‐Line
HMM Ensemble User‐Agent
HMM Ensemble Host
HMM Ensemble Accept‐Encoding
HMM Ensemble Accept‐Language 0.62
‐1
0.53
0.34
0.49
One‐Class Classifier
Output Score or
Class‐Label
IDS
GET /pra/index.php HTTP/1.1 Host: prag.diee.unica.it User-Agent: Mozilla/5.0 Accept-Encoding: gzip, deflate
HTTP Payload
Missing Features
• Each request typically does not contain all the headers
– Training phase: the value of the feature related to a missing header has been set to the average value
– Testing phase: the value of the feature related to a missing header has been set to -1
14 Pattern Recognition and Applications Group http://prag.diee.unica.it
Group
Experimental Setup - 1
• 2 Datasets of “Real” legitimate traffic – DIEE, collected at the University of Cagliari
– GT, collected at Georgia Tech
15 Pattern Recognition and Applications Group http://prag.diee.unica.it
