Web Application Security

Similar documents
Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Anomaly Detection of Web-based Attacks

Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

System Specification. Author: CMU Team

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Information Technology Policy

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Intelligent. Data Sheet

What is Web Security? Motivation

Detection and mitigation of Web Services Attacks using Markov Model

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

5 Simple Steps to Secure Database Development

INTRUSION DETECTION SYSTEM FOR WEB APPLICATIONS WITH ATTACK CLASSIFICATION

Web App Security Audit Services

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

How to Build a Trusted Application. John Dickson, CISSP

CSCE 465 Computer & Network Security

(WAPT) Web Application Penetration Testing

Barracuda Intrusion Detection and Prevention System

Columbia University Web Security Standards and Practices. Objective and Scope

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

IDS / IPS. James E. Thiel S.W.A.T.

How To Protect A Network From Attack From A Hacker (Hbss)

Preprocessing Web Logs for Web Intrusion Detection

Application Security: What Does it Take to Build and Test a Trusted App? John Dickson, CISSP Denim Group

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Secure Code Development

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Vulnerability-Focused Threat Detection: Protect Against the Unknown

B database Security - A Case Study

Web Forensic Evidence of SQL Injection Analysis

Challenges of Automated Web Application Scanning

Check list for web developers

On-Premises DDoS Mitigation for the Enterprise

IBM Protocol Analysis Module

How To Prevent Hacker Attacks With Network Behavior Analysis

Intrusion Detection Systems. Overview. Evolution of IDSs. Oussama El-Rawas. History and Concepts of IDSs

Protecting a Moving Target: Addressing Web Application Concept Drift

Research on the Essential Network Equipment Risk Assessment Methodology based on Vulnerability Scanning Technology Xiaoqin Song 1

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

How To Perform An External Security Vulnerability Assessment Of An External Computer System

Common Criteria Web Application Security Scoring CCWAPSS

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

Basic & Advanced Administration for Citrix NetScaler 9.2

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

Attack and Penetration Testing 101

Last Updated: July STATISTICA Enterprise Server Security

Rational AppScan & Ounce Products

WHITEPAPER. Nessus Exploit Integration

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS

CSC574 - Computer and Network Security Module: Intrusion Detection

Securing Outlook Web Access (OWA) 2013 with NetScaler AppFirewall

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Guidelines for Web applications protection with dedicated Web Application Firewall

SURVEY OF INTRUSION DETECTION SYSTEM

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

Reference Architecture: Enterprise Security For The Cloud

Intrusion Detection for Grid and Cloud Computing

Guidance Regarding Skype and Other P2P VoIP Solutions

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

FortiWeb 5.0, Web Application Firewall Course #251

The Challenge of a Comprehensive Network Protection. Introduction

Intruders & Intrusion Hackers Criminal groups Insiders. Detection and IDS Techniques Detection Principles Requirements Host-based Network-based

The Security Organization p. 1 Anecdote p. 2. Introduction

Sample Report. Security Test Plan. Prepared by Security Innovation

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Java Program Vulnerabilities

CS Computer and Network Security: Intrusion Detection

Organizations Should Implement Web Application Security Scanning

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Outline Intrusion Detection CS 239 Security for Networks and System Software June 3, 2002

Testing Web Applications for SQL Injection Sam Shober

Magento Security and Vulnerabilities. Roman Stepanov

Introducing IBM s Advanced Threat Protection Platform

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

The Cyber Threat Profiler

White Paper. McAfee Web Security Service Technical White Paper

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Passing PCI Compliance How to Address the Application Security Mandates

Taxonomy of Intrusion Detection System

Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

External Network & Web Application Assessment. For The XXX Group LLC October 2012

WSF: An HTTP-level Firewall for Hardening Web Servers

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Intrusion Detection Systems

Integrating Barracuda Web Application Firewall

Transcription:

Web Application Security Richard A. Kemmerer Reliable Software Group Computer Science Department University of California Santa Barbara, CA 93106, USA http://www.cs.ucsb.edu/~rsg www.cs.ucsb.edu/~rsg/

Why are web applications important? Web has become a ubiquitous application delivery medium Easy to develop, deploy, and access web applications Pervasive: deployed by virtually all companies, institutions, and organizations Critical: access/manage sensitive information (e.g., health records, financial information, personal data) Open: widely accessible through firewalls Dynamic: change frequently 2

Web application attacks Web-related security flaws represent a substantial fraction of all reported security flaws Cross-site site scripting Buffer overflows SQL injection Command execution Exploitation of weak cookies Sniffing of unencrypted sensitive information Bypassing client-side validation Misuse of hidden form fields Result: web-based based applications are vulnerable and have become a popular attack target 3

Intrusion detection systems (IDS) Examine a time-ordered stream of events from a set of domains Network (e.g., packets, streams) Host (e.g., system calls, audit records) Application (e.g., syslog, HTTP access logs) Look for event sequences that represent attacks Misuse detection Use signatures to characterize bad events Reliably low false positive rates Poor generalization Anomaly detection Use models to characterize good events Traditionally have higher false positive rates Sensitive to novel, unforeseen attacks 4

Learning-based detection Generate models of normal behavior using a history of attack-free samples Models associated with features in a particular domain Models limited in scope to samples observed during training period Potential to capture tighter, installationspecific behaviors Use limited to subset of software functionality Patterns of user behavior 5

Anomaly detection phases 6

Web-based based anomaly detection Examines web requests sent from clients to server Application to be executed Application parameters (attribute names and values) Example GET /cgi-bin/show.cgi?sid=12345&file=images/ =12345&file=images/foo.pngfoo.png Applies statistical models to each attribute of each application in two phases Learning phase: Builds profiles of normal behavior for each application parameter Detection phase: Detects deviations from learned profile 7

Web-based based anomaly detection Examines web requests sent from clients to server Application to be executed Application parameters (attribute names and values) Example GET /cgi-bin/show.cgi?sid=12345&file=images/ =12345&file=images/foo.pngfoo.png Applies statistical models to each attribute of each application in two phases Learning phase: Builds profiles of normal behavior for each application parameter Detection phase: Detects deviations from learned profile 8

Web-based based anomaly detection Examines web requests sent from clients to server Application to be executed Application parameters (attribute( names and values) Example GET /cgi-bin/show.cgi? bin/show.cgi?sid=12345& =12345&file=images/ =images/foo.png Applies statistical models to each attribute of each application in two phases Learning phase: Builds profiles of normal behavior for each application parameter Detection phase: Detects deviations from learned profile 9

Web-based based anomaly detection Examines web requests sent from clients to server Application to be executed Application parameters (attribute names and values) Example GET /cgi-bin/show.cgi?sid=12345&file=images/ images/foo.png Applies statistical models to each attribute of each application in two phases Learning phase: Builds profiles of normal behavior for each application parameter Detection phase: Detects deviations from learned profile 10

Detection models used Length Character distribution Structural inference Token set Frequency Interval Invocation order 11

Observation Length model Many string lengths are either fixed in size or vary over a small l range Model attempts to approximate actual (unknown) distribution of string s lengths Weak bound results in significant tolerance to variations Chebyshev inequality p(l) = p( x - μ > l - μ ) = σ 2 (l - μ) 2 12

String character distribution model Observation Many strings take values that have similar character distributions Model creates idealized character distribution (ICD) for strings observed during the training phase Anomaly score calculated using variant of Pearson Chi-squared test 13

Anomaly score aggregation Multiple models per event imply a need for score combination The simple approach (weighted summation) cannot represent dependencies between models When one feature is anomalous, another feature may be expected to be anomalous as well An anomalous feature might indicate that the quality of another model output increases Dependencies can be represented using Bayesian decision networks 14

Bayesian network example 15

Technology transfer to WebLoc Web application security module that ISVs can integrate with their web-based based offerings Detects and reports/blocks attacks that are Generic Specific to each web application deployment Sophisticated site-specific specific detection algorithms Customizes detection to particular configurations and sites using g multi- model learning Responds to changes in the web site and performs necessary retraining Aggressive reduction of the impact of false positives Reduces false positives by capturing inter-model dependencies using Bayesian analysis Intelligent reporting using attack aggregation to reduce the cost t of false positives Requires minimal expertise to deploy, configure, and maintain 16

Architecture Interposed between clients and web application Inspects HTTP requests and responses Option to report or block 17

Architecture Interposed between clients and web application Inspects HTTP requests and responses Option to report or block 18

Questions? 19

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information