
Article in International Journal of Scientific and Engineering Research, January 2013. Author profile: Palanivel Kuppusamy, Pondicherry University (https://www.researchgate.net/publication/237149746). Uploaded by Palanivel Kuppusamy on 27 January 2015.


International Journal of Scientific & Engineering Research, Volume 4, Issue 5, May-2013 1824
ISSN 2229-5518

Intrusion Detection for Web Application: An Analysis

N. Sakthipriya, K. Palanivel

Abstract— Web applications are becoming the dominant way to provide access to online services and are also a valuable target for security attacks. As the use of web applications for critical services has increased, the sophistication of attacks against these applications has grown as well. To protect web applications, several intrusion detection systems have been proposed. In this paper, several techniques meant for the detection of web application related attacks are presented together with their advantages and disadvantages. Furthermore, the common attacks to which web applications are vulnerable are discussed. Finally, this study concludes with an analysis of the challenges that still remain to be resolved for the detection of web application attacks.

Index Terms— Web Application, Intrusion Detection, Attacks, Tools

1 INTRODUCTION

The Internet services and use of web applications are increasing tremendously around the world. Unfortunately, it has been found easy to disturb the functionality of the Internet by attacking its infrastructure, taking advantage of Internet services and protocols. The vulnerability of web applications has attracted the attention of malicious hackers, who exploit it to access sensitive information, which might lead to enormous gain. The security of web-based applications should be addressed by means of careful design and thorough security testing. Unfortunately, this is often not the case. For this reason, security-conscious development methodologies should be complemented by an intrusion detection infrastructure that is able to identify attacks and provide early warning about suspicious activity. Intrusion detection is the process of monitoring events occurring in a system and reporting them accurately to the proper authority when suspicious activity occurs. There are two main types of intrusion detection methods. The first is anomaly detection, in which deviations from normal user behavior are considered intrusive. The second is misuse detection, in which an attack is characterized as a 'pattern' or 'signature' that the IDS looks for; a pattern or signature might be a static string or a set sequence of actions.
The intrusion detection system provides the following:
• Monitoring and analyzing of user and system activity.
• Auditing of system configurations and vulnerabilities.
• Assessing the integrity of files and the critical system.
• Statistical analysis of activity patterns.
• Abnormal activity analysis.
• Operating system audit.

————————————————
• N. Sakthipriya is currently pursuing a master's degree program in Computer Science & Engineering at Pondicherry University, Pondicherry, India.
• K. Palanivel is currently working as a System Analyst at Pondicherry University, Pondicherry, India.

2 COMMON WEB APPLICATION ATTACKS

2.1 SQL Injection

The SQL injection attack abuses web pages that allow users to enter text in form fields which are then used in database queries. Hackers can enter a disguised SQL query, which changes the nature of the query. Hence the queries can be used to access the connected database and change or delete its data.

Fig (1): SQL Injection Attack

2.2 Cross Site Scripting

Cross site scripting is an attack targeted towards the hosting web application, its underlying OS, and often the back-end database. An attacker will often attack a web application that does not filter scripts from form fields submitted to the web application. Attackers are often able to insert code which gets executed by the user's browser. This code will attempt to steal browser cookies that include banking session data, passwords, etc. Session cookies are then used by the attacker to emulate a legitimate user session to a banking site, email account, etc.


Fig (2): XSS Attack Hijack Scenario

2.3 Session Hijack

A session hijacking attack is mainly aimed at the web server side. An attacker takes over the web server and therefore hijacks all subsequent legitimate user sessions to launch attacks. By hijacking other users' sessions, the attacker can listen in, send spoofed replies and drop user requests. There are two types of session hijacking:
• Active session hijacking.
• Passive session hijacking.
Active session hijacking involves hijacking an already authenticated session. The original user has logged in to his account profile; the attacker then steals the cookies to hijack the active session and disconnects the original user from the server.
In passive session hijacking, attackers do not hijack an active session; instead they capture the login credentials while the original user is trying to establish a new connection with the server, with the attacker sitting silently on the same network and recording the login credentials.

Fig (3): Session Hijacking

2.4 Remote Code Execution

This vulnerability allows an attacker to run arbitrary, system-level code on the vulnerable server and retrieve any needed information contained therein. Improper coding errors lead to this type of vulnerability.

2.5 Cross Site Request Forgery

Cross site request forgery is an attack which forces an end user to execute unwanted actions on a web application in which the legitimate user is currently authenticated. With the help of email, an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted user is the administrator account, this can compromise the entire web application. The malicious website causes a user's browser to send a request to a trusted site. The trusted site sees a valid and authenticated request from the browser and does what is asked.

Fig (4): CSRF Attack Scenario

2.6 Sophisticated HTTP attacks

Sophisticated HTTP attacks are among the most popular hacking techniques. Hackers mainly target HTTP requests and manipulate or modify the requests to cause the requisite damage. The attacks are usually performed using HTTP port 80 or other HTTP communication.
Sophisticated HTTP attacks result in easy access into the web server for the hacker, allowing him to cause immense damage. Hackers can delete information, steal data, or add information. They can cause interminable harm to a website. If a website gets affected, it can result in serious damage to its online business, spoil the website's image, or cause financial loss to the business.

2.7 Buffer Overflow

A buffer overflow is an exploit that takes advantage of a program that is waiting for input from the user. There are two types of buffer overflow attacks:
• Stack based attack
• Heap based attack
Heap based attacks flood the memory space reserved for a program; this is rarely used for performing such an attack due to its difficulty.
In a stack-based buffer overrun, the program being exploited uses a memory object known as a stack to store user input.


Fig (5): Stack based buffer overflow attack

3 TOOLS FOR IDS

3.1 SNORT

Snort is an open source intrusion detection and prevention system that excels at traffic analysis and packet logging on IP networks, combining the benefits of signature, protocol and anomaly based inspection. Through protocol analysis and various pre-processors, Snort detects a large number of worms, port scans, vulnerability exploitation attempts and other suspicious behavior. Snort uses a rule based language to describe traffic that it should collect or pass, and a modular detection engine.

3.2 OSSEC

OSSEC is an open source host based intrusion detection system that performs log analysis, policy monitoring, rootkit detection, file integrity checking, real time alerting and active response. Because of its powerful log analysis engine, ISPs, several universities and data centers are running OSSEC to monitor and analyze their firewall, web server and authentication logs.

3.3 SGUIL

Sguil's main component is an intuitive GUI that provides access to real-time events, session data and raw packet captures. It facilitates the practice of network security monitoring and event driven analysis.

3.4 OSSIM

OSSIM is an open source Security Information and Event Management system comprising a collection of tools designed to assist network administrators in computer security, intrusion detection and prevention. It also provides a strong correlation engine with low, mid and high level visualization interfaces as well as reporting and incident managing tools.

3.5 TRIPWIRE

Tripwire is a software security and data integrity tool useful for monitoring and alerting on specific file changes on a range of systems. It functions as a host based intrusion detection system, but rather than attempting to detect intrusions at the network interface level, it detects changes to file system objects. It is useful for detecting intrusions after the event. It can also serve many other purposes such as change management, integrity assurance and policy compliance.

4 RELATED WORKS

Many researchers have introduced various techniques to defend against various attacks.

C. Kruegel and G. Vigna [6] presented an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web based applications. The system correlates the server side programs referenced by client queries with the parameters contained in the queries. The system automatically derives the parameter profiles associated with web application data.

M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna [1] present Swaddler, a novel approach to anomaly based detection of attacks against web applications. Swaddler analyzes the internal state of a web application and learns the relationship between the application's critical execution points and its internal state. Swaddler is able to identify attacks that attempt to bring an application into an inconsistent, anomalous state, such as a violation of the intended workflow of the web application.

G. Vigna, W.K. Robertson, V. Kher, and R.A. Kemmerer [8] presented WebSTAT, an intrusion detection system that analyzes web requests looking for malicious behavior. It provides a sophisticated language to describe multi-step attacks in terms of states and transitions. It operates on multiple event streams and is able to correlate both network and operating system level events with entries contained in the server logs.

M. Auxilia and D. Tamilselvan [2] proposed a negative security model based on the misuse of web applications. This negative security model provides a web application firewall engine with a rule set, to ensure rigorous protection across every web architecture. WAFs are deployed to establish an increased external security layer to detect and prevent attacks before they reach web applications.

G. Vigna, F. Valeur, D. Balzarotti, W.K. Robertson, C. Kruegel, and E. Kirda [7] proposed a system composed of a web based anomaly detection system, a reverse HTTP proxy and a database anomaly detection system. Serially composing a web based anomaly detector and a SQL query anomaly detector increases the detection rate of the system. To address the system's capacity for producing false positives, they additionally present an approach to provide differentiated access to a website based on the anomaly score associated with web requests.

Meixing Le, Angelos Stavrou, and Brent ByungHoon Kang [9] proposed Double Guard, an IDS that models the network behavior of user sessions across both the web front end and the back end database. By monitoring both web requests and the subsequent database requests, the system is able to find attacks that an independent IDS would not be able to identify. They also quantify the limitations of any multi-tier IDS in terms of training sessions and functionality coverage.

Juan Jose Garcia Adeva and Juan Manuel Pikatza Atxa [3] presented an intrusion detection software component based on text mining techniques that attempts to detect either unauthorized access or misuse of a web application. By using text categorization, it is capable of learning the characteristics of both normal and malicious user behavior from log entries generated by the web application server, and therefore the detection of misuse in a web application is achieved.

Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna [5] proposed a novel approach to the identification of a class of application logic vulnerabilities in the context of web applications. This approach uses a composition of dynamic analysis and symbolic model checking to identify invariants that are a part of the intended program specification but are not enforced on all paths in the code of a web application.

Christopher Kruegel, Giovanni Vigna, and William Robertson [4] presented an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web based applications. The system analyzes client queries that reference server side programs and creates models for a wide range of different features of these queries. The system automatically derives the parameter profiles associated with the web applications, and the relationships between queries, from analyzing the data.

R. Sekar [10] presented a new technique called taint inference, which operates by intercepting requests and responses from the application. For web applications, this interception may be achieved using network layer interposition or library interposition. They developed a class of policies called syntax- and taint-aware policies that can accurately detect and block most injection attacks.
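As an added illustration of the parameter-profile style of anomaly detection surveyed above ([6], [4]) and of the anomaly-versus-misuse distinction from the Introduction, the following Python code is not from the paper or from any of the cited systems. It learns per-parameter length statistics and character sets from constructed access-log lines and scores new requests with a Chebyshev length bound, in the spirit of (not a reimplementation of) the cited approach; the log lines, paths and parameter names are all made up.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the paper): normal /search traffic used only for training.
TRAINING_LOGS = [
    '10.0.0.1 - - [01/May/2013:10:00:01 +0000] "GET /search?q=books&page=1 HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/May/2013:10:00:05 +0000] "GET /search?q=shoes&page=1 HTTP/1.1" 200 498',
    '10.0.0.3 - - [01/May/2013:10:00:09 +0000] "GET /search?q=laptop&page=2 HTTP/1.1" 200 530',
    '10.0.0.4 - - [01/May/2013:10:00:12 +0000] "GET /search?q=garden+tools&page=3 HTTP/1.1" 200 601',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def parse_request(line):
    """Return (path, {param: value}) for a combined-log-format line."""
    match = LOG_RE.search(line)
    if match is None:
        raise ValueError(f"not a recognised request line: {line!r}")
    target = urlsplit(match.group("target"))
    return target.path, dict(parse_qsl(target.query, keep_blank_values=True))

class ParameterProfile:
    """Profile of one (path, parameter) pair: value-length statistics and the characters seen in training."""

    def __init__(self):
        self.lengths = []
        self.chars = set()

    def train(self, value):
        self.lengths.append(len(value))
        self.chars.update(value)

    def length_probability(self, length):
        """Chebyshev bound on seeing a value this long; only values longer than the mean are penalised."""
        mean = sum(self.lengths) / len(self.lengths)
        var = sum((n - mean) ** 2 for n in self.lengths) / len(self.lengths)
        if length <= mean:
            return 1.0
        return min(1.0, var / (length - mean) ** 2)  # var == 0 gives 0.0: any longer value is unseen

def train_profiles(lines):
    """Learn one ParameterProfile per (path, parameter) from normal traffic."""
    profiles = defaultdict(ParameterProfile)
    for line in lines:
        path, params = parse_request(line)
        for name, value in params.items():
            profiles[(path, name)].train(value)
    return dict(profiles)

def score_request(profiles, line, threshold=0.1):
    """Return the anomaly reasons for one log line (an empty list means normal)."""
    path, params = parse_request(line)
    reasons = []
    for name, value in params.items():
        profile = profiles.get((path, name))
        if profile is None:  # a parameter this program was never seen to accept
            reasons.append(f"{name}: parameter never seen for {path}")
            continue
        p = profile.length_probability(len(value))
        if p < threshold:
            reasons.append(f"{name}: length {len(value)} is unlikely (p={p:.4f})")
        unseen = set(value) - profile.chars
        if unseen:
            reasons.append(f"{name}: characters never seen in training {sorted(unseen)}")
    return reasons
```

A real deployment would train on far more traffic and weight the individual models into one anomaly score, as the cited systems do; this block keeps the per-parameter models and the reasons separate so that each decision is visible.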


Table 1: Analysis of various intrusion detection techniques

1. Anomaly Detection of Web based attacks
   Advantage: Supports detection of new attacks and cannot be evaded by attempting to hide malicious code inside a string.
   Disadvantage: Header data of GET requests are not taken into account; relies on web access logs; attacks that compromise the security of the web server.
   Attack class: Buffer overflow, directory traversal, cross site scripting, input validation, Code Red.

2. Swaddler: An approach for the anomaly detection of state violations in web application
   Advantage: Detects the attacks that cannot be identified by examining the external flow of requests and responses.
   Disadvantage: Vulnerable to mimicry attack.
   Attack class: Workflow violation attacks.

3. A stateful Intrusion Detection system for World Wide Web Servers
   Advantage: The expressiveness of the language allows the attack modeler to describe timing relationships, and this approach is able to detect more complex attacks.
   Disadvantage: Vulnerable to denial of service attacks.
   Attack class: Web crawler, pattern matching, cookie stealing, buffer overflow, document root escape.

4. Anomaly detection using Negative security model in web Application
   Advantage: Provides a rule set for detecting the attacks; HTTP traffic can be monitored in real time in order to detect and prevent attacks from reaching web applications.
   Disadvantage: Does not provide a unique rule for detection of all attacks.
   Attack class: HTTP attacks, SQL injection, cross site scripting.

5. Reducing errors in the anomaly based detection of web based attacks through the combined analysis of web requests and SQL queries
   Advantage: When an attack is detected it does not block the anomalous request immediately but attempts to serve it through a web server with restricted access to sensitive information, thereby reducing false positives.
   Disadvantage: Vulnerable to distributed DoS attack.
   Attack class: SQL injection, command injection, information tampering, cross site scripting.

6. Double Guard: Detecting Intrusions in multi-tier web application
   Advantage: The causal mapping can identify the attack even in normal network traffic; 100 % detection accuracy with 0 % and 0.6 % false positives for static and dynamic web pages respectively.
   Disadvantage: Cross site scripting attack is possible; vulnerable to mimicry attack; not designed to mitigate DDoS attacks.
   Attack class: Privilege escalation, hijack future session attack, injection attack, direct DB attack.

7. Intrusion detection in web application using text mining
   Advantage: Log information generated by the system does not need any particular format; does not require any explicit programming for machine learning.
   Disadvantage: The system cannot detect new attacks; focuses only on access control; the false positive rate is high.
   Attack class: Access control.

8. Toward Automated detection of logic vulnerabilities in web applications
   Advantage: They focused on the fact that many invariants that relate to important concepts of web applications were not identified.
   Disadvantage: Vulnerability identification is limited.
   Attack class: Application logic vulnerabilities (authorization).

9. A multi model approach to the detection of web based attacks
   Advantage: Reduced number of false positives; able to detect a high percentage of attacks with a very limited number of false positives.
   Disadvantage: Relies on web access logs; the direct instrumentation of web servers introduces unwanted delay.
   Attack class: Buffer overflow, directory traversal, cross site scripting, Code Red, input validation.

10. An Efficient Black box technique for defeating web application Attacks
   Advantage: Effective in detecting a broad range of attacks on applications written in multiple languages; low overheads.
   Disadvantage: A false negative may occur due to parsing error, policy error or incompleteness.
   Attack class: SQL injection, command injection, path traversal, cross site scripting.

5 CONCLUSION

The undeniable existence of vulnerabilities in web applications enables attackers to exploit them through various attacks. In order to detect the existence of attacks, intrusion detection systems have emerged. However, there are still many challenges to overcome because of the occurrence of new attacks. This study presents a survey of various techniques for defending against various attacks. Our review finds that the existing techniques have their relative merits accompanied by a set of demerits.
From this analysis, it is inferred that the data complexity of applications has increased and web applications have adopted multi-tier designs. As discussed above, the intrusion detection model for a multi-tier web application needs a proper input validation mechanism as an additional defense for detecting attacks such as cross site scripting, and this challenge is yet to be resolved.

REFERENCES

[1] M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna, "Swaddler: An Approach for the Anomaly-Based Detection of State Violations in Web Applications," Proc. Int'l Symp. Recent Advances in Intrusion Detection (RAID '07), 2007.
[2] M. Auxilia and D. Tamilselvan, "Anomaly Detection Using Negative Security Model in Web Application," IEEE, 2010.
[3] Juan Jose Garcia Adeva and Juan Manuel Pikatza Atxa, "Intrusion Detection in Web Applications Using Text Mining," Journal of Artificial Intelligence, Elsevier, 2006.
[4] Christopher Kruegel, Giovanni Vigna, and William Robertson, "A Multi-Model Approach to the Detection of Web-Based Attacks," Journal of Computer Networks, Elsevier, 2005.
[5] Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna, "Toward Automated Detection of Logic Vulnerabilities in Web Applications," Proc. 19th USENIX Security Symposium (USENIX Security '10), 2010.
[6] C. Kruegel and G. Vigna, "Anomaly Detection of Web-Based Attacks," Proc. 10th ACM Conf. Computer and Comm. Security (CCS '03), Oct. 2003.
[7] G. Vigna, F. Valeur, D. Balzarotti, W.K. Robertson, C. Kruegel, and E. Kirda, "Reducing Errors in the Anomaly-Based Detection of Web-Based Attacks through the Combined Analysis of Web Requests and SQL Queries," J. Computer Security, vol. 17, no. 3, pp. 305-329, 2009.
[8] G. Vigna, W.K. Robertson, V. Kher, and R.A. Kemmerer, "A Stateful Intrusion Detection System for World-Wide Web Servers," Proc. Ann. Computer Security Applications Conf. (ACSAC '03), 2003.
[9] Meixing Le, Angelos Stavrou, and Brent ByungHoon Kang, "DoubleGuard: Detecting Intrusions in Multitier Web Applications," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 4, July/August 2012.
[10] R. Sekar, "An Efficient Black-box Technique for Defeating Web Application Attacks," Proc. Network and Distributed System Security Symp. (NDSS), 2009.
[11] http://www.ossec.net/
[12] http://www.snort.org/
[13] http://sguil.sourceforge.net/
[14] http://www.tripwire.com/