Protect Web Servers Research Articles

Anomaly detection for weblog data analysis using weighted PCA technique

Many methods have been developed to protect web servers against attacks. Anomaly detection methods rely on generic user models and application behavior, which interpret departures as indications of potentially dangerous behavior from the established pattern. However, due to a lack of evaluations and comparisons of various anomaly detection techniques, engineers may still decide which detection methods should not be used. Furthermore, even if engineers use an unusual detection technique, re-implementation will take a lifetime. We offer a comprehensive analysis and evaluation of six existing log-based detection techniques, including three monitored and three unchecked modes, as well as an open toolkit that allows for simple reuse, to address these problems. The different anomalies are detected with weighted PCA techniques. There are four datasets BGL, Liberty, Spirit & Thunderbird, which are used. The weighted PCA is compared with traditional KNN methods. The weighted PCA provided better results as compared to the KNN algorithm.

Security vulnerabilities related to web-based data

In this digital era, organizations and industries are moving towards replacing websites with web applications for many obvious reasons. With this transition towards web-based applications, organizations and industries find themselves surrounded by several threats and vulnerabilities. One of the largest concerns is keeping their infrastructure safe from attacks and misuse. Web security entails applying a set of procedures and practices, by applying several security principles at various layers to protect web servers, web users, and their surrounding environment. In this paper, we will discuss several attacks that may affect web-based applications namely: SQL injection attacks, cookie poisoning, cross-site scripting, and buffer overflow. Additionally, we will discuss detection and prevention methods from such attacks.

Network anomaly detection for protecting web services from the application layer bandwidth flooding attack

Web servers are generally situated in an efficient server center where these servers associate with the outside Web straightforwardly through spines. In the interim, the application layer Bandwidth flooding attack (ALBFA) assaults are basic dangers to the Web, especially to those business web servers. As of now, there are a few strategies intended to deal with the ALBFA assaults, however the greater part of them can't be utilized as a part of substantial spines. In this paper, we propound another technique namely BFADM to identify ALBFA assaults. Our work separates itself from past techniques by considering ALBFA assault discovery in overwhelming spine movement. Moreover, the recognition of ALBFA assaults is effortlessly deceived by streak swarm activity. Keeping in mind the end goal to beat this issue, our propounded technique develops a Constant Recurrence Vector and genuine opportune describes the movement as an arrangement of models. By looking at the entropy of ALBFA assaults and blaze swarms, these models can be utilized to perceive the genuine ALBFA assaults. We coordinate the above discovery standards into a modularized resistance design, which comprises of a head-end sensor, an identification module and an activity channel. With a quick ALBFA discovery speed, the channel is equipped for letting the true blue demands through however the assault movement is ceased.

Suspicious Score Based Mechanism to Protect Web Servers against Application Layer Distributed Denial of Service Attacks

Suspicious Score Based Mechanism to Protect Web Servers against Application Layer Distributed Denial of Service Attacks

Protecting Web Servers from Client based Attacks

Protecting Web Servers from Client based Attacks

Protecting Web Servers from Distributed Denial of Service Attacks

This thesis developed a novel architecture and adaptive methods to detect and block Distributed Denial of Service attacks with minimal punishment to legitimate users. A real time scoring algorithm differentiated attackers from legitimate users

An integrated method for real time and offline web robot detection

AbstractRecent academic and industry reports confirm that web robots dominate the traffic seen by web servers across the Internet. Because web robots crawl in an unregulated fashion, they may threaten the privacy, function, performance, and security of web servers. There is therefore a growing need to be able to identify robot visitors automatically, in offline and in real time, to assess their impact and to potentially protect web servers from abusive bots. Yet contemporary detection approaches, which rely on syntactic log analysis, finding statistical variations between robot and human traffic, analytical learning techniques, or complex software modifications may not be realistic to implement or remain effective as the behavior of robots evolve over time. Instead, this paper presents a novel detection approach that relies on the differences in the resource request patterns of web robots and humans. It rationalizes why differences in resource request patterns are expected to remain intrinsic to robots and humans despite the continuous evolution of their traffic. The performance of the approach, adoptable for both offline and real time settings with a simple implementation, is demonstrated by playing back streams of actual web traffic with varying session lengths and proportions of robot requests.

Smart Detection and Classification of Application-Layer Intrusions in Web Directories

The Republic of Croatia homepage and directory of Croatian web servers (www.hr) attracts several thousand visitors daily, which makes it the target of various attacks. In order to lower the risk from such attacks, we propose a concept for an intrusion detection system and a classifier of detected intrusions. We first examined the concepts of existing intrusion detection systems and combined their individual benefits into a concept best suited for protecting web services on the application layer. The proposed concept uses machine learning techniques for both intrusion detection and classification. Intrusion detection, observed through analysis of requests, is implemented by a feed-forward neural network, while intrusion classification is done using self-organizing maps. The case study and preliminary evaluation is presented on the Republic of Croatia homepage (www.hr), followed by guidelines for further research.

DDoS defense system for web services in a cloud environment

Recently, a new kind of vulnerability has surfaced: application layer Denial-of-Service (DoS) attacks targeting web services. These attacks aim at consuming resources by sending Simple Object Access Protocol (SOAP) requests that contain malicious XML content. These requests cannot be detected on the network or transportation (TCP/IP) layer, as they appear as legitimate packets. Until now, there is no web service security specification that addresses this problem. Moreover, the current WS-Security standard induces crucial additional vulnerabilities threatening the availability of certain web service implementations. First, this paper introduces an attack-generating tool to test and confirm previously reported vulnerabilities. The results indicate that the attacks have a devastating impact on the web service availability, even whilst utilizing an absolute minimum of attack resources. Since these highly effective attacks can be mounted with relative ease, it is clear that defending against them is essential, looking at the growth of cloud and web services. Second, this paper proposes an intelligent, fast and adaptive system for detecting against XML and HTTP application layer attacks. The intelligent system works by extracting several features and using them to construct a model for typical requests. Finally, outlier detection can be used to detect malicious requests. Furthermore, the intelligent defense system is capable of detecting spoofing and regular flooding attacks. The system is designed to be inserted in a cloud environment where it can transparently protect the cloud broker and even cloud providers. For testing its effectiveness, the defense system was deployed to protect web services running on WSO2 with Axis2: the defacto standard for open source web service deployment. The proposed defense system demonstrates its capability to effectively filter out the malicious requests, whilst generating a minimal amount of overhead for the total response time.

Protecting Web Services Against XPath Injection Attacks Using SVM Tree Kernel

In recent years, the injection attacks are the most common application layer attacks currently being used on the Internet. The growing acceptance of XML technologies for documents and protocols make the web application uncovered and exploited by hackers. XPath is a language used for querying XML document. XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. In this paper, we proposed an SVM learning based approach to protect web services against the XPath injection attacks. We have implemented a kernel based on trees and incorporate it to the libSVM tool. To proceed, we extract all possible sub trees from the xpath parse tree request, then we find the similarity between two structures by summing the similarity of their substructures. The architecture of our proposed solution is compounded of two principals modules: the learning engine and the predictor one. Before a treatment of incoming XPath queries, an Aspect oriented Programming interceptor component is invoked to intercept this query and submit it to the SVM engine predictor.

User and Machine Authentication and Authorization Infrastructure for Distributed Wireless Sensor Network Testbeds

The intention of an authentication and authorization infrastructure (AAI) is to simplify and unify access to different web resources. With a single login, a user can access web applications at multiple organizations. The Shibboleth authentication and authorization infrastructure is a standards-based, open source software package for web single sign-on (SSO) across or within organizational boundaries. It allows service providers to make fine-grained authorization decisions for individual access of protected online resources. The Shibboleth system is a widely used AAI, but only supports protection of browser-based web resources. We have implemented a Shibboleth AAI extension to protect web services using Simple Object Access Protocol (SOAP). Besides user authentication for browser-based web resources, this extension also provides user and machine authentication for web service-based resources. Although implemented for a Shibboleth AAI, the architecture can be easily adapted to other AAIs.

A Defensive OTP-Based Mechanism against Application Layer DDoS Attacks

In this paper, we present the design and implementation of OTP-DEF, a kernel extension to protect web servers against application layer DDoS attacks. OTP-DEF provides authentication by using OTP-based tests, which is different from other systems that use graphical tests. First of all, according to the load of web server, an OTP-DEF web-server should fall into one of three following modes: normal, suspected attack or confirmed attack mode, and the OTP-DEF authentication mechanism shall only be activated when web-server is in suspected attack mode. Secondly, we use OTP as our puzzle, which can automatically change at the certain time interval. It makes our proposal can defend socially-engineered attack, copy attacks, replay attacks and Brute-Force Attack. Thirdly, OTP-DEF uses an intermediate stage to identify the IP addresses that ignore the test, and persistently bombard the server with requests despite repeated failures at solving the puzzles. These machines are zombies because their intent is to congest the server. Once these machines are identified, OTP-DEF blocks their requests, turns the tests off, and allows access to legitimate users who are unable or unwilling to solve tests. Finally, OTP-DEF requires no modifications to client software.

Using Aspect Programming to Secure Web Applications

As the Internet users increase, the need to protect web servers from malicious users has become a priority in many organizations and companies. Writing crosscutting functions in complex software should take advantage of the modularity offered by new software development approaches. With AspectOriented Programming (AOP), separating concerns when designing an application fosters reuse, parameterization and maintenance. In this paper, we design a security aspect called AProSec for detecting SQL injection and Cross Scripting Site (XSS), that are common attacks in web servers. We experimented this aspect with AspectJ language and JBoss AOP. By this experimentation, we show the advantage of runtime platforms such as JBoss AOP for changing security policies at runtime. Finally, we describe related work on security and AOP.

A robust IP packets filtering mechanism for protecting Web server from DDoS attacks

Distributed denial of service (DDoS) attacks exploit the availability of Web servers, resulting in the severe loss of their connectivity. We present a robust IP packets filtering mechanism which combines the detection and filtering engine together to protect Web Servers from DDoS Attacks. The mechanism can detect DDoS attacks by inspecting inbound packets with an IP address database, and filter out lower priority IP addresses to preserve the connection for valid users by monitoring the queues status. We use the Netfilter's technique, a framework inside the Linux 2. 4. X, to implement it on a Web server. Also, we evaluate this mechanism and analyze the influence of some important parameters on system performance. The experimental results show that this mechanism is effective against DDoS attacks.

WebSOS: an overlay-based system for protecting web servers from denial of service attacks

We present WebSOS, a novel overlay-based architecture that provides guaranteed access to a web server that is targeted by a denial of service (DoS) attack. Our approach exploits two key characteristics of the web environment: its design around a human–centric interface, and the extensibility inherent in many browsers through downloadable “applets.” We guarantee access to a web server for a large number of previously unknown users, without requiring pre-existing trust relationships between users and the system, by using reverse Graphic Turing Tests. Furthermore, our system makes it easy for service providers to charge users, providing incentives to a commercial offering of the service. Users can dynamically decide whether to use the WebSOS overlay, based on the prevailing network conditions. Our prototype requires no modifications to either servers or browsers, and makes use of Graphical Turing Tests, web proxies, and client authentication using the SSL/TLS protocol, all readily supported by modern browsers. We then extend this system with a credential-based micropayment scheme that combines access control and payment authorization in one operation. Turing tests ensure that malicious code, such as a worm, cannot abuse a user’s micropayment wallet. We use the WebSOS prototype to conduct a performance evaluation over the Internet using PlanetLab, a testbed for experimentation with network overlays. We determine the end-to-end latency using both a chord-based approach and our shortcut extension. Our evaluation shows the latency increase by a factor of 7 and 2 respectively, confirming our simulation results.

Kernel-based control of persistent web server connections

Several overload admission control architectures have been developed to protect web servers from overload. Some of these architectures base their admission decision on information found in the HTTP header. In this context, persistent connections represent a challenging problem since the HTTP header of the first request does not reveal any information about the resource consumption of the requests that might follow on the same connection. In this paper, we present an architecture that prevents uncontrollable server overload caused by persistent connections. We evaluate our approach by various experiments.