CT-ISG: Multi-Model Anomaly Detection for Web-Based Applications

CT-ISG：基于 Web 应用程序的多模型异常检测

• 批准号: 0524853
• 负责人: Giovanni Vigna
• 金额: $ 45万
• 依托单位: University of California-Santa Barbara
• 依托单位国家: 美国
• 项目类别: Continuing grant
• 财政年份: 2005
• 资助国家: 美国
• 起止时间: 2005-08-15 至 2010-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0524853&HistoricalAwards=false
• 关键词: CT; ISG; Multi; Model; Anomaly

Proposal ID: 0524853Title: Multi-Model Anomaly Detection for Web-based ApplicationsPI: Giovanni VignaWeb-based systems are a composition of infrastructure components, such as web servers and databases, and of application-specific code, such as HTML-embedded scripts and server-side applications. While infrastructure components are usually developed by experienced programmers with solid security skills, application-specific code is often developed by programmers with little security training. As a result, vulnerable web-applications are deployed and made available to the whole Internet, creating easily-exploitable entry points for the compromise of entire networks. Unfortunately, existing signature-based intrusion detection solutions are not sufficient because Web-applications often implement custom, site-specific services for which there is no known signature or model.The goal of this research is to develop intrusion detection tools that use novel anomaly detection techniques to autonomously learn the normal behavior of web-based systems. These tools will enable the detection of known and unknown attacks against both standard and custom-developed web-based applications without requiring expert knowledge. This effort is developing a multi-stream, multi-model anomaly detection approach to provide a more effective characterization of the behavior of web-based applications. The use of multiple anomaly models applied to different event streams (such as network packets, web requests, and system calls) allows for the creation of rich, multi-dimensional profiles that characterize different aspects of the behavior of web applications.These intrusion detection tools have the potential of providing early warning against novel attacks and can be easily deployed on existing systems without requiring substantial security expertise. As a consequence, these tools will substantially improve the security of a wide range of critical applications.

提案ID：0524853标题：基于Web的应用程序的多模型异常检测PI：Giovanni Vigna基于Web的系统由基础设施组件(如Web服务器和数据库)和特定于应用程序的代码(如嵌入HTML的脚本和服务器端应用程序)组成。虽然基础设施组件通常由具有扎实安全技能的经验丰富的程序员开发，但特定于应用程序的代码通常是由几乎没有安全培训的程序员开发的。结果，易受攻击的Web应用程序被部署并提供给整个互联网，为整个网络的危害创造了易于利用的入口点。遗憾的是，现有的基于特征的入侵检测解决方案是不够的，因为Web应用程序经常实现定制的、特定于站点的服务，而这些服务没有已知的特征或模型。本研究的目标是开发入侵检测工具，使用新的异常检测技术来自主学习基于Web的系统的正常行为。这些工具将能够检测针对标准和定制开发的基于Web的应用程序的已知和未知攻击，而不需要专业知识。这项工作正在开发一种多流、多模型的异常检测方法，以更有效地表征基于Web的应用程序的行为。使用应用于不同事件流(如网络数据包、Web请求和系统调用)的多个异常模型，可以创建丰富的多维配置文件，这些配置文件表征Web应用程序行为的不同方面。这些入侵检测工具具有针对新型攻击提供早期预警的潜力，并且可以轻松部署在现有系统上，而不需要大量的安全专业知识。因此，这些工具将大大提高各种关键应用程序的安全性。