SensorWebIDS: a web mining intrusion detection system

C.I. Ezeife (School of Computer Science, University of Windsor, Windsor, Canada)
Jingyu Dong (Amazon.com, Seattle, Washington, USA)
A.K. Aggarwal (School of Computer Science, University of Windsor, Windsor, Canada)

International Journal of Web Information Systems

ISSN: 1744-0084

Article publication date: 4 April 2008

Abstract

Purpose

The purpose of this paper is to propose a web intrusion detection system (IDS), SensorWebIDS, which applies data mining together with anomaly and misuse intrusion detection to the web environment.

Design/methodology/approach

SensorWebIDS has three main components: a network sensor that extracts parameters from real-time network traffic, a log digger that extracts parameters from web log files, and an audit engine that analyzes all web request parameters for intrusions. To catch attacks such as buffer overflows, SensorWebIDS uses an algorithm based on the empirical rule for the standard deviation (δ), namely that 99.7 percent of normally distributed data lies within 3δ of the mean, to derive the maximum expected value length of each input parameter. Association rule mining is used to learn the frequent parameter lists and their sequential order, against which incoming requests are checked to identify intrusions.

Findings

Experiments show that the proposed system has a higher detection rate than Snort and ModSecurity for classes of web intrusion such as cross-site scripting, SQL injection, session hijacking, cookie poisoning, denial of service, buffer overflow, and probe attacks.

Research limitations/implications

Future work may extend the system to detect intrusions delivered through hacking tools rather than as plain HTTP requests, or embedded in non-basic resources such as multimedia files; track illegitimate web users by their prior web-access sequences; enforce minimum and maximum values for integer data; and automate the pre-processing of training data so that it is clean and free of intrusions, which accurate detection depends on.

Practical implications

Web service security, as a branch of network security, is becoming more important as more business and social activities move online to the web.

Originality/value

Existing network IDSs are not directly applicable to web intrusion detection, because they mostly operate at the lower (network/transport) layers of the network model, while web services run at the higher (application) layer. The proposed SensorWebIDS detects XSS and SQL injection attacks through signatures, while other attack types are detected using association rule mining and statistics to compute the frequent parameter-list order and the maximum value length of each parameter.
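As an added illustration of the three detection stages described in the design/methodology and originality sections (signatures for XSS and SQL injection, a mean + 3δ bound on parameter value length, and a check on which parameters appear together and in what order), here is a toy audit engine. This is example code written for this page, not the authors' SensorWebIDS; the training log, resource paths, parameter names and signature patterns are all constructed assumptions, and the frequent-sequence stage is a simplified stand-in for the paper's association rule mining.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed, clean training log (path + query string per request). The paper
# notes that training data must be free of intrusions; a poisoned baseline
# would silently widen the learned length bounds.
TRAINING_LOG = [
    "/login?user=alice&pass=secret1&lang=en",
    "/login?user=bob&pass=hunter22&lang=en",
    "/login?user=carol&pass=p4ssw0rd&lang=fr",
    "/login?user=dave&pass=letmein&lang=en",
    "/login?user=erin&pass=qwerty123&lang=de",
    "/search?q=shoes&page=1",
    "/search?q=running+shoes&page=2",
    "/search?q=jacket&page=10",
    "/search?q=socks&page=3",
]

# Hypothetical signatures for the two classes the abstract says are matched by
# signature. They run on *decoded* values: matching still-percent-encoded text
# would miss trivially encoded payloads.
SIGNATURES = {
    "xss": re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I),
    "sqli": re.compile(r"union\s+select|'\s*or\s+|--\s*$|;\s*(drop|shutdown)\b", re.I),
}


def parse_request(line):
    """Split a request line into its path and an ordered list of (name, value).
    parse_qsl percent-decodes values, so the signatures see what the server sees."""
    parts = urlsplit(line)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def train(lines):
    """Learn, per resource, the parameter-name sequences seen and, per parameter,
    a maximum value length of mean + 3*sigma (the abstract's empirical-rule bound)."""
    lengths = defaultdict(list)
    sequences = defaultdict(set)
    for line in lines:
        path, params = parse_request(line)
        sequences[path].add(tuple(name for name, _ in params))
        for name, value in params:
            lengths[(path, name)].append(len(value))
    max_len = {}
    for key, vals in lengths.items():
        max_len[key] = statistics.mean(vals) + 3 * statistics.pstdev(vals)
    return {"max_len": max_len, "sequences": dict(sequences)}


def audit(model, line):
    """Return the list of alerts raised for one request (empty list = benign)."""
    path, params = parse_request(line)
    if path not in model["sequences"]:
        return ["unknown-path"]
    alerts = []
    for name, value in params:
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(value):
                alerts.append(f"signature:{sig_name}:{name}")
        bound = model["max_len"].get((path, name))
        # Unknown parameters have no length model; the sequence check flags them.
        if bound is not None and len(value) > bound:
            alerts.append(f"length:{name}")
    if tuple(name for name, _ in params) not in model["sequences"][path]:
        alerts.append("sequence")
    return alerts


if __name__ == "__main__":
    model = train(TRAINING_LOG)
    for req in [
        "/login?user=alice&pass=secret1&lang=en",
        "/login?user=" + "A" * 300 + "&pass=x&lang=en",
        "/search?q=%3Cb%20onload%3Dx%3E&page=1",
        "/login?user=ad'--&pass=x&lang=en",
        "/search?q=shoes&page=1&debug=1",
    ]:
        print(req[:60], "->", audit(model, req) or "ok")
```

Two points worth noting when reading it against the abstract. The length bound is only an upper bound, which is why an oversized `user` value is flagged but a one-character password is not; the authors list minimum/maximum values for integer data as future work. And the sequence stage catches an extra `debug` parameter only because the training log never contained it, so the quality of the baseline decides both the false-positive and the miss rate.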

Citation

Ezeife, C.I., Dong, J. and Aggarwal, A.K. (2008), "SensorWebIDS: a web mining intrusion detection system", International Journal of Web Information Systems, Vol. 4 No. 1, pp. 97-120. https://doi.org/10.1108/17440080810865648

Publisher

Emerald Group Publishing Limited

Copyright © 2008, Emerald Group Publishing Limited