
Ontology for attack detection: An intelligent approach to web application security


Abstract

Conventional detection techniques struggle to keep up with the inherent complexity of web application design and hence the ever-growing variety of attacks that can exploit it. Security frameworks modeled using an ontological approach are a promising new line of defense that can be highly effective in detecting zero-day and sophisticated web application attacks, because they can capture the context of the contents of information such as HTML pages or in-line scripts and have the ability to filter these contents by taking into consideration their consequences to the target applications. The goal of this article is to demonstrate how an ontology-engineering methodology may be systematically applied for designing and evaluating such security systems. A detailed ontological model is shown that caters to the generalized working of web applications, the underlying communication protocols and attacks. More specifically, because the proposed ontological model captures the context, it can not only detect HTTP protocol specification attacks but also helps focus only on specific portions of the request and response where a malicious script is possible. The model also captures the context of important attacks, the various technologies used by the hackers, the source, target and vulnerabilities exploited by the attack, the impact on system components and the controls for mitigation. A comprehensive and best metrics suite for ontology evaluation, which includes correctness, accuracy, consistency, soundness, task orientation, completeness, conciseness, expandability, reusability, clarity, integrity, efficiency and expressiveness, has been used for assessing the quality of the proposed model. The proposed model ranked well against the above-mentioned metrics. Moreover, a prototype attack detection system based upon the proposed model showed improved performance and detection rate and a low rate of false positives while detecting OWASP's top ten listed web attacks.

Bibliographic record

  • Source
    Computers & Security | 2014, Issue 9 | pp. 124-146 | 23 pages
  • Author affiliations

    School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology, Islamabad, Pakistan;

    School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology, Islamabad, Pakistan;

    School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology, Islamabad, Pakistan; College of Computer Sciences and Information Technology (CCSIT), King Faisal University, Alahssa 31982, Kingdom of Saudi Arabia;

    School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology, Islamabad, Pakistan;

    School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology, Islamabad, Pakistan;

  • Indexed in: Science Citation Index (SCI), USA; Engineering Index (EI), USA;
  • Original format: PDF
  • Language of text: eng
  • Chinese Library Classification
  • Keywords

    Web application security; Ontology based intelligent system; Semantic security; Cyber security; Information security;

