SensorWebIDS: a web mining intrusion detection system

Purpose of this Paper: Paper proposes a web intrusion detection system, SensorWebIDS, which applies data mining, anomaly and misuse intrusion detection on web environment. Design Approach: SensorWebIDS has three main components: the Network Sensor for extracting parameters from real-time network traffic, the Log Digger for extracting parameters from web log files and the Audit Engine for analyzing all web request parameters for intrusion detection. To combat web intrusions like buffer-over-flow attack, SensorWebIDS utilizes an algorithm based on standard deviation (σ) theory’s empirical rule of 99.7% of data lying within 3σ of the mean, to calculate the possible maximum value length of input parameters. Association rule mining technique is employed for mining frequent parameter list and their sequential order to identify intrusions. Findings: Experiments show that proposed system has higher detection rate for web intrusions than SNORT and mod Security for such classes of web intrusions like cross site scripting, SQL-Injection, session hijacking, cookie poison, denial of service, buffer overflow, and probes attacks. Research Limitations: Future work may extend the system to detect intrusions implanted with hacking tools and not through straight HTTP requests or intrusions embedded in non-basic resources like multimedia files and others, track illegal web users with their prior web access sequences, implement minimum and maximum values for integer data, and automate the process of pre-processing training data so that it is clean and free of intrusion for accurate detection results Practical Implications: Web service security, as a branch of network security, is becoming more important as more business and social activities are moved on-line