SLIDE 1

Comparison of different threshold values for a wavelet designed attack sensor

  • C. Cappo (1)
  • C. Schaerer (1)
  • A. Kozakevicius (2)
  • R. Ceretta (2)
  • B. Mozaquattro (2)

(1) Polytechnic School, National University of Asunción, Paraguay

(2) Technology Center, Federal University of Santa María, RS, Brasil

CNMAC 2012 - XXXIV Congresso Nacional de Matemática Aplicada e Computacional

SLIDE 2


Outline

1. Introduction: Motivation; Anomaly detection
2. Our approach to detect anomalies in web applications: Main characteristics; Wavelet Transform Theory; Wavelet Algorithm for attack Detection
3. The paper proposal work: Our objectives; Experiments and Results
4. Conclusions and future Work

Cappo,Schaerer,Kozakevicius,Ceretta and Mozaquattro Comparison of threshold values for a wavelet-based attack sensor

SLIDE 9


Motivation

  • The Internet has become a habitual tool used by millions of people in the world.
  • The use of web applications such as blogs, news sites, social networks, webmail and e-commerce, among many others, has become conventional.
  • Protecting these applications from attacks is a critical issue.
  • One form of protection is to use an Intrusion Detection System (IDS).
  • There are two main approaches to the design of IDS detection algorithms: signature-based and anomaly-based.
  • We focus on the design of anomaly-based detection algorithms.

SLIDE 14


Anomaly-based approach

  • The analysis is based on observing any substantial variation of a specific characteristic with respect to the commonly determined behavior.
  • A significant deviation from the usual behavior is considered an anomaly, and hence an attack.
  • It does not need knowledge of previous attack patterns.
  • It can potentially detect novel attacks.

SLIDE 19


Anomaly Detection in Web Applications

In the context of web applications this approach has the following advantages:

  • No requirement of a priori knowledge of the web application.
  • Capacity of self-adaptation to periodic maintenance of the web applications in focus.
  • Capacity to detect polymorphic and unknown attacks.
  • Ability to protect custom-developed web applications.

We focus on anomaly-based algorithms to detect attacks against web applications.

SLIDE 22


Characteristics (1)

Web attack detection using an anomaly-based detection technique, presented in the Journal of Applied Computing Research.

The detector analyzes the HTTP requests sent to the web application:

[IP] - - [TS] "GET /page.php?p=calAcad HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=allnews HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=trabajo HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.0" ..
[IP] - - [TS] "GET /page.php?p=mapsite HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=admision HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=ingeInfo HTTP/1.1" ..
[IP] - - [TS] "GET /page.php?p=materias HTTP/1.0" ..
[IP] - - [TS] "GET /page.php?p=examenes HTTP/1.1" ..

The data analyzed for the anomaly detection is the URL query string of the HTTP request.

SLIDE 23


Characteristics (2)

  • The data model is based on the character distribution of the URL query string.
  • The method does not require (attack-free) training data.
  • We use the Discrete Wavelet Transform (DWT), particularly the bidimensional discrete wavelet transform.

SLIDE 24


Modeling the anomaly using the character distribution

Figure: an analyzed window without attacks. Panels a) and b) plot the frequency of each ASCII code (axis: ASCII) for each request of the window (axis: HTTP Request).

SLIDE 25


Modeling the anomaly using the character distribution

Figure: an analyzed window with two attacks. Panels a) and b) plot the frequency of each ASCII code (axis: ASCII) for each request of the window (axis: HTTP Request); the two attacks are labelled A1 and A2.

SLIDE 27


Wavelets - Introduction

  • The wavelet transform extracts information from the analyzed data at different resolution levels.
  • It describes a signal in terms of a coarse overall shape plus a family of details.
  • In the bidimensional case, the input data is given as a matrix, and the 2D Discrete Wavelet Transform consists of performing the 1D wavelet transform on all rows and then on all columns.

SLIDE 28


One-Dimensional Wavelet Transform (TW1D)

The TW1D is stated as follows: taking as initial input data a vector $c_{J,s}$, $s = 0, \ldots, M_J - 1$, at the finest level $J$, with $M_J = 2^J$ points, we have the following relations for $p$ levels, $j = J, J-1, \ldots, J-p$:

$$c_{j-1,i} = \sum_{k=0}^{2N-1} L_k \, c_{j,2i+k}, \quad i = 0, \ldots, M_{j-1} - 1, \qquad (1)$$

$$d_{j-1,i} = \sum_{k=0}^{2N-1} H_k \, c_{j,2i+k}, \quad i = 0, \ldots, M_{j-1} - 1. \qquad (2)$$

Definition. Considering an orthonormal family of wavelet functions, the transform is defined by a low-pass filter $L$ and a high-pass filter $H$, each of size $2N$.

SLIDE 31


One-Dimensional Wavelet Transform (TW1D)

The vector $c_{j-1,i}$ holds the coarser information and the vector $d_{j-1,i}$ the wavelet coefficients, both with $M_{j-1} = M_j / 2$ points. We use the Haar wavelet family ($N = 1$), whose filters are

$$L_0 = \frac{1}{\sqrt{2}}, \quad L_1 = \frac{1}{\sqrt{2}}, \quad H_0 = \frac{1}{\sqrt{2}}, \quad H_1 = -\frac{1}{\sqrt{2}}.$$

We use the Haar transform because:

  • it has simple and fast algorithms;
  • it has no boundary problems;
  • it has ideal compact support (the shortest support), which matters for preserving the location of the anomalies.

SLIDE 32


Algorithm 1: Decomposition
  Input: C[1..M]
  while M > 1 do
      DecompositionStep(C[1..M])
      M ← M / 2
  end
  return

Algorithm 2: DecompositionStep
  Input: C[1..M]
  C′ ← 0
  for i ← 1 to M/2 do
      C′[i] ← (C[2i − 1] + C[2i]) / √2
      C′[M/2 + i] ← (C[2i − 1] − C[2i]) / √2
  end
  C ← C′
  return

SLIDE 33


Bi-Dimensional Wavelet Transform (TW2D)

Algorithm 3: TW2D
  Input: X[1..h, 1..h]
  while h > 1 do
      for row ← 1 to h do
          DecompositionStep(X[row, 1..h])
      end
      for col ← 1 to h do
          DecompositionStep(X[1..h, col])
      end
      h ← h / 2
  end
  return

Figure: TW2D scheme for one transformation level.

SLIDE 34


Thresholding Operation

This operation is used to select the most significant wavelet coefficients and to discard irrelevant information; usually it is applied for signal denoising. We use the threshold value $\lambda$ as the limit of the normal wavelet coefficients: when $|d_k(j)| > \lambda$, the position $k$ associated with level $j$ is considered anomalous. To compute the threshold value we use the Universal Threshold,

$$\lambda = \sigma \sqrt{2 \log T},$$

where $\sigma$ and $T$ are the standard deviation and the number, respectively, of the wavelet coefficients.

SLIDE 36


Data Model

The character frequencies of the data collected from the web server are organized in the input matrix. The input matrix is $X_{rc}$, $0 \le r \le 255$ and $1 \le c \le m$, where $r$ is the ASCII code, $c$ indexes the request and $m$ is the number of requests.

SLIDE 37


Detection with TW2D

Figure: an analyzed window with one attack (labelled A1). Panels a) and b) plot the frequency of each ASCII code (axis: ASCII) for each request of the window (axis: HTTP Request).

Figure: the TW2D of the analyzed window above. Panels a) and b) plot abs(Coefficient) over the same axes, showing the four blocks (cc), (cd), (dc) and (dd).

SLIDE 38


Attack Detection Algorithm

The TW2D generates four blocks of coefficients: the approximation block (cc) and three detail blocks (cd, dc, dd). When a wavelet coefficient (of any block) is greater than $\lambda$, its associated request is considered anomalous. $\lambda$ is computed using the Universal Threshold value proposed by Donoho & Johnstone, multiplied by a correction factor that depends on the application analyzed.

The algorithm is summarized below.
  Input: the matrix X.
  Step 1: apply one level of the TW2D to X.
  Step 2: for each subband (cd, dc, dd), compute a threshold limit λ.
  Step 3: for each subband (cd, dc, dd), mark the position (x, y) if |d_xy| > λ.
  Step 4: if the position (x, y) was marked in at least two subbands, it corresponds to an attack.
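The data model, the Haar decomposition step, the one-level TW2D and Steps 1 to 4 above, as an added worked example in Python. This is not the authors' code: the log window is constructed (documentation IP, synthetic timestamps, the normal query strings copied from the slides, and one synthetic anomalous query), and the Apache-style log format, the assignment of the three detail quadrants to the names cd, dc and dd, the mapping of a subband column back to a pair of requests, and the use of the population standard deviation for σ are this example's assumptions.

```python
import math
import re
import statistics
from urllib.parse import urlparse

SQRT2 = math.sqrt(2.0)
# Normal query strings copied from the requests shown on the slides.
NORMAL_QUERIES = ["p=calAcad", "p=allnews", "p=trabajo", "p=ingeInfo",
                  "p=mapsite", "p=admision", "p=materias", "p=examenes"]
# Constructed anomaly: characters that never occur in the normal traffic above, repeated so
# that its column of X differs strongly from its neighbours. A synthetic stand-in, not a payload.
ANOMALOUS_QUERY = "p=" + "@$%^&*()!" * 20
# Request line of the log format shown on the slides (assumed Apache-style access log).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def constructed_log_window(anomaly_at=None, size=256):
    """Constructed log lines (documentation IP, synthetic timestamps): one window of `size` requests."""
    lines = []
    for c in range(size):
        q = ANOMALOUS_QUERY if c == anomaly_at else NORMAL_QUERIES[c % len(NORMAL_QUERIES)]
        lines.append('192.0.2.1 - - [11/Jan/2010:20:41:%02d -0300] "GET /page.php?%s HTTP/1.1" 200'
                     % (c % 60, q))
    return lines

def query_strings(log_lines):
    """Extract the URL query string of every request: the data the detector analyzes."""
    out = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        out.append(urlparse(m.group(1)).query if m else "")
    return out

def char_frequency_matrix(queries):
    """Data model: X[r][c] = occurrences of ASCII code r in request c (256 rows x m requests)."""
    x = [[0.0] * len(queries) for _ in range(256)]
    for c, q in enumerate(queries):
        for ch in q:
            if ord(ch) < 256:  # characters outside the model's 256 rows are ignored
                x[ord(ch)][c] += 1.0
    return x

def decomposition_step(c, m=None):
    """Algorithm 2 (Haar): coarse part into c[0:m/2], detail part into c[m/2:m], in place."""
    m = len(c) if m is None else m
    half = m // 2
    new = [0.0] * m
    for i in range(half):
        new[i] = (c[2 * i] + c[2 * i + 1]) / SQRT2
        new[half + i] = (c[2 * i] - c[2 * i + 1]) / SQRT2
    c[:m] = new
    return c

def tw2d_one_level(x):
    """Algorithm 3 for a single level: a Haar step on every row, then on every column."""
    h = len(x)
    assert all(len(row) == h for row in x), "TW2D expects a square h x h window"
    y = [list(row) for row in x]
    for row in y:
        decomposition_step(row, h)
    for col in range(h):
        column = [y[r][col] for r in range(h)]
        decomposition_step(column, h)
        for r in range(h):
            y[r][col] = column[r]
    return y

def universal_threshold(coeffs, kappa=1.0):
    """Donoho-Johnstone universal threshold sigma*sqrt(2 log T), scaled by the slides' factor kappa."""
    return kappa * statistics.pstdev(coeffs) * math.sqrt(2.0 * math.log(len(coeffs)))

def detect_attacks(x, kappa=5.0):
    """Steps 1-4 of the detection algorithm; returns the sorted indices of anomalous requests."""
    y = tw2d_one_level(x)  # Step 1
    half = len(y) // 2
    # Quadrant naming is this example's assumption: top-right cd, bottom-left dc, bottom-right dd.
    bands = [[row[half:] for row in y[:half]],
             [row[:half] for row in y[half:]],
             [row[half:] for row in y[half:]]]
    marks = {}
    for band in bands:
        lam = universal_threshold([v for row in band for v in row], kappa)  # Step 2
        for i, row in enumerate(band):
            for j, v in enumerate(row):
                if abs(v) > lam:  # Step 3
                    marks[(i, j)] = marks.get((i, j), 0) + 1
    flagged = set()
    for (i, j), n in marks.items():
        if n >= 2:  # Step 4: marked in at least two subbands
            flagged.update((2 * j, 2 * j + 1))  # subband column j covers request pair (2j, 2j+1)
    return sorted(flagged)

if __name__ == "__main__":
    clean = char_frequency_matrix(query_strings(constructed_log_window()))
    dirty = char_frequency_matrix(query_strings(constructed_log_window(anomaly_at=100)))
    print("clean window, kappa=5:", detect_attacks(clean, 5.0))
    print("clean window, kappa=1: %d requests flagged" % len(detect_attacks(clean, 1.0)))
    print("window with anomaly at 100, kappa=5:", detect_attacks(dirty, 5.0))
```

On the constructed window, κ = 1 already flags normal request pairs (the ordinary differences between neighbouring query strings exceed the unscaled universal threshold), while κ = 5 flags only the pair containing the inserted request. Since the Haar detail of a request pair cannot tell the two requests apart, the detector reports both indices of the pair; narrowing to one request would need a second criterion outside the slides' algorithm.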

SLIDE 40


Our objectives

  • Evaluate alternatives for computing the threshold value λ used in the algorithm shown above.
  • Obtain a threshold value that does not depend on the correction factor proposed in the previous work.

SLIDE 41


Alternatives evaluated for the threshold value λ

Definition. $T$ is the number of wavelet coefficients and $G$ is the set of wavelet coefficients of each block considered.

κL: $\lambda = \kappa \cdot \sigma \cdot \sqrt{2 \log T}$, where $\kappa$ is the correction parameter and $\sigma$ is the standard deviation of the wavelet coefficients.

MAD (Median Absolute Deviation): $\lambda = \hat{\sigma} \cdot \sqrt{2 \log T}$, with $\hat{\sigma} = 1.4826 \cdot \mathrm{mad}$ and $\mathrm{mad} = \gamma(|d_i - \gamma(G)|)$, $i = 1, \ldots, T$, where $\gamma(\cdot)$ is the median of the set.

AD (Mean of the absolute deviation from the median): $\lambda = \mathrm{ad} \cdot \sqrt{2 \log T}$, with $\mathrm{ad} = \frac{1}{N} \sum_{i=1}^{N} |d_i - \mu(G)|$, $i = 1, \ldots, T$, where $\mu(\cdot)$ is the mean of the set.

MM (Mean of the neighbors of the median): $\lambda = \mathrm{mm} \cdot \sqrt{2 \log T}$, with $\mathrm{mm} = \frac{\gamma_l + \gamma_r}{2}$, where $\gamma_l$ and $\gamma_r$ are the left and right neighbors of the median $\gamma$.
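The four threshold rules above, as an added example in Python (not the authors' code). The coefficient set SAMPLE_G is constructed: eight small detail coefficients plus one outlier standing in for an attack's coefficient, so that the effect of that outlier on each estimator is visible. The treatment of an even-sized set in mm, the use of the population standard deviation for σ, and the use of the set size T as the N in the ad formula are this example's assumptions.

```python
import math
import statistics

def sqrt_2_log(t):
    """The common factor sqrt(2 log T) shared by all four threshold rules."""
    return math.sqrt(2.0 * math.log(t))

def kappa_l_threshold(g, kappa=1.0):
    """kappaL: lambda = kappa * sigma * sqrt(2 log T), sigma = standard deviation of G."""
    return kappa * statistics.pstdev(g) * sqrt_2_log(len(g))

def mad(g):
    """mad = median(|d_i - median(G)|): the outlier moves only one of the sorted deviations."""
    med = statistics.median(g)
    return statistics.median([abs(d - med) for d in g])

def mad_threshold(g):
    """MAD: lambda = 1.4826 * mad * sqrt(2 log T)."""
    return 1.4826 * mad(g) * sqrt_2_log(len(g))

def ad(g):
    """ad = (1/T) * sum |d_i - mean(G)|, using T for the slide's N (assumption)."""
    mu = statistics.fmean(g)
    return sum(abs(d - mu) for d in g) / len(g)

def ad_threshold(g):
    """AD: lambda = ad * sqrt(2 log T)."""
    return ad(g) * sqrt_2_log(len(g))

def mm(g):
    """mm = (gamma_l + gamma_r) / 2, the mean of the two sorted neighbours of the median."""
    s = sorted(g)
    k = len(s) // 2  # median position for odd T; for even T the upper median is used (assumption)
    left = s[k - 1] if k >= 1 else s[k]
    right = s[k + 1] if k + 1 < len(s) else s[k]
    return (left + right) / 2.0

def mm_threshold(g):
    """MM: lambda = mm * sqrt(2 log T)."""
    return mm(g) * sqrt_2_log(len(g))

def anomalous_positions(g, lam):
    """Positions i whose coefficient exceeds the threshold, |d_i| > lambda."""
    return [i for i, d in enumerate(g) if abs(d) > lam]

def all_thresholds(g, kappa=1.0):
    return {"kappaL": kappa_l_threshold(g, kappa), "MAD": mad_threshold(g),
            "AD": ad_threshold(g), "MM": mm_threshold(g)}

# Constructed coefficient set: eight ordinary detail coefficients and one outlier (12.0)
# standing in for the wavelet coefficient of an attack request.
SAMPLE_G = [0.0, 0.5, -0.5, 1.0, -1.0, 2.0, -2.0, 12.0, 0.0]

if __name__ == "__main__":
    for name, lam in all_thresholds(SAMPLE_G).items():
        print("%-6s lambda = %.3f  marks positions %s" % (name, lam, anomalous_positions(SAMPLE_G, lam)))
    print("kappaL with kappa=5: lambda = %.3f" % kappa_l_threshold(SAMPLE_G, 5.0))
```

On SAMPLE_G the single outlier inflates σ, so κL with κ = 1 still isolates it but κ = 5 pushes λ above every coefficient and misses it; AD is inflated less (the mean absolute deviation grows linearly, not quadratically), and MAD, built on the median, is hardly affected. MM gives the lowest threshold here and also marks the ordinary coefficients of magnitude 1 and 2, which is the false-positive behaviour the results slide reports for it. A caveat for practitioners: if more than half of the coefficients in a block are exactly zero, mad (and possibly mm) is zero and the threshold collapses to zero, so the set G fed to these estimators needs care.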

SLIDE 43


Dataset for experiments

The dataset contains the queries sent by clients to a web server, in log format, for instance:

170.51.19.9 - - [11/Jan/2010:20:41:19 -0300] "GET /page.php?p=calAcad HTTP/1.1" 200

The data collected corresponds to three months of web traffic of the Polytechnic School web server. The total number of requests was 59248, and 232 windows were processed in total. The attacks were inserted manually into the dataset and included the following attack types: Directory Traversal, Code-Red and Cross Site Scripting (XSS).

SLIDE 44


Detection with the analyzed thresholding methods

False positives (FP) and true positives (TP) per thresholding method, by number of inserted attacks (cells left empty on the slide are read as 0):

Attacks | κL, κ=1 (FP/TP) | κ=2 (FP/TP) | κ=3 (FP/TP) | κ=4 (FP/TP) | κ=5 (FP/TP) | MAD (FP/TP) | AD (FP/TP) | MM (FP/TP)
   0    | 15971/0  | 1939/0  | 14/0  | 2/0  | 0/0  | 0/0  | 0/0  | 2/0
   1    | 15970/1  | 1934/1  | 15/1  | 3/1  | 0/1  | 0/1  | 0/1  | 2/1
   2    | 15969/2  | 1934/2  | 14/2  | 2/2  | 0/2  | 0/2  | 0/2  | 2/2
   3    | 15911/3  | 1934/3  | 14/3  | 3/3  | 0/3  | 0/3  | 0/3  | 2/3
   4    | 15909/4  | 1934/4  | 14/4  | 2/4  | 0/4  | 0/4  | 0/4  | 2/4
   5    | 15887/5  | 1874/5  | 28/5  | 1/5  | 0/5  | 0/5  | 0/5  | 0/5
  10    | 15774/10 | 1940/10 | 15/10 | 2/10 | 0/10 | 0/10 | 0/10 | 2/10
  20    | 15420/20 | 1876/20 | 16/20 | 1/20 | 0/20 | 0/20 | 0/20 | 1/20

The best results are obtained with 5L (κ = 5), MAD and AD: they detect all the inserted attacks without false positives (highlighted in blue on the slide). MM detects all the inserted attacks but with some false positives (highlighted in red on the slide).

SLIDE 45


Comparisons of thresholding methods in each subband

Figure: |d_i| of the coefficients in each subband (dc, cd, dd) for case A (without attack) and case B (with five attacks), together with the maximum coefficient value and the 5L, MAD, AD and MM threshold levels (legend entries: Max value, 5L, MAD, AD, MM).

SLIDE 46


Conclusions and future Work

  • We tested four alternatives for estimating the threshold value responsible for selecting the wavelet coefficients associated with attacks.
  • The threshold values computed using the mean absolute deviation (AD) and the median absolute deviation (MAD) are similar in effectiveness to κL, while avoiding any evaluation of external parameters.
  • The advantage of the AD and κL methods is that they are of lower computational cost.
  • The MM threshold strategy can be considered an acceptable alternative.
  • In future work, we will analyze the behavior of these four threshold strategies on other databases.

SLIDE 47


Thanks for your attention!! Questions?
