
2006 2nd Joint Workshop between Security Research Labs in JAPAN and KOREA: Profile-based Web Application Security System (2006-2-20, Kyungtae Kim, High Performance Computing Lab at Postech)


Slide 1: Profile-based Web Application Security System
2006 2nd Joint Workshop between Security Research Labs in JAPAN and KOREA
2006-2-20
Kyungtae Kim, High Performance Computing Lab at Postech

Slide 2: Contents
- Introduction
- Related Works
  - Application-Level Web Security Policies
  - Anomaly Detection of Web-based Attacks
- Problem Definition
- Proposed Idea
  - Dynamic Model Organization
  - Detection Models
  - Applying Methods
- Conclusion & Future Works

Slide 3: Introduction
- Application-level web attack
  - Uses vulnerabilities in the code of a web application.
  - Can't be covered by traditional methods.
- Unvalidated input: the most critical vulnerability
  - Cross Site Scripting (XSS): the attacker uses a trusted application/company to reflect malicious code to the end-user.
  - Buffer Overflows: the attacker attempts to store more data in a buffer than there is memory allocated for it.
  - Injection Attacks: the attacker relays malicious code in form variables or the URL.

Slide 4: Related Works (1/3): [1] Policy-based Web Application Firewall
- Specifies the policy
- Translates the SPDL into server-side code
- Filters the HTTP messages between the web server and the client
- Automates the policy creation (not fully automated)
- Policy: defining validation rules (length, type, etc.)
Reference [1]: David Scott and Richard Sharp, "Specifying and Enforcing Application-Level Web Security Policies", IEEE, 2003.

Slide 5: Related Works (2/3): [2] Multi-model Approach (1/2)
- Anomaly detection method: profile-based, using positive models (models of normal behavior)
- Operation of positive models
  - Training phase: determining the characteristics of normal events
  - Detection phase: assessing the anomaly of an event and reporting anomalous events
Reference [2]: Christopher Kruegel and Giovanni Vigna, "A multi-model approach to the detection of web-based attacks", 2005.

Slide 6: Related Works (3/3): [2] Multi-model Approach (2/2)
- Multi-model
  - Widens the coverage of detection
  - Prevents an attacker from manipulating input to evade one specific model
- Detection models: Attribute Length, Attribute Character Distribution, Structural Inference, Token Finder, Attribute Presence or Absence, Attribute Order
- Anomaly score (for each attribute): derived from the probability values returned by the models

Slide 7: Problem Definition
- Shortcomings of related works
  - [1] Policy-based: not an automated method; the policy is too simple
  - [2] Multi-model approach: applies all models to all attributes, so detection is slow; ignores each attribute's characteristics
- Problem definition: propose a new application-level web security system that uses an automated method and operates in real time.

Slide 8: Proposed Idea (1/8): System Overview
[Figure: User -> application-level firewall at the server's gateway (filtering GET and POST requests) -> Web Server -> Web Application -> DB]
- Method: profile-based anomaly detection
- Target: application-level web attacks (especially input manipulation)
- Goal: high speed, low false positive rate
- Operation: application-level firewall on the server's gateway

Slide 9: Proposed Idea (2/8): Dynamic Model Organization - Necessity
- Each attribute has its own characteristics.
- Some models can disturb the division between normal and abnormal values of a specific attribute. Example: a user ID has a dynamic character distribution, so some normal values are misjudged as anomalies ('aaaa' vs ' ').
- On most attributes, a small set of models is what matters for detection. Deciding the set of models in advance gives faster detection.

Slide 10: Proposed Idea (3/8): Dynamic Model Organization - Method
- Training phase
  - Making statistics of each attribute of each URL
  - Determining model sets based on the statistics
- Detection phase
  - Finding the statistics and model set for the URL, and applying those models
[Figure: statistics (profile) and model set per attribute]
  URL1 attribute1  len μ 12.2, len σ 4.3, ...   Length, Character Composition
  URL1 attribute2  len μ 6,    len σ 0,   ...   Value Range
  URL1 attribute3  len μ 5,    len σ 2.1, ...   Length, Token Finder
  URL2 attribute1  len μ 21.3, len σ 6.2, ...   Length, Character Distribution
  URL2 attribute2  len μ 32.1, len σ 11.6, ...  Length, Character Composition, Structural Inference
  Target URL: URL1?attribute1=value1&attribute2=value2&... -> apply the Length and Character Composition models to attribute1, and the Value Range model to attribute2

Slide 11: Proposed Idea (4/8): Detection Models (1/2)
- Length (similar to [2])
- Character Distribution (similar to [2])
- Structural Inference (similar to [2])
- Token Finder (similar to [2])
- Character Composition
- Value Range

Slide 12: Proposed Idea (5/8): Detection Models (2/2)
- Character Composition
  - Character sets: Part(0) Number (0~9); Part(1) Alphabet (A~Z, a~z); Part(2) Special Character (. / ; ...); Part(3) Unprintable; Part(4) Others
  - Training phase: measuring the normal frequency of each set; deciding the expected type of each attribute
  - Detection phase: calculating the probability of deviation from the normal frequency, using the chi-square test
- Value Range
  - Applied when the expected type is integer
  - Checking the attribute's range of values

Slide 13: Proposed Idea (6/8): Applying Methods (1/3)
- Length: enabled for all string attributes.
- Token Finder: enabled when the attribute is composed of a small set of tokens.
- Character Composition: disabled when the Token Finder model is enabled or there are too many special and unprintable characters.

Slide 14: Proposed Idea (7/8): Applying Methods (2/3)
- Value Range: enabled when the expected type is number.
- Character Distribution: enabled when the Token Finder model is disabled, the attribute allows special characters, and the mean length is larger than a threshold.
- Structural Inference: enabled when the number of states is less than a threshold, and when the length is dynamic, the Token Finder model is disabled, and the attribute allows special characters.

Slide 15: Proposed Idea (8/8): Applying Methods (3/3)
- Training phase
  - Profiling the values of each attribute of each URL
  - Determining each attribute's model set
- Detection phase
  - Calculating each model's probability of abnormality
  - Multiplying the probabilities to make an anomaly score
  - Filtering, modifying, or passing the request according to the anomaly score
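The training and detection phases of slides 10 and 12 through 15, as an added worked example in Python (not code from the slides or from the author's system). Assumptions not on the slides: the training values are constructed; the Length model uses a Chebyshev bound as in [2]; the slide's five character parts are folded into four classes with add-one smoothing; the token-set and filter thresholds are arbitrary; each model returns a probability of normality and the anomaly score is one minus their product.

```python
import math
from collections import Counter

TRAIN = {"id": ["1023", "88", "4096", "7", "512", "64"],     # constructed normal values
         "lang": ["en", "ko", "ja", "en", "ko", "en"],        # for three attributes of one URL
         "q": ["printer", "web security", "laptop", "usb cable", "hpc lab", "mouse pad"]}

def char_class(c):
    # Part(0) number, Part(1) alphabet, Part(2) printable special character, Part(3) unprintable
    return 0 if c.isdigit() else 1 if c.isalpha() else 2 if c.isprintable() else 3
def train(values):
    # Training phase: statistics (profile) of one attribute, then the model set chosen from them
    lens = [len(v) for v in values]
    mu = sum(lens) / len(lens)
    prof = {"mu": mu, "sd": math.sqrt(sum((l - mu) ** 2 for l in lens) / len(lens)),
            "tokens": set(values)}
    if all(v.lstrip("-").isdigit() for v in values):       # expected type is number
        nums = [int(v) for v in values]
        prof["range"], prof["models"] = (min(nums), max(nums)), ["range"]
    elif len(prof["tokens"]) <= len(values) // 2:           # small token set (assumed threshold)
        prof["models"] = ["length", "token"]
    else:                                                   # free-form string: composition test
        cnt = Counter(char_class(c) for v in values for c in v)
        prof["comp"] = [(cnt[k] + 1) / (sum(cnt.values()) + 4) for k in range(4)]  # add-one smoothing
        prof["models"] = ["length", "composition"]
    return prof
def p_length(prof, v):          # Chebyshev bound; only lengths above the mean are suspicious
    d = len(v) - prof["mu"]
    return 1.0 if d <= 0 else (min(1.0, prof["sd"] ** 2 / d ** 2) if prof["sd"] else 0.0)
def p_composition(prof, v):     # chi-square test over the 4 classes (df = 3), standard library only
    if not v:
        return 1.0
    obs, exp = Counter(char_class(c) for c in v), [len(v) * f for f in prof["comp"]]
    chi2 = sum((obs[k] - exp[k]) ** 2 / exp[k] for k in range(4))
    return math.erfc(math.sqrt(chi2 / 2)) + math.sqrt(2 * chi2 / math.pi) * math.exp(-chi2 / 2)
def p_range(prof, v):           # non-numbers fail outright; out-of-range numbers decay with distance
    if not v.lstrip("-").isdigit():
        return 0.0
    lo, hi = prof["range"]
    return max(hi - lo, 1) / (max(hi - lo, 1) + max(lo - int(v), int(v) - hi, 0))
MODELS = {"length": p_length, "composition": p_composition, "range": p_range,
          "token": lambda prof, v: 1.0 if v in prof["tokens"] else 0.0}
def anomaly_score(prof, v):     # detection phase: product of normality probabilities, inverted
    return 1.0 - math.prod(MODELS[m](prof, v) for m in prof["models"])
def check_request(profiles, params, threshold=0.9):
    # One GET/POST request: per-attribute scores plus the filter decision (threshold is assumed)
    scores = {a: anomaly_score(profiles[a], v) for a, v in params.items() if a in profiles}
    return scores, any(s >= threshold for s in scores.values())
PROFILES = {a: train(vals) for a, vals in TRAIN.items()}
```

With these training values the numeric `id` gets only the Value Range model, the three-token `lang` gets Length plus Token Finder, and the free-text `q` gets Length plus Character Composition, which is the per-attribute model selection the slides call dynamic model organization.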

Slide 16: Conclusion & Future Works
- Unvalidated input is the web application's most critical vulnerability.
- Policy-based or signature-based systems are not automated methods, and multi-model based anomaly detection can't operate in real time.
- I introduced a profile-based web application security system that achieves high speed with dynamic model organization.
- Future work: optimizing and evaluating my system.

Slide 17: Thank you! Q & A

