Protecting a Moving Target: Addressing Web Application Concept Drift
-
Upload
federico-maggi -
Category
Technology
-
view
151 -
download
0
description
Transcript of Protecting a Moving Target: Addressing Web Application Concept Drift
![Page 1: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/1.jpg)
Protecting a Moving Target:Addressing Web Application Concept DriftThe 12th International Symposium on Recent Advances in Intrusion
Detection 2009
Federico Maggi, William Robertson, Christopher Krügel, Giovanni Vigna
Politecnico di Milano, Univeristy of California Santa Barbara
September 23, 2009
![Page 2: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/2.jpg)
Adapting to changes of the protected web application.
![Page 3: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/3.jpg)
Web Application Anomaly DetectionLearning benign HTTP interactions (i.e., requests and responses)
/article/id/32/comment/<par1>/<par1-val>/login/<par1>/<par1-val>/<par2>/<par2-val>.../<component1>/<par1>/<par1-val>/<par2>/<par2-val>/<component2>/<par1>/<par1-val>
Clients
Webserver
Millions of good HTTP messages
![Page 4: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/4.jpg)
Web Application Anomaly DetectionLearning benign HTTP interactions (i.e., requests and responses)
/article/id/32
/comment/<par1>/<par1-val>/login/<par1>/<par1-val>/<par2>/<par2-val>.../<component1>/<par1>/<par1-val>/<par2>/<par2-val>/<component2>/<par1>/<par1-val>
Clients
Webserver
Millions of good HTTP messages
![Page 5: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/5.jpg)
Web Application Anomaly DetectionLearning benign HTTP interactions (i.e., requests and responses)
/article/id/32/comment/<par1>/<par1-val>
/login/<par1>/<par1-val>/<par2>/<par2-val>.../<component1>/<par1>/<par1-val>/<par2>/<par2-val>/<component2>/<par1>/<par1-val>
Clients
Webserver
Millions of good HTTP messages
![Page 6: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/6.jpg)
Web Application Anomaly DetectionLearning benign HTTP interactions (i.e., requests and responses)
/article/id/32/comment/<par1>/<par1-val>/login/<par1>/<par1-val>/<par2>/<par2-val>
.../<component1>/<par1>/<par1-val>/<par2>/<par2-val>/<component2>/<par1>/<par1-val>
Clients
Webserver
Millions of good HTTP messages
![Page 7: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/7.jpg)
Web Application Anomaly DetectionLearning benign HTTP interactions (i.e., requests and responses)
/article/id/32/comment/<par1>/<par1-val>/login/<par1>/<par1-val>/<par2>/<par2-val>...
/<component1>/<par1>/<par1-val>/<par2>/<par2-val>/<component2>/<par1>/<par1-val>
Clients
Webserver
Millions of good HTTP messages
![Page 8: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/8.jpg)
Web Application Anomaly DetectionLearning benign HTTP interactions (i.e., requests and responses)
/article/id/32/comment/<par1>/<par1-val>/login/<par1>/<par1-val>/<par2>/<par2-val>.../<component1>/<par1>/<par1-val>/<par2>/<par2-val>
/<component2>/<par1>/<par1-val>
Clients
Webserver
Millions of good HTTP messages
![Page 9: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/9.jpg)
Web Application Anomaly DetectionLearning benign HTTP interactions (i.e., requests and responses)
/article/id/32/comment/<par1>/<par1-val>/login/<par1>/<par1-val>/<par2>/<par2-val>.../<component1>/<par1>/<par1-val>/<par2>/<par2-val>/<component2>/<par1>/<par1-val>
Clients
Webserver
Millions of good HTTP messages
![Page 10: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/10.jpg)
Web Application Anomaly DetectionLearning benign HTTP interactions (i.e., requests and responses)
/article/id/32/comment/<par1>/<par1-val>/login/<par1>/<par1-val>/<par2>/<par2-val>.../<component1>/<par1>/<par1-val>/<par2>/<par2-val>/<component2>/<par1>/<par1-val>
Clients
Webserver
Millions of good HTTP messages
![Page 11: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/11.jpg)
Modeling benign HTTP interactions
![Page 12: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/12.jpg)
Modeling benign HTTP interactions
Client
Webserver
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
Models of good messages
M1 MnM2 M3
![Page 13: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/13.jpg)
Modeling benign HTTP interactions
Client
Webserver
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
MnM1 M3M2
Example of models— parameter string length— numeric range— probabilistic grammar of strings— string character distribution
![Page 14: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/14.jpg)
Modeling benign HTTP interactions
Client
Webserver
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
Models of good sessions
M1 MnM2 M3
C1
C3
C2M1
C7 C1
C3M2
C2C10 C7
Mn
![Page 15: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/15.jpg)
Modeling benign HTTP interactions
Client
Webserver
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
M1 MnM3M2
C1
C2
C3M1
C7 C1
C3M2
C2 C5C10
C3
C7Mn
C1
![Page 16: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/16.jpg)
Modeling benign HTTP interactions
Client
Webserver
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
M1 MnM2 M3
C1
C2
C3M1
C7 C1
C3M2
C2 C5C10
C3
C7Mn
C1
![Page 17: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/17.jpg)
Modeling benign HTTP interactions
Client
Webserver
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
Detection of bad messages
M1 MnM2 M3
![Page 18: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/18.jpg)
Modeling benign HTTP interactions
Client
Webserver
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
/<component1>/<par1>/<par1-val>
Client
Webserver
Detection of bad sessions
C1
C2
C3M1
C7 C1
C3M2
C2 C5C10
C3
C7Mn
C1
![Page 19: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/19.jpg)
What if the modeled features change?Note that this is the common problem of anomaly detection, per sé
In practice, what if the protected website suddenly changes?
I site changes means changes in the good behavior,I changes in the good behavior means obsolete training,I obsolete training leads to FP.
![Page 20: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/20.jpg)
What if the modeled features change?Note that this is the common problem of anomaly detection, per sé
In practice, what if the protected website suddenly changes?
I site changes means changes in the good behavior,I changes in the good behavior means obsolete training,I obsolete training leads to FP.
![Page 21: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/21.jpg)
What if the modeled features change?Note that this is the common problem of anomaly detection, per sé
In practice, what if the protected website suddenly changes?I site changes means changes in the good behavior,
I changes in the good behavior means obsolete training,I obsolete training leads to FP.
![Page 22: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/22.jpg)
What if the modeled features change?Note that this is the common problem of anomaly detection, per sé
In practice, what if the protected website suddenly changes?I site changes means changes in the good behavior,I changes in the good behavior means obsolete training,
I obsolete training leads to FP.
![Page 23: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/23.jpg)
What if the modeled features change?Note that this is the common problem of anomaly detection, per sé
In practice, what if the protected website suddenly changes?I site changes means changes in the good behavior,I changes in the good behavior means obsolete training,I obsolete training leads to FP.
![Page 24: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/24.jpg)
What type of changes are we concerned about?Those that affect normality models.
I Request: e.g., new parameters, new domains for parameters,L10N, I18N.
I Example (I18N): 3/12/2009 3:00 PM GMT-08, 3 May 20093:00, now.
I Affect: string length, char distribution, string grammar.I Response: e.g., new DOM nodes, rearrangement of DOM
nodes.I Example (AJAX): several nodes are enriched with client-side
code.I Affect: any tree-based DOM normality models.
I Session: e.g., reordering of paths in a typical session,add/rem. of authentication.
I Example (auth):/site → /auth → /blog/site → /auth → /files
/site → /files|/blog|/auth.I Affect: sequence-based session models.
![Page 25: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/25.jpg)
What type of changes are we concerned about?Those that affect normality models.
I Request: e.g., new parameters, new domains for parameters,L10N, I18N.
I Example (I18N): 3/12/2009 3:00 PM GMT-08, 3 May 20093:00, now.
I Affect: string length, char distribution, string grammar.
I Response: e.g., new DOM nodes, rearrangement of DOMnodes.
I Example (AJAX): several nodes are enriched with client-sidecode.
I Affect: any tree-based DOM normality models.I Session: e.g., reordering of paths in a typical session,
add/rem. of authentication.I Example (auth):
/site → /auth → /blog/site → /auth → /files
/site → /files|/blog|/auth.I Affect: sequence-based session models.
![Page 26: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/26.jpg)
What type of changes are we concerned about?Those that affect normality models.
I Request: e.g., new parameters, new domains for parameters,L10N, I18N.
I Example (I18N): 3/12/2009 3:00 PM GMT-08, 3 May 20093:00, now.
I Affect: string length, char distribution, string grammar.
I Response: e.g., new DOM nodes, rearrangement of DOMnodes.
I Example (AJAX): several nodes are enriched with client-sidecode.
I Affect: any tree-based DOM normality models.
I Session: e.g., reordering of paths in a typical session,add/rem. of authentication.
I Example (auth):/site → /auth → /blog/site → /auth → /files
/site → /files|/blog|/auth.I Affect: sequence-based session models.
![Page 27: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/27.jpg)
What type of changes are we concerned about?Those that affect normality models.
I Request: e.g., new parameters, new domains for parameters,L10N, I18N.
I Example (I18N): 3/12/2009 3:00 PM GMT-08, 3 May 20093:00, now.
I Affect: string length, char distribution, string grammar.I Response: e.g., new DOM nodes, rearrangement of DOM
nodes.I Example (AJAX): several nodes are enriched with client-side
code.I Affect: any tree-based DOM normality models.
I Session: e.g., reordering of paths in a typical session,add/rem. of authentication.
I Example (auth):/site → /auth → /blog/site → /auth → /files
/site → /files|/blog|/auth.I Affect: sequence-based session models.
![Page 28: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/28.jpg)
Is this really an issue?Todays’ websites change pretty often.
Between Jan 29 and Apr 13, 2009, we crawled:I 2,264 websites drawn from Alexa’s Top 500 and googling,I 3,303,816 pages instances total,I 1,390 snapshots for each website.
![Page 29: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/29.jpg)
Is this really an issue?Todays’ websites change pretty often.
Between Jan 29 and Apr 13, 2009, we crawled:I 2,264 websites drawn from Alexa’s Top 500 and googling,I 3,303,816 pages instances total,I 1,390 snapshots for each website.
![Page 30: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/30.jpg)
What type of, and how many, changes have wefound?
I YouTube (dramatic change)I richer interaction to let user rearrange widgets,I this meant lots of new parameters,I lots of req/res/ses changes.
I Yahoo! MailI new parameter for enhaced and localized search,I new valid values for parameters,I not many response changes,
I MySpaceI unfortunately, we found this didn’t change too much.
I All:I 40% have new resource paths,I 30% have new parameters.
We also set up a third, white box analysis (omitted in this talk) ofsource code, to confirm that web applications are subject tosubstantial changes between releases.
![Page 31: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/31.jpg)
What type of, and how many, changes have wefound?
I YouTube (dramatic change)I richer interaction to let user rearrange widgets,I this meant lots of new parameters,I lots of req/res/ses changes.
I Yahoo! MailI new parameter for enhaced and localized search,I new valid values for parameters,I not many response changes,
I MySpaceI unfortunately, we found this didn’t change too much.
I All:I 40% have new resource paths,I 30% have new parameters.
We also set up a third, white box analysis (omitted in this talk) ofsource code, to confirm that web applications are subject tosubstantial changes between releases.
![Page 32: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/32.jpg)
What type of, and how many, changes have wefound?
I YouTube (dramatic change)I richer interaction to let user rearrange widgets,I this meant lots of new parameters,I lots of req/res/ses changes.
I Yahoo! MailI new parameter for enhaced and localized search,I new valid values for parameters,I not many response changes,
I MySpaceI unfortunately, we found this didn’t change too much.
I All:I 40% have new resource paths,I 30% have new parameters.
We also set up a third, white box analysis (omitted in this talk) ofsource code, to confirm that web applications are subject tosubstantial changes between releases.
![Page 33: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/33.jpg)
What type of, and how many, changes have wefound?
I YouTube (dramatic change)I richer interaction to let user rearrange widgets,I this meant lots of new parameters,I lots of req/res/ses changes.
I Yahoo! MailI new parameter for enhaced and localized search,I new valid values for parameters,I not many response changes,
I MySpaceI unfortunately, we found this didn’t change too much.
I All:I 40% have new resource paths,I 30% have new parameters.
We also set up a third, white box analysis (omitted in this talk) ofsource code, to confirm that web applications are subject tosubstantial changes between releases.
![Page 34: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/34.jpg)
What type of, and how many, changes have wefound?
I YouTube (dramatic change)I richer interaction to let user rearrange widgets,I this meant lots of new parameters,I lots of req/res/ses changes.
I Yahoo! MailI new parameter for enhaced and localized search,I new valid values for parameters,I not many response changes,
I MySpaceI unfortunately, we found this didn’t change too much.
I All:I 40% have new resource paths,I 30% have new parameters.
We also set up a third, white box analysis (omitted in this talk) ofsource code, to confirm that web applications are subject tosubstantial changes between releases.
![Page 35: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/35.jpg)
What type of, and how many, changes have wefound?
I YouTube (dramatic change)I richer interaction to let user rearrange widgets,I this meant lots of new parameters,I lots of req/res/ses changes.
I Yahoo! MailI new parameter for enhaced and localized search,I new valid values for parameters,I not many response changes,
I MySpaceI unfortunately, we found this didn’t change too much.
I All:I 40% have new resource paths,I 30% have new parameters.
We also set up a third, white box analysis (omitted in this talk) ofsource code, to confirm that web applications are subject tosubstantial changes between releases.
![Page 36: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/36.jpg)
Effects on a web application anomaly detector?We performed some tests using webanomaly
I Real-world training Q′ and testing datasets Q, Q ∩Q′ = ∅:I 823 unique web applications,I 36,392 unique resource paths,I 16,671 unique parameters,I 58,734,624 HTTP messages;I 1000 real-world attacks.
I We drifted Q, obtaining a known QdriftI 6,749 new session flows,I 6,750 new parameters,I 5,785 modified parameters.
In this way, the set of changes in web application behavior wasexplicitly known.
![Page 37: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/37.jpg)
Effects on a web application anomaly detector?We performed some tests using webanomaly
I Real-world training Q′ and testing datasets Q, Q ∩Q′ = ∅:I 823 unique web applications,I 36,392 unique resource paths,I 16,671 unique parameters,I 58,734,624 HTTP messages;I 1000 real-world attacks.
I We drifted Q, obtaining a known QdriftI 6,749 new session flows,I 6,750 new parameters,I 5,785 modified parameters.
In this way, the set of changes in web application behavior wasexplicitly known.
![Page 38: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/38.jpg)
Effects on a web application anomaly detector?We performed some tests using webanomaly
I Real-world training Q′ and testing datasets Q, Q ∩Q′ = ∅:I 823 unique web applications,I 36,392 unique resource paths,I 16,671 unique parameters,I 58,734,624 HTTP messages;I 1000 real-world attacks.
I We drifted Q, obtaining a known QdriftI 6,749 new session flows,I 6,750 new parameters,I 5,785 modified parameters.
In this way, the set of changes in web application behavior wasexplicitly known.
![Page 39: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/39.jpg)
Details on how we built Qdrift
I New session flows/login /index/index /login/article /article
I new parameters/nav?id=21&mode=text /nav?pk=21&attr=text/all?filter=2009 /all?filter=2009&pag=true/get?id=21 /retrieve?id=21
I modified parameters?date=1944-10-14 ?date=yesterday&fmt=smart
![Page 40: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/40.jpg)
Details on how we built Qdrift
I New session flows/login /index/index /login/article /article
I new parameters/nav?id=21&mode=text /nav?pk=21&attr=text/all?filter=2009 /all?filter=2009&pag=true/get?id=21 /retrieve?id=21
I modified parameters?date=1944-10-14 ?date=yesterday&fmt=smart
![Page 41: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/41.jpg)
Details on how we built Qdrift
I New session flows/login /index/index /login/article /article
I new parameters/nav?id=21&mode=text /nav?pk=21&attr=text/all?filter=2009 /all?filter=2009&pag=true/get?id=21 /retrieve?id=21
I modified parameters?date=1944-10-14 ?date=yesterday&fmt=smart
![Page 42: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/42.jpg)
Details on how we built Qdrift
I New session flows/login /index/index /login/article /article
I new parameters/nav?id=21&mode=text /nav?pk=21&attr=text/all?filter=2009 /all?filter=2009&pag=true/get?id=21 /retrieve?id=21
I modified parameters?date=1944-10-14 ?date=yesterday&fmt=smart
![Page 43: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/43.jpg)
Effects on detection
0.5
0.6
0.7
0.8
0.9
1
0 0.05 0.1 0.15 0.2
Tru
e po
sitiv
e ra
te
False positive rate
Detection accuracy (Q)Detection accuracy (Qdrift)
![Page 44: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/44.jpg)
HTTP responses contain good clues about changes!
I links → potential new resources and parameters,
<a href="/account/retrieve?id=22&type=ext" /><a href="/account/history?aid=446825759916" />
I forms → potential new resources,
<form name="newform" target="/account/newhandler"><!--fields-->
</form>
I fields → potential new parameters and also new values.
<input type="text" name="new_parameter" /><select name="subject">
<option>General</option><option>User interface</option><option>Functionality</option><option>New value for ’subject’</option>
</select>
![Page 45: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/45.jpg)
HTTP responses contain good clues about changes!I links → potential new resources and parameters,
<a href="/account/retrieve?id=22&type=ext" /><a href="/account/history?aid=446825759916" />
I forms → potential new resources,
<form name="newform" target="/account/newhandler"><!--fields-->
</form>
I fields → potential new parameters and also new values.
<input type="text" name="new_parameter" /><select name="subject">
<option>General</option><option>User interface</option><option>Functionality</option><option>New value for ’subject’</option>
</select>
![Page 46: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/46.jpg)
HTTP responses contain good clues about changes!
I links → potential new resources and parameters,
<a href="/account/retrieve?id=22&type=ext" /><a href="/account/history?aid=446825759916" />
I forms → potential new resources,
<form name="newform" target="/account/newhandler"><!--fields-->
</form>
I fields → potential new parameters and also new values.
<input type="text" name="new_parameter" /><select name="subject">
<option>General</option><option>User interface</option><option>Functionality</option><option>New value for ’subject’</option>
</select>
![Page 47: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/47.jpg)
HTTP responses contain good clues about changes!
I links → potential new resources and parameters,
<a href="/account/retrieve?id=22&type=ext" /><a href="/account/history?aid=446825759916" />
I forms → potential new resources,
<form name="newform" target="/account/newhandler"><!--fields-->
</form>
I fields → potential new parameters and also new values.
<input type="text" name="new_parameter" /><select name="subject">
<option>General</option><option>User interface</option><option>Functionality</option><option>New value for ’subject’</option>
</select>
![Page 48: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/48.jpg)
Parsing HTTP responses to update models
Client Anomaly detector Web app.
qi
Parsing
Li ,Fi
Change or attack?
qi
respirespi
qi+1 qi+1
for each request qi
intercept the corresponding response respiextract parmeters and values from links, forms, fields
at next request qi+1
compare parameter and values to spot legit changes
![Page 49: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/49.jpg)
Parsing HTTP responses to update models
Client Anomaly detector Web app.
qi
Parsing
Li ,Fi
Change or attack?
qi
respirespi
qi+1 qi+1
for each request qi
intercept the corresponding response respiextract parmeters and values from links, forms, fields
at next request qi+1
compare parameter and values to spot legit changes
![Page 50: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/50.jpg)
Parsing HTTP responses to update models
Client Anomaly detector Web app.
qi
Parsing
Li ,Fi
Change or attack?
qi
respirespi
qi+1 qi+1
for each request qi
intercept the corresponding response respiextract parmeters and values from links, forms, fields
at next request qi+1
compare parameter and values to spot legit changes
![Page 51: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/51.jpg)
Parsing HTTP responses to update models
Client Anomaly detector Web app.
qi
Parsing
Li ,Fi
Change or attack?
qi
respirespi
qi+1 qi+1
for each request qiintercept the corresponding response respi
extract parmeters and values from links, forms, fieldsat next request qi+1
compare parameter and values to spot legit changes
![Page 52: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/52.jpg)
Parsing HTTP responses to update models
Client Anomaly detector Web app.
qi
Parsing
Li ,Fi
Change or attack?
qi
respirespi
qi+1 qi+1
for each request qiintercept the corresponding response respiextract parmeters and values from links, forms, fields
at next request qi+1
compare parameter and values to spot legit changes
![Page 53: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/53.jpg)
Parsing HTTP responses to update models
Client Anomaly detector Web app.
qi
Parsing
Li ,Fi
Change or attack?
qi
respirespi
qi+1 qi+1
for each request qiintercept the corresponding response respiextract parmeters and values from links, forms, fields
at next request qi+1
compare parameter and values to spot legit changes
![Page 54: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/54.jpg)
Parsing HTTP responses to update models
Client Anomaly detector Web app.
qi
Parsing
Li ,Fi
Change or attack?
qi
respirespi
qi+1 qi+1
for each request qiintercept the corresponding response respiextract parmeters and values from links, forms, fields
at next request qi+1compare parameter and values to spot legit changes
![Page 55: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/55.jpg)
Exampleqi = GET /page?id=14
respi =
<a href="/comments/retrieve?id=22&type=ext" /><a href="/archive/yearly?y=2008" />
<form name="newform" target="/account/newhandler">
<input type="text" name="new_parameter" /><select name="subject">
<option>General</option><option>User interface</option><option>Functionality</option><option>New value for ’subject’</option>
</select></form>
qi+1 = GET /account/newhandler?new_parameter=1would rise a false positive.
![Page 56: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/56.jpg)
Exampleqi = GET /page?id=14respi =
<a href="/comments/retrieve?id=22&type=ext" /><a href="/archive/yearly?y=2008" />
<form name="newform" target="/account/newhandler">
<input type="text" name="new_parameter" /><select name="subject">
<option>General</option><option>User interface</option><option>Functionality</option><option>New value for ’subject’</option>
</select></form>
qi+1 = GET /account/newhandler?new_parameter=1would rise a false positive.
![Page 57: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/57.jpg)
Exampleqi = GET /page?id=14respi =
<a href="/comments/retrieve?id=22&type=ext" /><a href="/archive/yearly?y=2008" />
<form name="newform" target="/account/newhandler">
<input type="text" name="new_parameter" /><select name="subject">
<option>General</option><option>User interface</option><option>Functionality</option><option>New value for ’subject’</option>
</select></form>
qi+1 = GET /account/newhandler?new_parameter=1would rise a false positive.
![Page 58: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/58.jpg)
How do we eliminate false positives?
I new parameters: we create a new model and we train it onvalues, if any.
I new session flows: we just reorder the session sequence.I new values: we can guess the type (e.g., string, token). If not
available, we trust the requests that follows.
![Page 59: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/59.jpg)
How do we eliminate false positives?
I new parameters: we create a new model and we train it onvalues, if any.
I new session flows: we just reorder the session sequence.
I new values: we can guess the type (e.g., string, token). If notavailable, we trust the requests that follows.
![Page 60: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/60.jpg)
How do we eliminate false positives?
I new parameters: we create a new model and we train it onvalues, if any.
I new session flows: we just reorder the session sequence.
I new values: we can guess the type (e.g., string, token). If notavailable, we trust the requests that follows.
![Page 61: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/61.jpg)
Does it work?Results on Qdrift
Change type Anomalies False Positives Reduction
New session flows 6,749 0 100.0%New parameters 6,750 0 100.0%
Modified parameters 5,785 4,821 16.6%
Total 19,284 4,821 75.0%
![Page 62: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/62.jpg)
Does it work?Results on Qdrift
Change type Anomalies False Positives Reduction
New session flows 6,749 0 100.0%New parameters 6,750 0 100.0%
Modified parameters 5,785 4,821 16.6%
Total 19,284 4,821 75.0%
![Page 63: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/63.jpg)
Does it work?Results on Qdrift
Change type Anomalies False Positives Reduction
New session flows 6,749 0 100.0%
New parameters 6,750 0 100.0%Modified parameters 5,785 4,821 16.6%
Total 19,284 4,821 75.0%
![Page 64: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/64.jpg)
Does it work?Results on Qdrift
Change type Anomalies False Positives Reduction
New session flows 6,749 0 100.0%New parameters 6,750 0 100.0%
Modified parameters 5,785 4,821 16.6%
Total 19,284 4,821 75.0%
![Page 65: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/65.jpg)
Does it work?Results on Qdrift
Change type Anomalies False Positives Reduction
New session flows 6,749 0 100.0%New parameters 6,750 0 100.0%
Modified parameters 5,785 4,821 16.6%
Total 19,284 4,821 75.0%
![Page 66: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/66.jpg)
Does it work?Results on Qdrift
Change type Anomalies False Positives Reduction
New session flows 6,749 0 100.0%New parameters 6,750 0 100.0%
Modified parameters 5,785 4,821 16.6%
Total 19,284 4,821 75.0%
![Page 67: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/67.jpg)
Does it work?Results on Qdrift
0.5
0.6
0.7
0.8
0.9
1
0 0.05 0.1 0.15 0.2
Tru
e po
sitiv
e ra
te
False positive rate
Detection accuracy (Q)Detection accuracy (Qdrift)
![Page 68: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/68.jpg)
Does it work?Results on Qdrift
0.5
0.6
0.7
0.8
0.9
1
0 0.05 0.1 0.15 0.2
Tru
e po
sitiv
e ra
te
False positive rate
Detection accuracy (Q)Detection accuracy (Qdrift)
![Page 69: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/69.jpg)
Assumptions, limitations and risks
I AssumptionsI can detect those changes that can be “guessed” from the
responsesI Limitations
I modifications of existing parameters are only partiallydetectable,
I JavaScript and rich client-side code is not analyzed, yet, butwe believe they contain lots of insights!
I RisksI it trusts the application as an oracle,I however, if somebody has already compromised it, we have
another problem :)I right after a change occurs, the very first response is critical,I if somebody manages to tamper with that, models are
poisoned
![Page 70: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/70.jpg)
Assumptions, limitations and risks
I AssumptionsI can detect those changes that can be “guessed” from the
responses
I LimitationsI modifications of existing parameters are only partially
detectable,I JavaScript and rich client-side code is not analyzed, yet, but
we believe they contain lots of insights!I Risks
I it trusts the application as an oracle,I however, if somebody has already compromised it, we have
another problem :)I right after a change occurs, the very first response is critical,I if somebody manages to tamper with that, models are
poisoned
![Page 71: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/71.jpg)
Assumptions, limitations and risks
I AssumptionsI can detect those changes that can be “guessed” from the
responses
I LimitationsI modifications of existing parameters are only partially
detectable,I JavaScript and rich client-side code is not analyzed, yet, but
we believe they contain lots of insights!
I RisksI it trusts the application as an oracle,I however, if somebody has already compromised it, we have
another problem :)I right after a change occurs, the very first response is critical,I if somebody manages to tamper with that, models are
poisoned
![Page 72: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/72.jpg)
Assumptions, limitations and risks
I AssumptionsI can detect those changes that can be “guessed” from the
responsesI Limitations
I modifications of existing parameters are only partiallydetectable,
I JavaScript and rich client-side code is not analyzed, yet, butwe believe they contain lots of insights!
I RisksI it trusts the application as an oracle,I however, if somebody has already compromised it, we have
another problem :)I right after a change occurs, the very first response is critical,I if somebody manages to tamper with that, models are
poisoned
![Page 73: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/73.jpg)
Conclusions
I very simple and effective at reducing FP due to changes;I balance between:
I exposure to model poisoning,I cost of false positives,I cost/feasibility of manual retraining;
I future extensions:
I risk mitigation: update a model only when a change in thecorresponding response is observed at least k times;
I client-side code inspection: todays’ JavaScript libraries performseveral task related to paramters and dynamic DOMconstruction!
![Page 74: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/74.jpg)
Conclusions
I very simple and effective at reducing FP due to changes;
I balance between:I exposure to model poisoning,I cost of false positives,I cost/feasibility of manual retraining;
I future extensions:
I risk mitigation: update a model only when a change in thecorresponding response is observed at least k times;
I client-side code inspection: todays’ JavaScript libraries performseveral task related to paramters and dynamic DOMconstruction!
![Page 75: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/75.jpg)
Conclusions
I very simple and effective at reducing FP due to changes;I balance between:
I exposure to model poisoning,I cost of false positives,I cost/feasibility of manual retraining;
I future extensions:
I risk mitigation: update a model only when a change in thecorresponding response is observed at least k times;
I client-side code inspection: todays’ JavaScript libraries performseveral task related to paramters and dynamic DOMconstruction!
![Page 76: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/76.jpg)
Conclusions
I very simple and effective at reducing FP due to changes;I balance between:
I exposure to model poisoning,I cost of false positives,I cost/feasibility of manual retraining;
I future extensions:
I risk mitigation: update a model only when a change in thecorresponding response is observed at least k times;
I client-side code inspection: todays’ JavaScript libraries performseveral task related to paramters and dynamic DOMconstruction!
![Page 77: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/77.jpg)
Conclusions
I very simple and effective at reducing FP due to changes;I balance between:
I exposure to model poisoning,I cost of false positives,I cost/feasibility of manual retraining;
I future extensions:I risk mitigation: update a model only when a change in the
corresponding response is observed at least k times;
I client-side code inspection: todays’ JavaScript libraries performseveral task related to paramters and dynamic DOMconstruction!
![Page 78: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/78.jpg)
Conclusions
I very simple and effective at reducing FP due to changes;I balance between:
I exposure to model poisoning,I cost of false positives,I cost/feasibility of manual retraining;
I future extensions:I risk mitigation: update a model only when a change in the
corresponding response is observed at least k times;I client-side code inspection: todays’ JavaScript libraries perform
several task related to paramters and dynamic DOMconstruction!
![Page 79: Protecting a Moving Target: Addressing Web Application Concept Drift](https://reader034.fdocuments.net/reader034/viewer/2022051323/5478f72fb37959492b8b45f0/html5/thumbnails/79.jpg)
Questions?