6 Conclusions and Future Works
In this paper, we have proposed and implemented a web application attack scenario construction and visualization technique to support security administrators in understanding the intrusion processes that happen on their systems. Unlike previous work on attack scenario construction, our work exploits the time constraints between related web requests and the space constraints (linking relationships) between pages of the web application to build attack scenarios. As a result, it does not require cause-and-effect relationships to be defined manually in advance, as other approaches do. This feature significantly reduces the effort required of security administrators, especially for large web applications. On the visualization side, the main benefit our technique provides to security administrators is that it displays not only individual attacks/alerts but also their chains of events in a holistic way. Events are positioned in a time and space coordinate system according to when (time) and where (URL) they execute. Given a selected alert in the attack scenario under construction, we classify events into pre-events (events that happen before the event that raised the selected alert) and post-events (events that happen after it). Our assumption in doing so is that it is more helpful for security administrators to have a clear picture of which events constitute preparation steps (pre-events) and which constitute cleanup steps (post-events).
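The following is an added illustration of the time-constraint/space-constraint idea summarised above; it is not the paper's prototype, and the concrete matching rules it uses (same client, bounded time gap, and a referer or link-graph relationship between the two pages) are an assumption about how such constraints could be applied. The access log lines, the page link graph (`LINKS`), the alert (`ALERT`) and the `shop.example` host are all constructed for the example. Starting from the request that raised the alert, it walks backwards to collect pre-events and forwards to collect post-events, then flattens the chain into the time/URL coordinates a visualization would plot.

```python
"""Attack-scenario construction from a web access log plus one IDS alert.

Added example (not the paper's code). The matching rules, the log lines,
the link graph and the alert are all assumptions constructed for it.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Apache "combined" log format. The referer field is the primary source of
# the space relationship (which page a request was issued from).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed access log: client 203.0.113.7 logs in, browses to its account,
# sends an injection payload to /search, then logs out. A second client and
# a late request from the first client are noise that must not be chained.
LOG_LINES = [
    '203.0.113.7 - - [10/Mar/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /index HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:12 +0000] "POST /login HTTP/1.1" 302 0 "http://shop.example/login" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:20 +0000] "GET /account HTTP/1.1" 200 3120 "http://shop.example/login" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:31 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 500 512 "http://shop.example/account" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:40 +0000] "GET /logout HTTP/1.1" 302 0 "http://shop.example/search" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:05:00 +0000] "GET /index HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

# Constructed link graph of the test application: page -> pages it links to.
# It supplies the space relationship when a client sends no referer.
LINKS = {
    "/index": {"/login", "/search"},
    "/login": {"/login", "/account"},
    "/account": {"/search", "/logout"},
    "/search": {"/search"},
}

# Constructed IDS alert pointing at one request in the log (hypothetical).
ALERT = {
    "ip": "203.0.113.7",
    "url": "/search",
    "ts": datetime(2024, 3, 10, 10, 0, 31, tzinfo=timezone.utc),
    "signature": "SQL injection in query string",
}


def parse_log(lines):
    """Parse combined-format lines into event dicts sorted by time.

    The query string is dropped so the URL identifies a page, and the referer
    is reduced to its path so it can be compared with earlier events' URLs.
    """
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip anything that is not a well-formed log line
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["url"] = ev["url"].split("?", 1)[0]
        ev["referer"] = urlparse(ev["referer"]).path if ev["referer"] != "-" else "-"
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def related(earlier, later, links, window):
    """Time constraint: same client and a bounded gap. Space constraint: the
    later request was issued from the earlier page (referer), or the earlier
    page links to the later one."""
    gap = later["ts"] - earlier["ts"]
    if earlier["ip"] != later["ip"] or not (timedelta(0) <= gap <= window):
        return False
    return later["referer"] == earlier["url"] or later["url"] in links.get(earlier["url"], ())


def build_scenario(events, links, alert, window=timedelta(seconds=120)):
    """Chain requests backwards (pre-events) and forwards (post-events) from
    the alerted request, taking the nearest related request at each step."""
    idx = next(i for i, e in enumerate(events)
               if (e["ip"], e["url"], e["ts"]) == (alert["ip"], alert["url"], alert["ts"]))
    pre, cur = [], idx
    while True:
        prev = next((i for i in range(cur - 1, -1, -1)
                     if related(events[i], events[cur], links, window)), None)
        if prev is None:
            break
        pre.append(events[prev])
        cur = prev
    pre.reverse()
    post, cur = [], idx
    while True:
        nxt = next((i for i in range(cur + 1, len(events))
                    if related(events[cur], events[i], links, window)), None)
        if nxt is None:
            break
        post.append(events[nxt])
        cur = nxt
    return {"pre": pre, "alert": events[idx], "post": post}


def timeline(scenario):
    """Flatten the scenario into (role, time, method, url) rows: the time and
    space (URL) coordinates a visualization would plot."""
    rows = [("pre", e) for e in scenario["pre"]]
    rows += [("alert", scenario["alert"])]
    rows += [("post", e) for e in scenario["post"]]
    return [(role, e["ts"].strftime("%H:%M:%S"), e["method"], e["url"]) for role, e in rows]


if __name__ == "__main__":
    for row in timeline(build_scenario(parse_log(LOG_LINES), LINKS, ALERT)):
        print("%-5s %s %-4s %s" % row)
```

With the constructed data, the chain is GET /login, POST /login, GET /account (pre-events), the alerted GET /search, and GET /logout (post-event); the other client's request is rejected by the time constraint's same-client rule and the late GET /index by the 120-second window. The window and the link graph are the two knobs a practitioner would tune: too wide a window chains unrelated browsing into the scenario, and a stale link graph makes the space constraint miss requests issued without a referer.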
Experimental results show the effectiveness of our approach in helping security administrators understand web application attacks. By observing the visualization results, we can gain insights into the attack strategies used by different tools and people that are not easy to obtain with traditional methods. In this regard, we believe our proposed technique is a valuable complement to existing web application IDSs: it offers security administrators meaningful attack scenarios built from the individual attacks detected by those IDSs. The lessons learnt from these attack scenarios can help administrators understand the whole attack process better. This information can then be used not only to counter the attack immediately but also to prepare future defense strategies.
There are some limitations that this work does not address. Firstly, in our experiments we used automated tools and invited an expert to generate HTTP requests and attack a test web application. All of these are somewhat artificial and, as a result, less convincing than a real-life scenario. To overcome this limitation, we intend to set up a honeypot to attract real attackers from the Internet and obtain more realistic data for later experiments. Secondly, our prototype lacks evaluation and feedback from the people who would use it in their day-to-day work, i.e. security administrators, who could evaluate its usability and usefulness. There are other ways to measure our work, but they require significant effort to carry out [23].
There are several ways to extend this work. In the prototype implementation, we use only the access log from a web server and the intrusion records generated by a web application IDS to construct and visualize attack scenarios. By adding more related log data (e.g. the error log, a database call log, etc.) and more IDS data (e.g. a second IDS) to the visualization, our work could offer more useful information. This is