CS707 Term Paper Presentation


Technical Review on Web Application Assault

Detection and Forensics

Hasnain Haidar (MS180400110), Virtual University of Pakistan
Adnan Jahangir (MS180400111), Virtual University of Pakistan

Course Code: CS707


Contents

1 INTRODUCTION
2 WEB APPLICATION ASSAULTS
3 WEB APPLICATION ASSAULT DETECTION
4 WEB APPLICATION FORENSICS
5 CONCLUSION
Introduction

 Web applications play an important role in the current era and are widely used
in e-government, e-commerce, web and enterprise content management,
social networks, email, etc.

 Because of usage at such a level and scale, they have become a prime target for
different attackers.

 Tracking and detection of attacks on web applications have become ineffective
due to the conventional methods being used.

 Moreover, due to the very large amount of data in the network, it is a challenge for
the forensic investigator to manage the time needed to analyse such a large volume of data.

 In this work, we present a review of the different techniques used for web
application assault detection and forensics.
Web Application Assaults

 The term "web application attack" refers to an attack in which a weakness in the
web application code is exploited and taken advantage of to compromise the
security of the back-end systems.

 Web application assaults have a wide range of classifications, and a
framework for them will contribute to and assist in the development of detection
applications.

 In recent years, there has been an increasing interest in web application
security, but security weaknesses are also increasing.

 Integration technologies in the web application, such as client-side and server-side
code, application logic and database back-end hosting, may have been an
important factor in the security weakness.
Web Application Assaults

 It is clearly seen in the figure below that there is a marked weakness
from the client to firewalls to the different servers (web / application / database).
Web Application Assaults

 The most likely causes of the above weakness are:

• Poor/bad coding and misconfiguration.
• Bad queries.
• HTTP design; its utmost problem is that it is not compatible with the
complex structures of current web applications.
Web Application Assault Detection

 Two methods used for assault detection are described as follows:
• Anomaly-based assault detection: anomaly-based techniques are
able to detect unknown assaults due to their ability to learn. Regrettably,
anomaly-based detection sacrifices performance and accuracy, with a high
false-positive rate.
• Signature-based assault detection: signature-based techniques rely
on predefined rules of assault signatures, which allows them to achieve very
high accuracy in detecting known assaults and makes them less prone to false positives;
however, they fail in the detection of new and unknown assaults.
Web Application Assault Detection

 The different detection techniques are divided into the following three
main technologies:

• Web Application Firewall

• Web Application Intrusion Detection System

• Web Application Honeypots


Web Application Assault Detection

Web Application Assault Detection Techniques

Web Application Firewall
• Methods: signature-based and anomaly detection
• Inspection of encrypted traffic: available
• Assaults: known web application assaults
• Accuracy / false positives: medium accuracy, high false positives
• Key issues: maintenance, easy to bypass, cost

Web Application Intrusion Detection System
• Methods: signature-based and anomaly detection
• Inspection of encrypted traffic: not available
• Assaults: application- and network-layer assaults (known and unknown)
• Accuracy / false positives: medium accuracy, high false positives
• Key issues: encryption of traffic, high false-alarm rate

Web Application Honeypot
• Methods: simulation
• Inspection of encrypted traffic: available
• Assaults: application- and network-layer assaults (known and unknown)
• Accuracy / false positives: high accuracy, low false positives
• Key issues: exposure to danger in case of detection

Web Application Forensics
• Methods: analysis of both automatically generated and manually maintained logs
• Inspection of encrypted traffic: available
• Assaults: known and unknown assaults
• Accuracy / false positives: high accuracy, very low false positives
• Key issues: legal constraints, time, massive amount of data
Web Application Forensics

 From a technical point of view, web application forensics can be considered as:
• a detection technique for assaults;
• an evidence finder for the occurrence of assaults, investigating the causes and motives of the
assaults afterwards;
• a deep information gatherer, looking for more information than the other detection
techniques.

 Currently used technologies rely heavily on the forensic investigators. So, the
main source for finding evidence is the log file, which is collected from different
servers and security devices.
 Conventional tools have become ineffective, accompanied by an increase in time,
cost and effort due to heavy web traffic.
 To resolve these challenges, researchers opted for data mining, which helps in
extracting evidence from huge amounts of information, ensuring data integrity and
increasing efficiency.
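As an added example (not code from the paper or from any of the reviewed works), the signature-based and anomaly-based methods from the detection section are run together as a forensic filter over a web server log, the evidence source the forensics section names. The signature rules, the benign baseline and the sample log lines are all constructed for illustration; the last log entry is a long but benign request that the anomaly check flags, which is the false-positive cost the slides attribute to anomaly-based detection.

```python
import re
import statistics
from urllib.parse import unquote
# Constructed benign request paths used as the anomaly baseline (hypothetical).
BASELINE = ["/index.html", "/about.html", "/products?id=42", "/products?id=7",
            "/search?q=laptop", "/static/logo.png", "/contact.html", "/cart"]

# Illustrative signature rules for known assault classes (simplified, not a real WAF ruleset).
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
    "path-traversal": re.compile(r"\.\./"),
    "cross-site-scripting": re.compile(r"(?i)<script"),
}

# Apache combined-style access log: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Constructed sample log: two known attacks, one novel probe, one long benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2019:13:55:40 +0000] "GET /products?id=42 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2019:13:56:01 +0000] "GET /products?id=1'%20OR%20'1'='1 HTTP/1.1" 500 312
198.51.100.7 - - [10/Oct/2019:13:56:05 +0000] "GET /..%2F..%2Fetc/passwd HTTP/1.1" 404 209
192.0.2.9 - - [10/Oct/2019:13:57:12 +0000] "GET /search?q=%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25%25 HTTP/1.1" 200 1480
192.0.2.9 - - [10/Oct/2019:13:58:00 +0000] "GET /category/electronics/laptops/gaming?page=2 HTTP/1.1" 200 7700
"""

def signature_match(path):
    """Signature-based check: precise for known patterns, blind to anything else."""
    decoded = unquote(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def anomaly_score(path, baseline=BASELINE):
    """Anomaly-based check: z-score of decoded request length against the benign baseline."""
    lengths = [len(p) for p in baseline]
    mu, sigma = statistics.mean(lengths), statistics.pstdev(lengths) or 1.0
    return (len(unquote(path)) - mu) / sigma

def investigate(log_text, z_threshold=3.0):
    """Forensic pass over a log: keep only the entries that are evidence candidates."""
    evidence = []
    # Lines that do not parse are dropped rather than guessed at.
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, ts, method, path, status, _size = m.groups()
        sigs, z = signature_match(path), anomaly_score(path)
        if sigs or z > z_threshold:
            evidence.append({"ip": ip, "time": ts, "request": f"{method} {path}",
                             "status": int(status), "signatures": sigs,
                             "anomaly_z": round(z, 2)})
    return evidence
```

On the sample log, the traversal entry is caught only by its signature (short request, normal length), the novel probe only by the anomaly score, and the injection by both; an investigator still has to discard the flagged benign request by hand.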
Conclusion

 Available detection techniques, such as web application firewalls and application
intrusion detection systems, have a high accuracy and performance rate for
known assaults, as they rely on signature-based technology and already defined
rules.

 Some additional techniques have also evolved to fight obscure and new assaults.

 In this review, we highlighted web application forensics and web application
honeypots as post-detection techniques. Web application forensics and honeypots
collect a massive amount of data; data mining is applied to this massive data to obtain
the evidence and to carry out the analysis.
Thank you
