
Student: 郭宣皞 (Shuan-Hao Guo)
Thesis title: 利用逐次主成份分析於網頁應用程式安全之異常偵測方法 (Web Application Security: An Anomaly Detection Approach via On-line PCA)
Advisor: 李育杰 (Yuh-Jye Lee)
Committee members: 鮑興國 (Hsing-Kuo Kenneth Pao), 戴碧如 (Bi-Ru Dai), 楊傳凱 (Chuan-Kai Yang)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2009
Academic year of graduation: 97 (ROC calendar)
Language: English
Pages: 57
Keywords (Chinese, translated): web application security; intrusion detection system; misuse detection; anomaly detection; web attacks
Keywords (English): web application security, intrusion detection, misuse detection, anomaly detection, web attacks
Hits: 231; downloads: 2

Abstract (translated from the Chinese):

The rapid growth of the Internet has greatly changed our lives. In recent years, web applications have become extremely popular and have brought many conveniences to our lives, for example in the medical, financial, military and educational fields. As the range of services that web applications provide grows, attacks against them grow correspondingly, and web application vulnerabilities have become a very important part of network security. To detect known web attacks, an intrusion detection system based on misuse detection must store a large body of attack signatures. However, web-related vulnerabilities change daily, and the system administrator must keep updating the attack signatures to keep the intrusion detection system effective, which is difficult to do. Moreover, for a new attack technique there is no signature, so the system cannot defend against it effectively. In addition, web application vulnerabilities are closely tied to the programming errors of the application itself, so different web applications contain different flaws, and producing protective signatures that are both effective and applicable to most web applications is hard to achieve. To overcome this problem, anomaly detection methods learn the normal behaviour of a web application in order to detect new attacks.

Basically, previous research on anomaly detection for web applications has mostly focused on analysing the characteristics of normal web requests and describing them with different features, such as the length of parameter values and the normal character distribution of parameter values. No researcher has proposed a principled way of combining these features. In this thesis we propose an anomaly detection method based on on-line principal component analysis. Ideally, taking into account the detection ability of these features for different parameters lets them be combined in a better way and thereby improves the detection performance of the system. Our method analyses the characteristics of normal web requests automatically, so it can be applied to different web applications without time-consuming additional tuning. We evaluate the performance of the system by computing the detection rate and false positive rate in experiments and confirm that our method effectively improves the ability to detect attacks.


The Internet has grown rapidly and changed our lives greatly. In recent years, web applications have become tremendously popular and are widely developed to provide services in fields such as medicine, finance, the military, and education. As the use of web applications for important services has increased, the number of attacks against them has grown as well.
Web-based vulnerabilities make up a significant portion of the security exposure of computer networks. To detect known web-based attacks, misuse intrusion detection systems are configured with a large number of signatures. Unfortunately, the great number of web-related vulnerabilities disclosed daily makes it hard for system managers to keep the signatures updated, so the system cannot defend against novel attacks. In addition, web-based vulnerabilities usually depend on the programming errors of the specific application. Hence, anomaly intrusion detection systems are introduced to overcome the disadvantages of misuse intrusion detection systems: they learn the normal behavior of the users of the web application so that novel attacks can be detected as well.

Basically, previous research on anomaly detection systems based its detection methodology on analyzing the characteristics of normal requests and describing them with features such as the length of the parameter values, the normal distribution of characters in the parameter values, etc. No prior work proposes a reasonable method to combine these features appropriately. In this thesis, we propose an anomaly detection approach based on On-line PCA. Ideally, using the variance of the features across different parameters allows the system to combine them better and to increase detection effectiveness. The system automatically derives the profiles associated with a web application from the analyzed requests, so it can be deployed in very different web application environments without time-consuming tuning. We evaluate our approach by computing the detection rate and false positive rate of the system and obtain satisfactory results.

Table of contents

1 Introduction (p. 1)
  1.1 Web Application (p. 1)
  1.2 Our main work (p. 3)
  1.3 Organization of Thesis (p. 5)
2 Background knowledge (p. 6)
  2.1 Taxonomy of IDS (p. 6)
  2.2 Hypertext Transfer Protocol (p. 8)
  2.3 Web Application Attacks (p. 9)
    2.3.1 Cross-site Scripting Attacks (p. 9)
    2.3.2 SQL Injection Attacks (p. 11)
    2.3.3 Path Traversal Attacks (p. 12)
    2.3.4 Web Parameter Tampering Attacks (p. 13)
  2.4 Related Work (p. 14)
3 Detection Features (p. 16)
  3.1 Length of Parameter Value (p. 17)
  3.2 First Type of Character Distribution (p. 18)
  3.3 Second Type of Character Distribution (p. 20)
  3.4 Token Finder (p. 22)
  3.5 Parameter Presence or Absence (p. 24)
  3.6 Parameter Order (p. 25)
4 System Framework and On-line PCA (p. 27)
  4.1 Our Proposed Framework (p. 28)
  4.2 Over-sampling Principal Component Analysis Outlier Detection Algorithm (p. 32)
    4.2.1 Principal Component Analysis (p. 32)
    4.2.2 The Influence of an Outlier on Principal Directions (p. 34)
    4.2.3 Over-sampling Principal Component Analysis (p. 35)
    4.2.4 Data Cleaning and On-line Anomaly Detection (p. 37)
5 Experiments (p. 38)
  5.1 Data Descriptions (p. 38)
  5.2 Performance Measures (p. 41)
    5.2.1 Accuracy, TP rate and FP rate (p. 42)
    5.2.2 AUC (p. 43)
  5.3 Experimental Results (p. 43)
    5.3.1 Single Feature (p. 43)
    5.3.2 Combination of Features (p. 46)
6 Conclusions and Future Work (p. 49)
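The abstract and outline above describe per-parameter request features (value length, character distribution) that are combined through an over-sampling PCA outlier score, with a data-cleaning pass over the training requests before on-line detection. The block below is an added illustration written for this page, not code from the thesis: it implements that idea in plain Python on a constructed set of normal parameter values. Oversampling a target instance is done by giving it weight r·n in the covariance, the score is 1 − |cos| between the principal direction of the normal profile and the principal direction after oversampling, and the cleaning pass scores each training value leave-one-out against the others. The three features (length, alphanumeric share, distinct characters), the ratio r = 0.1, the cleaning threshold 0.3, the decision threshold 0.05 and every sample value are assumptions chosen for this example, not the thesis's settings.

```python
import math

# Constructed training sample of normal values for one query parameter
# (e.g. a "user" field), standing in for the normal requests the profile
# would be learned from.  These are example data, not the thesis's data set.
NORMAL_VALUES = ["alice", "bob42", "carol", "dave_1", "erin",
                 "frank7", "grace", "heidi", "ivan22", "judy"]


def extract_features(value):
    """Three assumed per-parameter features: value length, share of
    alphanumeric characters (a coarse character-distribution summary)
    and number of distinct characters."""
    length = len(value)
    alnum = sum(ch.isalnum() for ch in value) / length if length else 1.0
    return [float(length), alnum, float(len(set(value)))]


def fit_scaler(rows):
    """Per-feature mean and standard deviation of the training set, so a
    length and a ratio are compared on the same scale."""
    n, p = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(p)]
    stds = []
    for j in range(p):
        var = sum((r[j] - means[j]) ** 2 for r in rows) / n
        stds.append(math.sqrt(var) if var > 1e-12 else 1.0)  # constant feature: leave unscaled
    return means, stds


def standardize(row, scaler):
    means, stds = scaler
    return [(v - m) / s for v, m, s in zip(row, means, stds)]


def weighted_covariance(points, weights):
    """Covariance in which each point counts `weight` times; oversampling a
    target instance is simply giving it a large weight."""
    total = sum(weights)
    p = len(points[0])
    mean = [sum(w * x[j] for x, w in zip(points, weights)) / total for j in range(p)]
    cov = [[0.0] * p for _ in range(p)]
    for x, w in zip(points, weights):
        d = [x[j] - mean[j] for j in range(p)]
        for i in range(p):
            for j in range(p):
                cov[i][j] += w * d[i] * d[j] / total
    return cov


def principal_direction(cov, iterations=500):
    """First principal direction by power iteration (unit eigenvector of the
    largest eigenvalue).  Its sign is arbitrary, so callers compare |cos|."""
    p = len(cov)
    v = [1.0 + 0.1 * i for i in range(p)]
    for _ in range(iterations):
        w = [sum(cov[i][j] * v[j] for j in range(p)) for i in range(p)]
        norm = math.sqrt(sum(c * c for c in w))
        if norm < 1e-12:
            break  # no variance at all: keep the start vector
        v = [c / norm for c in w]
    norm = math.sqrt(sum(c * c for c in v))
    return [c / norm for c in v]


def outlier_score(profile, x, r=0.1):
    """Over-sampling PCA score: 1 - |cos| between the principal direction of
    the normal profile and the one obtained after adding x with weight r*n."""
    n = len(profile)
    u = principal_direction(weighted_covariance(profile, [1.0] * n))
    u_t = principal_direction(weighted_covariance(profile + [x], [1.0] * n + [r * n]))
    cosine = abs(sum(a * b for a, b in zip(u, u_t)))
    return 1.0 - min(cosine, 1.0)


def cleaning_scores(train_z, r=0.1):
    """Leave-one-out cleaning: score each training instance against the
    profile formed by all the others."""
    return [outlier_score(train_z[:i] + train_z[i + 1:], x, r)
            for i, x in enumerate(train_z)]


def build_profile(values, r=0.1, clean_threshold=0.3):
    """Learn the scaler, drop training values whose cleaning score exceeds
    the (assumed) threshold, and return (scaler, kept_points, scores)."""
    raw = [extract_features(v) for v in values]
    scaler = fit_scaler(raw)
    z = [standardize(row, scaler) for row in raw]
    scores = cleaning_scores(z, r)
    kept = [x for x, s in zip(z, scores) if s <= clean_threshold]
    return scaler, kept, scores


def score_value(profile, value, r=0.1):
    """On-line detection: score one incoming parameter value against the profile."""
    scaler, kept, _ = profile
    return outlier_score(kept, standardize(extract_features(value), scaler), r)


def classify(profile, value, threshold=0.05, r=0.1):
    return score_value(profile, value, r) > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_VALUES)
    for v in ["olivia", "<script>alert(1)</script>"]:
        print(f"{v!r}: score={score_value(profile, v):.3f} anomalous={classify(profile, v)}")
```

With this toy profile, "olivia" lands inside the cloud of normal values and barely moves the principal direction, while the long, punctuation-heavy test string pulls it far off axis and scores an order of magnitude higher. Two caveats the practitioner should take from the exercise: the score scale depends on the oversampling ratio and on the size of the profile, so thresholds must be chosen per parameter on held-out normal traffic rather than copied between deployments; and the leave-one-out cleaning pass gives its highest score to "dave_1", the only training value containing a non-alphanumeric character, which shows how a tight cleaning threshold would prune rare but legitimate values out of the profile and raise the false positive rate later.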
