Please use this identifier to cite or link to this item: http://localhost:8081/jspui/handle/123456789/19517
Full metadata record
DC Field | Value | Language
dc.contributor.author | Kshirsagar, Deepak D. | -
dc.date.accessioned | 2026-03-10T19:16:26Z | -
dc.date.available | 2026-03-10T19:16:26Z | -
dc.date.issued | 2021-07 | -
dc.identifier.uri | http://localhost:8081/jspui/handle/123456789/19517 | -
dc.guide | Kumar, Sandeep | en_US
dc.description.abstract | Securing web applications from various types of attacks has become very challenging for security administrators. Security administrators use web application firewalls, access control mechanisms, and intrusion detection systems to secure network resources and web application components. Hackers intelligently bypass the security strategies implemented by security administrators. An intrusion detection system (IDS) plays a significant role in network security, adding an extra layer of security to protect network components. The rapid growth of artificial intelligence using artificial neural networks (ANN), machine learning (ML), ontology engineering, and natural language processing (NLP) plays a vital role in the domain of web security. With the existence of feature selection algorithms and classifiers, machine learning provides a way to develop intelligent IDS to detect unknown attacks. Ontology is a formal way of representing domain knowledge in which concepts are described by their meaning and their relationships to each other. The ontology describes instances, concepts, relations, and attributes. Ontology is helpful for representing the relationships between different entities. This knowledge is easily understandable to people and machines. The main components of ontology include classes, objects, relations, events, and statements. IDSs are mainly classified into two categories: signature-based and anomaly-based detection mechanisms. Signature-based IDSs analyze network traffic and compare it with predefined pattern-based rules for the detection of attacks. These systems produce a higher detection rate (DR) for known attacks, but they produce a high false alarm rate (FAR) when classifying unknown attacks. On the contrary, anomaly-based IDSs provide higher DR and lower FAR for the classification of unknown attacks. The captured network traffic consists of instances that are associated with a number of features.
The presence of a large number of features in machine learning requires more time to learn the model and increases the load on computing resources such as memory and central processing unit (CPU). It also affects the performance of IDS in terms of accuracy, detection rate, and FAR. Therefore, it is necessary to investigate relevant and irrelevant features from the original feature set. The relevant feature subset is useful to improve the classification or detection performance and reduce the model build-up time. The presence of reasoning capability in the ontology provides higher performance in intrusion detection. The recent studies in the domain of ontology-based IDS provided a partial solution towards the detection of attacks at the application layer that includes Neptune, back, land, Smurf, ping of death, teardrop, HTTP flood, and Low Orbit Ion Cannon (LOIC)-HTTP with lower detection rate. Some studies in the domain of feature selection based IDS using machine and deep learning achieved a higher FAR and lower detection rate for detecting web attacks. Several benchmark datasets became publicly available such as HTTP CSIC 2010, CICIDS 2017, and CICDDoS 2019. The availability of these benchmark datasets has encouraged undertaking more investigations and opening up new areas of applications in web application security. Therefore, intelligent IDS play an essential role in the security mechanism to secure web applications. In this thesis work, we focus on detecting web attacks, namely, SQLi, CRLFi, XSS, DoS, reflected and exploited DDoS with improved detection rate and FAR. We first develop the ontology model based on the HTTP protocol concept and design semantic rules to detect HTTP Response splitting attacks, namely, CRLFi, and XSS. The HTTP protocol ontology model achieved a higher detection rate using semantic rules. The HTTP ontology model is reused and extended to detect HTTP Request smuggling attacks, namely, XSS and SQLi.
The extended ontology model achieved a higher detection rate using developed semantic rules. The availability of recent benchmark datasets in web application security with a number of network traffic features and the latest attacks encouraged more investigations. The number of network traffic features associated with instances results in the curse of dimensionality in web attack detection. Some of the irrelevant attributes affect the performance of IDS. First, we present an ensemble feature selection method using combinations of filter-based feature selection techniques and a threshold mechanism on the feature selection technique to obtain reduced features to detect application-level DoS attacks. The presented threshold mechanism with the filter-based feature selection technique obtained reduced features and achieved higher accuracy and detection rate with the PART classifier. The reduced features are used to develop the ontology model and semantic rules. The DoS attack ontology model achieved a higher detection rate for detecting application-level DoS attacks with the presented semantic rules. Secondly, we present an ensemble feature selection method using combinations of filter-based feature selection techniques to obtain fewer features for developing the ontology model to detect SQLi, XSS, and brute force attacks. The presented ensemble methods obtained reduced features and achieved higher accuracy and detection rate with the J48 classifier. The obtained reduced features are used and the web attack ontology model is developed. The presented web attack ontology model achieved a higher detection rate for the detection of SQLi. Finally, we present feature selection methods to obtain fewer features and an ontology model to detect the modernistic application layer reflected and exploited DDoS attack. The presented ensemble of feature selection techniques with a selection of top percent features obtained reduced features and achieved higher accuracy and detection rate with J48.
The presented DDoS ontology model with developed user-defined semantic rules achieved a higher detection rate for detecting the latest DDoS attack that is not covered in recent literature. Based on the findings of the works presented in the thesis, we conclude that the ontology model developed based on HTTP protocol achieved a higher detection rate with developed user-defined semantic rules for detecting CRLFi, XSS, and SQLi attacks. The presented ensemble of filter-based feature selection techniques with the concept of threshold, top-ranked features, and top-ranked percent features obtained reduced features for detecting DoS, web attack, and DDoS. The results showed that the presented ensemble methods demonstrated better performance compared to the individual techniques. Further, we conclude that ensemble methods using a combination of filter-based feature selection techniques are useful in achieving an improved detection rate with reduced features. The obtained features are used to develop ontology models and user-defined semantic rules and achieved a higher detection rate for detecting web attacks at the application level. | en_US
dc.language.iso | en | en_US
dc.publisher | IIT Roorkee | en_US
dc.title | ONTOLOGY BASED PARADIGM FOR INTRUSION DETECTION IN WEB APPLICATIONS | en_US
dc.type | Thesis | en_US
Appears in Collections: DOCTORAL THESES (CSE)

Files in This Item:
File | Description | Size | Format
DEEPAK D. KSHIRSAGAR.pdf | | 6.09 MB | Adobe PDF

