Publication
Detecting SQL-Injection and Cross-Site Scripting Attacks Using Case-Based Reasoning and SEASALT
Jakob Michael Schoenborn; Klaus-Dieter Althoff
In: Thomas Seidl (Ed.). Lernen, Wissen, Daten, Analysen. GI-Workshop-Tage "Lernen, Wissen, Daten, Analysen" (LWDA-2021), September 1-3, Munich, Germany, CEUR, 2021.
Abstract
Since the internet offers a rising number of services and reachable devices, the amount of criminal activity rises as well. Protective measures such as firewalls and intrusion detection systems are being actively developed. We accompany this development by offering a case-based reasoning approach that detects attacks similar to previously observed attacks (cases), starting with cross-site scripting (XSS) and SQL injection (SQLi). With an instantiation of the SEASALT framework, the foundation for expanding towards further attack vectors, such as authentication testing, can easily be established by adding additional topic agents. Additionally, we propose to distinguish between two different views on network traffic: the request itself, and the traffic overall. The latter enables us to detect timed attacks, e.g., authentication testing by brute-force guessing of login credentials, and to identify clients with a suspiciously large amount of generated traffic. This paper focuses on the request itself to identify XSS and SQLi attacks, two of the most commonly used attack vectors of the last decade according to the Open Web Application Security Project (OWASP). As we store cases containing these attacks in our casebases, we are able to detect similar cases. Depending on the use case, we identified up to 16 relevant attributes, predominantly text attributes. However, the similarity assessment needs improvement to reduce the rate of false positives.
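To make the retrieval step described in the abstract concrete, the following toy detector is an added example and is not code from the paper or from SEASALT. It splits an HTTP query string into one case per parameter, compares each against a small casebase of labelled requests using a weighted sum of local similarities (method, path, parameter name, character-trigram Jaccard on the decoded value), and flags the request when the nearest attack case exceeds a threshold. The four attributes, the local similarity functions, the weights, the threshold and the casebase entries are all assumptions constructed for the illustration; the paper's own attribute set is larger. The last call shows the kind of false positive the abstract refers to: a harmless search term that shares many trigrams with a stored SQLi case.

```python
"""Toy case-based request classifier (added illustration, not the paper's code).

Assumptions not taken from the paper: the four attributes, the local
similarity functions, the weights, the 0.5 threshold and every casebase entry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Case:
    method: str
    path: str
    param: str
    value: str   # URL-decoded parameter value
    label: str   # "sqli", "xss", "benign" or "unknown" for a query


def trigrams(text: str) -> set:
    """Character trigrams of the lower-cased text (whole text if shorter than 3)."""
    t = text.lower()
    return {t[i:i + 3] for i in range(len(t) - 2)} if len(t) >= 3 else {t}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 1.0


def local_similarities(q: Case, c: Case) -> Dict[str, float]:
    """Per-attribute similarities in [0, 1]; the value attribute uses trigram Jaccard."""
    q_segments = set(q.path.strip("/").split("/"))
    c_segments = set(c.path.strip("/").split("/"))
    return {
        "method": 1.0 if q.method == c.method else 0.0,
        "path": jaccard(q_segments, c_segments),
        "param": 1.0 if q.param == c.param else 0.0,
        "value": jaccard(trigrams(q.value), trigrams(c.value)),
    }


# Assumed weights: the text value dominates, as the abstract notes most attributes are text.
WEIGHTS = {"method": 0.1, "path": 0.1, "param": 0.1, "value": 0.7}


def similarity(q: Case, c: Case) -> float:
    sims = local_similarities(q, c)
    return sum(WEIGHTS[k] * sims[k] for k in WEIGHTS)


# Constructed casebase with textbook payloads and one benign request.
CASEBASE: List[Case] = [
    Case("GET", "/login", "user", "' OR '1'='1' --", "sqli"),
    Case("GET", "/search", "q", "1 UNION SELECT username, password FROM users", "sqli"),
    Case("GET", "/search", "q", "<script>alert(1)</script>", "xss"),
    Case("GET", "/profile", "name", "<img src=x onerror=alert(1)>", "xss"),
    Case("GET", "/search", "q", "red running shoes", "benign"),
]


def parse_query(method: str, path: str, raw_query: str) -> List[Case]:
    """One query Case per parameter, with name and value URL-decoded."""
    cases = []
    for pair in raw_query.split("&"):
        if not pair:
            continue
        name, _, raw_value = pair.partition("=")
        cases.append(Case(method, path, unquote_plus(name), unquote_plus(raw_value), "unknown"))
    return cases


def classify(method: str, path: str, raw_query: str,
             threshold: float = 0.5) -> Tuple[str, float, Optional[Case]]:
    """Return (label, score, nearest attack case) for the most suspicious parameter.

    Benign cases never raise an alert; a request whose best attack match stays
    below the threshold is reported as ("benign", 0.0, None).
    """
    best: Tuple[str, float, Optional[Case]] = ("benign", 0.0, None)
    for q in parse_query(method, path, raw_query):
        for c in CASEBASE:
            if c.label == "benign":
                continue
            s = similarity(q, c)
            if s >= threshold and s > best[1]:
                best = (c.label, s, c)
    return best


if __name__ == "__main__":
    # Exact match with a stored SQLi case.
    print(classify("GET", "/login", "user=%27+OR+%271%27%3D%271%27+--"))
    # XSS variant that differs from the stored case only in the alert argument.
    print(classify("GET", "/search", "q=%3Cscript%3Ealert%28%27x%27%29%3C%2Fscript%3E"))
    # Ordinary search: no attack case comes close.
    print(classify("GET", "/search", "q=red+running+shoes"))
    # Harmless search for a help article, flagged as SQLi because of shared
    # trigrams with the stored UNION SELECT case: the false positive the abstract warns about.
    print(classify("GET", "/search", "q=password+from+users"))
```

Because a request to the same endpoint and parameter already scores 0.3 before the value is compared, the threshold of 0.5 is reached with only moderate text overlap; lowering the value weight, adding token-aware attributes (SQL keywords, HTML tags) or keeping benign cases as counter-examples in the retrieval step are the obvious levers for reducing the false-positive rate the abstract mentions.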