Review Article

A Closer Look at Intrusion Detection System for Web Applications

Table 1

Challenges of web IDS.

Characteristics of web application and its traffic | Impact on IDS

Communication protocol (HTTP/HTTPS)
  (i) HTTP communication is carried out in plain text, whereas HTTPS communication is encrypted.
  (ii) NIDS fails to analyze HTTPS traffic, whereas HIDS can handle both HTTP and HTTPS.

Web request
  (i) Web requests carry a variety of parameters.
  (ii) The detection approach depends heavily on the type of the parameter values, e.g.:
      - Business-logic-independent finite values: whitelist approach of SIDS
      - Business-logic-dependent finite values: anomaly-based approach
      - Fixed-format values: anomaly-based approach or whitelist approach of SIDS
      - Application-initialized values: anomaly-based approach
      - Parameters carrying free text: blacklist approach of SIDS

Multiple users with multiple roles
  (i) Web applications support multiple user interactions through sessions and grant access rights based on user role.
  (ii) Stateless IDSs are not efficient enough to recognize attacks on session management and authorization policies.
  (iii) A stateful detection mechanism overcomes this limitation of stateless IDS, since it can track and monitor an individual user session.

Continuous change
  (i) Continuous modifications to the application source code directly affect the efficiency of the IDS.
  (ii) AIDS requires retraining to accommodate the changes.
  (iii) Blacklist-based SIDS is not much affected.

Dynamicity
  (i) A web application consists of static and dynamic web pages.
  (ii) The more dynamic content there is, the more challenging the task is for the IDS.

Heterogeneity
  (i) Web applications can be implemented in different server-side languages.
  (ii) NIDS is independent of the programming language, whereas HIDS can be designed either generically or specifically for a particular language.

Automated requests (bots)
  (i) Scripts can also be designed to issue HTTP requests automatically.
  (ii) SIDS is best suited to detecting scripts designed to automate web-based attacks.
  (iii) AIDS is best suited to detecting scripts designed to mimic human behavior.

AIDS: Anomaly-based Intrusion Detection System. SIDS: Signature-based Intrusion Detection System. NIDS: Network-based IDS. HIDS: Host-based IDS.
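The two rows of Table 1 that most directly shape a detector's design are "Web request" (the check applied to a parameter depends on the kind of value it carries) and "Multiple users with multiple roles" (authorization attacks are only visible to a detector that remembers the session). The following Python sketch, added here as an illustration and not code from the article or from any IDS it surveys, puts both ideas into one small stateful web IDS. The application profile (parameter names, the `/search` and `/admin/users` paths, the role table), the three blacklist signatures and the sample requests are all constructed for the example; a real deployment would learn the profile from the application and carry a far larger signature set.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Per-parameter policy, following the value categories of Table 1:
#   "whitelist" - business-logic-independent finite values (SIDS whitelist)
#   "format"    - fixed-format values (SIDS whitelist expressed as a pattern)
#   "blacklist" - free text, matched against known-bad signatures (SIDS blacklist)
@dataclass(frozen=True)
class ParamPolicy:
    kind: str
    allowed: FrozenSet[str] = frozenset()
    pattern: Optional[re.Pattern] = None

# Hypothetical application profile (constructed for this example).
PROFILE: Dict[str, ParamPolicy] = {
    "sort": ParamPolicy("whitelist", allowed=frozenset({"asc", "desc"})),
    "page": ParamPolicy("format", pattern=re.compile(r"[1-9][0-9]{0,3}")),
    "date": ParamPolicy("format", pattern=re.compile(r"\d{4}-\d{2}-\d{2}")),
    "comment": ParamPolicy("blacklist"),
}

# Illustrative blacklist signatures for free-text parameters (constructed,
# deliberately small; a production blacklist is much larger and tuned).
BLACKLIST = [
    ("sqli_tautology", re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE)),
    ("sqli_comment", re.compile(r"(--|/\*)")),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
]

# Constructed authorization policy: which roles may request which path.
PATH_ROLES: Dict[str, FrozenSet[str]] = {
    "/search": frozenset({"user", "admin"}),
    "/admin/users": frozenset({"admin"}),
}


def check_params(params: Dict[str, str]) -> List[str]:
    """Stateless part: apply the Table 1 per-value-type check to each parameter."""
    alerts: List[str] = []
    for name, value in params.items():
        policy = PROFILE.get(name)
        if policy is None:
            alerts.append(f"unknown_param:{name}")
        elif policy.kind == "whitelist" and value not in policy.allowed:
            alerts.append(f"whitelist_violation:{name}")
        elif policy.kind == "format" and not policy.pattern.fullmatch(value):
            alerts.append(f"format_violation:{name}")
        elif policy.kind == "blacklist":
            alerts.extend(f"{sig_name}:{name}"
                          for sig_name, sig in BLACKLIST if sig.search(value))
    return alerts


class StatefulWebIDS:
    """Stateful part: remember each session's role and flag authorization misuse.

    In a real deployment the role would be learned by observing the application's
    login exchange; here the harness reports it via on_login() (an assumption).
    """

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}   # session id -> role

    def on_login(self, session_id: str, role: str) -> None:
        self.sessions[session_id] = role

    def inspect(self, session_id: str, path: str, params: Dict[str, str]) -> List[str]:
        alerts = check_params(params)
        role = self.sessions.get(session_id)
        permitted = PATH_ROLES.get(path)
        if permitted is None:
            alerts.append(f"unknown_path:{path}")
        elif role is None:
            alerts.append("no_session")            # request outside any tracked session
        elif role not in permitted:
            alerts.append(f"authz_violation:{role}->{path}")
        return alerts


if __name__ == "__main__":
    ids = StatefulWebIDS()
    ids.on_login("s1", "user")
    ids.on_login("s2", "admin")
    # Constructed sample requests, one per check.
    for sid, path, params in [
        ("s1", "/search", {"sort": "asc", "page": "2"}),
        ("s1", "/search", {"sort": "asc; x", "page": "0"}),
        ("s1", "/search", {"comment": "x' or '1'='1"}),
        ("s1", "/admin/users", {}),
        ("s2", "/admin/users", {}),
        ("s9", "/search", {}),
    ]:
        print(sid, path, params, "->", ids.inspect(sid, path, params) or "clean")
```

The stateless `check_params` alone would pass the `/admin/users` request from session `s1` without comment; only the session table makes the role-to-path mismatch visible, which is the point of row "Multiple users with multiple roles" (iii). Note also that the format and whitelist checks produce no false negatives for values outside the profile, while the blacklist is only as good as its signatures, which is why Table 1 reserves it for free-text parameters.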