|
| IDS | Contributions |
|
| Almgren et al., 2000 [29] | Presented a module-based SIDS. |
| Kruegel and Giovanni, 2003 [26] | Proposed AIDS exclusively for monitoring web application.
Used statistical modeling techniques to profile features of request parameters. |
| Vigna et al., 2003 [27] | Proposed WebSTAT- an SIDS which is based on the STAT framework.
Specified attack scenarios in terms of states and transitions. |
| Ryotov et al., 2003 [30] | Integrated Access Control module to IDS
Proposed Generic Authorization and Access-control API (GAA-API) to identify an unauthorized operation |
| Tombini et al., 2004 [17] | Proposed HIDS by combining anomaly and misuse detection approach.
Categorized the requests into 3 classes, namely safe, intrusive and unknown class. |
| Kruegel et al., 2005 [22] | Extended the work presented in [26] by providing three additional features to profile the relationship between requests. |
| Robertson et al., 2006) [31] | Overcame the limitation of AIDS approaches of insufficiency in providing attack description
Used generalization technique and regular expressions to group anomalies and infer attack classes respectively. |
| Valeur et al., 2006 [32] | Proposed the concept of data compartmentalization to reduce false positives in AIDS.
User requests are handled based on their anomaly scores. |
| Adeva and Atxa, 2007) [33] | Proposed text mining based SIDS.
Automated the process of signature creation using text categorization. |
| Cova et al., 2007 [28] | Proposed characterization of the internal state of the web application to detect anomalies.
Used both multivariate and univariate models for profiling. |
| Ingham et. al., 2007 [34] | DFA modeling has been used in anomaly detection method
Applied several heuristics measures to anomalous requests to reduce false positives. |
| Dussel et al., 2008 [35] | Incorporated the concept of HTTP protocol into anomaly detection technique.
Adopted one-class support vector machine (OC-SVM) to build the AIDS. |
| Park et al., 2008 [36] | Used Needleman-Wunsch algorithm [37] from bioinformatics to build the AIDS. |
| Maggi et al., 2009 [38] | Proposed AIDS that deals with continuous changes in a web application.
Used HTTP Response data to detect changes. |
| Vigna et al., 2009 [39] | Integrated web-based and database-based anomaly detection systems |
| Song et al., 2009 [40] | Proposed factorized n-gram Markov technique based AIDS that reduces the complexity in n-gram method. |
| Corona et al.,2009 [41] | Used Hidden Markov technique to build AIDS.
Explicitly dealt with noise in training data. |
| Razzaq et al., 2009 [42] | The Bayesian filter is applied to ontology system to mitigate web application attacks. |
| Kruegel et al., 2010 [43] | Presented several healing strategies to recover malicious requests.
Replaced suspicious section in a request with benign data on the basis of previously trained anomaly detectors. |
| Corona et al., 2010 [44] | Extended the work proposed in the study [41] by using statistical models along with HMM model to enhance detection efficiency.
Used clustering technique to identify anomalies. |
| Lin et al., 2010 [45] | Performed comparative analysis on two promiscuous anomaly-based detection algorithms, namely DFA and N-grams in terms of effectiveness and efficiency |
| Lampesberger et al., 2011 [46] | Addressed the tendency of continuous changes in web application
Introduced transductive on-line strategy to train AIDS. |
| Ludinard et al., 2012 [23] | Proposed invariant based anomaly detection model.
Focused on monitoring of violations of the internal state of application |
| Lee et al., 2012 [47] | Used container-based architecture in AIDS.
Mapped HTTP requests to database queries. |
| Wressnegger et al., 2013 [48] | Performed comparative analysis on two learning schemes, namely classification and anomaly detection.
Also defined criteria for selecting the appropriate scheme. |
| Alazab et al., 2014 [16] | Built IIDPS by embedding SIDS with AIDS.
Proposed active response strategy using fuzzy logic
Used DREAD model to assess the risk associated with alerts. |
| Razzaq et al., 2014 [49] | Proposed semantic-based approach that uses ontologies to detect web-based attacks
Provided protocol-based and attack-based ontology model |
| Razzaq et al., 2014 [50] | Suggested how ontology-engineering practices could be applied to design ontology-based systems. |
| Duessel et al., 2016 [51] | Modelled context-aware anomaly detection system by using cn-gram method. |
| Marek Zachara, 2016 [52] | Proposed HIDS and used weighted-graph as an anomaly method.
Misuse detection component uses attack patterns provided by different websites contributing to the detection process. |
|
