| IDS | Contributions |
|---|---|
| Almgren et al., 2000 [29] | Presented a module-based SIDS. |
| Kruegel and Giovanni, 2003 [26] | Proposed an AIDS exclusively for monitoring web applications. Used statistical modeling techniques to profile features of request parameters. |
| Vigna et al., 2003 [27] | Proposed WebSTAT, an SIDS based on the STAT framework. Specified attack scenarios in terms of states and transitions. |
| Ryutov et al., 2003 [30] | Integrated an access-control module into the IDS. Proposed the Generic Authorization and Access-control API (GAA-API) to identify unauthorized operations. |
| Tombini et al., 2004 [17] | Proposed a HIDS by combining the anomaly and misuse detection approaches. Categorized requests into three classes, namely safe, intrusive and unknown. |
| Kruegel et al., 2005 [22] | Extended the work presented in [26] by providing three additional features to profile the relationship between requests. |
| Robertson et al., 2006 [31] | Addressed the limitation of AIDS approaches in providing attack descriptions. Used a generalization technique to group anomalies and regular expressions to infer attack classes. |
| Valeur et al., 2006 [32] | Proposed the concept of data compartmentalization to reduce false positives in AIDS. User requests are handled based on their anomaly scores. |
| Adeva and Atxa, 2007 [33] | Proposed a text-mining-based SIDS. Automated the process of signature creation using text categorization. |
| Cova et al., 2007 [28] | Proposed characterizing the internal state of the web application to detect anomalies. Used both multivariate and univariate models for profiling. |
| Ingham et al., 2007 [34] | Used DFA modeling as the anomaly detection method. Applied several heuristic measures to anomalous requests to reduce false positives. |
| Dussel et al., 2008 [35] | Incorporated HTTP protocol context into the anomaly detection technique. Adopted a one-class support vector machine (OC-SVM) to build the AIDS. |
| Park et al., 2008 [36] | Used the Needleman-Wunsch algorithm [37] from bioinformatics to build the AIDS. |
| Maggi et al., 2009 [38] | Proposed an AIDS that deals with continuous changes in a web application. Used HTTP response data to detect changes. |
| Vigna et al., 2009 [39] | Integrated web-based and database-based anomaly detection systems. |
| Song et al., 2009 [40] | Proposed a factorized n-gram Markov technique for AIDS that reduces the complexity of the n-gram method. |
| Corona et al., 2009 [41] | Used a hidden Markov model (HMM) to build the AIDS. Explicitly dealt with noise in the training data. |
| Razzaq et al., 2009 [42] | Applied a Bayesian filter to an ontology system to mitigate web application attacks. |
| Kruegel et al., 2010 [43] | Presented several healing strategies to recover malicious requests. Replaced suspicious sections of a request with benign data on the basis of previously trained anomaly detectors. |
| Corona et al., 2010 [44] | Extended the work proposed in [41] by using statistical models along with the HMM to enhance detection efficiency. Used a clustering technique to identify anomalies. |
| Lin et al., 2010 [45] | Performed a comparative analysis of two promiscuous anomaly-based detection algorithms, namely DFA and n-grams, in terms of effectiveness and efficiency. |
| Lampesberger et al., 2011 [46] | Addressed the tendency of web applications to change continuously. Introduced a transductive on-line strategy to train the AIDS. |
| Ludinard et al., 2012 [23] | Proposed an invariant-based anomaly detection model. Focused on monitoring violations of the application's internal state. |
| Lee et al., 2012 [47] | Used a container-based architecture in the AIDS. Mapped HTTP requests to database queries. |
| Wressnegger et al., 2013 [48] | Performed a comparative analysis of two learning schemes, namely classification and anomaly detection. Also defined criteria for selecting the appropriate scheme. |
| Alazab et al., 2014 [16] | Built an IIDPS by embedding SIDS with AIDS. Proposed an active response strategy using fuzzy logic. Used the DREAD model to assess the risk associated with alerts. |
| Razzaq et al., 2014 [49] | Proposed a semantic-based approach that uses ontologies to detect web-based attacks. Provided protocol-based and attack-based ontology models. |
| Razzaq et al., 2014 [50] | Suggested how ontology-engineering practices could be applied to design ontology-based systems. |
| Duessel et al., 2016 [51] | Modelled a context-aware anomaly detection system using the cn-gram method. |
| Marek Zachara, 2016 [52] | Proposed a HIDS using a weighted graph as the anomaly detection method. The misuse detection component uses attack patterns provided by different websites contributing to the detection process. |