Detection Of Probing Attacks In SWAF

Abstract

Probing is the major issue in web application security but there does not exit reasonable progress to detect probing before the actual attack is launched. The key challenge is to identify attacker’s probing process for gathering information of vulnerabilities in Web application and take appropriate actions quickly before attackers exploit them. In this research work, we propose a methodology to detect probing; it is currently implemented as a part of SWAF (Semantic Based Web Applications Firewall) project. It assists SWAF to detect probing before an attacker is able to exploit vulnerabilities. Most of the vulnerabilities are discovered as a result of trial and error by the attacker. We make it possible to detect probing by using three techniques viz. XML rules, SWAF log and application profiling (together comes under threshold learning) and carrying out behavioral analysis of the attackers traffic to detect and block them. The proposed methodology increases the detection rate of SWAF and considerably decreases the attack ratio. As a part of this work we have also evaluated the performance of SWAF with probing detection technique using most popular scanners. Evaluation results confirm the effectiveness of proposed approach as it detects scanners with high detection rate.