Web-based Intrusion Detection

Research on the detection of web-based attacks


Web-based systems are a composition of infrastructure components, such as web servers and databases, and of application-specific code, such as HTML-embedded scripts and server-side applications. While the infrastructure components are usually developed by experienced programmers with solid security skills, the application-specific code is often developed under strict time constraints by programmers with little security training. As a result, vulnerable web-applications are deployed and made available to the whole Internet, creating easily-exploitable entry points for the compromise of entire networks. Existing prevention systems are often insufficient to protect this class of applications, because the security mechanisms provided are either not well-understood or simply disabled by the web developers "to get the job done.'' Therefore, prevention mechanisms should be complemented by intrusion detection systems, which are able to identify attacks and provide early warning about suspicious activities. Our initial research focused on the use of stateful misuse-based intrusion detection systems to detect complex attacks whose evidence was scattered across different event stream. However, web-based applications often implement custom, site-specific services for which there is no known signature. Therefore, signature-based detection systems should work side-to-side with anomaly detection systems. Our second line of research was the development of a multi-model, web-based anomaly detection system that learns the normal usage profiles associated with web-based applications and identify attacks as anomalous deviations from the established profiles.


2006 (2 publications)

An Anomaly-driven Reverse Proxy for Web Applications F. Valeur, G. Vigna, C. Kruegel, E. Kirda Proceedings of the ACM Symposium on Applied Computing (SAC 2006)

Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks W. Robertson, G. Vigna, C. Kruegel, R. Kemmerer Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS 2006)

2005 (2 publications)

A Multi-model Approach to the Detection of Web-based Attacks C. Kruegel, G. Vigna, W. Robertson Computer Networks, 2005, vol. 48, no.5 BibTeX

A Learning-Based Approach to the Detection of SQL Attacks F. Valeur, D. Mutz, G. Vigna Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2005) BibTeX

2003 (2 publications)

A Stateful Intrusion Detection System for World-Wide Web Servers G. Vigna, W. Robertson, V. Kher, R. Kemmerer Proceedings of the Annual Computer Security Applications Conference (ACSAC 2003) BibTeX

Anomaly Detection of Web-based Attacks C. Kruegel, G. Vigna Proceedings of the ACM Conference on Computer and Communications Security (CCS 2003) BibTeX

Research topics

People involved


Post-doctoral Researchers

PhD Students


Last update
May 24, 2011, 11:11 a.m.