Swaddler: An approach for the anomaly-based detection of state violations in web applications

Download: PDF.

“Swaddler: An approach for the anomaly-based detection of state violations in web applications” by Marco Cova, Davide Balzarotti, Viktoria Felmetsger, and Giovanni Vigna. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), (Queensland, Australia), September 5-7, 2007, pp. 63-86.

Abstract

In recent years, web applications have become tremendously popular, and nowadays they are routinely used in security-critical environments, such as medical, financial, and military systems. As the use of web applications for critical services has increased, the number and sophistication of attacks against these applications have grown as well. Most approaches to the detection of web-based attacks analyze the interaction of a web application with its clients and back-end servers. Even though these approaches can effectively detect and block a number of attacks, there are attacks that cannot be detected only by looking at the external behavior of a web application.

In this paper, we present Swaddler, a novel approach to the anomaly-based detection of attacks against web applications. Swaddler analyzes the internal state of a web application and learns the relationships between the application's critical execution points and the application's internal state. By doing this, Swaddler is able to identify attacks that attempt to bring an application into an inconsistent, anomalous state, such as violations of the intended workflow of a web application. We developed a prototype of our approach for the PHP language and we evaluated it with respect to several real-world applications.


BibTeX entry:

@inproceedings{CovaBFV2007,
   author = {Marco Cova and Davide Balzarotti and Viktoria Felmetsger and
             Giovanni Vigna},
   title = {Swaddler: An approach for the anomaly-based detection of state
            violations in web applications},
   booktitle = {Proceedings of the 10th International Symposium on Recent
                Advances in Intrusion Detection (RAID)},
   pages = {63--86},
   address = {Queensland, Australia},
   month = {September~5--7},
   year = {2007}
}
