Master Thesis - Past Projects - Abstract

Intrusion Detection for Web Services

ID: LiTH-IDA-EX-05/058--SE

Services and applications residing on web or application servers, often referred to as Web services, are often used in business environments, carrying out transactions worth countless money. This makes these applications and services very attractive as targets for an attack. This thesis focuses on creating a framework that protects against Web service and Web based attacks. The services this framework protects are created out of a wide variety of technologies. Furthermore, the services provide both anonymous and authenticated user access. The biggest concern for the services is data theft since they all rely on the same database. It is hard to protect against attacks targeted at Web services since they rely on a transport layer protocol for communication and this enables them to penetrate firewalls. In order to secure Web service traffic adequately the firewall would have to inspect every incoming request. The resulting framework is capable of tracking the usage for each service and detecting abusive behaviour for both Web services and servlet based services. In order to inspect incoming request the framework relies on invocation handlers for Web services and servlet filters for servlet based services. As detection mechanism a rule based approach with regular expressions is used for detecting abnormal URI input, while abnormal service usage is detected by creating a user usage profile and comparing it with thresholds representing normal usage. The framework was tested in three ways: With a performance test measuring the overhead execution time added by the framework to each request. With two scenarios validating the abnormal usage part of the framework. By running a client to execute a series of abnormal URI inputs and validating that the rule set works correctly.

Keywords:

Author(s): Christofer Wallán

Contact: Simin Nadjm-Tehrani