[26 May 2014] A bachelor student at RTSLAB was awarded the best thesis
award from IDA - Simon Andersson. more ...
[31 May 2012] A masters student at RTSLAB was awarded the best thesis
award from IDA - Ulf Magnusson. more ...
[27 February 2008] A masters student at RTSLAB was awarded the best thesis
award from IDA - Johan Sigholm. more ...
[03 March 2004] A masters student at RTSLAB was awarded the best thesis
award from IDA - Tobias Chyssler. more ...
[01 Jul 2003] For second year in a row a masters student at RTSLAB was awarded the best thesis
award from SNART - Mehdi Amirijoo. more ...
Master Thesis - Past Projects - Abstract
Intrusion Detection for Web Services
Services and applications residing on web or application servers,
often referred to as Web services, are often used in business
environments, carrying out transactions worth countless money. This
makes these applications and services very attractive as targets for
This thesis focuses on creating a framework that protects against Web
service and Web based attacks. The services this framework protects
are created out of a wide variety of technologies. Furthermore, the
services provide both anonymous and authenticated user access. The
biggest concern for the services is data theft since they all rely on
the same database.
It is hard to protect against attacks targeted at Web services since
they rely on a transport layer protocol for communication and this
enables them to penetrate firewalls. In order to secure Web service
traffic adequately the firewall would have to inspect every incoming
The resulting framework is capable of tracking the usage for each
service and detecting abusive behaviour for both Web services and
servlet based services. In order to inspect incoming request the
framework relies on invocation handlers for Web services and servlet
filters for servlet based services. As detection mechanism a rule
based approach with regular expressions is used for detecting abnormal
URI input, while abnormal service usage is detected by creating a user
usage profile and comparing it with thresholds representing normal
The framework was tested in three ways:
With a performance test measuring the overhead execution time
added by the framework to each request.
With two scenarios validating the abnormal usage part of the
By running a client to execute a series of abnormal URI inputs
and validating that the rule set works correctly.
Author(s): Christofer Wallán
Contact: Simin Nadjm-Tehrani
Click here to return.