Rules Based Analysis Engine for Application Layer IDS

Web application attack volume, complexity, and costs have risen as people, companies, and entire industries move online. Solutions implemented to defend web applications against malicious activity have traditionally been implemented at the network or host layer. While this is helpful for detecting s...


Bibliographic Details
Main Author: Scrobonia, David
Format: Others
Published: DigitalCommons@CalPoly 2017
Subjects:
Online Access: https://digitalcommons.calpoly.edu/theses/1773
https://digitalcommons.calpoly.edu/cgi/viewcontent.cgi?article=2954&context=theses
id ndltd-CALPOLY-oai-digitalcommons.calpoly.edu-theses-2954
record_format oai_dc
spelling ndltd-CALPOLY-oai-digitalcommons.calpoly.edu-theses-2954 2021-09-14T05:01:36Z Rules Based Analysis Engine for Application Layer IDS Scrobonia, David Web application attack volume, complexity, and costs have risen as people, companies, and entire industries move online. Solutions implemented to defend web applications against malicious activity have traditionally been implemented at the network or host layer. While this is helpful for detecting some attacks, it does not provide the granularity to see malicious behavior occurring at the application layer. The AppSensor project, an application level intrusion detection system (IDS), is an example of a tool that operates in this layer. AppSensor monitors users within the application by observing activity in suspicious areas not able to be seen by traditional network layer tools. This thesis aims to improve the state of web application security by supporting the development of the AppSensor project. Specifically, this thesis entails contributing a rules-based analysis engine to provide a new method for determining whether suspicious activity constitutes an attack. The rules-based method aggregates information from multiple sources into a logical rule to identify malicious activity, as opposed to relying on a single source of information. The rules-based analysis engine is designed to offer more flexible configuration for administrators and more accurate results than the incumbent analysis engine. Tests indicate that the new engine should not hamper the performance of AppSensor and use cases highlight how rules can be leveraged for more accurate results. 2017-05-01T07:00:00Z text application/pdf https://digitalcommons.calpoly.edu/theses/1773 https://digitalcommons.calpoly.edu/cgi/viewcontent.cgi?article=2954&context=theses Master's Theses DigitalCommons@CalPoly web application security security intrusion detection system appsensor rule engine owasp Digital Communications and Networking
collection NDLTD
format Others
sources NDLTD
topic web application security
security
intrusion detection system
appsensor
rule engine
owasp
Digital Communications and Networking
description Web application attack volume, complexity, and costs have risen as people, companies, and entire industries move online. Solutions implemented to defend web applications against malicious activity have traditionally been implemented at the network or host layer. While this is helpful for detecting some attacks, it does not provide the granularity to see malicious behavior occurring at the application layer. The AppSensor project, an application level intrusion detection system (IDS), is an example of a tool that operates in this layer. AppSensor monitors users within the application by observing activity in suspicious areas not able to be seen by traditional network layer tools. This thesis aims to improve the state of web application security by supporting the development of the AppSensor project. Specifically, this thesis entails contributing a rules-based analysis engine to provide a new method for determining whether suspicious activity constitutes an attack. The rules-based method aggregates information from multiple sources into a logical rule to identify malicious activity, as opposed to relying on a single source of information. The rules-based analysis engine is designed to offer more flexible configuration for administrators and more accurate results than the incumbent analysis engine. Tests indicate that the new engine should not hamper the performance of AppSensor and use cases highlight how rules can be leveraged for more accurate results.
author Scrobonia, David
title Rules Based Analysis Engine for Application Layer IDS
publisher DigitalCommons@CalPoly
publishDate 2017
url https://digitalcommons.calpoly.edu/theses/1773
https://digitalcommons.calpoly.edu/cgi/viewcontent.cgi?article=2954&context=theses
work_keys_str_mv AT scroboniadavid rulesbasedanalysisengineforapplicationlayerids
_version_ 1719480506799620096