Sphinx: An Anomaly-based Web Intrusion Detection System presented at BlackHatDC 2007

by Emmanuele Zambon, Damiano Bolzoni,

URL : https://www.blackhat.com/presentations/bh-usa-07/Bolzani_and_Zambon/Presenatation/bh-usa-07-bolzani_and_zambon.pdf

Summary : We present Sphinx, a new fully anomaly-based Web Intrusion Detection Systems (WIDS). Sphinx has been implemented as an Apache module (like ModSecurity, the most deployed Web Application Firewall), therefore can deal with SSL and POST data. Our system uses different techniques at the same time to improve detection and false positive rates. Being anomaly-based, Sphinx needs a training phase before the real detection could start: during the training, Sphinx learns automatically the type of each parameter inside user requests and applies the most suitable model to detect attacks. We define 3 basic types: numerical, short and long texts. The idea behind this is that, e.g., if we observe only integer values and later some text, that is likely to be an attack (e.g. SQL Injection or XSS).
For numerical parameters, a type checker is applied. For short texts (text with fixed length or slight variations), Sphinx uses a grammar checker: grammars are built observing the parameter content (during the training phase) and then used to check the similarity of new content during detection. Long texts are typically e-mail/forum messages, which change often their length and would produce infeasible grammars. For this kind of content we use a modified version of our NIDS POSEIDON, using n-gram analysis.
Furthermore, Sphinx can actively support the deployment of WAFs like ModSecurity: e.g. if we are deploying an ad hoc web application, most probably we need to spend a lot of time on writing signatures (or when 3rd parties software is used). Once Sphinx accomplishes the training phase, it can automatically generates ModSecurity-style signatures for numerical and (some) short-text parameters, making the deployment much easier.