Sphinx: An Anomaly-Based Web Intrusion Detection System presented at Blackhat USA 2007

by Emmanuele Zambon,

Tags: Security Web

Summary : We present Sphinx, a new fully
anomaly-based Web Intrusion Detection Systems (WIDS). Sphinx has been
implemented as an Apache module (like ModSecurity, the most deployed Web
Application Firewall), therefore can deal with SSL and POST data. Our
system uses different techniques at the same time to improve detection
and false positive rates. Being anomaly-based, Sphinx needs a training
phase before the real detection could start: during the training, Sphinx
“learns” automatically the type of each parameter inside user requests
and applies the most suitable model to detect attacks. We define 3 basic
types: numerical, short and long texts. The idea behind this is that,
e.g., if we observe only integer values and later some text, that is
likely to be an attack (e.g. SQL Injection or XSS).