کشف الگوهای قانون رابطه فازی و افزایش تجزیه و تحلیل حساسیت از حمله های مرتبط با XML

Most active research in Host and Network-based Intrusion Detection (ID) and Intrusion Prevention (IP) systems are only able to detect and prevent attacks of the computer systems and attacks at the Network Layer. They are not adequate to countermeasure XML-related attacks. Furthermore, although research have been conducted to countermeasure Web application attacks, they are still not adequate in countering SOAP or XML-based attacks. In this paper, a predictive fuzzy association rule model aimed at segregating known attack patterns (such as SQL injection, buffer overflow and SOAP oversized payload) and anomalies is developed. First, inputs are validated using business policies. The validated input is then fed into our fuzzy association rule model (FARM). Consequently, 20 fuzzy association rule patterns matching input attributes with 3 decision outcomes are discovered with at least 99% confidence. These fuzzy association rule patterns will enable the identification of frequently occurring features, useful to the security administrator in prioritizing which feature to focus on in the future, hence addressing the features selection problem. Data simulated using a Web service e-commerce application are collected and tested on our model. Our model's detection or prediction rate is close to 100% and false alarm rate is less than 1%. Compared to other classifiers, our model's classification accuracy using random forests achieves the best results with RMSE close to 0.02 and time to build the model within 0.02 s for each data set with sample size of more than 600 instances. Thus, our novel fuzzy association rule model significantly provides a viable added layer of security protection for Web service and Business Intelligence-based applications.

Both the Internet and eXtensible Markup Language (XML)-based Web Services (WS) have revolutionized the Information Technology (IT) industry due to their many attractive features such as platform independence, interoperability, ease of use and ability to transport huge amount of information over the World Wide Web. Thus, more and more software applications, especially Business Intelligence (BI) or e-commerce applications are built on the Internet-enabled Web Service (WS) platform. Consequently, the Application Layer is open to various types of threats such as Structured Query Language (SQL) injection, XML injection, XML content and parameter tampering, Simple Object Access Protocol (SOAP) oversized payload, coercive parsing, and recursive payload leading to XML Denial-of-Service (DoS) attack. WS-Security, an important specification addressing the security needs of WS applications exists, but it is still not 100% dependable. WS-Security is used to preserve the integrity, confidentiality and availability of a WS system, but it does not define any direct countermeasures for DoS attacks. Moreover, according to Jensen et al. (2009), DoS attacks on WS can be conducted with much less resource effort than against non-WS systems. Furthermore, XML Encryption can mask message content from being inspected. Thus, although using WS-Security on WS provides confidentiality to sensible data, the encrypted content can still conceal attacks such as oversized payload, coercive parsing or XML injection. Jensen et al. (2009) therefore, suggest using schema validation as a countermeasure. However, this will incur heavy CPU load and memory consumption as the system is tied up during XML and cryptographic processing for message decryption. Hence, to address this security problem, there is a dire need to have an added layer of protection at the Application Layer especially for WS-based e-commerce applications. 1.1. Motivation Over the past decades, active research in Host and Network-based Intrusion Detection (ID) and Intrusion Prevention (IP) systems are only able to detect and prevent attacks of the computer systems and attacks at the Network Layer. They are not adequate to countermeasure XML-related attacks mentioned above. Furthermore, although research have been conducted to countermeasure Web application attacks, they are still not adequate in countering SOAP or XML-based attacks. For example, Ye (2008) has designed a scheme to authenticate and validate a service request when the system is suspicious of being under XML DoS attack. However, their experiments show that the time taken to authenticate and validate SOAP messages increases as the SOAP size increases. This is due to the fact that more time is taken for the system to digest and decrypt larger SOAP messages; similar to the constraints of schema validation mentioned in Jensen et al. (2009). In another study by Thakar et al. (2010), requests for Web service are simulated on honey-pots and the support vector machine-based semi-supervised classifier used is able to intercept SOAP request to identify, for example, SQL injection and XML DoS attacks only.

SOAP and XML-related attacks do exist at the Application Layer. In this study, by validating User ID, password, service request's input values, input size and SOAP size to form associative patterns and then matching these patterns with interesting rules obtained from a predictive fuzzy association rule mining (FARM) model, has enabled the detection, prevention and prediction of signature-based and anomaly-based SOAP and XML-related attacks. In this model, fuzzy logic is used to categorize the SOAP size as in normal range, greatly or extremely oversized or undersized. This has further strengthened the predictive capability of the model. An extremely out-of-range SOAP message has a high chance of it being a coercive parsing or recursive payload attack, hence predictive of XML DoS attacks. On the other hand, an extremely undersized SOAP message has a high chance that its content is being tampered with. Subsequently, this leads to the prediction of other attacks or discovery of new attacks. Furthermore, by restricting the inputs using business policies has further strengthened the model to be able to detect and prevent existing known attacks such as SQL injection, buffer overflow, XSS attacks and CDATA attacks; predict and prevent XML DoS caused by coercive parsing, recursive payload; and discovery of new or unknown to existing XML content tampering attacks or anomalies. Additionally, through a series of sensitivity and extensibility analysis conducted on the various simulated datasets exhibiting fuzzy associative patterns among the validated attributes using the Apriori algorithm to generate and prune the rules, the model has discovered 20 interesting rules with at least 99% confidence. Identifying meaningful associative patterns and subsequently matching each transaction to the relevant pattern helps to segregate the existing attack signatures and unknown anomalies from the normal. By segregating the known attack signatures and anomalies from the normal using FARM has enabled the identification of frequently occurring features from the set of interesting rules. This in turn helps the security administrator to prioritize which feature to focus on in the future thus addressing the features selection problem. Consequently, the model is able to detect, prevent and predict both the signature-based and anomaly-based SOAP and XML-related attacks. Moreover, the small error measure of close to zero obtained from various classifers such as multilayer perceptron, Naïve Bayes and decision table has further affirmed the classification accuracy using random forests to be close to 100%. This thus gives rise to the detection or prediction rate of close to 100% and a false alarm rate of less than 1%. Most significantly, our novel and predictive model, has provided a viable added layer of security protection at the Application Layer to counter known and unknown SOAP and XML-related attacks for WS and BI-based applications. Future work is to make use of real-world Web service-based BI applications to capture the normal and attack data for further optimum evaluation of the model, besides detection and false alarm rates for effectiveness, and on ‘time’ performance for efficiency.