Design and Implementation of the Web Application Intrusion Prevention System
Abstract
The recent rapid growth of Web applications has given rise to many Web application security problems. The international industry research firm Gartner Group also notes that 75 percent of all attacks occur at the application layer (OSI Application layer) and that three quarters of commercial websites are vulnerable, yet traditional network security devices (such as intrusion detection systems and firewalls) cannot effectively prevent application-layer attacks. In view of this, this paper extends the principle of the finite state machine and integrates a stateful session inspection mechanism to propose a Web Intrusion Prevention System (WIPS) that addresses the security problems caused by Web applications. WIPS also combines the advantages of the positive approach and the negative approach to prevent Web attacks. The system has been designed and implemented on a development platform consisting of an Intel network processor running MontaVista Linux. Measurements of functionality and performance show that WIPS can block Web attacks effectively and quickly, establishing a highly secure Web application environment that protects the property of enterprises and legitimate users.

Web application portals with the single sign-on (SSO) feature provide an integrated e-business solution, so that web applications become an essential building block for business operations. A Gartner Group report indicates that 75% of malicious attacks target the application layer and that three out of four business Web sites are vulnerable to application-level attacks. Therefore, traditional security devices (such as firewalls and intrusion detection systems) are no longer able to protect web-based applications. Implementing a solid web application security protection shield is top of mind for security researchers. Extending finite state machine theory and coupling it with stateful session inspection, we propose the Web Intrusion Prevention System (WIPS) to solve the web application security issues listed in the OWASP Top Ten project. WIPS works as the last line of defense, separating web browsers from web servers by examining network traffic, maintaining every session's state information and allowing only the specific web behaviors defined by the web finite state machine to pass through. With embedded Snort capability, WIPS also provides negative security models to resist lower-layer attacks. A WIPS prototype has been implemented on an Intel Network Processor (IXP425) running MontaVista Linux. In our study, the functionality and performance have been assessed to show that WIPS provides a key answer for advancing the state of the art in web application security in a realistic environment.
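A minimal sketch of the approach the abstract describes: a per-session finite state machine as the positive model, with a signature check as the negative model. This is an added example, not code from the paper or the WIPS prototype; the states, paths, signature patterns and the names `SessionInspector` and `replay` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Positive model (hypothetical application): state -> {(method, path): next state}.
# Any request without a transition from the session's current state is denied.
TRANSITIONS = {
    "START": {("GET", "/login"): "LOGIN_FORM"},
    "LOGIN_FORM": {("GET", "/login"): "LOGIN_FORM", ("POST", "/login"): "AUTHED"},
    "AUTHED": {("GET", "/cart"): "CART", ("GET", "/logout"): "START"},
    "CART": {("GET", "/cart"): "CART", ("POST", "/checkout"): "AUTHED",
             ("GET", "/logout"): "START"},
}

# Negative model: a few illustrative patterns standing in for a real rule set.
SIGNATURES = [re.compile(p, re.I)
              for p in (r"<script\b", r"\bunion\b.+\bselect\b", r"\.\./")]


class SessionInspector:
    def __init__(self):
        self.sessions = {}  # session id -> current FSM state

    def inspect(self, session_id, method, path, body=""):
        """Return (allowed, detail); state advances only on allowed requests."""
        payload = unquote_plus(path + " " + body)  # decode before matching
        for sig in SIGNATURES:
            if sig.search(payload):
                return False, "signature " + sig.pattern
        state = self.sessions.get(session_id, "START")
        target = path.partition("?")[0]
        nxt = TRANSITIONS[state].get((method.upper(), target))
        if nxt is None:
            return False, "no transition from " + state
        self.sessions[session_id] = nxt
        return True, nxt


def replay(requests):
    """Run a request trace through a fresh inspector; return allow/deny flags."""
    inspector = SessionInspector()
    return [inspector.inspect(*req)[0] for req in requests]


SAMPLE = [  # constructed trace: (session id, method, path[, body])
    ("s1", "GET", "/login"),
    ("s1", "POST", "/login", "user=alice&pw=x"),
    ("s1", "GET", "/cart"),
    ("s1", "POST", "/checkout"),
    ("s2", "POST", "/checkout"),  # s2 skipped login: denied by the FSM
    ("s1", "GET", "/cart?item=%3Cscript%3Ealert(1)%3C/script%3E"),  # denied by signature
]
```

The first four requests follow the defined session flow and pass; the last two are denied, one by the positive model and one by the negative model.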
Keywords
Web application security; intrusion detection system; intrusion prevention system; finite state machine; network processor
Citation Format:
鄭伯炤(Bo-Chao Cheng), 陳瑞文(Jui-Wen Chen), 莊明霓(Ming-Ni Chuang), "Design and Implementation of the Web Application Intrusion Prevention System," Journal of Internet Technology, vol. 7, no. 2, pp. 161-167, Apr. 2006.
Published by Executive Committee, Taiwan Academic Network, Ministry of Education, Taipei, Taiwan, R.O.C
JIT Editorial Office, Office of Library and Information Services, National Dong Hwa University
No. 1, Sec. 2, Da Hsueh Rd., Shoufeng, Hualien 974301, Taiwan, R.O.C.
Tel: +886-3-931-7314 E-mail: jit.editorial@gmail.com