I'm researching AI-based solutions to detect malicious Web requests. I recently came across a paper showing that the web requests containing an attack payload are mostly SQL injection/XSS attacks.
They carried out URL parameter analysis and extracted some interesting features from Web requests. Statistically, they proved this concept via a tokenization method. Credit to this study and another interesting post, I highlighted the top features, token-set size and length, as you can see in the picture below:
Long story short, as can be seen in the picture:
Length: In general, the length of a request parameter value varies within a small range, but it changes significantly when the value contains an attack payload.
Token number: When the user's input or click is used as a parameter value, the token number usually stays the same or changes subtly. When the user inputs a parameter that contains an attack payload, the token number is usually larger than that of a normal parameter value.
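To make the two features concrete, here is an added example (not code from the paper or from this post) that extracts the length and token count of each URL parameter value, builds a per-parameter baseline from a few constructed "normal" requests, and flags values that depart from it. The tokenizer, the sample URLs and the thresholds are my own assumptions, not the paper's.

```python
import re
from statistics import median
from urllib.parse import urlsplit, parse_qsl

# Assumed tokenizer: a token is a run of word characters or a single punctuation mark.
TOKEN_RE = re.compile(r"\w+|[^\w\s]")


def tokenize(value):
    return TOKEN_RE.findall(value)


def param_features(url):
    """Return {param_name: (value_length, token_count)} for one request URL."""
    feats = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        feats[name] = (len(value), len(tokenize(value)))
    return feats


# Constructed sample of normal requests (stands in for a web server access log).
NORMAL_LOG = [
    "/search?q=shoes&page=1",
    "/search?q=running+shoes&page=2",
    "/search?q=winter+boots&page=1",
    "/search?q=socks&page=3",
]


def build_profile(urls):
    """Per-parameter baseline: (median length, median token count) over normal traffic."""
    per_param = {}
    for url in urls:
        for name, pair in param_features(url).items():
            per_param.setdefault(name, []).append(pair)
    return {n: (median(l for l, _ in v), median(t for _, t in v)) for n, v in per_param.items()}


def score(url, profile, length_factor=3.0, token_delta=2):
    """Flag a parameter whose length or token count is far above its baseline (assumed thresholds)."""
    flags = {}
    for name, (length, ntok) in param_features(url).items():
        if name not in profile:  # unseen parameter: nothing to compare against
            continue
        base_len, base_tok = profile[name]
        flags[name] = {
            "length": length,
            "tokens": ntok,
            "long": length > length_factor * max(base_len, 1),
            "many_tokens": ntok > base_tok + token_delta,
        }
    return flags
```

Run on a 40-character single-word search term, only the length flag fires; on a short value made of many punctuation-separated tokens, only the token flag fires, which is why the two features complement each other.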
My questions:
* Which scenarios can we imagine in which long web requests are not malicious, so that security domain experts can filter such cases out of this study? E.g., is there any case in which a user generates a long web request by mistake?
* Generally speaking, how probable is it to see strangely long HTTP paths (particularly in the URL parameter part, not the API part) in Web server logs?
* Which Web-based services, App-based services or third-party software can affect these issues? E.g., scanners or pseudonymization (to the best of my knowledge, pseudonymization affects the API part if we consider ? as the separator).
Any help/updates will be appreciated.