Damiano Bolzoni (UT)
Sphinx: A Hybrid Anomaly-based Web Intrusion Detection System
We present Sphinx, a new fully anomaly-based Web Intrusion Detection System (WIDS). Sphinx has been implemented as an Apache module (like ModSecurity, the most deployed Web Application Firewall), and can therefore deal with SSL and POST data. Our system uses different techniques at the same time to improve detection and false positive rates. Being anomaly-based, Sphinx needs a training phase before real detection can start: during training, Sphinx automatically "learns" the type of each parameter inside user requests and applies the most suitable model to detect attacks. Furthermore, Sphinx can actively support the deployment of WAFs like ModSecurity: e.g. if we are deploying an ad hoc web application (or when 3rd parties' software is used), we will most probably need to spend a lot of time writing signatures. Once Sphinx has completed the training phase, it can automatically generate ModSecurity-style signatures, making deployment much easier.
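The following sketch is an added illustration of the idea in the abstract (learn each parameter's type from training traffic, then emit ModSecurity-style rules); it is not Sphinx's code. The two type classes, the learned length bound and the sample requests are assumptions of this example, since the abstract does not say which models Sphinx uses.

```python
import re
from urllib.parse import parse_qsl

# Constructed, attack-free training query strings (not taken from Sphinx).
TRAINING = [
    "id=17&lang=en&q=blue+widgets",
    "id=2041&lang=nl&q=caf%C3%A9+table%2C+round",
    "id=305&lang=en&q=usb-c+cable",
]

# Candidate types, strictest first; the names are this example's own.
TYPES = [("integer", r"[0-9]"), ("token", r"[A-Za-z0-9_-]")]

def learn(samples):
    """Map each parameter to (type, max_len); type is None for free text."""
    values = {}
    for qs in samples:
        for name, value in parse_qsl(qs, keep_blank_values=True):
            values.setdefault(name, []).append(value)
    model = {}
    for name, seen in values.items():
        # First (strictest) class that every observed value fits entirely.
        kind = next((t for t, cls in TYPES
                     if all(re.fullmatch(cls + "*", v) for v in seen)), None)
        model[name] = (kind, max(len(v) for v in seen))
    return model

def to_secrules(model, first_id=100000):
    """Emit one positive-security SecRule per regularly typed parameter."""
    classes = dict(TYPES)
    rules = []
    for offset, (name, (kind, max_len)) in enumerate(sorted(model.items())):
        if kind is None:
            continue  # free text: a regex is too coarse, needs another model
        # Deny any value that does NOT match the learned shape and length.
        rules.append(
            f'SecRule ARGS:{name} "!@rx ^{classes[kind]}{{0,{max_len}}}$" '
            f'"id:{first_id + offset},phase:2,deny,status:403,'
            f"msg:'{name} must be {kind}, max {max_len} chars'\""
        )
    return rules

if __name__ == "__main__":
    print("\n".join(to_secrules(learn(TRAINING))))
```

The free-text parameter `q` gets no rule, which is the case where a signature is a poor fit and an anomaly model has to do the work. The length bound is exactly the longest value seen in training, so a real deployment would need more training data or some slack to keep false positives down.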
Last Version - $Revision: 1.1 $ / $Date: 2007/11/13 15:32:56 $
Maintained by Jaap-Henk Hoepman