Black Hat Briefings, Usa 2007 [audio] Presentations From The Security Conference.

We present Sphinx, a new fully anomaly-based Web Intrusion Detection Systems (WIDS). Sphinx has been implemented as an Apache module (like ModSecurity, the most deployed Web Application Firewall), therefore can deal with SSL and POST data. Our system uses different techniques at the same time to improve detection and false positive rates. Being anomaly-based, Sphinx needs a training phase before the real detection could start: during the training, Sphinx ?learns? automatically the type of each parameter inside user requests and applies the most suitable model to detect attacks. We define 3 basic types: numerical, short and long texts. The idea behind this is that, e.g., if we observe only integer values and later some text, that is likely to be an attack (e.g. SQL Injection or XSS). For numerical parameters, a type checker is applied. For short texts (text with fixed length or slight variations), Sphinx uses a grammar checker: grammars are built observing the parameter content (during the training phase) and