Server-Side Code Injection Attack Detection Based on Kullback-Leibler Distance
In this paper, we apply a well-known measure from information theory domain called Kullback-Leibler distance (or divergence) (KLD) to detect the symptoms of code injection attacks early during programme runtime. We take advantage of the observation that during code injection attack, the intended structure deviates from the expected structure. The KLD can be a suitable measure to capture the deviation. Our contribution includes the development of a server-side framework to compute KLD. In particular, we apply a smoothing algorithm to avoid the infinite KLD distance during attack detection stage. We evaluate our approach with three PHP applications having SQLI and XSS vulnerabilities. The initial results show that KLD can be an effective measurement technique to detect the occurrence of code injection attacks. The approach suffers from lower false positive and negative rates, and imposes negligible runtime overhead.
International Journal of Internet Technology and Secured Transactions
Digital Object Identifier (DOI)
Shahriar, Hossain; North, Sarah M.; Lee, Yoonji; and Hu, Roger, "Server-Side Code Injection Attack Detection Based on Kullback-Leibler Distance" (2014). Faculty Publications. 3615.