Evaluating the efficiency of Host-based Intrusion Detection Systems protecting web applications

Abstract: Background. Web applications are a more significant part of our digital experience, and the number of users keeps continuously growing. Social media alone accounts for more than half of the world’s population. Therefore these applications have become a lucrative target for attackers, and we have seen several attacks against them. One such example saw attackers manage to compromise a twitter account [15], leading to false information being published, causing the New York stock exchange to drop 150 points, erasing 136 billion dollars in equity market value. There are methods to protect web applications, such as web application firewalls or content security policies. Still, another candidate for defending these applications is Host-based Intrusion Detection Systems (HIDS). This study aims to assess the efficiency of these HIDS when defending against web applications. Objectives. The main objective of the thesis is to create an efficiency evaluating model for a HIDS when protecting web applications. Additionally, we will test two open-source HIDS against web applications built to emulate a vulnerable environment and measure these HIDS efficiencies with the model mentioned above. Methods. To reach the objectives of our thesis, a literature review regarding what metrics to evaluate the efficiency of a HIDS was conducted. This allowed us to construct a model for which we evaluated the efficiency of our selected HIDS. In this model, we use 3 categories, each containing multiple metrics. Once completed, the environment hosting our vulnerable applications and their HIDS was set up, followed by the attacks of the applications. The data generated by the HIDS gave us the data required to make our efficiency evaluation which was performed through the lens of the previously mentioned model. Results. The result shows a low overall efficiency from the two HIDS when regarding the category attack detection. The most efficient of the two could be determined. Of the two evaluated, Wazuh and Samhain; we determined Wazuh to be the more efficient HIDS. We identified several components required to improve their attack detection. Conclusions. Through the use of our model, we concluded that the HIDS Wazuh had higher efficiency than the HIDS Samhain. However both HIDS had low performances regarding their ability to detect attacks. Some specific components need to be implemented within these systems before they can reliably be used for defending web applications.