Concept-drift in web-based IDS: evaluating current capabilities & future challenges

Zanetti, Nicola (2015)

Anomaly-based intrusion detection systems (IDS) are typically employed for protecting web applications. Changes in the applications, also known as Web Concept Drifts, negatively impact the accuracy of the IDS, increasing the number of false alerts. To adapt the IDS to application changes, the model must be retrained. Unfortunately, retraining is a time-consuming task that requires considerable effort from system administrators and security experts. Different methods have been proposed in the literature to deal with this issue. One of these, called Response Modeling, exploits the structure of HTTP responses to detect changes and automatically adapt the detection model to application drifts. In this thesis, we survey existing work that addresses the Concept Drift issue and we test one of these approaches on simulated as well as real scenarios. The results seem to indicate that the existing approach is still not mature enough to consistently reduce the FPR (false positive rate). More precisely, it seems that only a specific type of alert can be meaningfully reduced, while most of the others are not decreased. We propose some requirements and future directions to improve such solutions, aimed at refining the efficacy of this technique.
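As an added illustration of the Response Modeling idea (constructed example, not the thesis's own implementation, which the abstract does not detail): a minimal anomaly profile over request parameter names that is refreshed from the forms advertised in HTTP responses, so that fields introduced by an application change update the model instead of raising alerts. The class and method names are assumptions.

```python
"""Constructed example: adapting a parameter-name profile from HTTP response structure."""
from html.parser import HTMLParser


class FormFieldParser(HTMLParser):
    """Collect the input names declared by each <form> in an HTML response body."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # form action -> set of parameter names it submits
        self._current = None     # action of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action", "")
            self.forms.setdefault(self._current, set())
        elif tag in ("input", "select", "textarea") and self._current is not None and a.get("name"):
            self.forms[self._current].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


class ParameterProfileIDS:
    """Anomaly model keyed on request path; a request carrying parameter names outside
    the learned profile is an alert. observe_response() is the Response Modeling step:
    forms served by the application declare which parameters the next request may carry."""

    def __init__(self):
        self.profile = {}  # path -> set of allowed parameter names

    def train(self, path, params):
        self.profile.setdefault(path, set()).update(params)

    def observe_response(self, html):
        """Update the profile from forms in a response; return the drifts detected."""
        parser = FormFieldParser()
        parser.feed(html)
        drifted = []
        for action, fields in parser.forms.items():
            known = self.profile.setdefault(action, set())
            new = fields - known
            if new:                      # application change: new fields advertised
                drifted.append((action, sorted(new)))
                known.update(new)        # adapt instead of retraining by hand
        return drifted

    def check_request(self, path, params):
        """Return parameter names not covered by the profile (non-empty means alert)."""
        return sorted(set(params) - self.profile.get(path, set()))
```

This only suppresses alerts caused by parameters the application newly advertises in its forms; alerts from changed value formats or unadvertised parameters are untouched, which matches the abstract's observation that only a specific type of alert is reduced.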
Zanetti_MA_EEMCS.pdf