Web application security - the fast guide 1.1 | Page 22

Chapter 1 - Information Security overview

Notification of the attack allows a response in real time, because some attacks can be stopped if a fast enough response is generated. Monitoring and detection modules normally depend on an abnormality in the received requests: a count, a sequence, a known attack pattern, or even suspicious business content. Examples are receiving a large number of requests from the same source IP, receiving requests in a suspicious sequence, alteration of values that are normally inaccessible to the user (hidden fields), or a request to transfer an unusually large amount of money from an online bank account. Detection modules can be a separate application, like firewalls and intrusion detection systems, but this approach might not be as effective as modules integrated at all levels, especially against attacks of a semantic nature, because off-the-shelf products rely on generic patterns, in contrast with intrusion detection modules integrated as part of the application.

Figure 15: notifications sent by host & network based intrusion detection systems to the administrator and the victim user (figure labels: NIDS, HIDS, Firewall, Attacker, Victim, Administrator, Notification)

d. Response: notifying the administrator that the application is under attack is one thing, and reacting actively is another, because responding in real time is an essential factor and can sometimes save the application and stop the attack in many critical applications. A response might be blocking requests from a specific source, reacting slowly to suspicious requests, or dropping the user session. Even if the response is unable to stop a skilled attacker's malicious activities, it will provide more information and buy the administrator time to react more effectively to the attack.
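The detection and response steps above, worked through as an added example that is not code from the book: a small in-application detector checks constructed sample traffic for the four abnormality classes the chapter lists (request count per source IP, request sequence, altered hidden fields, suspicious business content) and maps each alert to one of the three responses the chapter names (block the source, slow down the request, drop the session). The thresholds, the checkout flow `/cart -> /checkout/review -> /checkout/pay`, the `/bank/transfer` endpoint and all IPs and sessions are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    ts: float        # seconds since start of capture (constructed sample data)
    src_ip: str
    session: str
    path: str
    params: dict     # submitted form/query parameters


@dataclass
class Alert:
    kind: str        # rate | sequence | hidden_field | business
    src_ip: str
    session: str
    response: str    # block_source | drop_session | slow_down
    detail: str


class Detector:
    """Detection integrated in the application: it knows the real flow and hidden values."""
    WINDOW = 10.0               # assumed window in seconds for the request count
    RATE_LIMIT = 20             # assumed requests per source IP per window before alerting
    TRANSFER_LIMIT = 10_000.0   # assumed business rule: larger transfers are unusual
    FLOW = ["/cart", "/checkout/review", "/checkout/pay"]  # assumed legitimate order

    def __init__(self):
        self.hits = defaultdict(deque)  # src_ip -> timestamps inside WINDOW
        self.last_step = {}             # session -> last FLOW step reached
        self.hidden = {}                # session -> hidden-field values the server rendered

    def register_hidden(self, session, fields):
        """Server keeps its own copy of hidden fields so a changed value can be spotted."""
        self.hidden[session] = dict(fields)

    def inspect(self, req):
        alerts = []
        # 1. count: too many requests from one source in a short window
        q = self.hits[req.src_ip]
        q.append(req.ts)
        while q and req.ts - q[0] > self.WINDOW:
            q.popleft()
        if len(q) > self.RATE_LIMIT:
            alerts.append(Alert("rate", req.src_ip, req.session, "block_source",
                                f"{len(q)} requests in {self.WINDOW:.0f}s"))
        # 2. sequence: a checkout step reached without its predecessor
        if req.path in self.FLOW:
            idx = self.FLOW.index(req.path)
            if idx > 0 and self.last_step.get(req.session) != self.FLOW[idx - 1]:
                alerts.append(Alert("sequence", req.src_ip, req.session, "drop_session",
                                    f"{req.path} without {self.FLOW[idx - 1]}"))
            self.last_step[req.session] = req.path
        # 3. hidden fields: submitted value differs from what the server rendered
        for name, expected in self.hidden.get(req.session, {}).items():
            if name in req.params and req.params[name] != expected:
                alerts.append(Alert("hidden_field", req.src_ip, req.session, "drop_session",
                                    f"{name}: {expected!r} -> {req.params[name]!r}"))
        # 4. business content: transfer amount outside the normal range
        if req.path == "/bank/transfer":
            try:
                amount = float(req.params.get("amount", "0"))
            except ValueError:
                amount = float("inf")  # a non-numeric amount is treated as suspicious
            if amount > self.TRANSFER_LIMIT:
                alerts.append(Alert("business", req.src_ip, req.session, "slow_down",
                                    f"transfer of {req.params.get('amount')}"))
        return alerts


def apply_responses(alerts):
    """Turn alerts into the three responses: block source, drop session, slow down."""
    state = {"blocked_ips": set(), "dropped_sessions": set(), "delayed": []}
    for a in alerts:
        if a.response == "block_source":
            state["blocked_ips"].add(a.src_ip)
        elif a.response == "drop_session":
            state["dropped_sessions"].add(a.session)
        elif a.response == "slow_down":
            state["delayed"].append((a.session, a.detail))  # held for manual review
    return state


def demo_traffic():
    """Constructed sample traffic, not captured data."""
    reqs = [  # s1: legitimate cart -> review -> pay with the hidden price untouched
        Request(0.0, "10.0.0.5", "s1", "/cart", {}),
        Request(1.0, "10.0.0.5", "s1", "/checkout/review", {"price": "49.99"}),
        Request(2.0, "10.0.0.5", "s1", "/checkout/pay", {"price": "49.99"}),
        # s2: jumps straight to pay and lowers the hidden price
        Request(3.0, "10.0.0.9", "s2", "/checkout/pay", {"price": "0.01"}),
        # s3: asks for an unusually large transfer
        Request(4.0, "10.0.0.7", "s3", "/bank/transfer", {"amount": "250000"}),
    ]
    # one source sends 25 login requests in 2.5 seconds
    reqs += [Request(5.0 + i * 0.1, "203.0.113.4", f"f{i}", "/login", {}) for i in range(25)]
    return reqs


def run_demo():
    det = Detector()
    for s in ("s1", "s2"):
        det.register_hidden(s, {"price": "49.99"})  # value the server put in the form
    alerts = []
    for req in demo_traffic():
        alerts += det.inspect(req)
    return alerts, apply_responses(alerts)


if __name__ == "__main__":
    found, state = run_demo()
    for a in found:
        print(f"{a.kind:12} {a.src_ip:14} {a.session:4} -> {a.response}: {a.detail}")
    print(state)
```

The hidden-field and sequence checks are only possible because the detector sits inside the application and knows what the server rendered and what the legitimate flow is; a generic network device in front of the application sees a well-formed POST in both cases, which is the chapter's point about semantic attacks. The rate check, by contrast, could live in a firewall or NIDS just as well.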