The All-Seeing Eye: A Massive-Multi-Sensor Zero-Configuration Intrusion Detection System for Web Applications

Notice: This research summary and analysis were generated automatically using AI technology. For absolute accuracy, refer to the original arXiv paper.

Timing attacks are a challenge for current intrusion detection solutions. They are dangerous for web applications because they exploit side-channel vulnerabilities to leak information. This paper presents a massive-multi-sensor, zero-configuration intrusion detection system that is particularly good at detecting timing attacks. Unlike current solutions, the proposed IDS uses a very large number of sensors for attack detection, including sensors inserted automatically into the web application or into the frameworks used to build it. With this approach the IDS can detect sophisticated attacks such as timing attacks or other brute-force attacks with increased accuracy. Because the system needs no specific knowledge about the system it protects, it offers zero-configuration operation.


💡 Research Summary

The paper introduces “All‑Seeing Eye,” a massive‑multi‑sensor, zero‑configuration intrusion detection system (IDS) designed specifically for web applications and capable of detecting timing attacks, brute‑force probing, and other sophisticated threats without prior knowledge of the protected system.
The authors begin by highlighting the shortcomings of existing IDS solutions, which typically rely on a limited set of sensors and require extensive per‑application configuration. To overcome these limitations, All‑Seeing Eye automatically injects thousands of “software sensors” into the Java bytecode of a target web application using AspectJ load‑time weaving. These sensors record method entry and exit timestamps, execution durations, call order, and other runtime characteristics. In addition to software sensors, the framework can ingest traditional data sources such as network traffic, CPU/memory usage, kernel handles, and alerts from other IDSs, thereby forming a heterogeneous sensor pool.
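To make the software-sensor idea concrete, here is an added example (my code, not the paper's): instead of weaving Java bytecode with AspectJ, it rebinds every public method of a Python class at runtime, so the application code itself is untouched, and records what the summary lists per call: entry and exit timestamps, duration, call order and nesting depth. Calls shorter than a threshold are dropped, mirroring the paper's suppression of sub-millisecond methods. The LoginHandler class, its method names and the 1 ms threshold are constructed for illustration.

```python
"""Added example (not the paper's code): automatic method-level software
sensors. The paper weaves sensors into Java bytecode with AspectJ; this
stand-in rebinds the public methods of a Python class at runtime. The
LoginHandler class and the 1 ms threshold are constructed for illustration."""
import functools
import inspect
import itertools
import threading
import time


class SensorLog:
    """One record per instrumented call: entry/exit timestamps, duration, a
    global sequence number (call order) and the nesting depth on the calling
    thread. Calls shorter than suppress_below_s are dropped to bound the
    logging overhead, as the paper does for sub-millisecond methods."""

    def __init__(self, suppress_below_s=0.001):
        self.suppress_below_s = suppress_below_s
        self.records = []
        self._seq = itertools.count()
        self._local = threading.local()

    def _stack(self):
        if not hasattr(self._local, "stack"):
            self._local.stack = []
        return self._local.stack

    def wrap(self, name, fn):
        @functools.wraps(fn)
        def sensor(*args, **kwargs):
            stack = self._stack()
            seq, depth = next(self._seq), len(stack)
            stack.append(name)
            t_in = time.perf_counter()
            try:
                return fn(*args, **kwargs)
            finally:
                t_out = time.perf_counter()
                stack.pop()
                if t_out - t_in >= self.suppress_below_s:
                    self.records.append({"seq": seq, "method": name, "depth": depth,
                                         "enter": t_in, "exit": t_out,
                                         "duration_s": t_out - t_in})
        sensor._all_seeing_sensor = True     # marker so a second injection is a no-op
        return sensor


def inject_sensors(cls, log):
    """Wrap every public method defined on cls in place; returns cls."""
    for name, fn in inspect.getmembers(cls, inspect.isfunction):
        if name.startswith("_") or getattr(fn, "_all_seeing_sensor", False):
            continue
        setattr(cls, name, log.wrap(f"{cls.__name__}.{name}", fn))
    return cls


class LoginHandler:
    """Constructed stand-in for a web application's login handler."""

    def handle(self, user, password):
        return self.verify_credentials(user, self.hash_password(password))

    def hash_password(self, password):
        return password[::-1]          # microseconds: this call will be suppressed

    def verify_credentials(self, user, digest):
        time.sleep(0.005)              # stands in for a database round trip
        return user == "guest" and digest == "tseug"


def run_demo():
    """Instrument LoginHandler, serve one request, return the records in call order."""
    log = SensorLog()
    inject_sensors(LoginHandler, log)
    LoginHandler().handle("guest", "guest")
    return sorted(log.records, key=lambda r: r["seq"])


if __name__ == "__main__":
    for rec in run_demo():
        print(f"{rec['seq']:>3} {'  ' * rec['depth']}{rec['method']} {rec['duration_s'] * 1000:.2f} ms")
```

Only the two calls that take longer than 1 ms are recorded; the per-record sequence number and depth are what a downstream fingerprint builder needs to recover the call sequence of a request.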
A key innovation is the concept of “aggregation sensors.” Individual sensor readings are combined through arithmetic operations (addition, multiplication, logarithmic scaling) or statistical aggregations (averages, quantiles) over configurable time windows. This yields higher‑level metrics that capture complex behavior patterns while reducing noise. The system distinguishes two aggregation types: one‑time aggregation (instantaneous combination) and continuous aggregation (rolling statistics).
Detection is based on the notion of “fingerprints.” Under normal operation, requests that target the same URL or invoke the same business logic produce highly correlated sensor outputs; this recurring pattern is the fingerprint, and it reappears in each observation interval T. All‑Seeing Eye builds its normal model on the fly: it keeps a floating history of the last n intervals and derives a quantile‑based threshold α from it. For the current interval, the number of times a fingerprint is observed, |s_T|, is compared against α × p, where p is a tunable sensitivity parameter. If |s_T| ≥ α × p the system flags a potential intrusion; otherwise it assumes normal behaviour. A pre‑trained baseline is therefore unnecessary, and a quantile‑based threshold is less sensitive to statistical outliers than a mean would be.
The authors evaluate the prototype on OpenCMS 8.5.1 deployed in a paravirtualized OpenVZ environment (4‑core 2.1 GHz CPU, 6 GB RAM, 1 Gbps NIC). Memory overhead is approximately 300 MB per 10 000 requests, primarily due to buffering of log data; CPU overhead scales with method length, but the system suppresses logging for sub‑millisecond methods to mitigate impact.
Two attack scenarios are examined. First, a series of 100 consecutive requests to the same page generates fingerprints that differ by less than 3 ms, showing that the system recognises identical workloads despite minor timing variations. Second, a brute‑force login probing attack that exploits OpenCMS’s verbose error messages is simulated. All‑Seeing Eye detects the abnormal pattern of repeated calls to the login resource with varying parameters, without prior knowledge of the vulnerability or of the application’s normal request distribution. Timing attacks, which introduce subtle execution‑time differences, are likewise captured by the method‑level sensors and flagged by the aggregation‑based statistical test, a capability that many conventional IDSs lack.
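The aggregation sensors and the fingerprint test described above, together with the brute‑force login scenario, as an added example (my code, not the paper's): a one‑time aggregation folds one request's method durations into a fingerprint, a continuous aggregation over the floating history yields the quantile threshold α, and the test |s_T| ≥ α × p runs at the end of every interval. The traffic, the method names, n = 20, q = 0.95 and p = 2 are illustrative assumptions, as are the warm‑up period and the decision not to feed alerting intervals back into the history.

```python
"""Added example (not the paper's code): aggregation sensors feeding the
fingerprint detector, run over constructed traffic. Method names, timings,
n, q and p are illustrative choices, not values from the paper."""
import math
import random
from collections import Counter, deque


def one_time_aggregate(readings):
    """One-time aggregation: fold one request's (method, duration_s) readings,
    given in call order, into a fingerprint. The call sequence is kept as-is;
    the total time is log-scaled and rounded so requests that differ by a few
    milliseconds still share a fingerprint."""
    total_ms = 1000.0 * sum(d for _, d in readings)
    return (tuple(m for m, _ in readings), round(math.log10(total_ms + 1.0)))


def quantile(values, q):
    """Nearest-rank q-quantile of a non-empty sequence."""
    ordered = sorted(values)
    return ordered[max(1, math.ceil(q * len(ordered))) - 1]


class FingerprintDetector:
    """At the end of each interval T, test every fingerprint with
    |s_T| >= alpha * p; alpha is the q-quantile of that fingerprint's counts
    over the last n intervals (continuous aggregation over the floating
    history), p the sensitivity factor.

    Two choices made here, not taken from the paper: no verdict until the
    history holds n intervals (warm-up), and an interval that raised an
    alert is not written back, so a sustained attack cannot lift its own
    baseline."""

    def __init__(self, n=20, q=0.95, p=2.0):
        self.n, self.q, self.p = n, q, p
        self.history = {}          # fingerprint -> deque of per-interval counts
        self.current = Counter()   # counts in the open interval

    def observe(self, readings):
        self.current[one_time_aggregate(readings)] += 1

    def end_interval(self):
        """Close the interval; return [(fingerprint, count, threshold), ...]."""
        alerts = []
        for fp in set(self.history) | set(self.current):
            count = self.current[fp]
            hist = self.history.setdefault(fp, deque(maxlen=self.n))
            flagged = False
            if count and len(hist) == self.n:
                threshold = quantile(hist, self.q) * self.p
                if count >= threshold:
                    alerts.append((fp, count, threshold))
                    flagged = True
            if not flagged:
                hist.append(count)   # quiet intervals count too (count may be 0)
        self.current = Counter()
        return alerts


# Constructed call sequences for two resources of a CMS-like application.
NEWS = ("CmsDispatcher.service", "NewsController.show", "Template.render")
LOGIN = ("CmsDispatcher.service", "LoginController.handle", "UserDb.verifyCredentials")


def request(rng, methods, total_ms):
    """Sensor readings for one request: total_ms spread over the methods,
    with roughly +/-1 ms of jitter per request."""
    share = total_ms / len(methods)
    return [(m, (share + rng.uniform(-0.3, 0.3)) / 1000.0) for m in methods]


def stable_fingerprint_check(count=100):
    """Distinct fingerprints produced by `count` requests to the same page
    (1 means the workload is recognised despite timing jitter)."""
    rng = random.Random(1)
    return len({one_time_aggregate(request(rng, NEWS, 8.0)) for _ in range(count)})


def run_scenario(n=20, p=2.0, probes=150):
    """n quiet intervals (40 page views, 2 logins each), then one interval with
    `probes` extra login attempts carrying varying usernames. The parameters
    are invisible to method-level sensors; the repeated call sequence is not.
    Returns the alerts raised per interval."""
    rng = random.Random(7)
    det = FingerprintDetector(n=n, q=0.95, p=p)
    per_interval = []
    for i in range(n + 1):
        logins = 2 + (probes if i == n else 0)
        for _ in range(40):
            det.observe(request(rng, NEWS, 8.0))
        for _ in range(logins):
            det.observe(request(rng, LOGIN, 12.0))
        per_interval.append(det.end_interval())
    return per_interval


if __name__ == "__main__":
    print("distinct fingerprints for 100 page views:", stable_fingerprint_check())
    for fp, count, threshold in run_scenario()[-1]:
        print(f"ALERT {fp[0][-1]}: {count} in interval, threshold {threshold}")
```

Only the login fingerprint trips the test in the final interval: its baseline is two occurrences per interval, so α × p = 4 and the 152 probes are far above it, while the 40 page views stay below their own threshold of 80. Raising p trades false positives for missed low-rate probing; whether alerting intervals are written back into the history decides whether a slow, sustained attack can train the baseline to accept it.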
In summary, All‑Seeing Eye achieves three major goals: (1) automatic generation of a massive, heterogeneous sensor set, (2) deployment without any manual configuration, and (3) real‑time statistical detection of anomalies. The paper suggests future work on GPU‑accelerated aggregation, integration of hardware sensors, and extending the approach beyond the Java runtime to other platforms such as .NET or Node.js. The presented system demonstrates that a zero‑configuration, sensor‑rich architecture can effectively protect web applications against side‑channel and brute‑force attacks while maintaining acceptable performance overhead.

