DeepWAF: Detecting Web Attacks Based on CNN and LSTM Models

Cyberspace Safety and Security (CSS 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11983)

Abstract

The increasing popularity of web applications makes the web a main venue for attackers engaging in a myriad of cybercrimes. As web applications process and share large quantities of information, the situation for web attack detection and prevention becomes increasingly severe. We present DeepWAF, a prototype implementation that detects web attacks using deep learning techniques. We systematically discuss how to make effective use of the currently popular CNN and LSTM models and their combined models, CNN-LSTM and LSTM-CNN. Experimental results on the HTTP DATASET CSIC 2010 dataset demonstrate that all four of our proposed detection models achieve satisfactory results, with a detection rate of approximately 95% and a false alarm rate of approximately 2%. We also carried out case studies to analyze the causes of false negatives and false positives, which can be used for further improvements. Our work further illustrates that machine learning has promising application prospects in the field of web attack detection.

Author information

Corresponding author

Correspondence to Ming Zhang.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Kuang, X. et al. (2019). DeepWAF: Detecting Web Attacks Based on CNN and LSTM Models. In: Vaidya, J., Zhang, X., Li, J. (eds) Cyberspace Safety and Security. CSS 2019. Lecture Notes in Computer Science, vol 11983. Springer, Cham. https://doi.org/10.1007/978-3-030-37352-8_11

  • DOI: https://doi.org/10.1007/978-3-030-37352-8_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37351-1

  • Online ISBN: 978-3-030-37352-8

  • eBook Packages: Computer Science (R0)
