Automated Classification of Web-Application Attacks for Intrusion Detection

Abstract

In today’s information driven society and economy, web facing applications are most common way to run information dissemination, banking, e-commerce etc. Web applications are frequently targeted by attackers through intelligently crafted http requests to exploit vulnerabilities existing in the application, front-end, and the web-clients. Some of the most frequent such attacks are SQL Injection, Cross-Site Scripting, Path-traversal, Command Injection, Cross-site request forgery etc. Detecting these attacks up front and blocking them, or redirecting the request to a honey-pot could be a way to prevent web applications from being exploited. In this work, we developed a number of machine learning models for detecting and classifying http requests into normal, and various types of attacks. Currently, the models are applied as an ensemble on the http server logs, to classify and build data analytics on the http requests received by any web server in order to garner threat intelligence, and threat landscape. We also implemented an online log-analysis version that analyzes logs every 15 s to classify http requests in the recent 15 s. However, it can also be used as a web application firewall to block the http requests based on the classification results. We also have implemented an intrusion protection mechanism by redirecting http requests classified upfront as malicious towards a web honeypot. We compare various existing signature based, regular expression based, and machine learning based techniques against our models for detection and classification of http based attacks, and show that our methods achieve better performance over existing techniques.