Automated Classification of Web-Application Attacks for Intrusion Detection

  • Harsh Bhagwani
  • Rohit Negi
  • Aneet Kumar Dutta
  • Anand HandaEmail author
  • Nitesh Kumar
  • Sandeep Kumar Shukla
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11947)


In today’s information driven society and economy, web facing applications are most common way to run information dissemination, banking, e-commerce etc. Web applications are frequently targeted by attackers through intelligently crafted http requests to exploit vulnerabilities existing in the application, front-end, and the web-clients. Some of the most frequent such attacks are SQL Injection, Cross-Site Scripting, Path-traversal, Command Injection, Cross-site request forgery etc. Detecting these attacks up front and blocking them, or redirecting the request to a honey-pot could be a way to prevent web applications from being exploited. In this work, we developed a number of machine learning models for detecting and classifying http requests into normal, and various types of attacks. Currently, the models are applied as an ensemble on the http server logs, to classify and build data analytics on the http requests received by any web server in order to garner threat intelligence, and threat landscape. We also implemented an online log-analysis version that analyzes logs every 15 s to classify http requests in the recent 15 s. However, it can also be used as a web application firewall to block the http requests based on the classification results. We also have implemented an intrusion protection mechanism by redirecting http requests classified upfront as malicious towards a web honeypot. We compare various existing signature based, regular expression based, and machine learning based techniques against our models for detection and classification of http based attacks, and show that our methods achieve better performance over existing techniques.


Intrusion detection system Web security Machine learning 



This work has been partially supported by grants from the Science and Engineering Research Board (SERB), and Department of Science and Technology (DST), Government of India.


  1. 1.
    ECML/PKDD 2007 Dataset (2007).
  2. 2.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
  7. 7.
  8. 8.
  9. 9.
  10. 10.
    World Internet Users and 2019 Population Stats (2019).
  11. 11.
  12. 12.
  13. 13.
    Althubiti, S., Yuan, X., Esterline, A.: Analyzing http requests for web intrusion detection. KSU Proceedings on Cybersecurity Education, Research and Practice (2017)Google Scholar
  14. 14.
    Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001)CrossRefGoogle Scholar
  15. 15.
    Carmen Torrano, A.P., Álvarez, G.: Http csic torpeda 2012 (2012).
  16. 16.
    Carmen Torrano, A.P., Álvarez, G.: Http csic torpeda 2012 (2012).
  17. 17.
    Elprocus: Basic intrusion detection system (2019).
  18. 18.
    ENISA: Enisa threat landscape report 2018 (2019).
  19. 19.
    Giménez, C.T., Villegas, A.P., Marañón, G.Á.: Http data set csic 2010. Information Security Institute of CSIC (Spanish Research National Council) (2010)Google Scholar
  20. 20.
    Hong Cheon, E., Huang, Z., Lee, Y.S.: Preventing sql injection attack based on machine learning. Int. J. Advancements Comput. Technol. 5, 967–974 (2013). Scholar
  21. 21.
    KF, DP: Xssed dataset (2007).
  22. 22.
    Kozik, R., Choraś, M., Renk, R., Hołubowicz, W.: Modelling http requests with regular expressions for detection of cyber attacks targeted at web applications. In: International Joint Conference SOCO 2014-CISIS 2014-ICEUTE 2014, pp. 527–535. Springer, Switzerland (2014). 10.1007/978-3-319-07995-0_52Google Scholar
  23. 23.
    Kumar, B.S., Ch, T., Raju, R.S.P., Ratnakar, M., Baba, S.D., Sudhakar, N.: Intrusion detection system-types and prevention. Int. J. Comput. Sci. Info. Tech. (IJCSIT) 4(1), 77–82 (2013)Google Scholar
  24. 24.
    Mansfield, M.: General small business cyber security statistics (2018).
  25. 25.
    Mereani, F.A., Howe, J.M.: Detecting cross-site scripting attacks using machine learning. In: Hassanien, A.E., Tolba, M.F., Elhoseny, M., Mostafa, M. (eds.) AMLTA 2018. AISC, vol. 723, pp. 200–210. Springer, Cham (2018). Scholar
  26. 26.
    Meyer, R.: Detecting attacks on web applications from log files (2008).
  27. 27.
  28. 28.
  29. 29.
  30. 30.
    OWASP: Command injection (2018).
  31. 31.
    Quinlan, R.: C4.5: Programs for Machine Learning. Morgan Kaufmann Publishers, San Mateo (1993)Google Scholar
  32. 32.
    Sarmah, A.: Intrusion detection systems: definition, need and challenges (2019).
  33. 33.
    Scholkopf, B., Smola, A.J.: Learning with Kernels: Support Vector Machines, Regularization, Optimization, and Beyond. MIT press, Cambridge (2001)Google Scholar
  34. 34.
  35. 35.
  36. 36.
    W3Schools: SQL Injection (2019).
  37. 37.
    Yu, J., Tao, D., Lin, Z.: A hybrid web log based intrusion detection model. In: 2016 4th International Conference on Cloud Computing and Intelligence Systems (CCIS), pp. 356–360. IEEE (2016)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Harsh Bhagwani
    • 1
  • Rohit Negi
    • 1
  • Aneet Kumar Dutta
    • 1
  • Anand Handa
    • 1
    Email author
  • Nitesh Kumar
    • 1
  • Sandeep Kumar Shukla
    • 1
  1. 1.C3I Center, Department of CSEIndian Institute of TechnologyKanpurIndia

Personalised recommendations