Patterns Extraction Method for Anomaly Detection in HTTP Traffic

  • Rafał Kozik
  • Michał Choraś
  • Rafał Renk
  • Witold Hołubowicz
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 369)


In this paper, a new pattern extraction method for HTTP traffic anomaly detection is proposed. The method is based on an innovative combination of (i) a text segmentation technique, used to identify some common parts (tokens) of requests, and (ii) statistical analysis, which captures the dynamic properties (variables) of the data between tokens. As a result, this approach captures the structure of the message body received in consecutive requests. Our experiments show that this technique significantly improves effectiveness compared to other techniques that treat the message body as a whole. Another advantage is that our tool does not need any prior knowledge of the protocols and APIs that use HTTP as a means of transport (e.g. RESTful API, SOAP, etc.).
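The token-and-variable idea described in the abstract, as an added example that is not the paper's algorithm or the authors' code. It assumes `difflib` longest-matching-block segmentation as the tokeniser and length plus character-class statistics for the variables between tokens; the sample bodies, thresholds and all function names are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from statistics import mean, pstdev

def common_tokens(a, b, min_len=3):
    """Ordered substrings of at least min_len characters shared by a and b."""
    blocks = SequenceMatcher(None, a, b, autojunk=False).get_matching_blocks()
    return [a[m.a:m.a + m.size] for m in blocks if m.size >= min_len]

def extract_tokens(bodies):
    """Fold pairwise segmentation over all bodies to keep only shared tokens."""
    tokens = common_tokens(bodies[0], bodies[1])
    for body in bodies[2:]:
        # Assumption: NUL never occurs in a body, so tokens cannot merge across it.
        tokens = common_tokens("\x00".join(tokens), body)
    return tokens

def char_classes(value):
    """Coarse character classes present in a variable: digit, alpha, other."""
    return {"d" if c.isdigit() else "a" if c.isalpha() else "o" for c in value}

def learn(bodies):
    """Return (regex template, per-variable statistics) from benign bodies."""
    tokens = extract_tokens(bodies)
    template = re.compile("(.*?)" + "(.*?)".join(map(re.escape, tokens)) + "(.*)", re.S)
    stats = []
    for values in zip(*(template.fullmatch(b).groups() for b in bodies)):
        lengths = [len(v) for v in values]
        seen = set().union(*map(char_classes, values))
        stats.append((mean(lengths), pstdev(lengths), seen))
    return template, stats

def check(body, model, k=3.0, slack=2):
    """List the ways a body deviates from the learned structure and statistics."""
    template, stats = model
    match = template.fullmatch(body)
    if match is None:
        return ["structure: expected tokens missing or out of order"]
    reasons = []
    for i, (value, (mu, sigma, seen)) in enumerate(zip(match.groups(), stats)):
        if abs(len(value) - mu) > k * sigma + slack:
            reasons.append(f"var{i}: length {len(value)} outside learned range")
        if not char_classes(value) <= seen:
            reasons.append(f"var{i}: unseen character class")
    return reasons

# Constructed benign training bodies (not taken from the paper's dataset).
TRAIN = ["user=alice&amount=120&action=pay", "user=bob&amount=75&action=pay",
         "user=carol&amount=310&action=pay", "user=dave&amount=42&action=pay"]
print(check("user=bob&amount=75;AAAAAAAAAAAAAAAA&action=pay", learn(TRAIN)))
```

Because the template is learned from the bodies themselves, nothing in the code knows that the traffic is form-encoded; the same functions apply to JSON or XML bodies as long as the benign samples share a stable skeleton.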


Anomaly detection · Pattern extraction · Application layer attacks · Web application security



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Rafał Kozik (1)
  • Michał Choraś (1)
  • Rafał Renk (2)
  • Witold Hołubowicz (1, 2)

  1. Institute of Telecommunications and Computer Science, UTP University of Science and Technology, Bydgoszcz, Poland
  2. Adam Mickiewicz University, UAM, Poznan, Poland
