A Novel Framework for Active Detection of HTTP Based Attacks

  • Liang Jie
  • Sun Jianwei
  • Hu Changzhen
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 100)


Web application vulnerabilities represent a substantial portion of the security exposures of computer networks. Considering HTTP protocol is stateless, we explore the effectiveness of HTTP-session model to effectively describe http behavior. Based on the HTTP-session model and the analysis of http attack behavior, we present a novel framework to actively detect http attacks. Our method takes http requests as input and calculates anomalous probability for each session attribute and for the session as a whole as output. All the probabilities are weighted and summed up to produce final probability, and this probability is used to decide whether http session is attack or not. We demonstrate the effectiveness of the proposed methods via simulation studies using real-world web access logs. Experiments prove that our detection framework achieves high detection rates under very few false positives.


HTTP-session anomaly detection http attacks 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Chen, M., Park, J., Yu, P.: Data mining for path traversal patterns in a web environment. In: ICDCS (1996)Google Scholar
  2. 2.
    Liu, H., Kešelj, V.: Combined mining of Web server logs and web contents for classifying user navigation patterns and predicting users’ future requests. Data & Knowledge Engineering (2007)Google Scholar
  3. 3.
    Srikant, R., Yang, Y.: Mining web logs to improve website organization. In: International Conference on World Wide Web (2001)Google Scholar
  4. 4.
    Nuzman, C., Saniee, I., Sweldens, W., Weiss, A.: A compound model for TCP connection arrivals for LAN and WAN applications. Computer Networks 40(3), 319–337 (2002)CrossRefGoogle Scholar
  5. 5.
    Kruegel, C., Vigna, G.: Anomaly detection of web based attacks. In: Proceedings of the 10th ACM conference on Computer and communications security, pp. 251–261 (2003)Google Scholar
  6. 6.
    Kruegel, C., Vigna, G., Robertson, W.: A Multi-model Approach to the Detection of Web-based Attacks. Journal of Computer Networks 48(5) (2005)Google Scholar
  7. 7.
    Valeur, F., Mutz, D., Vigna, G.: A learning-based approach to the detection of SQL attacks. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 123–140. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Kantardzic, M.: Data Mining Concepts, Models, Methods and Algorithm. IEEE Press, New York (2002)Google Scholar
  9. 9.
    Yatagai, T., Isohara, T., Sasase, I.: Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behavior. In: Proceedings of the 2007 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, Victoria, Canada, pp. 232–235 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Liang Jie
    • 1
  • Sun Jianwei
    • 1
  • Hu Changzhen
    • 1
  1. 1.Department of Software EngineeringBeijing Institute of TechnologyChina

Personalised recommendations