Algorithm for detecting attacks on Web applications based on machine learning methods and attributes queries


  • Nguyen Manh Thang Academy of Cryptography Techniques
  • Tran Thi Luong



web attack, network security, signature method, anomaly detection method, machine learning method, Web application firewall, ModSecurity

Tóm tắt

Abstract—Almost developed applications tend to become as accessible as possible to the user on the Internet. Different applications often store their data in cyberspace for more effective work and entertainment, such as Google Docs, emails, cloud storage, maps, weather, news,... Attacks on Web resources most often occur at the application level, in the form of HTTP/HTTPS-requests to the site, where traditional firewalls have limited capabilities for analysis and detection attacks. To protect Web resources from attacks at the application level, there are special tools - Web Application Firewall (WAF). This article presents an anomaly detection algorithm, and how it works in the open-source web application firewall ModSecurity, which uses machine learning methods with 8 suggested features to detect attacks on web applications.

Tóm tắtHầu hết các ứng dụng được phát triển có xu hướng trở nên dễ tiếp cận nhất có thể đối với người dùng qua Internet. Các ứng dụng khác nhau thường lưu trữ dữ liệu trên không gian mạng để làm việc và giải trí hiệu quả hơn, chẳng hạn như Google Docs, email, lưu trữ đám mây, bản đồ, thời tiết, tin tức,... Các cuộc tấn công vào tài nguyên Web thường xảy ra nhất ở tầng ứng dụng, dưới dạng các yêu cầu HTTP/HTTPS đến trang web, nơi tường lửa truyền thống có khả năng hạn chế trong việc phân tích và phát hiện các cuộc tấn công. Để bảo vệ tài nguyên Web khỏi các cuộc tấn công ở tầng ứng dụng, xuất hiện các công cụ đặc biệt - Tường lửa Ứng dụng Web (WAF). Bài viết này trình bày thuật toán phát hiện bất thường và cách thức hoạt động của tường lửa ứng dụng web mã nguồn mở ModSecurity khi sử dụng phương pháp học máy với 8 đặc trưng được đề xuất để phát hiện các cuộc tấn công vào các ứng dụng web.


Аналитический центр InfoWatch. Глобальное исследование утечек конфиденциальной информации в 2018 году. – 2019. URL: (дата обращение 03.07.2018).

Ростелеком Solar. Solar JSOC Security Report 2018 и тренды 2019. 2019. URL: (дата обращение 03.07.2018).

Statista. Global number of web attacks blocked per day from 2015 to 2018 (in 1,000s). 2019. URL: (дата обращение 03.07.2018)

Modi, C. A survey of intrusion detection techniques in cloud / C. Modi, D. Patel, B. Borisaniya [et al.] // Journal of Network and Computer Applications. – 2013. – Vol. 36, no. 1. – P. 42–57.

Khamphakdee, N. Improving intrusion detection system based on snort rules for network probe attack detection / N. Khamphakdee, N. Benjamas, S. Saiyod // Information and Communication Technology (ICoICT), 2014 2nd International Conference On. – IEEE. 2014. – P. 69–74.

Scarfone, K. A., Mell, M. Guide to Intrusion Detection and Prevention Systems (IDPS)| NIST. –2007. URL: (дата обращение 03.07.2018).

Vigna, G. A stateful intrusion detection system for world-wide web servers / G. Vigna, W. Robertson, V. Kher, [и др.] // Computer Security Applications Conference, 2003. Proceedings. 19th Annual. – IEEE. 2003. – P. 34–43.

Sekar, R. An Efficient Black-box Technique for DefeatingWeb Application Attacks. NDSS. – 2009.

Mutz, D. An experience developing an IDS stimulator for the blackbox testing of network intrusion detection systems / D. Mutz, G. Vigna, R. Kemmerer // Computer Security Applications Conference, 2003. Proceedings. 19th Annual. – IEEE. 2003. – P. 374–383.

Li, X. BLOCK: a black-box approach for detection of state violation attacks towards web applications / X. Li, Y. Xue // Proceedings of the 27th Annual Computer Security Applications Conference. – ACM. 2011. – P. 247–256.

Saxena, P. Efficient fine-grained binary instrumentationwith applications to taint-tracking / P. Saxena, R. Sekar, V. Puranik // Proceedings of the 6th annual IEEE/ACM international symposium on Code generation and optimization. – ACM. 2008. – P. 74–83.

Браницкий, А. А. Анализ и классификация методов обнаружения сетевых атак / А. А. Браницкий, И. В. Котенко // Труды СПИИРАН. – 2016. – Т. 2, № 45. – С. 207–244.

Heckerman, D. A tutorial on learning with Bayesian networks. D. Heckerman. Innovations in Bayesian networks. – Springer, 2008. – P. 33–82.

Friedman, N. Bayesian network classifiers / N. Friedman, D. Geiger, M. Goldszmidt // Machine learning. – 1997. – Vol. 29, no. 2–3. – P. 131–163.

Goldszmidt, M. Bayesian network classifiers // Wiley Encyclopedia of Operations Research and Management Science. – 2010.

Barbara, D. Detecting novel network intrusions using Bayes estimators / D. Barbara, N. Wu, S. Jajodia // Proceedings of the 2001 SIAM International Conference on Data Mining. – SIAM. 2001. – P. 1–17.

Емельянова, Ю. Г. Нейросетевая технология обнаружения сетевых атак на информационные ресурсы / Ю. Г. Емельянова, А. А. Талалаев, И. П. Тищенко [и др.] // Программные системы: теория и приложения. – 2011. – Т. 2, № 3. – С. 3–15.

Tavallaee, M. A Detailed Analysis of the KDD CUP 99 Data Set / M. Tavallaee, E. Bagheri, W. Lu [и др.] // Proceedings of the Second IEEE International Conference on Computational Intelligence for Security and Defense Applications. – Ottawa, Ontario, Canada: IEEE Press, 2009. – Pp. 53—58. – (CISDA’09). – URL: 1736481.1736489.

Васильев, В. И. Интеллектуальная система обнаружения атак в локальных беспроводных сетях / В. И. Васильев, И. В. Шарабыров // Вестник Уфимского государственного авиационного технического университета. – 2015. – Т. 19, 4 (70).

Su, M.-Y. Real-time anomaly detection systems for Denial-of-Service attacks by weighted knearest neighbor classifiers / M.-Y. Su // Expert Systems with Applications. – 2011. – Vol. 38, no. 4. – P. 3492–3498.

Lee, C. H. Network intrusion detection through genetic feature selection / C. H. Lee, J. W. Chung, S. W. Shin // Soft-ware Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 2006. SNPD 2006. Seventh ACIS International Conference on. – IEEE. 2006. – P. 109–114.

Ireland, E. Intrusion detection with genetic algorithms and fuzzy logic / E. Ireland // UMM CSci senior seminar conference. – 2013. – P. 1–6.

Kruegel Christopher, Vigna Giovanni. Anomaly detection of web-based

attacks, Proceedings of the 10th ACM conference on Computer and

communications security. ACM. 2003. – P. 251–261.

Kruegel, C. Using decision trees to improve signature-based intrusion detection / C. Kruegel, T. Toth // Recent Advances in Intrusion Detection. – Springer. 2003. – P. 173–191.

Bouzida, Y. Neural networks vs. decision trees for intrusion detection. Y. Bouzida, F. Cuppens. IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (MonAM). Vol. 28. – 2006.

Nguyen, H.T., Torrano-Gimenez, C., Alvarez, G., Petrovic, S., and Franke, K., Application of the generic feature selection measure in detection of web attacks, in Computational Intelligence in Security for Information Systems, Herrero, Á. and Corchado, E., Eds., Berlin, Heidelberg: Springer, 2011.

Kozik, R., Choraś, M., Holubowicz, W., and Renk, R., Extreme learning machines for web layer anomaly detection, in Image Processing and Communications Challenges 8, Choraś, R.S., Ed., Cham: Springer Int. Publ., 2017, pp. 226–233.

Kozik, R. and Choras, M., Adapting an ensemble of one-class classifiers for a web-layer anomaly detection system, Proc. 10th Int. Conf. on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), Krakow, 2015, pp. 724–729.

Loffler, M., Improvement of intrusion detection using multiple classifier model, Diploma Thesis, FIIT STU, 2017.

Šoltes, F., Improving security of a web system using biology inspired methods, Diploma Thesis, FIIT STU, 2016.

Manh Thang Nguyen, Аlexander Kozachok. Representation Model of Requests to Web Resources, Based on a Vector Space Model and Attributes of Requests for HTTP Protocol. Journal of Science and Technology on Information Security. Vol. 10, No. 2, 2019.




How to Cite

Thang, N. M., & Luong, T. T. (2022). Algorithm for detecting attacks on Web applications based on machine learning methods and attributes queries. Journal of Science and Technology on Information Security, 2(14), 26-34.