Anomaly-based Web Attack Detection: The Application of Deep Neural Network Seq2Seq With Attention Mechanism



1 associate professor in Khajeh Nasir Toosi University of Technology

2 phd candidate in industrial engineering of Khajeh Nasir Toosi University of Technology., Tehran, Iran



Today, the use of the Internet and Internet sites has been an integrated part of the people’s lives, and most activities and important data are in the Internet websites. Thus, attempts to intrude into these websites have grown exponentially. Intrusion detection systems (IDS) of web attacks are an approach to protect users. But, these systems are suffering from such drawbacks as low accuracy in detecting new attacks. To tackle this problem, various methods of machine learning have been presented in recent years. Since malicious web requests have more delicate distinction than normal requests, these methods have failed to exhibit a good accuracy in new attack detection. This paper presents a new method for web attack detection using seq2seq networks using attention. The results show that this method could predict the possible responses and use the difference from the real responses of the server to model the normal traffic. Thereby, it could use the similarity measure to discriminate between normal and anomalous traffic. The highest accuracy of this method versus similar methods shows that the use of attention mechanism can cope with the challenge of studying long web requests to a great extent.


[1] Symantec Internet Security Threat Report, volume 24. 2019.

[2] Yoshua Bengio, Ian J Goodfellow, and Aaron Courville. Deep learning. The MIT Press, 2016. [3] A Moradi Vartouni, M Teshnehlab, and S Sedighian Kashi. Leveraging deep neural networksforanomaly-basedwebapplicationfirewall. IET Information Security, 13(4):352–361, 2019.

[4] Ni Gao, Ling Gao, Quanli Gao, and Hai Wang. An intrusion detection model based on deep belief networks. In Advanced Cloud and Big Data (CBD), 2014 Second International Conference on, pages 247–252. IEEE, 2014.

[5] Zhanyi Wang. The applications of deep learning on traffic identification. BlackHat USA, 2015.

[6] A Tekerek and O.F. Bay. Design and implementation of an artificial intelligence-based web application firewall model. Neural Network World, 29(4):189–206, 2019.
[7] Hieu Mac, Dung Truong, Lam Nguyen, Hoa Nguyen, Hai Anh Tran, and Duc Tran. Detecting Attacks on Web Applications Using Autoencoder. In Proceedings of the Ninth International Symposium on Information and Communication Technology, SoICT 2018, pages 416–421, New York, NY, USA, 2018. ACM.

[8] Joshua Saxe and Konstantin Berlin. eXpose: {A} Character-Level Convolutional Neural Network with Embeddings For Detecting Malicious URLs, File Paths and Registry Keys. CoRR, abs/1702.08568, 2017.

[9] Jingxi Liang, Wen Zhao, and Wei Ye. AnomalyBased Web Attack Detection: A Deep Learning Approach. In Proceedings of the 2017 VI International Conference on Network, Communication and Computing, ICNCC 2017, pages 80–85, New York, NY, USA, 2017. ACM. [10] Saiyu Hao, Jun Long, and Yingchuan Yang. BLIDS: Detecting Web Attacks Using Bi-LSTM Model Based on Deep Learning. In Jin Li, Zheli Liu,andHaoPeng,editors,Security and Privacy inNewComputingEnvironments,pages551–563, Cham, 2019. Springer International Publishing. [11] Z Tian, C Luo, J Qiu, X Du, and M Guizani. A Distributed Deep Learning System for Web Attack Detection on Edge Devices. IEEE Transactions on Industrial Informatics, page 1, 2019. [12] CarmenTorrano Giménez, Alejandro Pérez Villegas, Gonzalo Álvarez, and Marañón. HTTP data set CSIC 2010. 2010.

[13] Iman Sharafaldin., Arash Habibi Lashkari., and Ali A Ghorbani. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. In Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,,pages 108–116. INSTICC, SciTePress, 2018.

[14] Bo Dong and Xue Wang. Comparison Deep Learning Method to Traditional Methods Using for Network Intrusion Detection. 8th IEEE International Conference on Communication S oftw are and N etw ork s, 2016.

[15] Shahriar Mohammadi and Amin Namadchian. A New Deep Learning Approach for Anomaly BaseIDSusingMemeticClassifier. International Journal of Computers, Communications & Control, 12(5), 2017.

[16] AhmadJavaid,QuamarNiyaz,WeiqingSun,and Mansoor Alam. A Deep Learning Approach for NetworkIntrusionDetectionSystem. InProceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), 2016.

[17] Jaehyun Jihyun Kim, Jaehyun Jihyun Kim, HuongLeThiThu,andHowonKim. LongShort
Term Memory Recurrent Neural Network Classifier for Intrusion Detection. 2016 International Conference on Platform Technology and Service (PlatCon), 2016.

[18] Kenneth L Ingham, Anil Somayaji, John Burge, and Stephanie Forrest. Learning DFA Representations of HTTP for Protecting Web Applications. Comput. Netw., 51(5):1239–1255, 2007.

[19] Camen Torrano-Giménez, Alejandro PerezVillegas, and Gonzalo Alvarez Maranón. An anomaly-based approach for intrusion detection in web traffic. 2010.

[20] Igino Corona, Roberto Tronci, and Giorgio Giacinto. SuStorID: {A} multiple classifier system for the protection of web services. In Proceedings of the 21st International Conference on Pattern Recognition, {ICPR} 2012, Tsukuba, Japan, November 11-15, 2012, pages 2375–2378, 2012.

[21] M Zolotukhin, T Hämäläinen, T Kokkonen, and J Siltanen. Analysis of HTTP Requests for Anomaly Detection of Web Attacks. In 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing, pages 406–411, 2014.

[22] M Choraś and R Kozik. Machine learning techniquesappliedtodetectcyberattacksonwebapplications. Logic Journal of the IGPL, 23(1):45– 56, 2015.

[23] Christopher Kruegel, Giovanni Vigna, and William Robertson. A multi-model approach to the detection of web-based attacks. Computer Networks, 48(5):717–738, 2005.

[24] M Kirchner. A framework for detecting anomalies in HTTP traffic using instance-based learning and k-nearest neighbor classification. In 2010 2nd International Workshop on Security and Communication Networks (IWSCN), pages 1–8, 2010.

[25] Konrad Rieck and Pavel Laskov. Detecting UnknownNetworkAttacksUsingLanguageModels. In Proceedings of the Third International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA’06, pages 74–90, Berlin, Heidelberg, 2006. Springer-Verlag. [26] Duc Le Jr. An unsupervised learning approach for network and system analysis. 2017.

[27] Melody Moh, Santhosh Pininti, Sindhusha Doddapaneni, and Teng-Sheng Moh. Detecting web attacks using multi-stage log analysis. In Advanced Computing (IACC), 2016 IEEE 6th International Conference on, pages 733–738. IEEE, 2016.

[28] Ilya Sutskever, Oriol Vinyals, and Quoc V Le. Sequence to Sequence Learning with Neural Networks. In Proceedings of the 27th International Conference on Neural Information Processing
Systems - Volume 2, NIPS’14, pages 3104–3112, Cambridge, MA, USA, 2014. MIT Press.

[29] Minh-Thang Luong, Hieu Pham, and Christopher D Manning. Effective Approaches to Attention-based Neural Machine Translation. CoRR, abs/1508.04025, 2015.