Anomaly-based Web Application Firewall using HTTP-specific features and One-Class SVM


Ralf Funk
Nico Epp
Cristian R. Cappo A.

Abstract




Vulnerabilities in web applications pose great risks because they can be exploited by malicious attackers through the Internet. Web Application Firewalls placed in front of these applications can help to minimize these risks. In this paper, we present such a firewall based on anomaly detection that aims to detect anomalous HTTP requests using a One-Class SVM classifier. Our work uses expert knowledge about the HTTP request structure to build feature extraction methods that improve the detection rates. We include a link to the online repository that contains the code of our implementation for the purpose of reproducibility and extensibility. With extensive experimental testing on a public dataset, we validate the competitiveness of the WAF presented here. These tests show that our WAF reaches an average F1-score of 0.95 and also show that the detection process of our implementation should not have a noticeable effect on the response time of the protected applications. Besides, the WAF can be trained with a considerable amount of normal messages in a matter of a few minutes. Finally, the source code of our implementation is available in our public repository, so that others may reproduce our results and extend our work with further research.



Section
Special Issue (ERRC)