Anomaly-based Web Application Firewall using HTTP-specific features and One-Class SVM

Main Article Content

Ralf Funk
Nico Epp
Cristian R. Cappo A.

Abstract




Vulnerabilities in web applications pose great risks because they can be exploited by malicious attackers through the Internet. Web Application Fire- walls placed in front of these applications can help to minimize these risks. In this paper, we present such a firewall based on anomaly detection that aims to detect anomalous HTTP requests using One-Class SVM classifier. Our work uses expert knowledge about the HTTP request structure to build feature extraction methods that improve the detection rates. We include a link to the online repository that contains the code of our implementation for the purpose of re- producibility and extensibility. With extensive experimental testing in a public dataset, we validate the competitiveness of our WAF presented here. These tests show that our WAF reaches an average of F1-score of 0.95 also show that the detection process of our implementation should not have a noticeable effect on the response time of the protected applications. Besides, the WAF can be trained with a considerable amount of normal messages in a matter of a few minutes. Finally, the source code of our implementation is available in our public repos- itory, so that others may reproduce our results and extend our work with further research.


Article Details

Section
Special Issue (ERRC)