An adaptive system for detecting malicious queries in web attacks

Web request query strings (queries), which pass parameters to a referenced resource, are always manipulated by attackers to retrieve sensitive data and even take full control of victim web servers and web applications. However, existing malicious query detection approaches in the literature cannot cope with changing web attacks. In this paper, we introduce a novel adaptive system (AMOD) that can adaptively detect web-based code injection attacks, which are the majority of web attacks, by analyzing queries. We also present a new adaptive learning strategy, called SVM HYBRID, leveraged by our system to minimize manual work. In the evaluation, an up-to-date detection model is trained on a ten-day query dataset collected from an academic institute's web server logs. The evaluation shows our approach overwhelms existing approaches in two respects. Firstly, AMOD outperforms existing web attack detection methods with an F-value of 99.50% and FP rate of 0.001%. Secondly, the total number of malicious queries obtained by SVM HYBRID is 3.07 times that by the popular support vector machine adaptive learning (SVM AL) method. The malicious queries obtained can be used to update the web application firewall (WAF) signature library.