An enhanced deep learning based framework for web attacks detection, mitigation and attacker profiling

Waleed Bin Shahid, Baber Aslam, Haider Abbas, Saad Bin Khalid, Hammad Afzal

Research output: Contribution to journal › Article › peer-review

Abstract

Protecting web applications is becoming more challenging with every passing day, primarily because of attack sophistication, the omnipresence of web applications and over-reliance on traditional Web Application Firewalls (WAFs). Advanced Persistent Threats (APTs) make overwhelming use of web attacks during the infiltration and expansion phases. Noteworthy research has been carried out to detect web attacks using deep learning because traditional approaches fail against complicated attacks having crafted payloads, scripts and cookie manipulations. This paper proposes a framework based on an enhanced hybrid approach where a deep learning model is nested with a Cookie Analysis Engine for web attack detection, mitigation and attacker profiling in real time. We first generated a large dataset over a period of time and trained our Convolution Neural Network (CNN) based deep learning model using Hypertext Transfer Protocol (HTTP) request parameters such as Type, Content length, Data and Requested URL. We also developed a Cookie Analysis Engine that checks all incoming cookies for integrity, mutations and failed sanitization checks and informs the user about probable privacy infringement by third-party cookies. The framework analyzes the cascading output from the classifier and the Cookie Analysis Engine and takes the final decision. We performed rigorous testing of the proposed framework, wherein it was first validated on our own custom dataset, giving an accuracy of 99.94%. It was also validated on a publicly available benchmark dataset and gave an accuracy of 98.74%. When deployed in a controlled real-time environment, the attacker profiling feature enabled the framework to save useful processing time, as the deep learning classifier does not get triggered for every incoming request. This makes it easy to deploy in any environment to protect web applications in real time.
Original language: English
Article number: 103270
Number of pages: 14
Journal: Journal of Network and Computer Applications
Volume: 198
Early online date: 13 Dec 2021
Publication status: Published - Feb 2022
Externally published: Yes
