http://dx.doi.org/10.13089/JKIISC.2020.30.4.669

Web Attack Classification Model Based on Payload Embedding Pre-Training  

Kim, Yeonsu (Chonnam National University)
Ko, Younghun (Chonnam National University)
Euom, Ieckchae (Chonnam National University)
Kim, Kyungbaek (Chonnam National University)
Abstract
As the number of Internet users has exploded, attacks on the web have increased. In addition, attack patterns have diversified to bypass existing defense techniques. Traditional web firewalls have difficulty detecting attacks with unknown patterns. Therefore, detecting abnormal behavior with artificial intelligence has been studied as an alternative. Specifically, attempts have been made to apply natural language processing techniques, because the scripts and queries being exploited consist of text. However, because scripts and queries contain many unknown words, natural language processing requires a different approach. In this paper, we propose a new classification model that uses byte pair encoding (BPE) to learn embedding vectors for the tokens often used in web attack payloads, and uses an attention mechanism-based Bi-GRU neural network to learn the order and importance of the extracted set of tokens. For major web attacks such as SQL injection, cross-site scripting, and command injection, the accuracy of the proposed classification method is about 0.9990, outperforming the model suggested in the previous study.
Keywords
Web Attack; Payload; BPE (Byte Pair Encoding); Word embedding; Deep learning