Attentional Payload Anomaly Detector for Web Applications

  • Zhi-Quan Qin
  • Xing-Kong Ma
  • Yong-Jun WangEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11304)


Nowadays web applications influence people deeply and become popular targets of attackers. The payload anomaly detection is an effective method to keep the security of web applications but requires proper features which takes a lot of time and effort for experts and researchers to design. Utilizing the deep learning techniques for the detection is a solution to the feature design problem because deep learning models can learn features during the training process and achieve great performances. However, current deep learning payload detection models have their limit on processing long sequences, which reduces the detection performance. And due to the intricate data processing, the results produced by the models are unconvincing. In this paper, we proposed an attentional recurrent neural network (RNN) model for the payload detection, called ATPAD. With the attention mechanism, ATPAD generates effective features for the detection tasks and provides a visualized way to verify detection results. The experiment results show that our proposed model not only achieves high detection rates and low false alarm rates, but also produces understandable results.


Web application Payload anomaly detection Deep learning RNN Attention mechanism 



This work is supported by NSFC No.61472439, National Natural Science Foundation of China under Grant.


  1. 1.
    Bahdanau, D., Cho, K., Bengio, Y.: Neural machine translation by jointly learning to align and translate. arXiv preprint (2014).
  2. 2.
    Bochem, A., Zhang, H., Hogrefe, D.: Poster abstract: streamlined anomaly detection in web requests using recurrent neural networks. In: 2017 IEEE Conference on Computer Communications Workshops, pp. 1016–1017 (2017)Google Scholar
  3. 3.
    Cho, K., et al.: Learning phrase representations using RNN encoder-decoder for statistical machine translation. arXiv preprint (2014).
  4. 4.
    Düssel, P., Gehl, C., Laskov, P., Rieck, K.: Incorporation of application layer protocol syntax into anomaly detection. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 188–202. Springer, Heidelberg (2008). Scholar
  5. 5.
    Gal, Y., Ghahramani, Z.: A theoretically grounded application of dropout in recurrent neural networks. In: Data-Efficient Machine Learning workshop, ICML (2016)Google Scholar
  6. 6.
    Gharib, A., Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: An evaluation framework for intrusion detection dataset. In: International Conference on Information Science and Security, pp. 1–6 (2017)Google Scholar
  7. 7.
    Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997)CrossRefGoogle Scholar
  8. 8.
    Jin, X., Cui, B., Yang, J., Cheng, Z.: Payload-based web attack detection using deep neural network. In: Barolli, L., Xhafa, F., Conesa, J. (eds.) BWCCA 2017. LNDECT, vol. 12, pp. 482–488. Springer, Cham (2018). Scholar
  9. 9.
    Kim, G., Yi, H., Lee, J., Paek, Y., Yoon, S.: LSTM-based system-call language modeling and robust ensemble method for designing host-based intrusion detection systems. arXiv preprint (2016).
  10. 10.
    Kim, J., Kim, J., Thu, H.L.T., Kim, H.: Long short term memory recurrent neural network classifier for intrusion detection. In: International Conference on Platform Technology and Service, pp. 1–5 (2016)Google Scholar
  11. 11.
    Kingma, D.P., Ba, J.: Adam: A method for stochastic optimization. arXiv preprint (2014).
  12. 12.
    Li, Y., Xia, J., Zhang, S., Yan, J., Ai, X., Dai, K.: An efficient intrusion detection system based on support vector machines and gradually feature removal method. Expert Syst. Appl. 39(1), 424–430 (2012)CrossRefGoogle Scholar
  13. 13.
    Lin, Z., et al.: A structured self-attentive sentence embedding. arXiv preprint (2017).
  14. 14.
    Luong, M.T., Pham, H., Manning, C.D.: Effective approaches to attention-based neural machine translation. In: The 2015 Conference on Empirical Methods in Natural Language Processing, pp. 1412–1421 (2015)Google Scholar
  15. 15.
    Pascanu, R., Mikolov, T., Bengio, Y.: On the difficulty of training recurrent neural networks. In: International Conference on International Conference on Machine Learning, pp. III-1310 (2013)Google Scholar
  16. 16.
    Perdisci, R., Ariu, D., Fogla, P., Giacinto, G., Lee, W.: McPAD: a multiple classifier system for accurate payload-based anomaly detection. Comput. Netw. Int. J. Comput. Telecommun. Networking 53(6), 864–881 (2009)zbMATHGoogle Scholar
  17. 17.
    Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: International Conference on Information Systems Security and Privacy, pp. 108–116 (2018)Google Scholar
  18. 18.
    Tan, Z., Jamdagni, A., He, X., Nanda, P.: Network intrusion detection based on LDA for payload feature selection. In: GLOBECOM Workshops, pp. 1545–1549 (2011)Google Scholar
  19. 19.
    Torrano-Gimenez, C., Hai, T.N., Alvarez, G., Franke, K.: Combining expert knowledge with automatic feature extraction for reliable web attack detection. Secur. Commun. Netw. 8(16), 2750–2767 (2015)CrossRefGoogle Scholar
  20. 20.
    Torrano-Giménez, C., Pérez-Villegas, A., Álvarez, G.: HTTP DATASET CSIC 2010 (2010).
  21. 21.
    Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: a content anomaly detector resistant to mimicry attack. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 226–248. Springer, Heidelberg (2006). Scholar
  22. 22.
    Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. Recent Adv. Intrusion Detection 3224, 203–222 (2004)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.College of Computer, National University of Defense TechnologyChangshaChina

Personalised recommendations