A Self-learning Anomaly-Based Web Application Firewall

  • Carmen Torrano-Gimenez
  • Alejandro Perez-Villegas
  • Gonzalo Alvarez
Conference paper
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 63)


A simple and effective web application firewall is presented. This system follows the anomalous approach, therefore it can detect both known and unknown web attacks. The system decides whether the incoming requests are attacks or not aided by an XML file. The XML file contains the normal behavior of the target web application statistically characterized and is built from a set of normal requests artificially generated. Any request which deviates from the normal behavior is considered anomalous. The system has been applied to protect a real web application. An increasing number of training requests have been used to train the system. Experiments show that when the XML file has enough data to closely characterize the normal behaviour of the target web application, a very high detection rate is reached while the false alarm rate ramains very low.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Alvarez, G., Petrovic, S.: A new taxonomy of Web attacks suitable for efficient encoding. Computers and Security 22(5), 453–449 (2003)Google Scholar
  2. 2.
    Patcha, A., Park, J.: An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks 51(12), 3448–3470 (2007)CrossRefGoogle Scholar
  3. 3.
    Kruegel, C., Vigna, G., Robertson, W.: A multi-model approach to the detection of web-based attacks. Computer Networks 48(5), 717–738 (2005)CrossRefGoogle Scholar
  4. 4.
    Estévez-Tapiador, J., García-Teodoro, P., Díaz-Verdejo, J.: Measuring normality in HTTP traffic for anomaly-based intrusion detection. Computer Networks 45(2), 175–193 (2004)CrossRefGoogle Scholar
  5. 5.
    Bolzoni, D., Zambon, E.: Sphinx: An anomaly-based web intrusion detection system. In: Workshop on Intrusion Detection Systems, Utrecht, The Netherlands, 14 pages (2007)Google Scholar
  6. 6.
    ModSecurity. Open Source signature-based Web Application Firewall (2009),
  7. 7.
    Provost, F., Fawcett, T., Kohavi, R.: The case against accuracy estimation for comparing induction algorithms. In: Proceedings of the 15th International Conference on Machine Learning. Morgan Kaufmann, San Francisco (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Carmen Torrano-Gimenez
    • 1
  • Alejandro Perez-Villegas
    • 1
  • Gonzalo Alvarez
    • 1
  1. 1.Instituto de Física AplicadaConsejo Superior de Investigaciones CientíficasMadridSpain

Personalised recommendations