Detecting web attacks with end-to-end deep learning

• Published in: Journal of internet services and applications Vol. 10; no. 1; pp. 1 - 22
• Main Authors: Pan, Yao, Sun, Fangzhou, Teng, Zhongwei, White, Jules, Schmidt, Douglas C., Staples, Jacob, Krause, Lee
• Format: Journal Article
• Language: English
• Published: London Springer London 01.12.2019; Sociedade Brasileira de Computação; Brazilian Computing Society (SBC)
• Subjects: Algorithms; Anomalies; Application instrumentation; Applications programs; Computer Applications; Computer Communication Networks; Computer Science; Computer Systems Organization and Communication Networks; Cybersecurity; Deep learning; Feasibility studies; Feature extraction; Graphical representations; Information Systems and Communication Service; Intrusion detection systems; IT in Business; Machine learning; Monitors; Noise reduction; Packets (communication); Processor Architectures; Query languages; Software; Software reliability; Systems analysis; Vulnerability; Web security; Deep learning; Application instrumentation; Web security
• ISSN: 1867-4828; 1869-0238
• DOI: 10.1186/s13174-019-0115-x

Web applications are popular targets for cyber-attacks because they are network-accessible and often contain vulnerabilities. An intrusion detection system monitors web applications and issues alerts when an attack attempt is detected. Existing implementations of intrusion detection systems usually extract features from network packets or string characteristics of input that are manually selected as relevant to attack analysis. Manually selecting features, however, is time-consuming and requires in-depth security domain knowledge. Moreover, large amounts of labeled legitimate and attack request data are needed by supervised learning algorithms to classify normal and abnormal behaviors, which is often expensive and impractical to obtain for production web applications. This paper provides three contributions to the study of autonomic intrusion detection systems. First, we evaluate the feasibility of an unsupervised/semi-supervised approach for web attack detection based on the Robust Software Modeling Tool (RSMT), which autonomically monitors and characterizes the runtime behavior of web applications. Second, we describe how RSMT trains a stacked denoising autoencoder to encode and reconstruct the call graph for end-to-end deep learning, where a low-dimensional representation of the raw features with unlabeled request data is used to recognize anomalies by computing the reconstruction error of the request data. Third, we analyze the results of empirically testing RSMT on both synthetic datasets and production applications with intentional vulnerabilities. Our results show that the proposed approach can efficiently and accurately detect attacks, including SQL injection, cross-site scripting, and deserialization, with minimal domain knowledge and little labeled training data.