  • DocumentCode
    3658698
  • Title
    Detecting Malicious Inputs of Web Application Parameters Using Character Class Sequences
  • Author
    Yang Zhong; Hiroshi Asakura; Hiroki Takakura; Yoshihito Oshima
  • Author_Institution
    NTT Secure Platform Labs., Musashino, Japan
  • Volume
    2
  • fYear
    2015
  • fDate
    7/1/2015 12:00:00 AM
  • Firstpage
    525
  • Lastpage
    532
  • Abstract
    Web attacks that exploit vulnerabilities of web applications are still a major problem. The number of attacks that maliciously manipulate parameters of web applications, such as SQL injections and command injections, is increasing nowadays. Anomaly detection is effective for detecting these attacks, particularly in the case of unknown attacks. However, existing anomaly detection methods often raise false alarms on normal requests whose parameters differ slightly from those of the learning data, because they perform strict feature matching between the characters appearing as parameter values and those of normal profiles. In this paper, we propose a novel anomaly detection method that uses the abstract structure of parameter values as features of normal profiles. The results of experiments show that our approach reduced the false positive rate more than existing methods with a comparable detection rate.
  • Keywords
    "Servers","Feature extraction","Training","Accuracy","Training data","Electronic mail","Payloads"
  • Publisher
    IEEE
  • Conference_Titel
    Computer Software and Applications Conference (COMPSAC), 2015 IEEE 39th Annual
  • Electronic_ISBN
    0730-3157
  • Type
    conf
  • DOI
    10.1109/COMPSAC.2015.73
  • Filename
    7273662