Web Attacks Detection Based on Patterns of Sessions

In recent years, we continued to see a trend of increasing number of web application vulnerabilities. Web application firewall or WAF for short is widely used to detect known attacks on web applications. Unfortunately, WAF is a signature intrusion detection and prevention system. Therefore, WAF requires the creation and maintenance of a large number of rules up to date. In addition, as practice shows, detection rules often require customization for a particular application. Therefore, for a more complete protection, WAF should be supplemented with an anomaly detection system. The article proposes a hybrid anomaly detection system based on a user session model. Anomaly detection is based on the detection of deviations of the current user session from the reference session model based on the variable order Markov model. To improve the reliability of attack detection, when assessing the session anomaly, models for the validity of the values of the HTTP request and SQL queries to the database are created for each stage of the session.