Identifying Anomalous HTTP Traffic with Association Rule Mining

Abstract

Web applications are compromised by exploiting different vulnerabilities. The protection systems designed to detect such attacks, screen the HTTP requests to decide whether a particular request is benign or malicious. Generating effective screening rules governs the detection performance and false positive rate. In this paper, we propose to generate classification rules to identify malicious HTTP requests using co-occurrence between certain character combinations. Our idea is motivated by the fact that, a successful attack will have some combination of characters together. For e.g., in an SQL injection attack = sign may appear along with “'”. We propose to learn such character combinations using association rules with a set of carefully chosen feature (character) set. We experiment with a publicly available HTTP dataset and show that malicious HTTP requests can be identified with rules generated from such associations.