Detecting Malicious HTTP Requests Without Log Parser Using RequestBERT-BiLSTM

  • Conference paper in Intelligent Systems (BRACIS 2022)

Abstract

Web servers provide most internet services, such as information sharing, finance, health, entertainment, and education. As a result, the web has become the principal target for attackers. Unfortunately, most defensive techniques for web servers cannot cope with the complexity and evolution of cyber attacks carried in HTTP requests. Machine learning approaches, however, can help detect some of these attacks. This work presents RequestBERT-BiLSTM, a new model for detecting possible HTTP request attacks without using a log parser. We evaluated the model on the public datasets CSIC 2010, ECML/PKDD 2007, and BGL, and we also built a new dataset from a real environment to evaluate the method. In addition, we show that the traditional log-parsing step can degrade the model’s performance because of parser errors. Finally, we compared the proposed approach with models from the literature and obtained a detection rate above 95%.


Notes

  1. Regex is the abbreviation of the English term Regular Expressions.


Author information

Corresponding author: Levi S. Ramos Júnior.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Ramos Júnior, L.S., Macêdo, D., Oliveira, A.L.I., Zanchettin, C. (2022). Detecting Malicious HTTP Requests Without Log Parser Using RequestBERT-BiLSTM. In: Xavier-Junior, J.C., Rios, R.A. (eds) Intelligent Systems. BRACIS 2022. Lecture Notes in Computer Science(), vol 13654 . Springer, Cham. https://doi.org/10.1007/978-3-031-21689-3_24

  • DOI: https://doi.org/10.1007/978-3-031-21689-3_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-21688-6

  • Online ISBN: 978-3-031-21689-3

  • eBook Packages: Computer Science (R0)