Web attack detection using entropy-based analysis

Abstract

Web attacks are increases both magnitude and complexity. In this paper, we try to use the Shannon entropy analysis to detect these attacks. Our approach examines web access logging text using the principle that web attacking scripts usually have more sophisticated request patterns than legitimate ones. Risk level of attacking incidents are indicated by the average (AVG) and standard deviation (SD) of each entropy period, i.e., Alpha and Beta lines which are equal to AVG-SD and AVG-2*SD, respectively. They represent boundaries in detection scheme. As the result, our technique is not only used as high accurate procedure to investigate web request anomaly behaviors, but also useful to prune huge application access log files and focus on potential intrusive events. The experiments show that our proposed process can detect anomaly requests in web application system with proper effectiveness and low false alarm rate.