POSTER: Towards Automating Detection of Anomalous HTTP Requests with Joint Probability Estimation of Characters

Web applications are often exploited using different techniques like injection, buffer overflow, etc. An HTTP request carrying such malicious content will be different from a normal request. In this paper we propose to detect such anomalous HTTP requests using regular expression based signatures. These signatures are generated using character combinations specifically identified from known malicious requests. We identify certain characters which are useful for differentiating normal and anomalous requests using their frequency value comparison and subsequently select those combinations which have high chances of appearing together by estimating their joint probability values. We experiment with few sample attack types and show that proposed method can identify anomalous HTTP requests.