Skip to content
/ seq2seq-anomaly-detection Public

A Natural Language Processing based approach to detect malicious HTTP requests.

10 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

viral98/seq2seq-anomaly-detection

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

datasets

datasets

 
 

utils

utils

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

main.py

main.py

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

THIS IS NO LONGER MAINTAINED

seq2seq-anomaly-detection

A Natural Language Processing based approach to detect malicious HTTP requests. Originally forked from seq2seq-web-attack-detection .

Model Parameters

• batch_size - 128 - the number of samples in a batch.

• embed_size - 64 - the dimension of embedding space (should be less than vocabulary size).

• hidden_size - 64 -the number of hidden states in lstm.

• num_layers - 2 - the number of lstm blocks.

• checkpoints - path to checkpoint directory.

• std_factor - 6. - the number of stds that is used for defining a model threshold.

• dropout - 0.7 - the probability that each element is kept.

• vocab - the Vocabulary object.

In the parameters setting stage, the threshold setting is introduced. Set_threshold calculates the threshold value using mean and std of loss values of valid samples.

At the testing stage, the model receives benign and anomalous samples. For each sample, the value of loss is calculated. If this value is greater than the threshold, then the request is considered anomalous.

Sample Data

Benign Sample

GET /vulnbank/assets/fonts/Pe-icon-7-stroke.woff?d7yf1v HTTP/1.1

Host: 10.0.212.25

Connection: keep-alive

Origin: http://10.0.212.25

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

Accept: /

Referer: http://10.0.212.25/vulnbank/assets/css/pe-icon-7-stroke.css

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: PHPSESSID=j1pavglp5ue30266c0j88ged30

Anomalous sample

POST /vulnbank/online/api.php HTTP/1.1

Host: 10.0.212.25

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

Accept: application/json, text/javascript, /; q=0.01

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://10.0.212.25/vulnbank/online/login.php

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 209

Cookie: PHPSESSID=mlacs0uiou344i3fa53s7raut6

Connection: keep-alive

type=user&action=create&username=Jack'+and+extractvalue(0x0a,concat(0x0a,(select version())))+and+'1'='1&password=passw0rd&firstname=first&lastname=last&birthdate=30-08-2017&email=eee%40mail.com&phone=747474747&account=DE44404419569750553340&creditcard=4556-9373-3913-6510

About

A Natural Language Processing based approach to detect malicious HTTP requests.

Resources

Readme
Activity

Stars

10 stars

Watchers

0 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages