
Building Efficient AI Web Intrusion Detection Systems (WIDS)


An interesting paper, “Malicious Web Request Detection Using Character-Level CNN”, written by researchers Wei Rong, Bowen Zhang, and Xixiang Lv of Xidian University, describes how to build autonomous Web Intrusion Detection Systems (WIDS) that thwart malicious HTTP requests. Code injection attacks occur at high rates on the internet. Bad actors inject malicious code into the parameters of an HTTP request link to attack a web server. Since the web server does not recognize the implanted malicious code, it returns the web response and gives the attacker the information they seek.

Web Intrusion Detection Systems (WIDS) are defensive tools that try to prevent web parameter injection attacks. WIDS use anomaly detection, a machine learning technique that uses unsupervised learning to determine whether something in a dataset is unusual. WIDS filter web requests, allowing benign requests to receive responses while blocking malicious ones.

However, the problem with WIDS is that the false positive rate (FPR) of anomaly detection is high. The WIDS model cannot update itself to distinguish the data structure of a benign web request from a malicious web request, and therefore mistakes malicious requests for benign ones.


The researchers from Xidian University believe that the anomaly detection model can be improved by using a Convolutional Neural Network (CNN). A CNN is a type of neural network belonging to the deep learning area of AI. It is usually applied to computer vision, where it shares parameters across multiple image locations, which allows more knowledge to be incorporated into a network architecture without requiring a large increase in training data.

The entire detection model proposed by Rong, Zhang, and Lv consists of four layers: 1. the embedding layer, 2. the convolutional (CNN) layer, 3. the pooling layer, and 4. the output layer.


  1. The embedding layer learns the hidden similarity between malicious and benign characters in web requests. It takes an index list of characters and passes it to the convolutional layer.

  2. The convolutional layer extracts different features of the index by using filters of different matrix sizes.

  3. The pooling layer outputs “n” results, where “n” is the number of filters in the convolutional layer. The pooling layer also controls overfitting by reducing the number of parameters in the network.

  4. The output layer outputs the results of the classification model, and represents the probability of a web request being benign or malicious.
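
The four layers above as a single forward pass, written here as an added example (not code from the paper or its authors). The vocabulary, embedding size, filter widths, ReLU activation and max-over-time pooling are assumptions, and the weights are random and untrained, so the scores only show how data flows through the layers.

```python
import math
import random

# Assumed hyperparameters (not from the paper): vocabulary, sizes, filter widths.
VOCAB = {chr(c): i + 1 for i, c in enumerate(range(32, 127))}  # 0 = padding/unknown
EMBED_DIM, MAX_LEN, WIDTHS, FILTERS_PER_WIDTH = 8, 64, (3, 4, 5), 4

rng = random.Random(0)  # fixed seed: untrained random weights, for shapes only
def rand_matrix(rows, cols):
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

EMBED = rand_matrix(len(VOCAB) + 1, EMBED_DIM)
CONV = [(w, rand_matrix(w, EMBED_DIM)) for w in WIDTHS for _ in range(FILTERS_PER_WIDTH)]
OUT_W = [rng.uniform(-0.5, 0.5) for _ in CONV]

def to_indices(request):
    """Map each character to its index, truncating/padding to MAX_LEN."""
    idx = [VOCAB.get(ch, 0) for ch in request[:MAX_LEN]]
    return idx + [0] * (MAX_LEN - len(idx))

def embed(indices):
    """Embedding layer: index list -> MAX_LEN x EMBED_DIM matrix."""
    return [EMBED[i] for i in indices]

def conv_and_pool(matrix):
    """Slide each filter over the characters and keep its maximum response."""
    pooled = []
    for width, kernel in CONV:
        best = 0.0
        for start in range(len(matrix) - width + 1):
            s = sum(kernel[r][c] * matrix[start + r][c]
                    for r in range(width) for c in range(EMBED_DIM))
            best = max(best, s)  # ReLU and max-over-time pooling in one step
        pooled.append(best)
    return pooled  # n values, one per convolutional filter

def predict(request):
    """Output layer: sigmoid over the pooled features -> P(malicious)."""
    pooled = conv_and_pool(embed(to_indices(request)))
    z = sum(w * p for w, p in zip(OUT_W, pooled))
    return 1.0 / (1.0 + math.exp(-z))

if __name__ == "__main__":
    # Constructed sample requests; scores are meaningless until the model is trained.
    for req in ("/index.php?id=42", "/index.php?id=42' OR '1'='1"):
        print(f"{predict(req):.3f}  {req}")
```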

The entire model is continuously trained to recognize new or unknown parameter attacks. It improves upon standard anomaly detection models and decreases the high false positive rates of earlier WIDS. It should be noted that such an application of AI to cybersecurity can do wonders for reducing the number of web attacks experienced. For a more detailed description of how the CNN WIDS works, it is suggested that the paper, “Malicious Web Request Detection Using Character-Level CNN”, be read in full.

