Locate-Then-Detect: Real-time Web Attack Detection via Attention-based Deep Neural Networks
Abstract
Web attacks such as Cross-Site Scripting and SQL Injection are serious Web threats that lead to catastrophic data leakage and loss. Because attack payloads are often short segments hidden in URL requests/posts that can be very long, classical machine learning approaches have difficulty learning useful patterns from them. In this study, we propose a novel Locate-Then-Detect (LTD) system that can precisely detect Web threats in real time by using attention-based deep neural networks. First, an efficient Payload Locating Network (PLN) is employed to propose the most suspicious regions from large URL requests/posts. Then a Payload Classification Network (PCN) is adopted to accurately classify malicious regions from the suspicious candidates. In this way, the PCN can focus more on learning malicious segments and greatly increase detection accuracy, and the noise induced by irrelevant background strings can be largely eliminated. In addition, LTD can greatly reduce computational costs (82.6% less) by ignoring large irrelevant URL content. Experiments are carried out on both benchmarks and real Web traffic. LTD outperforms an HMM-based approach, the Libinjection system, and a leading commercial rule-based Web Application Firewall. Our method can be efficiently implemented on GPUs with an average detection time of about 5 ms and is well suited to real-time applications.