WebAD: A Cascading Model Based on Machine Learning for Web Attacks Detection

Anomalies in network are complicated and fast-changing, which pose serious threats to network security. In an intrusion detection system (IDS), achieving high detection rate and low false alarm rate is an essential requirement. Furthermore, faced with the explosive growth of network data, rapid recognition counts for as much as accuracy. In this paper, we propose a two-stage cascading model, named WebAD, for detecting web attacks. WebAD applies machine learning techniques to detect anomalous behaviors. However, unlike traditional approaches, WebAD divided machine learning process into two stages. In the first stage, partial but key features are selected for training and detecting to accelerate the detection speed. The intermediate results are passed to the second stage and all features are applied to refine the detection results, therefore improve the accuracy of the model. We conduct comprehensive experiments to evaluate the effectiveness and efficiency of WebAD. The results show that WebAD could significantly improve the model efficiency without sacrificing the detection accuracy. The processing speed is reduced up to more than 70% on average, with an accuracy decrease less than 1%. What’s more, the performance results on NSL-KDD also verify that WebAD could be universal to detect network flow traffics.