Learning DFA representations of HTTP for protecting web applications

Kenneth L. Ingham, Anil Somayaji, John Burge, Stephanie Forrest

Research output: Contribution to journalArticlepeer-review

63 Scopus citations


Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).

Original languageEnglish (US)
Pages (from-to)1239-1255
Number of pages17
JournalComputer Networks
Issue number5
StatePublished - Apr 11 2007
Externally publishedYes


  • Anomaly intrusion detection
  • Finite automata induction
  • Web server security

ASJC Scopus subject areas

  • Computer Networks and Communications


Dive into the research topics of 'Learning DFA representations of HTTP for protecting web applications'. Together they form a unique fingerprint.

Cite this