Boosting Web Intrusion Detection Systems by Inferring Positive Signatures
Source: University of Twente
This paper presents a new approach to anomaly-based network intrusion detection for web applications. The approach divides the input parameters of the monitored web application into two groups, the "Regular" and the "Irregular" ones, and applies a new anomaly detection method to the "Regular" ones, based on the inference of a regular language. The authors support the proposal by implementing Sphinx, an anomaly-based intrusion detection system built on it. Thorough benchmarks show that Sphinx performs better than current state-of-the-art systems, both in terms of false positives and false negatives and in needing a shorter training period.
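The idea of a positive signature for "Regular" parameters can be sketched as follows. This is an added, simplified illustration and not Sphinx's algorithm: the shape abstraction, the `MAX_SHAPES` cut-off, the function names and the training values are all assumptions constructed for this example.

```python
import re
import string

MAX_SHAPES = 3  # assumed cut-off: more distinct shapes than this => "Irregular"

def shape(value):
    """Generalise one training value into a regex fragment."""
    out, prev = [], None
    for ch in value:
        if ch in string.digits:
            cls = r"\d+"
        elif ch in string.ascii_letters:
            cls = "[A-Za-z]+"
        else:
            cls = None                      # punctuation/space stays literal
        if cls is None:
            out.append(re.escape(ch))
        elif cls != prev:                   # collapse a run into one class
            out.append(cls)
        prev = cls
    return "".join(out)

def infer_signatures(training):
    """Map each parameter to a compiled positive signature, or None if irregular."""
    signatures = {}
    for param, samples in training.items():
        shapes = sorted({shape(v) for v in samples})
        if len(shapes) > MAX_SHAPES:
            signatures[param] = None        # too varied to model as a language
        else:
            signatures[param] = re.compile("|".join(f"(?:{s})" for s in shapes))
    return signatures

def check(signatures, param, value):
    """Return 'ok', 'anomalous', or 'irregular' (no positive signature)."""
    sig = signatures.get(param)
    if sig is None:
        return "irregular"
    return "ok" if sig.fullmatch(value) else "anomalous"

# Constructed training data (attack-free request parameters).
TRAINING = {
    "id": ["17", "204", "9931"],
    "date": ["2007-03-01", "2008-11-23"],
    "comment": ["Great post!", "see http://example.org/a?b=1", "thx :)",
                "I disagree, because...", "+1"],
}
SIGNATURES = infer_signatures(TRAINING)

if __name__ == "__main__":
    for p, v in [("id", "42"), ("id", "12x34!"), ("date", "2009-01-15"),
                 ("comment", "anything goes")]:
        print(p, repr(v), "->", check(SIGNATURES, p, v))
```

Values that fall outside the inferred language of a "Regular" parameter are flagged; free-text parameters get no signature here and would need a different detector.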