Detecting anomalies in enterprise network events

Web based vulnerabilities have been of great interest because of the huge quantity of attacks over the last years, a trend that seems to continuously increase. This is why both academic researchers and companies are investing a large amount of money to secure and protect their networks. This thesis gives its contribution to the literature by presenting an intrusion detection system that uses a number of different anomaly detection techniques to detect attacks against web servers and web based applications over the HTTP protocol. The system analyzes client queries that reference server side programs and creates models for a range of different features of these queries. Examples of such features are the length and the byte distribution of a certain parameter. In particular, the use of application specific modeling of the invocation parameters allows the system to perform focused analysis and produce a reduced number of false positives.