Abstract

Feature selection for filtering HTTP-traffic in Web Application Firewalls (WAFs) is an important task. We focus on the generic-feature-selection (GeFS) measure, which was successfully tested on low-level package filters, i.e. the KDD CUP'99 dataset. However, the performance of the GeFS measure in analyzing high-level HTTP-traffic is still unknown. In this article we study the GeFS measure for WAFs. We conduct experiments on the publicly available ECML/PKDD-2007 dataset. Since this dataset does not target correct Web applications, we additionally generate our new CSIC-2010 dataset. We analyze the statistical properties of both two datasets to provide more insights of their nature and quality. Subsequently we determine appropriate instances of the GeFS measure for feature selection. We use different classifiers to test the detection accuracies. The experiments show that we can remove 63% of irrelevant and redundant features from the original dataset, while keeping the detection accuracy of WAFs.