Method for Web Server Attack Detection Based on Behavior Probability

摘要

According to the present invention, a method for detecting whether a web server is attacked is performed by an abnormality detecting device in an environment including a client terminal, a web server, and the abnormality detecting device. According to the present invention, the method for detecting whether a web server is attacked comprises: a first step of extracting standardized metadata from web access information based on an HTTP request received from a client terminal; a second step of generating a first behavior identifier including the current method and a web resource path based on the extracted metadata; a third step of generating a second behavior identifier including the previous method and the web resource path based on the metadata of the previous HTTP request; a fourth step of calculating a reference occurrence probability based on a ratio of the first behavior identifier and the second behavior identifier; and a fifth step of determining whether the web server is attacked based on the reference occurrence probability calculated in the fourth step.