The proliferation of web applications and the pervasiveness of mobile technology make web-based attacks even more attractive and even easier to launch. A Web Application Firewall (WAF) is an intermediate tool between the web server and users that provides comprehensive protection for web applications. A WAF follows a negative security model, in which the detection and prevention mechanisms are based on predefined or user-defined attack signatures and patterns. However, a WAF alone is not adequate to offer the best defensive system against web vulnerabilities that are increasing in number and complexity daily. This paper presents a methodology to automatically design a positive security based model which identifies and allows only legitimate web queries. The paper shows that a true positive rate of more than 90% can be achieved.
Keywords: Positive Security Model, Web Application Firewall, Q Science (General), Intrusion Detection System
| Indicator | Description | Value |
| --- | --- | --- |
| selected citations | These citations are derived from selected sources. This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically). | 0 |
| popularity | This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network. | Average |
| influence | This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically). | Average |
| impulse | This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network. | Average |
| views | | 2 |
| downloads | | 2 |

Views provided by UsageCounts
Downloads provided by UsageCounts