US Patent 11223637 Detecting attacks on web applications using server logs

A previously-unknown type of attack on a web application can be detected dynamically using server logs. An alert can be raised for an application that returns a valid response to the potential attacker (e.g., when an http (hypertext transfer protocol) status code of 200 is returned to the requestor). Server logs can be analyzed to identify an external computer that uses the same attack methodology on multiple targets. The external computer may attempt to access the same Uniform Resource Identifier (URI) on various web sites. In many cases, the http status code that is returned is an error code. Characteristics such as but not limited to fast crawling and numerous error status codes being returned to a particular requestor can be used by a machine learning (ML) system to identify potentially malicious external computing devices and/or vulnerable URIs.