Application-layer vulnerabilities represent a substantial portion of the security exposures of computer networks. In this paper, we explore how effectively an HTTP-session model describes web access behavior. HTTP-sessions are extracted from the HTTP requests made by users. Based on the HTTP-session model and an analysis of web-based attacks, we present an active anomaly detection framework to detect web-based attacks. We demonstrate the effectiveness of the proposed methods via simulation studies using real-world web access requests. The results show that our methods can effectively detect application-layer attacks.