This document provides a review of anomaly-based intrusion detection techniques for multi-tier web applications. It begins with an introduction to intrusion detection systems and the differences between misuse detection and anomaly detection. It then reviews several existing anomaly detection approaches including rule-based systems, multimodal approaches, state transition analysis, profiling of internal application states, and combined approaches that analyze both web requests and database queries. The key advantages and disadvantages of each technique are discussed. Overall, the document analyzes different methods for building behavior models and detecting anomalies to identify intrusions in complex multi-tier web applications.