Internet and web services become the core infrastructure for companies and institutes, and simultaneously, web servers also become a popular target for attackers. However, many of intrusion detection systems (IDSs) are only effective in detecting known web attacks and cannot evaluate the risk of web service. In order to get over these limitations and inspired by immune principles, this paper presents an immune-based model for web attacks, referred to as IMWA. In the model, the immune learning process is described and the risk of web service is quantitatively calculated. Simulation results show that the model is real-time and adaptive and can detect unknown attacks, thus providing an effective solution for web attacks.