Hindawi

Security and Communication Networks

Volume 2022, Article ID 5280158, 14 pages
https://doi.org/10.1155/2022/5280158

Research Article
Web Application Firewall Using Machine Learning and
Features Engineering

1 2
Aref Shaheed and M. H. D. Bassam Kurdy
1
Department of Web Technologies, Syrian Virtual University, Damascus, Syria
2
Department of Artificial Intelligence, Syrian Virtual University, Damascus, Syria

Correspondence should be addressed to Aref Shaheed; [email protected]

Received 22 May 2021; Revised 12 July 2021; Accepted 26 March 2022; Published 6 June 2022

Academic Editor: David Megias

Copyright © 2022 Aref Shaheed and M. H. D. Bassam Kurdy. -is is an open access article distributed under the Creative
Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the
original work is properly cited.
Web application security has become a major requirement for any business, especially with the wide web attacks spreading despite
the defensive measures and the continuous development of software frameworks and servers. In this study, we present a proposed
model for a web application firewall that used machine learning and features engineering to detect common web attacks. Our
proposed model analyses incoming requests to the webserver, parses these requests to extract four features that describe
completely HTTP request parts (URL, payload, and headers), and classifies whether a request is normal or an anomaly. We took
into consideration the limitation of previous works that use URL and payload only in classification and provided five features that
describe and summarize all parts of the HTTP request using features engineering and previous experience in the field of the
software security domain. Extracted features are length of request, percentage of characters allowed, percentage of special
characters, and attack weight. -ese features were calculated for four different datasets CSIC 2010, HTTPParams 2015, Hybrid
dataset (CSIC 2010 and HTTPParams), and real logs for the compromised web server. We evaluated our proposed model by using
these updated datasets with four classification algorithms (Naive Bayes, logistic regression, decision tree, and support vector
machine) with two methods (train test split and cross-validation) to negate the probability of overfitting and ensure that features
are effective. Features values for a normal request are usually short request length, large allowed character ratio, small special
character ratio, and zero attack weight or close to zero. Features values for anomaly requests are large request length, small allowed
character percentage, large special character percentage, and very large numerically attack weight. Our proposed model achieved a
classification accuracy of 99.6% with datasets used in research studies in this field and 98.8% with datasets of real web servers.

1. Introduction an integrated manner with these defensive procedures to raise

Cyberattacks targeting web servers and applications were
and still is one of the important points that are taken into
consideration when an organization uses technology in its
various types of work (applications, operating systems,
databases, networks, etc.), and these attacks remain high risk
despite the great diversity in the methods of combating
them. -is limited the impact of these attacks but was unable
to make a tangible effect.
Despite the implementation of defensive measures by web
application developers, attacks are constantly evolving, and
there has become an urgent need for dedicated software or
product that supports these defensive procedures and works in
the security level of web applications [1]. Security projects and
standards were published to help developers and white hat
hackers to increase the security level such as OWASP [2].
Traditional firewalls interact with packets in network and
transport layers [3], while web application firewalls interact
with web requests in the application layer [4]. -ese firewalls
were operated using the signature [5], as they recognize the
attack through a distinct fingerprint of it, and this requires
large databases and storing the fingerprint of each attack
after it is executed. Reliance on databases (signature-based
protection) and hardcoded logic and rules (using traditional
programming) make it more difficult to take advantage of
expert knowledge by transferring it to the computer.

2 Security and Communication Networks
In recent decades, artificial intelligence has become a
scientific revolution [6] and has achieved peerless superi-
ority in mastering the work that humans do, and we think
that a computer cannot learn and make decisions like
humans, but rather it has become a competitor to human
capabilities. In the coming decades, it is expected that ar-
tificial intelligence would eliminate many human jobs[7].
Researchers and information security professionals have
specifically moved to harness the capabilities of artificial
intelligence to detect and combat attacks [8]. -e time has
come for the machine to work side by side with the human to
do what is difficult for him despite having hundreds of
millions of real neurons.
Most recent works relied on one dataset only and work
with URL and payload only. In this article, we used features
engineering to present four generalizable features that
summarize the whole HTTP request information (URL,
payload, and headers) and we used four classification al-
gorithms in machine learning in the classification phase to
evaluate our proposed model.
-e rest of this article is organized as follows: Section 2
presents materials and methods (related works and proposed
model), Section 3 discusses results and discussion, Section 4
gives the conclusion, and Section 5 contains future work.
2. Materials and Methods
2.1. Related Works. Vulnerabilities of web applications have
not changed as concepts; it changes in how to exploit them.
-e most popular vulnerabilities of web applications are as
follows:
(i) Injections: manipulating the input to force a web
application to execute arbitrary commands in the
operating system and queries in databases [9], SQL
injection is the most famous of injection attacks [10],
and it allows the attacker to interact with the da-
tabase by reading, writing, and modifying records.
(ii) Broken authentication: exploiting logical and
weakness points in the authentication mechanism
to takeover and control accounts [11].
(iii) Sensitive data exposure: manipulating a web ap-
plication to make it throw exceptions and expose
sensitive data such as credentials of the database
[12].
(iv) XML external entity (XXE): manipulating inputs
using functions that parse XML to execute arbi-
trary commands [13].
(v) Broken access control: accessing unauthorized
resources in a web application due to the weakness
of access control rules such as accessing the ad-
ministrator panel if there is no restriction on access
to it [14].
(vi) Security misconfigurations: using brute force to
find and exploit security misconfigurations such as
unpatched flaws, default configurations, unused
pages, unprotected files and directories, and un-
necessary services [15].
2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
(vii) Cross-site scripting (XSS): injecting JavaScript
code in a web application to modify the display of a
web application and force the victim to execute it
in his browser; there are many types of it, such as
Reflected XSS and DOM XSS [16].
(viii) Insecure deserialization: manipulating the inputs
of a web application by deserializing it, modifying
it, and serializing it again to compromise the web
application [17].
(ix) Using components with known vulnerabilities: stop
updating the used component in a web application
allows attackers to exploit its known vulnerabilities;
this type of vulnerability is found in abundance,
especially in CMS web applications [18].
(x) Insufficient logging and monitoring refer to the
lack of logging and monitoring mechanisms and
techniques, which allow attackers to find and ex-
ploit without being detected [19].
Studies and research about protecting web applications
from malicious requests were following two methodologies
to detect an attack: identify and detect a particular attack
(such as detection of the SQL injection attack only or cross-
site scripting attack detection) or classify requests if it is an
anomaly or normal in general, regardless of the type of attack.
It also followed two approaches to transfer this experi-
ence to computers: designing and implementing behavioral-
based detection by using artificial intelligence techniques
such as classification algorithms or using a custom algorithm,
and signature-based detection by using databases that con-
tain patterns of attacks.
Most of the studies relied on old datasets such as CSIC
2010 [20], ECML-PKDD 2007 [21]. -e proposed models
were not evaluated using modern datasets, and the datasets
created by some researchers are not available online.
Zhang et al. proposed a framework to detect web attacks
by extracting seven features, web resource, attribute se-
quence, attribute value, HTTP version, header, and header
input value. -is framework includes three components: the
probability distribution model, the hidden Markov model,
and the one-class SVM model. Each of these components
can be considered as a machine learning model. Each model
trained on a dataset contains normal requests only and is
evaluated by using two datasets: Wikipedia access traces [22]
and FuzzDB [23]. Using a multimodel-based method takes
advantage of all models in it, by this method, the authors
mitigated false positive issue significantly [24]. -e main
advantage of this model is that it takes advantage of multiple
components by combining them in a hybrid one. On the
other side, running multiple components may affect per-
formance. WAF is a real-time service that handles many
requests and performance is an important parameter to take
into consideration.
Tekerek and Bay provided a hybrid model for the de-
tection of malicious and normal requests using signature-
based detection to overcome speed issue for traditional
attacks and behavioral-based detection to solve zero-day
attacks issue using neural networks with three features

Security and Communication Networks
described by mathematical equations as input to this neural
network [25]. -e advantages of this model are that it used
hybrid detection methods (signature-based and behavioral-
based) in detection that increase the performance and speed
of implementation. In addition to the simplicity and speed of
implementation of the neural network, this research has
undergone successive development work in recent years and
the model is mature. On the other side, the features extracted
cannot be generalized for all web applications (values of the
features calculated depends on average and derivation of
other requests, it requires a massive log of an application to
make the model able to classify the requests arrived at this
application). In addition, the usage of statistical functions gives
anomaly cases that cannot be handled (using the average in the
denominator of 2 generates a very big number of requests that
its length is near to the average of request lengths).
Sharma et al. used features engineering to extract seven
features from the incoming request and used three classi-
fication algorithms to test their effectiveness. -ey applied
preprocessing procedures on CSIC 2010 dataset to identify
subcategories for malicious requests to overcome missing
features issue [26]. -is method yielded many useful fea-
tures, but some of these features cannot be extracted from
the dataset that used in this article due to the unavailability
of its fields in the dataset, such as the length of cookies (you
can review the structure of the CSIC 2010 dataset). In ad-
dition, researchers did not use another dataset and relied
only on CSIC 2010.
Vartouni et al. applied n-gram character-based model to
construct features. -e size of features increased depends on
the value of n; to overcome this issue and avoid using di-
mensionality decrease techniques, they applied an autoen-
coder to extract features as a data abstract. Deep learning
algorithms were used to work more effectively with extracted
features. -is proposed model gave a generalizable model,
but the classification accuracy was low in comparison with
other models. In addition to use a single dataset, refer CSIC
2010 [27].
Hoang used supervised machine learning (inexpensive
decision tree algorithm as a suitable real-time classifier to
mitigate performance issue in terms of speed) to detect four
major web attacks (SQLi, XSS, command injection, and path
traversal) and N-gram used with fixed n value (n � 3) and
PCA (principal component analysis) method to obtain a
reduced number of features. He used the HTTPParams
dataset [28] and CSIC 2010 to evaluate the proposed model
and achieved high accuracy of 98.56% [29]. Hoang X.D
proposed model takes web server logs as input and turns
every single row into a vector, results of the model only focus
on the HTTPParams dataset, and experiments done used
only one algorithm.
Niu and Li extracted eight statistical features and used
convolutional neural network (CNN) combined with gated
recurrent unit (GRU) with CSIC 2010 dataset. Using these
techniques together with eight features improved detection
performance but at the expense of speed performance. -ey
evaluated the detection performance of this model by
comparing it with other deep learning methods and they
achieved 99.00% accuracy [30]. Niu and Li also used only
2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
3
one dataset (CSIC 2010). In addition, using deep learning
techniques for real-time services like WAF will affect speed
performance if they deploy it in a real environment.
All of these previous studies deal with the request if it is
normal or anomaly; it used the second methodology of
detection.
Other studies detect specific attacks, such as detecting an
attack of database rights; it used the first methodology, as the
following study of Dr. Ahmad Ghafarian, in which he
provided an approach that puts a line in each table and used
an algorithm that it executes to verify queries before exe-
cuting it on the web application. Malicious requests fetch the
added line and the normal requests do not fetch it. -is way,
an SQL injection attack is detected in real time before it is
executed on the web application, but the proposed model
reveals only one of the seven types mentioned by the re-
searcher in his article. In addition, this study did not discuss
the overload on resources, databases, and the delay in ex-
ecution time due to testing each query before executing [31].
-ere are many studies similar to the study of Dr.
Ahmad Ghafarian that detect SQL injection in runtime like
AMNESIA (proposed by Halfond and Orso) [32] and
CANDID (proposed by Bisht, Madhusudan, and Ven-
katakrishnan) [33].
2.2. Proposed Model
2.2.1. Architecture. Our proposed model of WAF works as
an operating system service, which acts as an intermediary
between the web server and the clients. -is service receives
the request, parses it, extracts features, classifies it, and
makes decisions based on the classification result.
WAF can be configured through a dedicated web ap-
plication (web control panel, see Figure 1). -e proposed
WAF consists of the following five basic units (see Figure 2):
(1) Power on/off unit
(2) Training unit
(3) Parsing unit
(4) Classification unit
(5) Decision-making unit
-e process starts in the first unit, the power on/off unit,
when the WAF is running, the OS service contacts the
database and fetches the configurations to run WAF, initiate
the listener, and wait for incoming requests for the WAF that
mediates between the client and the web server.
After running the WAF, the training process starts
using the selected dataset and the selected classification
algorithm.
After the completion of the training process and the
completion of the work of the first and second units, WAF is
ready to receive requests.
When the request arrives, WAF, the first unit to handle it
is the parsing unit, which breaks down the request, extracts
the features, and passes it as a vector to the classification unit
that classifies according to the classification method that the
administrator chooses it in the training unit.
 2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
4 Security and Communication Networks

Web Server

WAF Web Service

Client

Control Panel
Figure 1: Architecture of the web server environment with proposal WAF.

Request

Classification Decision
Power Unit Training Unit Parsing Unit
Unit Making Unit

No Is Normal Yes
request?

Drop request and

Pass to web server
redirect to custom page

Figure 2: Units of proposal WAF (brief diagram).

After classifying the request, the classification unit sends
the result to the decision-making unit, which takes the
appropriate action to pass or drop the request (see Figure 3
or Algorithm 1).
(1) Power on/Off Unit. -is unit is responsible for controlling
WAF by turning it on and off. When the WAF started, all
configurations will be fetched from the database such as the
IP address and port of the firewall, IP address, and port of the
web server to run the service (the listener).
(2) Training Unit. After running WAF, the dataset name
and classification algorithm will be fetched from
databases to train the model, now WAF is ready to re-
ceive requests.
We used popular classification algorithms, any algo-
rithm can be added by inserting its name in the database
(algorithms table) and call it programmatically in the WAF
implementation code.
In addition, any dataset can be added by inserting its
name in the database (datasets table) and adding the CSV file
of the desired dataset in the dataset folder inside the WAF
implementation code folder.
Used algorithms are Naive Bayes, Logistic Regression,
Decision Tree, and Support Vector Machine (popular al-
gorithms in binary classification problems) [34].
 2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 5

Start

Power Unit

Get Configuration from Database

Power On WAF

Start WAF Listener

Classification Unit
Training Model using Dataset and
Algorithm (got from Configuration)

No Yes

New Request
Wait for New Requests
Arrived?

Parsing Unit
Parse Request to retrieve Basic Features

Extract Final Features from parsed request

Classification Unit

Classify request

Decision Making Unit

No Yes
Is Request
Normal?
Drop request

Redirect to custom page with Pass request to Web Server

message “Attack !!”

Store all data in database

End

Figure 3: Units of proposal WAF (detailed diagram).

We preferred to use these algorithms instead of neural
networks, which can be used in future works (see Future
works for Researchers section).
Used datasets include CSIC 2010, HTTPParams 2015,
Hybrid dataset (Generated by combining CSIC 2010 and
HTTPParams 2015), and Custom dataset (logs of real web
servers).
(3) Parsing Unit. After turning on WAF and the training
model, now WAF is ready to receive requests. When an
HTTP request arrives at WAF, the parsing unit breaks down
the request to extract features (features will be discussed in
the next section).
-e parsing unit creates a final vector consisting of
features and passed this vector to the classification unit.
 2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
6 Security and Communication Networks

Input of data: d (dataset), a (algorithm), p1 (web server port), i1 (web server IP), p2 (WAF port), i2 (WAF IP).
(1) Start
(2) Connect to database to initialize Inputs (d, a, p1, i1, p2, i2)
(3) Start WAF listener using Inputs (p1, i1, p2, i2)
(4) Training WAF using Inputs (d, a)
(5) While WAF listener is “ON”:
(6) If new request arrived R:
(7) Parse R
(8) Compute basic features vector B from parsed R
(9) Compute V Final features vector from B
(10) Compute C (class) of parsed request R by classify based on V
(11) If C � “anomal”
(12) Drop request
(13) Redirect to custom page with message “Attack”
(14) Else//C � ‘normal’
(15) pass request to web server
(16) Store V and C in database
(17) Endif
(18) Endif
(19) EndWhile
(20) End

ALGORITHM 1: Units of proposal WAF (detailed algorithm).

Parsing unit implemented using MITM Proxy in Python
[35].
(4) Classification Unit. -is unit receives the final vector
from the parsing unit and classifies the request depending on
it. -e classification unit sends the classification results to
decision-making unit.
(5) Decision-Making Unit. -is unit receives the classifica-
tion results from the classification unit and forwards the
request to the web server if the request is normal, and drops
the request if it is an anomaly.
2.2.2. Features Engineering. When an HTTP request arrives
at the parsing unit, it is dismantled to extract the basic
features, and these basic features will be used to calculate the
final features that will be sent to the classification unit (see
Algorithm 2).
(1) Basic Features. All basic information extracted directly
from the request is called a basic feature; it is the content of
HTTP Message [36], in our proposed model, and we have
five basic features (see Table 1):
(1) HTTP Method: HTTP protocol, method, or verb that
is used by the client to request the resource from the
web server, it may be POST, GET, HEAD, OPTION,
PUT, PATCH, or DELETE
(2) Absolute URL (URL): it includes the IP address or
domain of a web application with the resource, for
example, https://www.mysite.com/login
(3) Payload: all data submitted by the client (text input,
dropdown menu, text area, etc.)
(4) Headers: request headers (original headers or
custom headers added by the client or web
application)
(5) Files: it is usually included in the payload but we
separated it as an independent feature
(2) Final Features. Final features used by WAF to classify the
request if it is normal or anomaly; these features are cal-
culated and extracted based on the basic features, and we
have four final features (see Table 2):
(1) Input length: it describes the number of characters in
payload, and it is calculated as follows:
n
l � 􏽘 ci , (1)
i�0
where l is the input length, c is the character in
payload, and n is the payload length.
Usually, this feature value is bigger in anomaly re-
quests compared to normal requests (see Figure 4).
(2) Alphanumeric character ratio: it describes the ratio
of alphanumeric characters over the input length.
Normal requests usually contain more numeric and
alphabetic characters compared to special characters
such as symbols, so this feature will have a big value
in normal requests compared to anomaly requests
(see Figure 5).
-is feature is calculated as follows:
n
ci |ci ∈ e􏼁
a�􏽘 × 100, (2)
l
i�0
 2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 7

Input of data: R raw HTTP request

Output: V Final features vector
(1) Start
(2) parse R
(3) compute B basic features vector from parsed R
(4) compute V Final features vector from B
(5) End

ALGORITHM 2: Features extraction from raw HTTP request by parsing unit.

Table 1: Basic features of the proposed model.

Feature Description 80
HTTP
HTTP protocol method
method

Frequencies in Dataset
IP address or domain of web application with 60
URL
resource
Payload All data submitted from the client
Headers Request headers 40
Files Uploaded files in payloads

Table 2: Extracted features of the proposed model. 20

Feature Description
Input length Number of characters in payload 0
Alphanumeric -e ratio of alphanumeric characters 0 20 40 60 80 100 120 140
character ratio over input length Number of requests in Dataset
-e ratio of nonalphanumeric characters
Special characters ratio Figure 5: Histogram implementation of alphanumeric character
over input length
ratio feature in the CSIC 2010 dataset; green values represent
Sum of five subfeatures (see Table 3):
normal request and red values represent anomaly requests.
(i) URL weight
(ii) Number of attack words in inputs
Attack weight (iii) Manipulate payload weight
(iv) Alphanumeric character to special (3) Special character ratio: it describes the ratio of special
character ratio characters (nonalphanumeric) over the input length.
(v) Files weight
Anomaly requests usually contain fewer numeric
and alphabetic characters compared to special
70 characters such as symbols, so this feature will have a
big value in anomaly requests compared to normal
60
requests (see Figure 6).
Frequencies in Dataset

50 -is feature is calculated as follows:

n
40 ci |ci ∈ f􏼁
s�􏽘 × 100, (3)
i�0 l
30
where s is the special character ratio, c is the character
20 in payload, n is the payload length, f is the cluster of
not allowed characters (any character that is not
10
alphabet and numbers), and l is the input length.
0 Alternatively, it can be calculated as follows:
0 200 400 600 800 1000
Number of requests s � 1 − a, (4)
Figure 4: Histogram implementation of input length feature in the where s is the special character ratio and a is the
CSIC 2010 dataset; green values represent normal request and red alphanumeric character ratio.
values represent anomaly requests.
(4) Attack weight: it is the most important feature in the
where a is the alphanumeric character ratio, c is the classification process. It is calculated by summing
character in payload, n is the payload length, e is the four subfeatures.
cluster of allowed characters (alphabet and num- Anomaly requests usually have a big attack weight
bers), and l is the input length. compared to normal requests (see Figures 7 and 8).
 2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
8 Security and Communication Networks

(1) URL weight

-e value of this subfeature is initialized to
80
zero. Value of this subfeature for each dis-
covered special character, attack word, or
Frequencies in Dataset

access of unauthorized resource.

60
Each discovered malicious have its weight.
-is subfeature is calculated as follows:
40 n
u � 􏽘 wi |di ∈ URL􏼁, (5)
i�0
20
where u is the URL Weight, d is the discovered
malicious, w is the weight of discovered malicious, n
0
–40 –20 0 20 40 60 80 100 is the number of discovered malicious in WAF
Number of requests in Dataset database, and URL is request absolute URL.
Example: http://www.example.com/.env.
Figure 6: Histogram implementation of special character ratio
feature in the CSIC 2010 dataset; green values represent normal u � 200 (200 is the weight of discovered access
request and red values represent anomaly requests. of unauthorized resource—only one discov-
ered malicious in URL).
(2) Number of attack words in inputs
-e value of this subfeature is initialized to
zero. Value of this subfeature for each dis-
80
covered attack word in payload and headers.
Each discovered word attack has its own
Frequencies in Dataset

60
weight.
-is subfeature is calculated as follows:
n
40 v � 􏽘 wi |di ∈ Input􏼁, (6)
i�0

20
where v is the number of attack words in inputs, d is
the discovered attack word, w is the weight of attack
word, n is the number of attack words in WAF
0 database, and Input is request headers and payloads.
–20 0 20 40 60 80 100 Example: Email � [email protected] & passwd�’
Number of requests in Dataset or 1�1 --&mode�’ or 1�1 --
Figure 7: Histogram implementation of attack weight feature in v � 150 + 150 (150 is the weight of discovered
the CSIC 2010 dataset for normal request and red values represent SQLI, it exists twice).
anomaly requests. (3) Manipulate payloads weight
-e value of this subfeature is initialized to
zero. -e value of this subfeature increases for
each discovered manipulate in payload and
headers.
80 Manipulation is passing wrong data to the
application to throw an exception and to
Frequencies in Dataset

expose sensitive data, for example, passing a

60 string as a mobile number.
Each discovered manipulation has its own
weight.
40
-is subfeature is calculated as follows:
n
20 m � 􏽘 wi |di ∈ Input􏼁, (7)
i�0

0 where m is the manipulate payload weight, d is the

0 50000 100000 150000 200000 250000 300000 discovered manipulation, w is the weight of dis-
Number of requests in Dataset covered manipulation, n is the number of manip-
Figure 8: Histogram implementation of attack weight feature in ulations in WAF database, and Input is request
CSIC 2010 dataset for anomaly request. headers and payloads.

Security and Communication Networks
Example: Email � aref@
mail.com&mobile � Hello
m � 100 (100 is the weight of discovered
manipulation in payload, passing a string as a
mobile number—only one discovered ma-
nipulation in URL).
(4) Alphanumeric characters to special character
ratio
-e value of this subfeature is the result of
dividing alphanumeric character ratio over
special characters ratio.
If alphanumeric character ratio or special
character ratio equals zero then set subfeature
value to zero.
-is subfeature is calculated as follows:
s number of attack words in inputs, m is the manipulation
⎪
⎧
⎪ 500, 􏼒 􏼓 ≥ 0.3,
⎪
⎪
⎪
⎨ a
r �⎪ (8)
⎪
⎪
⎪
⎪ s
⎩ 0, 􏼒 􏼓 < 0,
a -is table is a sample of the dataset generated by our
where r is the alphanumeric character to special
character ratio, s is the special character ratio, and a
is the alphanumeric character ratio.
Example: Email �
[email protected]
&passwd � ’
or 1 � 1 -- &mode � ’ or 1 � 1 --
a � 40/55 (all numbers and alphabet number
over input length).
s � 15/55 (count of nonalphanumeric char-
acters such as’ � - @. and)
s/a � 0.375
r � 500.
(5) Files weight
-e value of this subfeature is initialized to
zero. Value of this subfeature increases for
each suspicious discovered in files.
Suspicious cases:
(i) Invalid file extension (.exe,.bin,.php, etc.)
(ii) Positive results of antivirus scanning (we used
three antiviruses: Kaspersky, MalwareBytes,
and BitDefender)
Each discovered malicious have its weight.
-is subfeature is calculated as follows:
f � w1 + w2 + w3 + w4, (9)
where f is the files weight, w1 � (300 if file
extension is invalid or 0 if file extension is
valid), w2 � (200 if Kaspersky detect this file as
virus or 0 if not), w3 � (200 if MalwareBytes
detect this file as virus or 0 if not), and w4 �
(200 if BitDefender detect this file as virus or 0
if not).
Example: uploaded file: shell.php
w1 � 300 (invalid extension).
w2 � 200 (Kaspersky detected it as virus).
w3 � 200 (MalwareBytes detected it as virus).
w4 � 200 (BitDefender detected it as virus).
2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
9
f � 300 + 200 + 200 + 200 � 900.
You have to calculate it for each uploaded file
and sum the results to get the final files weight
for all files in request as follows:
n
F � 􏽘 fi , (10)
i�0
where F is the files weight, n is the number of files in
request, and f is the file weight.
Finally, the value of the attack weight feature is calcu-
lated by summing all subfeatures as follows:
z � u + v + m + r + F, (11)
where z is the attack weight, u is the URL Weight, v is the
payload weight, r is the alphanumeric character to special
character ratio, and F is the files weight.
Now, all requests are converted from the raw form to the
final form (four features with the label).
model, label is 1 for anomaly requests and 0 for normal
requests (see Table 4):
3. Results and Discussion
A set of generalizable features extracted from HTTP requests
to detect common attacks on web applications.
We used four datasets: CSIC 2010, HTTPParams 2015,
Hybrid dataset (CSIC + HTTPParams), and custom web
server logs (compromised real server). -e last dataset was
not published in the GitHub repository due to its privacy.
We used four basic extracted from HTTP requests to
calculate the final features, basic features are HTTP Protocol
(HTTP Method), Absolute URL (URL), payload, headers,
and files. Extracted features are the length of request, per-
centage of characters allowed, percentage of special char-
acters, and attack weight.
We used various classification algorithms that work
more efficiently on binary classification problems, such as
Linear Regression, Decision Tree, and Naive Bayes but we
focus on Naive Bayes.
3.1. Experiments
3.1.1. Experimental Environment. WAF implemented in
web server under Linux Xubuntu 20.04 LTS. -is server
contains apache2 service (web service), web control panel
(web application developed using Django-Python), and
WAF service (daemon service).
3.1.2. Preprocessing Datasets. Four datasets were used in this
study: CSIC 2010, HTTPParams, Hybrid dataset (CSIC 2010
and HTTPParams), and custom dataset of compromised web
server logs. Data preparation procedure has been done on
these datasets (remove missing values, duplications, and
outliers) and exported as CSV to be able to interact with
machine learning algorithms in Python (Scikit-learn package).
 2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
10 Security and Communication Networks

Table 3: Subfeatures of attack weight feature.

Subfeature Description
URL weight Sum of weights of discovered manipulation in URL
Number of attack words in inputs Sum of weights of discovered attack words in inputs
Manipulate payload weight Sum of weights of discovered manipulation in payloads
Alphanumeric character to special
-e ratio of the number of alphanumeric characters to the number of nonalphanumeric characters
character ratio
Sum of weights of the malicious files (malicious file weight is the weight of extension + sum of
Files weight
weights of scan using three antiviruses)

Table 4: Sample of the dataset used to train the model, we have four features for every single request and its label.
payload_len Alpha non_alpha attack_feature Label
0 0 0 0 0
41 95.45454545 4.545454545 200 1
241 100 0 0 0
9 100 0 0 0
24 94.73684211 5.263157895 2600 1
54 77.77777778 22.22222222 90000 1
75 100 0 0 0
103 87.37864078 12.62135922 60000 1
91 84.61538462 15.38461538 90000 1

CSIC 2010 contains 18 columns, custom compromised
web server logs contain 10 columns, and HTTPParams 2015
contains 4 columns.
All previous datasets after preprocessing and di-
mension reduction procedures become with only 5 nu-
meric columns, all columns that contain information
about request were removed and replaced by final fea-
tures columns that describe request briefly and
effectively. -ereafter, the Hybrid dataset became very
simple.
3.1.3. Training. We used four algorithms to classify (Naive
Bayes, Logistic Regression, Decision Tree, and SVM). Four
datasets were fed to the classifier using two methods: train
test split (80%, 20%) and cross-validation (100 Folds), and
results were very close.
Mixing and shuffling rows of CSIC 2010 and
HTTPParams 2015 as a new dataset (Hybrid dataset) gave a
very close result compared to the results of the classifier with
each of the datasets separately (see Table 5).
Previous experiments negate the probability of over-
fitting and prove that the final features of our proposed
model are effective.
3.2. Results
Usage of four different datasets negates the probability of
overfitting presence, to confirm that, k-fold cross-validation
used in training also [37].
Most of the related works used CSIC 2010 dataset with or
without the custom dataset, and we used it in the proposed
model for the possibility of comparing the proposed model
with previous models (see Figure 9 or Table 5).
Implementation of the proposed model includes a
function to export WAF records as a new dataset with the
ability to correct records. Administrators can train the
proposed model using this exported dataset to strengthen
WAF in protecting its web applications.
Most false positive cases are normal requests classified as
anomaly requests (not the opposite).
3.2.2. Results Compared to Related Works. Our proposed
model achieved high accuracy of 98.8% compared with
related works. -e following table shows the results for CSIC
2010, HTTPParams, and custom datasets created by the
researchers (see Figure 10 or Table 6).
3.3. Comparison
3.3.1. Limitations of Previous Works. Researchers have
provided many models for detecting web attacks, and despite
their various features, there are some common weaknesses
among these researches, which can be summarized as follows:

3.2.1. Results Based on Datasets. Our proposed model used
Naive Bayes with cross-validation (100 Folds) and
achieved an accuracy of 98.8% with the dataset created
from logs of a compromised real web server, 97.61% with
HTTPParams dataset, 99.58% with CSIC dataset, and
96.40% for Hybrid dataset (combination of CSIC 2010
and HTTPParams 2015).
(1) Extracted features are not able to be general features
and most of these features fit only web applications,
which it extracts from it.
(2) Using old datasets such as CSIC and evaluating the
model depends on the results of training it. In ad-
dition, all modern datasets used are not available on
the Internet.
 2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks 11

Table 5: Classification accuracy of our proposed model for various datasets using Naive Bayes.
Compromised web
CSIC 2010 HTTPParams 2015 Hybrid dataset
server dataset
Number of normal requests 28,800 19,305 48,105 60250
Number of anomaly 11,213 11,764 22,977 5210
Classification accuracy (80% training, 20% testing) 99.59% 97.91% 96.40% 98.80%
Classification accuracy (100-fold cross-validation) 99.71% 98.02% 96.66% 98.97%
False positive rate 0.54% 1.20% 3.35% 0.84%

100 99.59

99 98.8

97.91
98
Accuracy

97
96.4
96

95

94
Datasets

CSIC 2010 Hybrid (CSIC + HTTPParams)

HTTPParams 2015 Custom IIS Logs
Figure 9: Classification accuracy of our proposed model for various datasets.

100 98.8
98 97.4
96.74
96

94
Accuracy

92

90
88.32
88

86

84

82
Web Application Firewalls

Tekerek A. and Bay O.F. (2019) Sharma S., Zavarsky P. and Butakov S. (2020)
Ghafarian A. (2017) proposed model

Figure 10: Classification accuracy of our proposed model compared with related works.

Table 6: Classification accuracy of our proposed model compared with related works.
Our proposed model Tekerek and Bay [25] Sharma et al. [26] Ghafarian [31]
CSIC 2010 99.59% 96.74% 94.7% 88.32%
ECML-PKDD 2007 Not tested 94.53% Not tested Not tested
HTTPParams 2015 97.61% Not tested Not tested Not tested
Custom dataset 98.8% 98.52% Not tested Not tested

12
(3) Some papers of related works contain some errors
and inaccurate information, such as the study by
Sharma S., Zavarsky P., and Butakov S. (2020) [26].
-ey used features that cannot be extracted from
CSIC 2010 (e.g., _cookie_len feature).
(4) Most of the related works process payload only
without taking headers and files into consideration.
(5) Hybrid models are too rare (in related works only
TekerekA.and O.F.Bay(2019) paperisa hybridmodel).
(6) Most of the related works detect common web at-
tacks such as XSS and SQLI, no suggested model can
detect attacks that use normal requests to be per-
formed, such as DOS attacks.
3.3.2. Advantages of the Proposed Model. Disadvantages of
related works and weakness points were taken into con-
sideration while designing and preparing our proposal
model. Features extracted in this model are general and can
work with any web application. In addition, we used various
datasets (standard datasets such as CSIC 2010 to compare our
model with related works, modern datasets such as
HTTPParams 2015, and Hybrid dataset, in addition, we also
used a custom dataset of a real compromised web server).
Final features describe all parts of the HTTP request in-
cluding headers and files. Finally, a high-accuracy rate was
achieved (98.8% for custom dataset and 99.6% for standard
dataset).
4. Conclusion
In this article, we proposed a web application firewall model
that used machine learning techniques and features engi-
neering to detect common web attacks. We took into
consideration major limitations in previous works (unuse of
request headers, using one dataset only, absence of general
features). Features engineering and previous experience in
the software security domain were used to extract general
and comprehensive features that describe and summarize
requests and make the classification problem much easier.
We extract the final four features from HTTP requests using
basic features. Basic features: All basic information extracted
directly from the request, we have five basic features: HTTP
protocol (HTTP method), absolute URL (URL), payload,
headers, and files. Final features: all features that are cal-
culated and extracted based on basic features, we have four
extracted features: input length, alphanumeric character
ratio, special character ratio, and attack weight. Values of
extracted features for the normal request are usually short
request length, big allowed character ratio, small special
character ratio, and zero risk weight or close to zero. Values
of extracted features for anomaly requests are usually large
request length, small allowed character percentage, large
special character percentage, and very large numeric risk
weight. To increase the security level, we suggest training our
proposed model on web server records of web applications
that will be protected by WAF. Any classification algorithm
can be used, but we used algorithms that work more effi-
ciently on binary classification problems, such as Logistic
2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Security and Communication Networks
Regression, Decision Tree, and Naive Bayes, we focus on
Naive Bayes. Our proposed model achieved a high classifi-
cation accuracy of 99.6% with standard datasets used in
research studies in this field (CSIC 2010), and 98.8% with
datasets of real compromised web server dataset.
5. Future Works
Future works domains are wide, it can be summarized as
follows (see next three subsections for more information):
Researchers in the information security domain can
develop proposed WAF by feeding it with more datasets
(generated dataset from our proposed WAF or by creating a
custom dataset from web servers logs) or by add or modify
current features, also they can develop separate components
and migrate them with our proposed WAF (signature-based
model to check request before pass it to the classifier, DOS
attack detector, and use natural language process to make a
model to identify attack words instead of using a table in the
database to store these attack words).
For software engineers, developers and information
security engineers use our proposed model to evaluate their
applications and improve their skills by learning how to
write a secure source code.
Sponsors and businesspersons can invest money to
develop the proposed model and become a commercial
product.
5.1. Future Works for Researchers in the Information Security
Domain
(1) Export web server logs as dataset after deploying
WAF for a specified period in the real environment,
and use neural networks instead of algorithms used
in this article.
(2) Use natural language processing to generate rules to
detect common attack words and malicious payloads
instead of using hardcoded arrays. Common attack
words and malicious payloads are implemented as
arrays within the proposed model.
(3) Use reinforcement learning to obtain feedback and
use it during decision-making (this proposal can be
implemented after the proposed model becomes
mature and ready, so reinforcement learning is not a
good option in real-time applications).
(4) Use various and new datasets (dimensionality re-
duction required depends on features numbers
[38, 39]).
(5) Extend the proposed model to detect attacks that use
normal requests such as DOS attacks and brute force
attacks. -e proposed model cannot detect these
types of attacks because it can detect attacks by
detecting anomaly requests.
(6) Use features engineering to modify or add features to
the model. Features are the most important com-
ponent in the model depending on the researcher’s
experience in the field of information security.

Security and Communication Networks
(7) Extend the proposed model by adding components
that work with signature-based detection. -e pro-
posed model works by using one technique, which is
detection depending on the content through features
extracted from the incoming request. -e proposed
system can be combined with different detection
techniques and provide a hybrid model (see Tekerek
A. and Bay O.F (2019) [25] study in related works).
(8) Use ensemble classifiers instead of the proposed
classifier (Naive Bayes) to increase the efficiency of
request classification [40] (it depends on balancing
between security level sensitivity and perform-
ance—usually using ensemble classifiers increase the
efficiency of classification at the expense of speed
performance especially that WAF is a real-time
service).
5.2. Future Works for Software Engineers, Developers, and
Information Security Engineers
(1) Training model by supplying logs of their web ap-
plications as a dataset. -is will increase the security
level of WAF to protect their web application and
WAF will get a great experience.
(2) Implementing the proposed model to support
Windows operating systems (current implementa-
tion supports Linux distributions only).
(3) Installing vulnerable web applications such as
DVWA in the web server and try to bypass WAF;
this will increase the experience of information se-
curity engineers to learn new methods of bypassing
WAF and help researchers to modify features to
prevent these bypasses.
5.3. Future Works for Sponsors and Businesspersons.
Investing money to develop the proposed model to be a
product in the security and IT market.
Data Availability
CSIC 2010, HTTPParams 2015, and a hybrid dataset with
Python code to train these datasets are available in the
following repository: https://github.com/aref2008/waf. We
recommend reading README.md to read all instructions
about usage. We did not publish a custom dataset (real
compromised web server logs) due to privacy.
Conflicts of Interest
-e authors declare no conflicts of interest.
Acknowledgments
-e authors thank everyone who provided any kind of
support to complete this work, especially to the Hindawi
Foundation, Mrs. Nadia Ali, the reviewers, and the editors
Prof. Megias David, Prof. Roberto Di Pietro, and Prof.
Jhaveri Rutvij for their great efforts.
2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
13
References
[1] M. Choraś and R. Kozik, “Machine learning techniques ap-
plied to detect cyber attacks on web applications,” Logic
Journal of IGPL, vol. 23, no. 1, pp. 45–56, 2015.
[2] D. Wichers and J. Williams, “Owasp Top Ten,” 9e open web
application security project, vol. 3, 2017.
[3] Z. J. Huang, O. Ai, and X. U. Hong-xian, “Network Security
and Firewall Technology,” Journal of Naval University of
Engineering, vol. 1, 2002.
[4] A. H. Yaacob, M. Nazrul, N. Ahmad, and M. Roslee, “Moving
towards positive security model for web application firewall,”
International Journal of Computer and Information Engi-
neering, vol. 6, no. 12, pp. 1763–1768, 2012.
[5] P. P. Mukkamala and S. Rajendran, “A survey on the different
firewall technologies,” International Journal of Engineering
Applied Sciences and Technology, vol. 5, no. 1, pp. 363–365,
2020.
[6] W. Wang and K. Siau, “Artificial intelligence, machine
learning, automation, robotics, future of work and future of
humanity,” Journal of Database Management, vol. 30,
pp. 61–79, 2019.
[7] M.-H. Huang and R. T. Rust, “Artificial intelligence in ser-
vice,” Journal of Service Research, vol. 21, no. 2, pp. 155–172,
2018.
[8] J. H. Li, “Cyber security meets artificial intelligence: a survey,”
Frontiers of Information Technology & Electronic Engineering,
vol. 19, no. 12, pp. 1462–1474, 2018.
[9] A. K. Dalai and S. Kumar Jena, “Neutralizing SQL Injection
Attack Using Server Side Code Modification in Web appli-
cations,” Security and Communication Networks, vol. 2017,
Article ID 3825373, 2017.
[10] D. Mitropoulos, V. Karakoidas, P. Louridas, and D. Spinellis,
“Countering Code Injection Attacks: A Unified Approach,”
Information Management & Computer Security, vol. 19, no. 3,
2011.
[11] M. M. Hassan, S. S. Nipa, M. Akter et al., “Broken authen-
tication and session management vulnerability: a case study of
web application,” International Journal of Simulation: Sys-
tems, Science & Technology, vol. 19, no. 2, pp. 1–6, 2018.
[12] J. Doshi and T. Bhushan, “Sensitive data exposure prevention
using dynamic database security policy,” International Jour-
nal of Computer Application, vol. 106, no. 15, pp. 18600–
19869, 2014.
[13] A. A. Osincev and O. R. Laponina, “Vulnerability testing in
web applications external entities XML,” International Jour-
nal of Open Information Technologies, vol. 7, no. 10, pp. 71–79,
2019.
[14] D. H. Lee, J. W. Lee, and J. G. Kim, “Verification methods of
OWASP TOP 10 security vulnerability under multi-tenancy
web site’s environments,” Convergence security journal,
vol. 16, no. 4, pp. 43–51, 2016.
[15] P. Jayabalan, R. Ibrahim, and A. A. Manaf, “Understanding
cybercrime in Malaysia: an overview,” Sains Humanika, vol. 2,
no. 2, 2014.
[16] B. K. Ayeni, J. B. Sahalu, and K. R. Adeyanju, “Detecting
cross-site scripting in web applications using fuzzy inference
system,” Journal of Computer Networks and Communications,
vol. 2018, pp. 1–10, 2018.
[17] V. Pedreira, D. Barros, and P. Pinto, “A review of attacks,
vulnerabilities, and defenses in industry 4.0 with new chal-
lenges on data sovereignty ahead,” Sensors, vol. 21, p. 5189,
2021.
 2037, 2022, 1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1155/2022/5280158 by INASP/HINARI - CAMEROON, Wiley Online Library on [04/04/2025]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
14 Security and Communication Networks

[18] N. Mendes, J. Duraes, and H. Madeira, “Benchmarking the [36] S. Suroto, “A review of defense against slow HTTP attack,”
security of web serving systems based on known vulnera- JOIV International Journal on Informatics Visualization,
bilities,” in Proceedings of the 2011 5th Latin-American vol. 1, no. 4, pp. 127–134, 2017.
Symposium on Dependable Computing, pp. 55–64, IEEE, Sao [37] S. B. Kotsiantis, I. Zaharakis, and P. Pintelas, “Supervised
Jose dos Campos, Brazil, April 2011. machine learning: a review of classification techniques,”
[19] M. Malviya, A. Jain, and N. Gupta, “Improving security by Emerging artificial intelligence applications in computer en-
predicting anomaly user through web mining: a review,” gineering, vol. 160, no. 1, pp. 3–24, 2007.
International Journal of Advances in Engineering & Tech- [38] R. Abdulhammed, H. Musafer, A. Alessa, M. Faezipour, and
nology, vol. 1, no. 2, p. 28, 2011. A. Abuzneid, “Features dimensionality reduction approaches
[20] C. T. Giménez, A. P. Villegas, and G. Á. Marañón, “Http for machine learning based network intrusion detection,”
Electronics, vol. 8, no. 3, p. 322, 2019.
dataset CSIC 2010,” 2010, https://www.isi.csic.es/dataset/.
[39] G. T. Reddy, M. P. K. Reddy, K. Lakshmanna et al., “Analysis
[21] F. Eisterlehner, A. Hotho, and R. Jäschke, “ECML/PKDD
of dimensionality reduction techniques on big data,” IEEE
dataset,” 2007, https://gitlab.fing.edu.uy/gsi/web-application-
Access, vol. 8, pp. 54776–54788, 2020.
attacks-datasets/-/tree/master/ecml_pkdd. [40] G. T. Reddy, S. Bhattacharya, S. S. Ramakrishnan et al., “An
[22] G. P. Urdaneta and G. V. S. Maarten, “Wikipedia access traces ensemble based machine learning model for diabetic reti-
Datasets,” 2008, http://www.wikibench.eu/?page_id�60. nopathy classification,” in Proceedings of the 2020 Interna-
[23] FuzzDB, 2007, https://code.google.com/p/fuzzdb/. tional Conference on Emerging Trends in Information
[24] M. Zhang, S. Lu, and B. Xu, “An anomaly detection method Technology and Engineering (Ic-ETITE), pp. 1–6, IEEE, Vel-
based on multi-models to detect web attacks,” in Proceedings lore, India, Feb 2020.
of the 2017 10th International Symposium on Computational
Intelligence and Design (ISCID), pp. 404–409, IEEE, Hang-
zhou, China, December 2017.
[25] A. Tekerek and O. F. Bay, “Design and implementation of an
artificial intelligence-based web application firewall model,”
Neural Network World, vol. 29, no. 4, pp. 189–206, 2019.
[26] S. Sharma, P. Zavarsky, and S. Butakov, “Machine learning
based intrusion detection system for web-based attacks,” in
Proceedings of the 2020 IEEE 6th Intl Conference on Big Data
Security on Cloud (BigDataSecurity), IEEE Intl Conference on
High Performance and Smart Computing,(HPSC) and IEEE
Intl Conference on Intelligent Data and Security (IDS),
pp. 227–230, IEEE, Baltimore, MD, USA, May 2020.
[27] A. M. Vartouni, S. S. Kashi, and M. Teshnehlab, “An anomaly
detection method to detect web attacks using stacked auto-
encoder,” in Proceedings of the 2018 6th Iranian Joint Congress
on Fuzzy and Intelligent Systems (CFIS), pp. 131–134, IEEE,
Kerman, Iran, March 2018.
[28] “HttpParams dataset,” 2015, https://github.com/Morzeux/
HttpParamsDataset.
[29] X. D. Hoang, “Detecting common web attacks based on
machine learning using web log,” in Proceedings of the In-
ternational Conference on Engineering Research and Appli-
cations, pp. 311–318, Springer, -ai Nguyen, December 2020.
[30] Q. Niu and X. Li, “A high-performance web attack detection
method based on CNN-GRU model,” in Proceedings of the
2020 IEEE 4th Information Technology, Networking, Electronic
and Automation Control Conference (ITNEC), pp. 804–808,
IEEE, Chongqing, China, June 2020.
[31] A. Ghafarian, “A hybrid method for detection and prevention
of SQL injection attacks,” in Proceedings of the 2017 Com-
puting Conference, pp. 833–838, IEEE, London, UK, July 2017.
[32] W. G. J. Halfond and A. Orso, “Preventing SQL injection
attacks using AMNESIA,” in Proceedings of the 28th Inter-
national Conference on Software Engineering, pp. 795–798,
Shanghai, China, May 2006.
[33] P. Bisht, P. Madhusudan, and V. N. Venkatakrishnan,
“Candid,” ACM Transactions on Information and System
Security, vol. 13, pp. 1–39, 2010.
[34] R. Kumari and S. K. Srivastava, “Machine learning: a review
on binary classification,” International Journal of Computer
Application, vol. 160, p. 7, 2017.
[35] M. Proxy: https://docs.mitmproxy.org/stable/.