Saved in:
Bibliographic Details
Main Authors: Osama, Heba, Elebiary, Omar, Qassim, Youssef, Amgad, Mohamed, Maghawry, Ahmed, Saafan, Ahmed, Ghalwash, Haitham
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.23610
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918288025452544
author Osama, Heba
Elebiary, Omar
Qassim, Youssef
Amgad, Mohamed
Maghawry, Ahmed
Saafan, Ahmed
Ghalwash, Haitham
author_facet Osama, Heba
Elebiary, Omar
Qassim, Youssef
Amgad, Mohamed
Maghawry, Ahmed
Saafan, Ahmed
Ghalwash, Haitham
contents Web applications increasingly face evasive and polymorphic attack payloads, yet traditional web application firewalls (WAFs) based on static rule sets such as the OWASP Core Rule Set (CRS) often miss obfuscated or zero-day patterns without extensive manual tuning. This work introduces WAMM, an AI-driven multiclass web attack detection framework designed to reveal the limitations of rule-based systems by reclassifying HTTP requests into OWASP-aligned categories for a specific technology stack. WAMM applies a multi-phase enhancement pipeline to the SR-BH 2020 dataset that includes large-scale deduplication, LLM-guided relabeling, realistic attack data augmentation, and LLM-based filtering, producing three refined datasets. Four machine and deep learning models are evaluated using a unified feature space built from statistical and text-based representations. Results show that using an augmented and LLM-filtered dataset on the same technology stack, XGBoost reaches 99.59% accuracy with microsecond-level inference while deep learning models degrade under noisy augmentation. When tested against OWASP CRS using an unseen augmented dataset, WAMM achieves true positive block rates between 96 and 100% with improvements of up to 86%. These findings expose gaps in widely deployed rule-based defenses and demonstrate that curated training pipelines combined with efficient machine learning models enable a more resilient, real-time approach to web attack detection suitable for production WAF environments.
format Preprint
id arxiv_https___arxiv_org_abs_2512_23610
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Enhanced Web Payload Classification Using WAMM: An AI-Based Framework for Dataset Refinement and Model Evaluation
Osama, Heba
Elebiary, Omar
Qassim, Youssef
Amgad, Mohamed
Maghawry, Ahmed
Saafan, Ahmed
Ghalwash, Haitham
Cryptography and Security
C.2; H.4; I.2
Web applications increasingly face evasive and polymorphic attack payloads, yet traditional web application firewalls (WAFs) based on static rule sets such as the OWASP Core Rule Set (CRS) often miss obfuscated or zero-day patterns without extensive manual tuning. This work introduces WAMM, an AI-driven multiclass web attack detection framework designed to reveal the limitations of rule-based systems by reclassifying HTTP requests into OWASP-aligned categories for a specific technology stack. WAMM applies a multi-phase enhancement pipeline to the SR-BH 2020 dataset that includes large-scale deduplication, LLM-guided relabeling, realistic attack data augmentation, and LLM-based filtering, producing three refined datasets. Four machine and deep learning models are evaluated using a unified feature space built from statistical and text-based representations. Results show that using an augmented and LLM-filtered dataset on the same technology stack, XGBoost reaches 99.59% accuracy with microsecond-level inference while deep learning models degrade under noisy augmentation. When tested against OWASP CRS using an unseen augmented dataset, WAMM achieves true positive block rates between 96 and 100% with improvements of up to 86%. These findings expose gaps in widely deployed rule-based defenses and demonstrate that curated training pipelines combined with efficient machine learning models enable a more resilient, real-time approach to web attack detection suitable for production WAF environments.
title Enhanced Web Payload Classification Using WAMM: An AI-Based Framework for Dataset Refinement and Model Evaluation
topic Cryptography and Security
C.2; H.4; I.2
url https://arxiv.org/abs/2512.23610