LLM-AE-MP: Web Attack Detection Using a Large Language Model with Autoencoder and Multilayer Perceptron

Expert Systems with Applications, Volume 274, Article 126982 (IF 7.5; Zone 1, Computer Science; JCR Q1, Computer Science, Artificial Intelligence). Pub Date: 2025-05-15. Epub Date: 2025-02-21. DOI: 10.1016/j.eswa.2025.126982
Jing Yang, Yuangui Wu, Yuping Yuan, Haozhong Xue, Sami Bourouis, Mahmoud Abdel-Salam, Sunil Prajapat, Lip Yee Por

Abstract

Web applications store sensitive data, making them prime targets for cybercriminals and posing national security risks. This study introduces a new approach to distinguishing legitimate and malicious hypertext transfer protocol (HTTP) requests using an autoencoder (AE). The integration of the AE allows for efficient feature distillation, enhancing the sensitivity of the model to anomalies in HTTP traffic. The AE framework is combined with a transductive long short-term memory (TLSTM) network, which is trained with an advanced generative adversarial network (GAN). Using a GAN promotes an adaptive learning environment, significantly boosting the robustness and generalizability of our method against evolving web attack vectors. TLSTM uses transductive learning to focus on data points near the test set, improving the adaptability of the model so that it outperforms traditional LSTM models. In our GAN, the generator purposely excludes gradients from the most influential batch elements, improving the ability of the model to generate diverse and generalized outputs. After training the AE, its latent representations are passed to a multilayer perceptron (MLP) for detection tasks. To address the imbalanced classification in the MLP, we use a reinforcement learning (RL) strategy. The RL approach strategically adjusts incentives, enhancing the performance of the model in identifying less frequent but critical malicious instances, thereby supporting a balanced security assessment. Our evaluations using the CSIC 2010 (Spanish National Research Council 2010), FWAF (web application firewall), and HttpParams datasets show that our method outperforms existing techniques, with (accuracy, F-measure, geometric mean (G-means), area under the curve (AUC)) reaching (90.937%, 89.755%, 88.446%, 0.838), (89.055, 90.663%, 88.334%, 0.847) and (92.242%, 93.774%, 91.356%, 0.897), respectively. Moreover, our model achieves efficient runtime and memory usage across the datasets, providing a practical solution for real-time web attack detection. These results confirm the effectiveness of the model in security contexts, representing a substantial advancement in web attack detection and the improvement of investigative strategies.