EBTM: Web Vulnerability Attack Behavior Recognition Method Based on Feature Fusion
DOI: https://doi.org/10.4108/eetsis.11636
Keywords: Vulnerability Attack Behavior, Large-Scale Traffic, False Positive Rate, Feature Fusion, Deep Learning
Abstract
INTRODUCTION: With the continuous expansion of network scale, effectively detecting web vulnerability attacks has become a critical challenge for ensuring network security. Existing research, primarily focused on balanced sample recognition, proves inadequate for real-world scenarios due to high false alarm rates in large-scale traffic and poor recognition performance for minority attack samples caused by imbalanced data distribution.
OBJECTIVES: This paper aims to address the limitations of current web vulnerability attack detection methods in imbalanced real-world environments. The objective is to propose a novel recognition method that reduces the false positive rate and improves the identification performance for minority attack samples under highly skewed data distributions.
METHODS: We propose a feature fusion-based recognition method named EBTM for imbalanced samples. The method integrates expert knowledge to optimize feature selection, focusing on key information and ensuring a more uniform mapping of URL requests. It employs three output features from different advantageous models for feature fusion, thereby generating a richer and more discriminative feature representation for the final recognition task.
RESULTS: Experimental results demonstrate that the proposed EBTM method significantly enhances the recognition of web vulnerability attack behaviors. Under a realistic imbalanced condition where attack samples constitute only about 3% of the data, the model achieves a macro-average F1 score of 99.1% and reduces the false positive rate to 0.054%.
CONCLUSION: The EBTM method effectively improves the efficiency and accuracy of web vulnerability attack behavior recognition in practical, imbalanced scenarios. By combining expert-guided feature optimization and multi-model feature fusion, it successfully addresses key challenges of high false alarms and poor minority class recognition, offering a robust solution for securing large-scale network environments.
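The two metrics reported in the abstract, macro-average F1 and false positive rate, can be worked through on a constructed set with the same roughly 3% attack share. This is an added example, not code or data from the paper: the detector's error counts are hypothetical and are not EBTM results, and the function names are chosen here for illustration.

```python
from collections import Counter

def confusion(y_true, y_pred):
    """Return (tp, fp, fn, tn) with attack=1 as the positive class."""
    c = Counter(zip(y_true, y_pred))
    return c[(1, 1)], c[(0, 1)], c[(1, 0)], c[(0, 0)]

def f1(tp, fp, fn):
    # F1 = 2TP / (2TP + FP + FN); 0 when the class is neither present nor predicted.
    denom = 2 * tp + fp + fn
    return 2 * tp / denom if denom else 0.0

def evaluate(y_true, y_pred):
    tp, fp, fn, tn = confusion(y_true, y_pred)
    f1_attack = f1(tp, fp, fn)
    f1_benign = f1(tn, fn, fp)  # benign as positive: FP and FN swap roles
    return {
        "accuracy": (tp + tn) / len(y_true),
        "macro_f1": (f1_attack + f1_benign) / 2,  # unweighted mean over classes
        "fpr": fp / (fp + tn) if (fp + tn) else 0.0,
    }

def false_alarms_per_million(fpr, attack_share=0.03):
    """Expected false alarms per 1,000,000 requests at a given FPR."""
    return fpr * 1_000_000 * (1 - attack_share)

# Constructed data: 10,000 requests, 3% attacks (label 1), 97% benign (label 0).
y_true = [1] * 300 + [0] * 9700

# Baseline that labels every request benign: high accuracy, useless detector.
all_benign = [0] * len(y_true)

# Hypothetical detector: misses 6 of 300 attacks, raises 5 false alarms.
detector = [1] * 294 + [0] * 6 + [1] * 5 + [0] * 9695

if __name__ == "__main__":
    for name, pred in (("all-benign", all_benign), ("detector", detector)):
        m = evaluate(y_true, pred)
        print(f"{name:10s} acc={m['accuracy']:.4f} "
              f"macro_f1={m['macro_f1']:.4f} fpr={m['fpr']:.5f}")
    # FPR of 0.054% as reported in the abstract, at a 3% attack share.
    print(round(false_alarms_per_million(0.00054)), "false alarms per 1M requests")
```

The all-benign baseline reaches 97% accuracy while its macro-F1 stays below 0.5, which is why accuracy alone says little at this class ratio. At the reported 0.054% false positive rate, a million requests still yield on the order of 500 false alarms for analysts to triage.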
License
Copyright (c) 2026 Xiangnan Lin, Bin Lu

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
This is an open access article distributed under the terms of the CC BY-NC-SA 4.0, which permits copying, redistributing, remixing, transformation, and building upon the material in any medium so long as the original work is properly cited.
