WADBERT: Dual-channel Web Attack Detection Based on BERT Models

TL;DR

WADBERT is a novel deep learning model that effectively detects web attacks by embedding and analyzing HTTP request features, achieving high accuracy and attack traceability.

Contribution

The paper introduces WADBERT, combining hybrid granularity embedding and BERT-based models with multi-head attention for improved web attack detection and parameter identification.

Findings

Achieves F1-score of 99.63% on CSIC2010 dataset.

Outperforms existing state-of-the-art methods.

Enables precise malicious parameter identification.

Abstract

Web attack detection is the first line of defense for securing web applications, designed to preemptively identify malicious activities. Deep learning-based approaches are increasingly popular for their advantages: automatically learning complex patterns and extracting semantic features from HTTP requests to achieve superior detection performance. However, existing methods are less effective in embedding irregular HTTP requests, even failing to model unordered parameters and achieve attack traceability. In this paper, we propose an effective web attack detection model, named WADBERT. It achieves high detection accuracy while enabling the precise identification of malicious parameters. To this end, we first employ Hybrid Granularity Embedding (HGE) to generate fine-grained embeddings for URL and payload parameters. Then, URLBERT and SecBERT are respectively utilized to extract their semantic features. Further, parameter-level features (extracted by SecBERT) are fused through a multi-head attention mechanism, resulting in a comprehensive payload feature. Finally, by feeding the concatenated URL and payload features into a linear classifier, a final detection result is obtained. The experimental results on CSIC2010 and SR-BH2020 datasets validate the efficacy of WADBERT, which respectively achieves F1-scores of 99.63% and 99.50%, and significantly outperforms state-of-the-art methods.