Enhanced Web Payload Classification Using WAMM: An AI-Based Framework for Dataset Refinement and Model Evaluation
Heba Osama, Omar Elebiary, Youssef Qassim, Mohamed Amgad, Ahmed Maghawry, Ahmed Saafan, Haitham Ghalwash
TL;DR
WAMM introduces an AI-driven multiclass framework for web attack detection that redefines payload classification to OWASP categories within a specific technology stack. It combines a four-phase data refinement pipeline—deduplication, LLM-guided relabeling, realistic augmentation, and LLM filtering—with four benchmarking models, achieving peak accuracy of 99.59% using XGBoost on augmented data while maintaining microsecond-level inference. The approach demonstrates substantial improvements over traditional rule-based CRS in true positive block rates, highlighting gaps in static defenses and the value of curated training pipelines for production WAF deployment. The work emphasizes realistic dataset design and model efficiency as key to enabling robust, real-time web attack detection in dynamic operational settings.
Abstract
Web applications increasingly face evasive and polymorphic attack payloads, yet traditional web application firewalls (WAFs) based on static rule sets such as the OWASP Core Rule Set (CRS) often miss obfuscated or zero-day patterns without extensive manual tuning. This work introduces WAMM, an AI-driven multiclass web attack detection framework designed to reveal the limitations of rule-based systems by reclassifying HTTP requests into OWASP-aligned categories for a specific technology stack. WAMM applies a multi-phase enhancement pipeline to the SR-BH 2020 dataset that includes large-scale deduplication, LLM-guided relabeling, realistic attack data augmentation, and LLM-based filtering, producing three refined datasets. Four machine and deep learning models are evaluated using a unified feature space built from statistical and text-based representations. Results show that using an augmented and LLM-filtered dataset on the same technology stack, XGBoost reaches 99.59% accuracy with microsecond-level inference while deep learning models degrade under noisy augmentation. When tested against OWASP CRS using an unseen augmented dataset, WAMM achieves true positive block rates between 96 and 100% with improvements of up to 86%. These findings expose gaps in widely deployed rule-based defenses and demonstrate that curated training pipelines combined with efficient machine learning models enable a more resilient, real-time approach to web attack detection suitable for production WAF environments.
