{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,2]],"date-time":"2026-04-02T17:15:59Z","timestamp":1775150159886,"version":"3.50.1"},"reference-count":58,"publisher":"MDPI AG","issue":"6","license":[{"start":{"date-parts":[[2025,5,26]],"date-time":"2025-05-26T00:00:00Z","timestamp":1748217600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"<jats:p>The increasing sophistication of web-based services has intensified the risk of zero-day attacks, exposing critical vulnerabilities in user information security. Traditional detection systems often rely on labeled attack data and struggle to identify novel threats without prior knowledge. This paper introduces a novel one-class ensemble method for detecting zero-day web attacks, combining the strengths of Long Short-Term Memory (LSTM), Gated Recurrent Unit (GRU), and stacked autoencoders through latent representation concatenation and compression. Additionally, a structured tokenization strategy based on character-level analysis is employed to enhance input consistency and reduce feature dimensionality. The proposed method was evaluated using the CSIC 2012 dataset, achieving 97.58% accuracy, 97.52% recall, 99.76% specificity, and 99.99% precision, with a false positive rate of just 0.2%. Compared to conventional ensemble techniques like majority voting, our approach demonstrates superior anomaly detection performance by fusing diverse feature representations at the latent level rather than the output level. These results highlight the model\u2019s effectiveness in accurately detecting unknown web attacks with low false positives, addressing major limitations of existing detection frameworks.<\/jats:p>","DOI":"10.3390\/computers14060205","type":"journal-article","created":{"date-parts":[[2025,5,26]],"date-time":"2025-05-26T04:49:52Z","timestamp":1748234992000},"page":"205","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":14,"title":["Detecting Zero-Day Web Attacks with an Ensemble of LSTM, GRU, and Stacked Autoencoders"],"prefix":"10.3390","volume":"14","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-0163-8281","authenticated-orcid":false,"given":"Vahid","family":"Babaey","sequence":"first","affiliation":[{"name":"Department of Electrical and Computer Engineering, University of North Carolina at Charlotte, Charlotte, NC 28223, USA"}]},{"given":"Hamid Reza","family":"Faragardi","sequence":"additional","affiliation":[{"name":"Research Engineer, KTH Royal Institute of Technology, SE-100 44 Stockholm, Sweden"}]}],"member":"1968","published-online":{"date-parts":[[2025,5,26]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"10733","DOI":"10.1007\/s10462-023-10437-z","article-title":"Zero-day attack detection: A systematic literature review","volume":"56","author":"Ahmad","year":"2023","journal-title":"Artif. Intell. Rev."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Dawadi, B.R., Adhikari, B., and Srivastava, D.K. (2023). Deep learning technique-enabled web application firewall for the detection of web attacks. Sensors, 23.","DOI":"10.3390\/s23042073"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"100634","DOI":"10.1016\/j.cosrev.2024.100634","article-title":"Twenty-two years since revealing cross-site scripting attacks: A systematic mapping and a comprehensive survey","volume":"52","author":"Hannousse","year":"2024","journal-title":"Comput. Sci. Rev."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Babaey, V., and Ravindran, A. (2025). GenSQLi: A Generative Artificial Intelligence Framework for Automatically Securing Web Application Firewalls Against Structured Query Language Injection Attacks. Future Internet, 17.","DOI":"10.3390\/fi17010008"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Yang, J., Chen, Y.L., Por, L.Y., and Ku, C.S. (2023). A systematic literature review of information security in chatbots. Appl. Sci., 13.","DOI":"10.3390\/app13116355"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1109\/MSEC.2019.2961649","article-title":"Machine learning for web vulnerability detection: The case of cross-site request forgery","volume":"18","author":"Calzavara","year":"2020","journal-title":"IEEE Secur. Priv."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Kalla, D., Mohammed, A.S., Boddapati, V.N., Jiwani, N., and Kiruthiga, T. (2024, January 28\u201329). Investigating the Impact of Heuristic Algorithms on Cyberthreat Detection. Proceedings of the 2024 2nd International Conference on Advances in Computation, Communication and Information Technology (ICAICCIT), Faridabad, India.","DOI":"10.1109\/ICAICCIT64383.2024.10912106"},{"key":"ref_8","first-page":"1","article-title":"A survey on explainable anomaly detection","volume":"18","author":"Li","year":"2023","journal-title":"ACM Trans. Knowl. Discov. Data"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"146","DOI":"10.26599\/TST.2019.9010051","article-title":"A hybrid unsupervised clustering-based anomaly detection method","volume":"26","author":"Pu","year":"2020","journal-title":"Tsinghua Sci. Technol."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1504\/IJWGS.2020.106128","article-title":"An efficient algorithm and tool for detecting dangerous website vulnerabilities","volume":"16","author":"Long","year":"2020","journal-title":"Int. J. Web Grid Serv."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"1239","DOI":"10.1016\/j.comnet.2006.09.016","article-title":"Learning DFA representations of HTTP for protecting web applications","volume":"51","author":"Ingham","year":"2007","journal-title":"Comput. Netw."},{"key":"ref_12","first-page":"269","article-title":"Web intrusion detection using character level machine learning approaches with upsampled data","volume":"32","author":"Sivri","year":"2022","journal-title":"Ann. Comput. Sci. Inf. Syst."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Jung, I., Lim, J., and Kim, H.K. (2021). PF-TL: Payload feature-based transfer learning for dealing with the lack of training data. Electronics, 10.","DOI":"10.3390\/electronics10101148"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Vartouni, A.M., Kashi, S.S., and Teshnehlab, M. (March, January 28). An anomaly detection method to detect web attacks using stacked auto-encoder. Proceedings of the 2018 6th Iranian Joint Congress on Fuzzy and Intelligent Systems (CFIS), Kerman, Iran.","DOI":"10.1109\/CFIS.2018.8336654"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"221","DOI":"10.1016\/j.cose.2010.12.004","article-title":"HMMPayl: An intrusion detection system based on Hidden Markov Models","volume":"30","author":"Ariu","year":"2011","journal-title":"Comput. Secur."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Liang, J., Zhao, W., and Ye, W. (2017, January 8\u201310). Anomaly-based web attack detection: A deep learning approach. Proceedings of the 2017 VI International Conference on Network, Communication and Computing, Kunming, China.","DOI":"10.1145\/3171592.3171594"},{"key":"ref_17","unstructured":"Kuang, X., Zhang, M., Li, H., Zhao, G., Cao, H., Wu, Z., and Wang, X. (2019, January 1\u20133). DeepWAF: Detecting web attacks based on CNN and LSTM models. Proceedings of the Cyberspace Safety and Security: 11th International Symposium, CSS 2019, Guangzhou, China. Proceedings, Part II 11."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Tang, R., Yang, Z., Li, Z., Meng, W., Wang, H., Li, Q., Sun, Y., Pei, D., Wei, T., and Xu, Y. (2020, January 6\u20139). Zerowall: Detecting zero-day web attacks through encoder-decoder recurrent neural networks. Proceedings of the IEEE INFOCOM 2020-IEEE Conference on Computer Communications, Virtually.","DOI":"10.1109\/INFOCOM41043.2020.9155278"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"150142","DOI":"10.1109\/ACCESS.2021.3124628","article-title":"Robust ensemble machine learning model for filtering phishing URLs: Expandable random gradient stacked voting classifier (ERG-SVC)","volume":"9","author":"Indrasiri","year":"2021","journal-title":"IEEE Access"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"187","DOI":"10.1007\/s11265-019-01494-1","article-title":"Model uncertainty based annotation error fixing for web attack detection","volume":"93","author":"Gong","year":"2021","journal-title":"J. Signal Process. Syst."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"102096","DOI":"10.1016\/j.cose.2020.102096","article-title":"A novel architecture for web-based attack detection using convolutional neural network","volume":"100","author":"Tekerek","year":"2021","journal-title":"Comput. Secur."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Jemal, I., Haddar, M.A., Cheikhrouhou, O., and Mahfoudhi, A. (2022, January 11\u201313). SWAF: A smart web application firewall based on convolutional neural network. Proceedings of the 2022 15th International Conference on Security of Information and Networks (SIN), Sousse, Tunisia.","DOI":"10.1109\/SIN56466.2022.9970545"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"687","DOI":"10.1016\/j.procs.2022.12.070","article-title":"Web attacks detection using stacked generalization ensemble for LSTMs and word embedding","volume":"215","author":"Alaoui","year":"2022","journal-title":"Procedia Comput. Sci."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"2415288","DOI":"10.1155\/2023\/2415288","article-title":"MC-MLDCNN: Multichannel Multilayer Dilated Convolutional Neural Networks for Web Attack Detection","volume":"2023","author":"Moarref","year":"2023","journal-title":"Secur. Commun. Netw."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Yatagha, R., Nebebe, B., Waedt, K., and Ruland, C. (2024, January 21\u201325). Towards a Zero-Day Anomaly Detector in Cyber Physical Systems Using a Hybrid VAE-LSTM-OCSVM Model. Proceedings of the 33rd ACM International Conference on Information and Knowledge Management, Boise, ID, USA.","DOI":"10.1145\/3627673.3680064"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"105153","DOI":"10.1016\/j.dsp.2025.105153","article-title":"One-class IoT anomaly detection system using an improved interpolated deep SVDD autoencoder with adversarial regularizer","volume":"162","author":"Katbi","year":"2025","journal-title":"Digit. Signal Process."},{"key":"ref_27","unstructured":"Tokmak, M., and Nkongolo, M. (2023). Stacking an autoencoder for feature selection of zero-day threats. arXiv."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Alghawazi, M., Alghazzawi, D., and Alarifi, S. (2023). Deep learning architecture for detecting SQL injection attacks based on RNN autoencoder model. Mathematics, 11.","DOI":"10.20944\/preprints202307.0679.v1"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"135507","DOI":"10.1109\/ACCESS.2023.3337645","article-title":"Ae-net: Novel autoencoder-based deep features for sql injection attack detection","volume":"11","author":"Thalji","year":"2023","journal-title":"IEEE Access"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Yao, W., Hu, L., Hou, Y., and Li, X. (2023). A lightweight intelligent network intrusion detection system using one-class autoencoder and ensemble learning for IoT. Sensors, 23.","DOI":"10.3390\/s23084141"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"869","DOI":"10.21608\/auej.2023.213003.1375","article-title":"Multi-Class Intrusion Detection System using Deep Learning","volume":"18","author":"Mohamed","year":"2023","journal-title":"J. Al-Azhar Univ. Eng. Sect."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"103270","DOI":"10.1016\/j.jnca.2021.103270","article-title":"An enhanced deep learning based framework for web attacks detection, mitigation and attacker profiling","volume":"198","author":"Shahid","year":"2022","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"780","DOI":"10.1016\/j.procs.2020.04.085","article-title":"Siam-IDS: Handling class imbalance problem in intrusion detection systems using siamese neural network","volume":"171","author":"Bedi","year":"2020","journal-title":"Procedia Comput. Sci."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"102940","DOI":"10.1016\/j.cose.2022.102940","article-title":"Extreme minority class detection in imbalanced data for network intrusion","volume":"123","author":"Milosevic","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"10611","DOI":"10.1007\/s11227-023-05073-x","article-title":"Addressing the class imbalance problem in network intrusion detection systems using data resampling and deep learning","volume":"79","author":"Abdelkhalek","year":"2023","journal-title":"J. Supercomput."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Yuan, Y., Lu, Y., Zhu, K., Huang, H., Yu, L., and Zhao, J. (2023). A Static Detection Method for SQL Injection Vulnerability Based on Program Transformation. Appl. Sci., 13.","DOI":"10.3390\/app132111763"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Vorobyov, K., Gauthier, F., and Krishnan, P. (2024, January 14\u201320). Synthesis of Allowlists for Runtime Protection against SQLi. Proceedings of the 2024 ACM\/IEEE 44th International Conference on Software Engineering: New Ideas and Emerging Results, Lisbon, Portugal.","DOI":"10.1145\/3639476.3639772"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Su, H., Li, F., Xu, L., Hu, W., Sun, Y., Sun, Q., Chao, H., and Huo, W. (2023, January 17\u201321). Splendor: Static Detection of Stored XSS in Modern Web Applications. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, Seattle, WA, USA.","DOI":"10.1145\/3597926.3598116"},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Silvestre, A., Medeiros, I., and Mordido, A. (2024, January 28\u201329). Towards a SQL Injection Vulnerability Detector Based on Session Types. Proceedings of the 19th International Conference on Evaluation of Novel Approaches to Software Engineering, Angers, France. Volume 1: ENASE. INSTICC.","DOI":"10.5220\/0012732500003687"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Thomas, S., Koleini, F., and Tabrizi, N. (2022, January 14\u201316). Dynamic defenses and the transferability of adversarial examples. Proceedings of the 2022 IEEE 4th International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (TPS-ISA), Virtual.","DOI":"10.1109\/TPS-ISA56441.2022.00041"},{"key":"ref_41","unstructured":"Khalid, M.N., Farooq, H., Iqbal, M., Alam, M.T., and Rasheed, K. (2018, January 23\u201325). Predicting web vulnerabilities in web applications based on machine learning. Proceedings of the Intelligent Technologies and Applications: First International Conference, INTAP 2018, Bahawalpur, Pakistan. Revised Selected Papers 1."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Levene, M., Poulovassilis, A., and Davison, B.D. (2004). Learning web request patterns. Web Dynamics: Adapting to Change in Content, Size, Topology and Use, Springer.","DOI":"10.1007\/978-3-662-10874-1"},{"key":"ref_43","first-page":"37","article-title":"Text mining: Open source tokenization tools-an analysis","volume":"3","author":"Vijayarani","year":"2016","journal-title":"Adv. Comput. Intell. Int. J. (ACII)"},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Rashvand, N., Hosseini, S.S., Azarbayjani, M., and Tabkhi, H. (2023). Real-Time Bus Arrival Prediction: A Deep Learning Approach for Enhanced Urban Mobility. arXiv.","DOI":"10.5220\/0012365500003639"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Kefayat, E., and Thill, J.C. (2025). Urban Street Network Configuration and Property Crime: An Empirical Multivariate Case Study. ISPRS Int. J. Geo-Inf., 14.","DOI":"10.3390\/ijgi14050200"},{"key":"ref_46","unstructured":"Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A.N., Kaiser, L., and Polosukhin, I. (2017, January 4\u20139). Attention is all you need. Proceedings of the 2017 Conference on Neural Information Processing Systems, Long Beach, CA, USA."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"212","DOI":"10.3390\/iot5020011","article-title":"Enhancing automatic modulation recognition for iot applications using transformers","volume":"5","author":"Rashvand","year":"2024","journal-title":"IoT"},{"key":"ref_48","doi-asserted-by":"crossref","first-page":"5280158","DOI":"10.1155\/2022\/5280158","article-title":"Web application firewall using machine learning and features engineering","volume":"2022","author":"Shaheed","year":"2022","journal-title":"Secur. Commun. Netw."},{"key":"ref_49","unstructured":"DuckDuckBug (2025, January 29). CNN Web Application Firewall. Available online: https:\/\/github.com\/DuckDuckBug\/cnn_waf."},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"2210","DOI":"10.1109\/TSC.2024.3453748","article-title":"Detecting web attacks from HTTP weblogs using variational LSTM autoencoder deviation network","volume":"17","author":"Jagat","year":"2024","journal-title":"IEEE Trans. Serv. Comput."},{"key":"ref_51","unstructured":"Abshari, D., Fu, C., and Sridhar, M. (2024). LLM-assisted Physical Invariant Extraction for Cyber-Physical Systems Anomaly Detection. arXiv."},{"key":"ref_52","unstructured":"Zibaeirad, A., Koleini, F., Bi, S., Hou, T., and Wang, T. (2024). A comprehensive survey on the security of smart grid: Challenges, mitigations, and future research opportunities. arXiv."},{"key":"ref_53","unstructured":"Abshari, D., and Sridhar, M. (2025). A Survey of Anomaly Detection in Cyber-Physical Systems. arXiv."},{"key":"ref_54","doi-asserted-by":"crossref","unstructured":"Babaey, V., and Ravindran, A. (2025). GenXSS: An AI-Driven Framework for Automated Detection of XSS Attacks in WAFs. arXiv.","DOI":"10.20944\/preprints202503.0313.v1"},{"key":"ref_55","unstructured":"White, J., Fu, Q., Hays, S., Sandborn, M., Olea, C., Gilbert, H., Elnashar, A., Spencer-Smith, J., and Schmidt, D.C. (2023). A prompt pattern catalog to enhance prompt engineering with chatgpt. arXiv."},{"key":"ref_56","doi-asserted-by":"crossref","unstructured":"Graves, A., Jaitly, N., and Mohamed, A.r. (2013, January 8\u201312). Hybrid speech recognition with deep bidirectional LSTM. Proceedings of the 2013 IEEE Workshop on Automatic Speech Recognition and Understanding, Olomouc, Czech Republic.","DOI":"10.1109\/ASRU.2013.6707742"},{"key":"ref_57","unstructured":"Talebi, S., and Zhou, K. (2025). Graph Neural Networks for Efficient AC Power Flow Prediction in Power Grids. arXiv."},{"key":"ref_58","unstructured":"Zibaeirad, A., and Vieira, M. (2025). Reasoning with LLMs for Zero-Shot Vulnerability Detection. arXiv."}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/6\/205\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:40:20Z","timestamp":1760031620000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/6\/205"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,5,26]]},"references-count":58,"journal-issue":{"issue":"6","published-online":{"date-parts":[[2025,6]]}},"alternative-id":["computers14060205"],"URL":"https:\/\/doi.org\/10.3390\/computers14060205","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,5,26]]}}}