{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T01:46:12Z","timestamp":1760060772783,"version":"build-2065373602"},"reference-count":29,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2025,9,17]],"date-time":"2025-09-17T00:00:00Z","timestamp":1758067200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["12105303","12505226"],"award-info":[{"award-number":["12105303","12505226"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>To address the increasing complexity of web user behavior anomaly detection and the issue of missing semantic information caused by relying solely on features like request semantics or request sequences, this study proposes a multi-angle semantic feature fusion approach for user behavior anomaly detection. The research is based on user sessions. Firstly, by analyzing the access sequence behavior within user sessions and utilizing an improved SimHash algorithm, sequence features are extracted to model browsing patterns. Secondly, combining the semantic content contained in user sessions, a multi-attention Transformer model is employed to extract semantic features, representing user visit semantics. Finally, an end-to-end model is constructed to fuse sequence and semantic features, enabling effective detection of user behavior anomalies. Experimental results demonstrate that the proposed model exhibits excellent performance and stability in detection accuracy, with significant effects in real-world anomaly user identification. As the proportion of anomalous sessions increases, precision, recall, and F1-score also improve, all reaching 99%. Even when anomalous sessions are scarce in the dataset, the model still achieves satisfactory detection results.<\/jats:p>","DOI":"10.3390\/info16090807","type":"journal-article","created":{"date-parts":[[2025,9,17]],"date-time":"2025-09-17T13:03:02Z","timestamp":1758114182000},"page":"807","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["A Multi-Angle Semantic Feature Fusion Method for Web User Behavior Anomaly Detection"],"prefix":"10.3390","volume":"16","author":[{"given":"Li","family":"Wang","sequence":"first","affiliation":[{"name":"Institute of High Energy Physics, Chinese Academy of Sciences, Beijing 100049, China"},{"name":"Spallation Neutron Source Science Center (SNSSC), Dongguan 523803, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mingshan","family":"Xia","sequence":"additional","affiliation":[{"name":"Institute of High Energy Physics, Chinese Academy of Sciences, Beijing 100049, China"},{"name":"Spallation Neutron Source Science Center (SNSSC), Dongguan 523803, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yakang","family":"Li","sequence":"additional","affiliation":[{"name":"Institute of High Energy Physics, Chinese Academy of Sciences, Beijing 100049, China"},{"name":"Spallation Neutron Source Science Center (SNSSC), Dongguan 523803, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jiahong","family":"Xu","sequence":"additional","affiliation":[{"name":"State Grid Tianjin Electric Power Company Dongli Power Supply Branch, Tianjin 300300, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4771-6631","authenticated-orcid":false,"given":"Fengyao","family":"Hou","sequence":"additional","affiliation":[{"name":"Institute of High Energy Physics, Chinese Academy of Sciences, Beijing 100049, China"},{"name":"Spallation Neutron Source Science Center (SNSSC), Dongguan 523803, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fazhi","family":"Qi","sequence":"additional","affiliation":[{"name":"Institute of High Energy Physics, Chinese Academy of Sciences, Beijing 100049, China"},{"name":"Spallation Neutron Source Science Center (SNSSC), Dongguan 523803, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2025,9,17]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Kruegel, C., and Vigna, G. (2003). Anomaly detection of web-based attacks. CCS \u201903, Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, 27\u201331 October 2003, Association for Computing Machinery.","DOI":"10.1145\/948143.948144"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"717","DOI":"10.1016\/j.comnet.2005.01.009","article-title":"A multi-model approach to the detection of web-based attacks","volume":"48","author":"Kruegel","year":"2005","journal-title":"Comput. Netw."},{"key":"ref_3","unstructured":"Robertson, W., Vigna, G., Kruegel, C., and Kemmerer, R.A. (2025, September 14). Using Generalization and Characterization Techniques in the Anomaly-Based Detection of Web Attacks. NDSS. Available online: https:\/\/api.semanticscholar.org\/CorpusID:8266221."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"5810","DOI":"10.1109\/TII.2020.3038761","article-title":"A Novel Web Attack Detection System for Internet of Things via Ensemble Classification","volume":"17","author":"Luo","year":"2021","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Laiq, F., Al-Obeidat, F., Amin, A., and Moreira, F. (2023, January 16\u201318). DDoS Attack Detection in Edge-IIoT using Ensemble Learning. Proceedings of the 2023 7th Cyber Security in Networking Conference (CSNet), Montreal, QC, Canada.","DOI":"10.1109\/CSNet59123.2023.10339784"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Xie, Y., and Tang, S. (2012, January 21\u201325). Online anomaly detection based on web usage mining. Proceedings of the 2012 IEEE 26th International Parallel and Distributed Processing Symposium Workshops PhD Forum, Shanghai, China.","DOI":"10.1109\/IPDPSW.2012.143"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"520","DOI":"10.1109\/TBDATA.2017.2657623","article-title":"A situational analytic method for user behavior pattern in multimedia social networks","volume":"5","author":"Zhang","year":"2019","journal-title":"IEEE Trans. Big Data"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Hong, L. (2013, January 23\u201324). Based on the user behavior characteristics of mining database anomaly detection model design. Proceedings of the 2013 6th International Conference on Information Management, Innovation Management and Industrial Engineering, Xi\u2019an, China.","DOI":"10.1109\/ICIII.2013.6703229"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Zhou, Y., Wang, Y., and Ma, X. (2016, January 16\u201318). A user behavior anomaly detection approach based on sequence mining over data streams. Proceedings of the 2016 17th International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT), Guangzhou, China.","DOI":"10.1109\/PDCAT.2016.086"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Prinakaa, S., Bavanika, V., Sanjana, S., Srinivasan, S., and Sarasvathi, V. (2024, January 20\u201324). A Real-Time Approach to Detecting API Abuses Based on Behavioral Patterns. Proceedings of the 2024 8th International Conference on Cryptography, Security and Privacy (CSP), Osaka, Japan.","DOI":"10.1109\/CSP62567.2024.00012"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Hu, S., Xiao, Z., Rao, Q., and Liao, R. (2018, January 14\u201316). An anomaly detection model of user behavior based on similarity clustering. Proceedings of the 2018 IEEE 4th Information Technology and Mechatronics Engineering Conference (ITOEC), Chongqing, China.","DOI":"10.1109\/ITOEC.2018.8740748"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Gao, Y., Ma, Y., and Li, D. (2017, January 27\u201330). Anomaly detection of malicious users\u2019 behaviors for web applications based on web logs. Proceedings of the 2017 IEEE 17th International Conference on Communication Technology (ICCT), Chengdu, China.","DOI":"10.1109\/ICCT.2017.8359854"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Paul, M., and Medhe, K. (, January 29\u201330). Using Machine Learning to Detect Anomalies in Internet Browsing Pattern of Users. Proceedings of the 5th International Conference on Cyber Security & Privacy in Communication Networks (ICCS) 2019, Kurukshetra, India. Available online: https:\/\/ssrn.com\/abstract=3511054.","DOI":"10.2139\/ssrn.3511054"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"149","DOI":"10.1016\/j.knosys.2018.11.026","article-title":"Sfad: Toward effective anomaly detection based on session feature similarity","volume":"165","author":"Xiao","year":"2019","journal-title":"Knowl. Based Syst."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Modell, A., Larson, J., Turcotte, M., and Bertiger, A. (2021, January 15\u201318). A graph embedding approach to user behavior anomaly detection. Proceedings of the 2021 IEEE International Conference on Big Data (Big Data), Orlando, FL, USA.","DOI":"10.1109\/BigData52589.2021.9671423"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Ma, H., Wang, C., and Qi, H. (2021, January 10\u201311). Anomaly Behavior Detection for the Web Application Based on LSTM. Proceedings of the 2021 IEEE Conference on Telecommunications, Optics and Computer Science (TOCS), Shenyang, China.","DOI":"10.1109\/TOCS53301.2021.9688720"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Gui, J., Chen, Z., Yu, X., Lumezanu, C., and Chen, H. (2020). Anomaly detection on web-user behaviors through deep learning. Security and Privacy in Communication Networks, Springer International Publishing. Available online: https:\/\/api.semanticscholar.org\/CorpusID:229182996.","DOI":"10.1007\/978-3-030-63086-7_25"},{"key":"ref_18","first-page":"39","article-title":"A User Behavior Prediction Method for Web Applications Based on Deep For-est","volume":"24","author":"Ma","year":"2025","journal-title":"J. Web Eng."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Perumal, S., and Sujatha, P.K. (2021, January 8\u201310). Stacking ensemble-based xss attack detection strategy using classiffcation algorithms. Proceedings of the 2021 6th International Conference on Communication and Electronics Systems (ICCES), Coimbatore, India.","DOI":"10.1109\/ICCES51350.2021.9489177"},{"key":"ref_20","unstructured":"Le, H., Pham, Q., Sahoo, D., and Hoi, S.C. (2018). Urlnet: Learning a url representation with deep learning for malicious url detection. arXiv, Available online: https:\/\/api.semanticscholar.org\/CorpusID:3670018."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"1615","DOI":"10.1016\/j.phpro.2012.02.238","article-title":"Intrusion detection technology research based on apriori algorithm","volume":"24","author":"Li","year":"2012","journal-title":"Phys. Procedia"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Zolotukhin, M., H\u00e4m\u00e4l\u00e4inen, T., Kokkonen, T., and Siltanen, J. (2014, January 24\u201327). Analysis of http requests for anomaly detection of web attacks. Proceedings of the 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing, Dalian, China.","DOI":"10.1109\/DASC.2014.79"},{"key":"ref_23","first-page":"10095","article-title":"An improved medoid clustering algorithm for intrusion detection using web usage mining technique","volume":"6","author":"Rathi","year":"2022","journal-title":"J. Posit. Sch. Psychol."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Zhen, L., Hu, P., Wang, X., and Peng, D. (2019, January 15\u201320). Deep supervised cross-modal retrieval. Proceedings of the 2019 IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Long Beach, CA, USA.","DOI":"10.1109\/CVPR.2019.01064"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Zeng, D., and Oyama, K. (2019, January 8\u201311). Learning joint embedding for cross-modal retrieval. Proceedings of the 2019 International Conference on Data Mining Workshops (ICDMW), Beijing, China.","DOI":"10.1109\/ICDMW.2019.00156"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Yang, T., Li, M., Deng, H., and Wang, J. (2023, January 16\u201318). A sentence-bert-based model for expressing key features of hospital web logs. Proceedings of the 2023 4th International Seminar on Artiffcial Intelligence, Networking and Information Technology (AINIT), Nanjing, China.","DOI":"10.1109\/AINIT59027.2023.10212603"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Ahir, D., and Shaikh, N. (2025, January 5\u20137). Analyzing Machine Learning Frameworks for Anomaly Detection on Web Server Log Data. Proceedings of the 2025 International Conference on Emerging Smart Computing and Informatics (ESCI), Pune, India.","DOI":"10.1109\/ESCI63694.2025.10988343"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Wang, J., Zhou, Z., and Chen, J. (2018, January 26\u201328). Evaluating cnn and lstm for web attack detection. Proceedings of the 2018 10th International Conference on Machine Learning and Computing, Macau, China.","DOI":"10.1145\/3195106.3195107"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Mac, H., Truong, D., Nguyen, L., Nguyen, H., Tran, H.A., and Tran, D. (2018, January 6\u20137). Detecting attacks on web applications using autoencoder. Proceedings of the Ninth International Symposium on Information and Communication Technology, Da Nang, Vietnam.","DOI":"10.1145\/3287921.3287946"}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/9\/807\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:47:06Z","timestamp":1760035626000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/9\/807"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,9,17]]},"references-count":29,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2025,9]]}},"alternative-id":["info16090807"],"URL":"https:\/\/doi.org\/10.3390\/info16090807","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2025,9,17]]}}}