Search Results (9)

Search Parameters:
Keywords = HTTP payload

22 pages, 2209 KB  
Article
Deployment-Oriented Multi-Embedding Machine Learning Framework for SQL Injection Detection and Prevention in a Web Application Firewall
by Sahar Saadallah Ahmed and Mohand Lokman Al dabag
Computers 2026, 15(6), 368; https://doi.org/10.3390/computers15060368 - 5 Jun 2026
Viewed by 381
Abstract
Structured Query Language injection (SQLi) remains a persistent threat to web applications due to the obfuscation, diversity, and evolving structure of malicious payloads, which limit the effectiveness of conventional rule and signature-based Web Application Firewalls (WAFs). Although prior studies have reported high detection performance using individual feature extraction methods or offline classification models, limited work has addressed deployment-oriented SQLi prevention through an integrated real-time inspection framework. This paper proposes a Machine Learning (ML)-based SQLi detection and prevention framework that combines hybrid feature representation, supervised dimensionality reduction, Genetic Algorithm (GA)-based hyperparameter optimization, and real-time WAF validation. Multiple public SQLi datasets were merged, cleaned, and deduplicated to improve exposure to diverse query patterns. SQL queries were encoded using Term Frequency–Inverse Document Frequency (TF-IDF), Word2Vec, and FastText features, which were fused and transformed through a Supervised Autoencoder into a compact discriminative representation. GA was then employed to optimize multiple classifiers, including Random Forest (RF), Support Vector Machine (SVM), Decision Tree (DT), and Multi-Layer Perceptron (MLP). The MLP achieved the best overall performance, with an accuracy of 0.998681. The optimized model was deployed within a lightweight Flask-based WAF for real-time Hypertext Transfer Protocol (HTTP) request inspection and malicious input blocking. SQLMap v1.8.4-based robustness testing and runtime analysis demonstrate that the proposed framework provides effective SQLi prevention with practical deployment efficiency beyond conventional offline benchmark evaluation.
(This article belongs to the Section ICT Infrastructures for Cybersecurity)

15 pages, 743 KB  
Article
Exploiting Jolokia for Remote Code Execution: A Cybersecurity Analysis of CVE-2023-50780 in Apache ActiveMQ Artemis
by Alexandru Răzvan Căciulescu, Matei Bădănoiu, Răzvan Rughiniș and Dinu Țurcanu
Computers 2026, 15(6), 367; https://doi.org/10.3390/computers15060367 - 4 Jun 2026
Viewed by 194
Abstract
Java middleware platforms expose powerful management functions through HTTP-accessible interfaces such as Jolokia. This article discusses the analysis of CVE-2023-50780 in Apache ActiveMQ Artemis by framing the vulnerability as a management-plane state-transition problem rather than as a set of isolated exploit recipes. We analyze three remote-code-execution paths that combine Jolokia-accessible MBeans with Log4J2 configuration mutability, Artemis filesystem and deployment semantics, broker or web-server restart behavior, and, in one vector, the Java DiagnosticCommand interface. The study defines a formal attacker model; separates demonstrated preconditions from deployment-dependent assumptions; compares the three vectors across required privileges, network dependencies, writable artifacts, execution triggers, reliability, detection opportunities, and mitigations; and evaluates defensive controls at the level of the exploit stage they interrupt. The paper also clarifies the responsible-disclosure context and reduces operational payload detail in favor of defender-oriented evidence, validation tables, and architectural analysis. The resulting contribution is a reproducible but bounded case study of how legitimate administrative operations can compose into code execution when management interfaces are exposed without sufficient privilege separation, MBean restriction, filesystem hardening, and upgrade controls.
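The abstract stresses detection opportunities per exploit stage rather than payloads. The script below is added here as a defender-side illustration; it is not code, a payload or an exploit step from the article. It parses Jolokia requests in both their GET-path and POST-JSON forms and alerts when a state-changing operation (`exec` or `write`) targets an MBean family that can change broker or JVM behaviour. The sensitive-MBean patterns, severity levels and log lines are assumptions constructed for this example and should be tuned against the real MBean inventory of the deployment.

```python
# Added defender-side example, not code from the article and not an exploit: it
# classifies Jolokia management requests by operation type and target MBean so that
# state-changing calls against high-risk MBeans raise an alert. The sensitive-MBean
# patterns, severities and log lines are assumptions constructed for illustration.
import json
import re
from urllib.parse import unquote

# Assumed high-risk targets; extend from the broker's real MBean inventory.
SENSITIVE = [
    (re.compile(r"^com\.sun\.management:type=DiagnosticCommand"), "jvm-diagnostic-command"),
    (re.compile(r"^org\.apache\.logging\.log4j2:"), "log4j2-config-mutation"),
    (re.compile(r"^org\.apache\.activemq\.artemis:"), "broker-management"),
]
MUTATING = {"exec", "write"}           # request types that change server state
RECON = {"list", "search", "version"}  # enumeration; cheap early-warning signal

def _unescape(seg):
    """Jolokia path escaping: '!/' encodes '/', '!!' encodes '!'."""
    return unquote(seg).replace("!/", "/").replace("!!", "!")

def parse_get(path):
    """'/jolokia/<type>/<mbean>/<rest...>' -> request dict; None for non-Jolokia paths."""
    m = re.match(r"^/jolokia/([a-z]+)(?:/(.*))?$", path)
    if not m:
        return None
    op, rest = m.group(1), m.group(2) or ""
    parts = [_unescape(p) for p in re.split(r"(?<!!)/", rest)] if rest else []
    req = {"type": op, "mbean": parts[0] if parts else None}
    if op == "exec" and len(parts) > 1:
        req["operation"], req["arguments"] = parts[1], parts[2:]
    elif op in ("read", "write") and len(parts) > 1:
        req["attribute"] = parts[1]
    return req

def parse_post(body):
    """A Jolokia POST body is one request object or a JSON list of them."""
    data = json.loads(body)
    return data if isinstance(data, list) else [data]

def classify(req):
    """(severity, reason) for a single request."""
    op = req.get("type", "")
    mbean = req.get("mbean") or ""
    tags = [tag for pat, tag in SENSITIVE if pat.match(mbean)]
    target = req.get("operation") or req.get("attribute") or ""
    if op in MUTATING and tags:
        return "high", f"{op} on {tags[0]}: {mbean} {target}".strip()
    if op in MUTATING:
        return "medium", f"{op} on {mbean} {target}".strip()
    if op in RECON:
        return "low", f"{op} enumeration"
    return "info", f"{op} {mbean}".strip()

def scan(log_lines):
    """Constructed line format: '<client> <METHOD> <path> [<json body>]'."""
    alerts = []
    for line in log_lines:
        client, method, path, *body = line.split(" ", 3)
        if method == "GET":
            req = parse_get(path)
            reqs = [req] if req else []
        else:
            reqs = parse_post(body[0]) if body else []
        for r in reqs:
            sev, why = classify(r)
            if sev in ("high", "medium"):
                alerts.append((client, sev, why))
    return alerts

SAMPLE_LOG = [  # constructed, not real traffic
    "10.0.0.5 GET /jolokia/version",
    "10.0.0.5 GET /jolokia/read/java.lang:type=Memory/HeapMemoryUsage",
    '10.0.0.9 POST /jolokia/ {"type":"exec","mbean":"com.sun.management:type=DiagnosticCommand","operation":"help","arguments":[]}',
    '10.0.0.9 POST /jolokia/ {"type":"write","mbean":"org.apache.logging.log4j2:type=1a2b3c","attribute":"ConfigLocationUri","value":"file:///srv/app/log4j2.xml"}',
    "10.0.0.9 GET /jolokia/exec/org.apache.activemq.artemis:broker=%22localhost%22/forceFailover",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The useful property is that the alert fires on the management operation itself, before any restart or deployment step turns a written artifact into code execution; read and enumeration calls stay at low severity so the rule does not drown in routine monitoring traffic. Pair it with a Jolokia policy that denies `exec`/`write` on the same MBean families, so detection and prevention agree on what is sensitive.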

41 pages, 3933 KB  
Article
Hybrid Architecture for Protected Data Communication Inside the Private Cloud
by Biswaranjan Senapati, Lalit Narayan Mishra, Awad Bin Naeem and Amit J. Rangari
Cryptography 2026, 10(3), 36; https://doi.org/10.3390/cryptography10030036 - 2 Jun 2026
Viewed by 360
Abstract
Private cloud object stores provide infrastructure isolation but leave application-layer data exposed to insider threats and compromised credentials. This paper presents an engineering integration of an Add-Rotate-XOR (ARX) block cipher and multi-bit Least Significant Bit (LSB) steganography into an end-to-end pipeline for private MinIO object storage. The cipher, KREA v2, is a SPECK-64/128 derived ARX construction with three application-driven choices: CRC32 key whitening, byte-aligned rotations (α=7, β=2), and deterministic CTR-mode nonces. Mixed Integer Linear Programming (MILP) trail analysis matches SPECK-64/128’s minimum-trail weights through rounds 1–4. KREA v2 ciphertext meets standard keystream-quality preconditions (NIST SP 800-22 battery, 49.98% mean avalanche, Shannon entropy 7.9992–7.9998 bits/byte across realistic XML, JSON, video, and HTTP/2 payloads). Modified LSB (MLSB) embeds 3 bits per RGB channel with an XOR watermark at 37–38 dB Peak Signal-to-Noise Ratio (PSNR), providing 3× standard-LSB capacity. Steganalysis uses chi-square and RS detectors plus a Convolutional Neural Network (CNN) detector (Yedroudj-Net) trained on 8000 BOSSBase-1.01 cover/stego pairs; CNN area under the ROC curve is ≥0.999 against the watermarked variant. The MinIO pipeline runs at 355.1 ms (68.6% network I/O) with 100% message fidelity. The XOR watermark increases RS detectability above 75% capacity; a 200-image ablation cuts median RS detection (0.289 to 0.000) and mean (0.342 to 0.130) in a sparse-keystream variant, prioritised for follow-on full-scale evaluation. The architecture is offered as a documented engineering integration with explicit security caveats and threat-model boundaries, not as a production-hardened cryptographic primitive.
(This article belongs to the Special Issue Emerging Topics in Hardware Security (2nd Edition))

41 pages, 1267 KB  
Article
An Adaptive Rule-Based Engine for Application-Layer Security
by Mihai-Cătălin Cujbă, Costin-Gabriel Chiru, Ion Bica and Iulian Tiţă
Appl. Sci. 2026, 16(11), 5220; https://doi.org/10.3390/app16115220 - 22 May 2026
Viewed by 276
Abstract
We present a composable, pipeline-based rules engine for detecting application-level intrusions in HTTP traffic with adaptive rule generation capabilities. Rules are expressed in JSON and chain multi-step decoders (Base64, hex, XOR, zlib, gzip) with matching primitives (word boundaries, regular expressions, substring sets) to detect obfuscated payloads. To enable adaptation to novel attack patterns, we integrate a large language model (LLM) component as a second-opinion layer that automatically generates validated detection rules for previously unseen threats, combining the adaptability of machine learning with the interpretability of explicit rules. We evaluate the system on two standard benchmarks (CSIC 2010 and HttpParamsDataset) and present a head-to-head comparison with ModSecurity and the OWASP Core Rule Set, achieving 98.1% and 98.3% detection rates with F1 scores above 0.97 on both datasets while maintaining false positive rates below 0.51%.
(This article belongs to the Special Issue Novel Approaches for Cybersecurity and Cyber Defense)

28 pages, 1067 KB  
Article
A Lightweight Cascade-Based Framework for Real-Time Zero-Day Attack Detection
by Alpamis Kutlimuratov, Furkat Rakhmatov, Jamshid Khamzaev, Islambek Saymanov, Piratdin Allayarov, Gamzatdin Bekbaev, Shavkat Otamurodov and Fazliddin Makhmudov
Computers 2026, 15(3), 174; https://doi.org/10.3390/computers15030174 - 8 Mar 2026
Cited by 1 | Viewed by 984
Abstract
Zero-day intrusion detection is still a difficult task because of the difference between high laboratory precision and real-time deployability under strict operational constraints. This paper proposes a lightweight two-stage cascade architecture that is specifically designed for CPU-only environments and strict zero-day evaluation. The proposed architecture only uses statistical and flow-level metadata attributes, which are independent of payload analysis, to ensure compatibility with encrypted traffic. The first stage of the proposed architecture is precision oriented to detect potentially malicious traffic with a low decision threshold, and the second stage is precision oriented to enhance classification and remove false positives. To avoid optimistic bias, a strict attack-type separation protocol is employed, where testing attack types are strictly prohibited from training. The proposed method is tested on three benchmark datasets: CSIC 2012 (HTTP level), UNSW-NB15 (intra-domain), and CSE-CIC-IDS2018 (cross-domain). The experimental results show the excellent intra-domain zero-day detection capability (up to 94.81% accuracy with 0.50% FPR), controllable performance degradation in the cross-domain setting (80.53% accuracy with near-zero FPR), and extremely low FP rates on all datasets. The system provides microsecond-level inference latency (0.002–0.006 ms), a throughput of up to 470,000 requests per second, and memory usage below 6.2 MB without GPU support. These results confirm the significance of architectural optimization and thorough evaluation in building efficient zero-day detection systems.
(This article belongs to the Special Issue Multimedia Data and Network Security)

17 pages, 1209 KB  
Article
An Adaptive Protocol Selection Framework for Energy-Efficient IoT Communication: Dynamic Optimization Through Context-Aware Decision Making
by Dmitrij Żatuchin and Maksim Azarskov
Informatics 2025, 12(4), 125; https://doi.org/10.3390/informatics12040125 - 17 Nov 2025
Cited by 3 | Viewed by 2638
Abstract
The rapid growth of Internet of Things (IoT) deployments has created an urgent need for energy-efficient communication strategies that can adapt to dynamic operational conditions. This study presents a novel adaptive protocol selection framework that dynamically optimizes IoT communication energy consumption through context-aware decision making, achieving up to 34% energy reduction compared to static protocol selection. The framework is grounded in a comprehensive empirical evaluation of three widely used IoT communication protocols—MQTT, CoAP, and HTTP—using Intel’s Running Average Power Limit (RAPL) for precise energy measurement across varied network conditions including packet loss (0–20%) and latency variations (1–200 ms). Our key contribution is the design and validation of an adaptive selection mechanism that employs multi-criteria decision making with hysteresis control to prevent oscillation, dynamically switching between protocols based on six runtime metrics: message frequency, payload size, network conditions, packet loss rate, available energy budget, and QoS requirements. Results show MQTT consumes only 40% of HTTP’s energy per byte at high volumes (>10,000 messages), while HTTP remains practical for low-volume traffic (<10 msg/min). A novel finding reveals receiver nodes consistently consume 15–20% more energy than senders, requiring new design considerations for IoT gateways. The framework demonstrates robust performance across simulated real-world conditions, maintaining 92% of optimal performance while requiring 85% less computation than machine learning approaches. These findings offer actionable guidance for IoT architects and developers, positioning this work as a practical solution for energy-aware IoT communication in production environments.

22 pages, 1000 KB  
Article
DualAC2NN: Revisiting and Alleviating Alert Fatigue from the Detection Perspective
by Gang Yang, Chaojing Tang and Xingtong Liu
Symmetry 2022, 14(10), 2138; https://doi.org/10.3390/sym14102138 - 13 Oct 2022
Cited by 10 | Viewed by 3991
Abstract
The exponential expansion of Internet interconnectivity has led to a dramatic increase in cyber-attack alerts, which contain a considerable proportion of false positives. The overwhelming number of false positives causes tremendous resource consumption and delays responses to the really severe incidents, namely, alert fatigue. To cope with the challenge from alert fatigue, we focus on enhancing the capability of detectors to reduce the generation of false alerts from the detection perspective. The core idea of our work is to train a machine-learning-based detector to grasp the empirical intelligence of security analysts to estimate the feasibility of an incoming HTTP request to cause substantial threats, and integrate the estimation into the detection stage to reduce false alarms. To this end, we innovatively introduce the concept of attack feasibility to characterize the composition rationality of an inbound HTTP request as a feasible attack under static scrutinization. First, we adopt a fast request-reorganization algorithm to transform an HTTP request into the form of interface:payload pair for further alignment of structural components which can reveal the processing logic of the target program. Then, we build a dual-channel attention-based circulant convolution neural network (DualAC2NN) to integrate the attack feasibility estimation into the alert decision, by comprehensively considering the interface sensitivity, payload maliciousness, and their bipartite compatibility. Experiments on a real-world dataset show that the proposed method significantly reduces invalid alerts by around 86.37% and over 61.64% compared to a rule-based commercial WAF and several state-of-the-art methods, along with retaining a detection rate at 97.89% and a lower time overhead, which indicates that our approach can effectively mitigate alert fatigue from the detection perspective.

15 pages, 359 KB  
Article
A Payload Based Malicious HTTP Traffic Detection Method Using Transfer Semi-Supervised Learning
by Tieming Chen, Yunpeng Chen, Mingqi Lv, Gongxun He, Tiantian Zhu, Ting Wang and Zhengqiu Weng
Appl. Sci. 2021, 11(16), 7188; https://doi.org/10.3390/app11167188 - 4 Aug 2021
Cited by 17 | Viewed by 7882
Abstract
Malicious HTTP traffic detection plays an important role in web application security. Most existing work applies machine learning and deep learning techniques to build the malicious HTTP traffic detection model. However, they still suffer from the problems of huge training data collection cost and low cross-dataset generalization ability. Aiming at these problems, this paper proposes DeepPTSD, a deep learning method for payload based malicious HTTP traffic detection. First, it treats the malicious HTTP traffic detection as a text classification problem and trains the initial detection model using TextCNN on a public dataset, and then adapts the initial detection model to the target dataset based on a transfer learning algorithm. Second, in the transfer learning procedure, it uses a semi-supervised learning algorithm to accomplish the model adaptation task. The semi-supervised learning algorithm enhances the target dataset based on an HTTP payload data augmentation mechanism to exploit both the labeled and unlabeled data. We evaluate DeepPTSD on two real HTTP traffic datasets. The results show that DeepPTSD has competitive performance under the small data condition.
(This article belongs to the Topic Machine and Deep Learning)

25 pages, 1715 KB  
Article
Hfinger: Malware HTTP Request Fingerprinting
by Piotr Białczak and Wojciech Mazurczyk
Entropy 2021, 23(5), 507; https://doi.org/10.3390/e23050507 - 23 Apr 2021
Cited by 7 | Viewed by 8355
Abstract
Malicious software utilizes the HTTP protocol for communication purposes, creating network traffic that is hard to identify as it blends into the traffic generated by benign applications. To this aim, fingerprinting tools have been developed to help track and identify such traffic by providing a short representation of malicious HTTP requests. However, currently existing tools do not analyze all information included in the HTTP message or analyze it insufficiently. To address these issues, we propose Hfinger, a novel malware HTTP request fingerprinting tool. It extracts information from the parts of the request such as URI, protocol information, headers, and payload, providing a concise request representation that preserves the extracted information in a form interpretable by a human analyst. For the developed solution, we have performed an extensive experimental evaluation using real-world data sets and we also compared Hfinger with the most related and popular existing tools such as FATT, Mercury, and p0f. The conducted effectiveness analysis reveals that on average only 1.85% of requests fingerprinted by Hfinger collide between malware families, which is 8–34 times lower than existing tools. Moreover, unlike these tools, in default mode, Hfinger does not introduce collisions between malware and benign applications and achieves this by increasing the number of fingerprints by at most 3 times. As a result, Hfinger can effectively track and hunt malware by providing more unique fingerprints than other standard tools.
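The trade-off the abstract describes, a fingerprint that keeps enough request structure (URI shape, header order, payload characteristics) to separate families while dropping the per-sample values that would make every beacon unique, can be shown with a small fingerprinter. The block below is an added example inspired by that design; it is not Hfinger's code and does not reproduce Hfinger's feature set or output format. The features, encoding and the three sample requests (two beacons from a made-up family and one browser request) are assumptions constructed for the illustration.

```python
# Added example: an Hfinger-inspired HTTP request fingerprinter (not Hfinger's own
# code or output format; the feature set and encoding are assumptions). It keeps
# structure (method, URI shape, header order, payload characteristics) and drops
# per-sample values, so two beacons of one family collide while a browser does not.
import hashlib
import math
import re
from urllib.parse import parse_qsl, urlsplit

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, ordered headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body

def entropy(data):
    """Shannon entropy in bits per symbol (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def uri_shape(target):
    """Path depth, file extension and sorted query key names; query values are dropped."""
    parts = urlsplit(target)
    segs = [s for s in parts.path.split("/") if s]
    ext = segs[-1].rsplit(".", 1)[1].lower() if segs and "." in segs[-1] else ""
    keys = ",".join(sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return f"{len(segs)}|{ext}|{keys}"

def header_shape(headers):
    """Ordered lower-cased header names, hashed to 8 hex chars (non-cryptographic use),
    plus a coarse User-Agent class; header values other than UA are ignored."""
    names = [n.lower() for n, _ in headers]
    ua = {n.lower(): v for n, v in headers}.get("user-agent", "")
    ua_class = "none" if not ua else ("browser" if re.search(r"Mozilla/\d", ua) else "custom")
    return hashlib.sha1(",".join(names).encode()).hexdigest()[:8] + "|" + ua_class

def payload_shape(body):
    """log2 length bucket and integer entropy class, so exact bytes do not matter."""
    bucket = int(math.log2(len(body))) if body else 0
    return f"{bucket}|{int(entropy(body))}"

def fingerprint(raw):
    method, target, version, headers, body = parse_request(raw)
    return "|".join([method, version, uri_shape(target), header_shape(headers), payload_shape(body)])

# Constructed samples: two beacons of a fictitious family differing only in values.
BEACON_A = ("POST /gate.php?id=1a2b HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: mozilla\r\n"
            "Content-Type: application/octet-stream\r\nContent-Length: 24\r\n\r\n"
            "3f9a1c7e5b2d8840a6e1f03c")
BEACON_B = ("POST /gate.php?id=9f3e HTTP/1.1\r\nHost: 198.51.100.7\r\nUser-Agent: mozilla\r\n"
            "Content-Type: application/octet-stream\r\nContent-Length: 24\r\n\r\n"
            "b07e2c9d4a1f6e8853c0d2a7")
BROWSER = ("GET /index.html?utm=1 HTTP/1.1\r\nHost: www.example.com\r\n"
           "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0\r\nAccept: text/html\r\n"
           "Accept-Language: en-US\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("beacon A", BEACON_A), ("beacon B", BEACON_B), ("browser", BROWSER)):
        print(f"{name:9s} {fingerprint(req)}")
```

The choice of what to bucket is the whole game: hashing the exact header names in order is stable across a family's samples but brittle against a family that randomises header order, while rounding payload length and entropy to coarse classes is what lets the two beacons collide despite different bodies. Loosen a feature and cross-family collisions rise; tighten it and the fingerprint count explodes, which is the balance the abstract's 1.85% collision rate and at-most-3x fingerprint growth are quantifying.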
