WEB VULNERABILITIES DETECTION USING A HYBRID MODEL OF CNN, GRU AND ATTENTION MECHANISM
DOI: https://doi.org/10.25271/sjuoz.2025.13.1.1404
Keywords: CNN, Web vulnerabilities, Deep Learning, XSS, SQL injection
Abstract
The frequency of cyber-attacks has been rising in recent years because startup developers have overlooked security issues in core web services. This has raised serious concerns about the security of the web. Therefore, this paper proposes a hybrid model built on Convolutional Neural Networks (CNN), Gated Recurrent Units (GRU) and an attention mechanism to detect vulnerabilities in application code. In particular, the model can help detect attacks based on Structured Query Language Injection (SQLi), Cross-Site Scripting (XSS), and command injection. On the SXCM1 dataset, our model achieved 99.77%, 99.66% and 99.63% for training, validation and testing, respectively. The results on the DPU-WVD dataset are even better: 99.97%, 99.98% and 99.99% for training, validation and testing, respectively. These results significantly outperform the state-of-the-art models, and the model can reliably identify vulnerabilities in web applications. Through training on both the SXCM1 and DPU-WVD datasets, the model achieved an accuracy rate of 99.99%. The results show that this combined model is highly effective at recognizing three vulnerability categories and surpasses cutting-edge models, which usually specialize in just one type of vulnerability detection.
License
Copyright (c) 2025 Sarbast H. Ali, Arman I. Mohammed, Sarwar MA. Mustafa, Sardar Omar Salih

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License [CC BY-NC-SA 4.0] that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work, with an acknowledgment of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online.