WAMS: Experimenting with an AI-Based Web Attack Monitoring System

The Challenge of Analyzing Server Logs

In enterprise web application operations, web servers like Nginx or Apache can generate millions of access log lines daily. Traditionally, system administrators rely on static analytical tools or perform exhausting manual grep queries to hunt for traces of hacking attempts (such as SQL Injection, Path Traversal, or XSS).

This method is incredibly slow and entirely unresponsive. Modern attackers rarely hack manually; they deploy botnets and distributed automated attacks. This is precisely why the concept of an Intrusion Detection System (IDS) was conceived: to monitor network traffic streams in real-time and issue alerting notifications as swiftly as possible when traffic anomalies occur.

Traffic Classification with Random Forest

A classical IDS security system (like Snort or ModSecurity) generally relies entirely on 'Signature-Based Detection', where the system rigidly matches incoming traffic against a database of known threats (regex rules). The fatal flaw: this method is entirely ineffective against new variant attacks or Zero-Day Exploits.

In this WAMS prototype experiment, I applied a cutting-edge anomaly-based approach utilizing one of the most robust Machine Learning algorithms: Random Forest. The model was trained using web traffic datasets (like the CSIC 2010 HTTP Dataset) that distinguish between normal HTTP request packets and those concealing malicious payloads.

The extracted features encompassed URL length, frequency of special characters, to payload size. Consequently, the ensemble model of this Random Forest can predictively classify which traffic patterns indicate a dangerous attack, even if those patterns have never existed in any conventional signature list.

The Crucial Role of LLM for Contextual Analysis

While Machine Learning excels at detecting hidden mathematical patterns, its log output (in the form of probabilities and flags) can sometimes be difficult and time-consuming for human teams to decipher. This is where the role of a Large Language Model (LLM) is integrated.

When Random Forest detects an attack, for instance, a complex SQL Injection attempt, the raw log is forwarded to an LLM agent (such as OpenAI GPT or Gemini API) utilizing specialized prompt engineering. The LLM then acts as a secondary Tier 2 SOC security analyst.

The LLM translates the raw log into a narrative: 'Detected a Union-Based SQL Injection exploit attempt from IP 192.168.1.1 on the product search parameter, aiming to dump the customer database. It is highly recommended to immediately block this IP on the WAF firewall.' This narrative drastically cuts down incident triage time (Incident Response).

Limitation: Detection Does Not Replace Hardening

To validate and calibrate the accuracy of this WAMS system, I conducted independent Penetration Testing (Pentest) to simulate real-world attacks and ensure WAMS didn't trigger an excessive amount of False Positives (flagging legitimate traffic as an attack).

However, it must be underlined that an IDS (Detection) is not an IPS (Prevention). WAMS serves solely as an intelligent Early Warning System. The presence of even the most advanced monitoring system must never substitute fundamental security hardening practices at the application coding level (such as prepared statements for SQLi and input sanitization) as well as robust web server configurations.