Web applications increasingly face evasive and polymorphic attack payloads, yet traditional web application firewalls (WAFs) based on static rule sets such as the OWASP Core Rule Set (CRS) often miss obfuscated or zero-day patterns without extensive manual tuning. This work introduces WAMM, an AI-driven multiclass web attack detection framework designed to reveal the limitations of rule-based systems by reclassifying HTTP requests into OWASP-aligned categories for a specific technology stack. WAMM applies a multi-phase enhancement pipeline to the SR-BH 2020 dataset that includes large-scale deduplication, LLM-guided relabeling, realistic attack data augmentation, and LLM-based filtering, producing three refined datasets. Four machine and deep learning models are evaluated using a unified feature space built from statistical and text-based representations. Results show that using an augmented and LLM-filtered dataset on the same technology stack, XGBoost reaches 99.59% accuracy with microsecond-level inference while deep learning models degrade under noisy augmentation. When tested against OWASP CRS using an unseen augmented dataset, WAMM achieves true positive block rates between 96 and 100% with improvements of up to 86%. These findings expose gaps in widely deployed rule-based defenses and demonstrate that curated training pipelines combined with efficient machine learning models enable a more resilient, real-time approach to web attack detection suitable for production WAF environments.

翻译：Web应用日益面临规避性和多态性攻击载荷的威胁，然而基于静态规则集（如OWASP核心规则集CRS）的传统Web应用防火墙（WAF）常因缺乏大量人工调优而无法识别混淆或零日攻击模式。本研究提出WAMM——一种AI驱动的多类别Web攻击检测框架，通过将HTTP请求按特定技术栈重新分类至OWASP标准类别，以揭示基于规则的检测系统的局限性。WAMM对SR-BH 2020数据集实施多阶段增强流程，包括大规模去重、LLM引导的重标注、真实攻击数据增强及基于LLM的过滤，最终生成三个精炼数据集。研究采用基于统计特征与文本表征的统一特征空间，对四种机器学习和深度学习模型进行评估。结果表明：在同一技术栈上使用经增强和LLM过滤的数据集时，XGBoost模型达到99.59%的准确率且具备微秒级推理速度，而深度学习模型在噪声增强环境下性能下降。当使用未见过的增强数据集对OWASP CRS进行测试时，WAMM实现了96%至100%的真实阳性拦截率，最高提升幅度达86%。这些发现揭示了广泛部署的基于规则的防御体系存在的缺陷，并证明经过优化的训练流程与高效的机器学习模型相结合，能够为生产级WAF环境提供更具弹性、实时的Web攻击检测方案。