DOI: 10.3390/app16126276 ISSN: 2076-3417

SmartWAF: Real-Time Web Threat Detection Using a Pretrained GRU Model and ModSecurity Integration

Cristian Chindrus, Constantin-Florin Caruntu

The growing complexity of web attacks highlights the need for adaptive, intelligent defense systems that overcome the limitations of traditional rule-based web security. Thus, the architecture proposed in this paper integrates data-driven deep learning with deterministic rule-based logic to enhance real-time detection accuracy and adaptability in dynamic web threat environments. The practical integration of a deep learning-based Gated Recurrent Unit (GRU) model with ModSecurity, an open-source Web Application Firewall (WAF), is employed to improve the detection and classification of malicious HTTP requests. The model, pre-trained on a large, labeled, up-to-date dataset of web traffic and attack types collected post-2020, is designed to classify requests in real time, identifying both whether a request is malicious and the corresponding attack category (e.g., SQL Injection, Cross-Site Scripting, Command Injection). We demonstrate how the trained model is incorporated into ModSecurity’s inspection pipeline, allowing it to analyze real-time web traffic alongside traditional rule-based inspection. This hybrid approach aims to significantly reduce false positives and improve adaptability to new attack patterns. Evaluation metrics such as accuracy, receiver operating characteristic (ROC), area under the curve (AUC), Principal Component Analysis (PCA), confusion matrix, and t-Distributed Stochastic Neighbor Embedding (t-SNE) visualization are discussed, along with performance considerations and implementation architecture. The integration presents a robust framework for ML-improved intelligent web security defense.
