Text Classification
Scikit-learn
Joblib
Keras
English
cybersecurity
http-attack-detection
intrusion-detection
web-security
tfidf
xgboost
lightgbm
Instructions to use cycloevan/http-attack-classification with libraries, inference providers, notebooks, and local apps. Follow these links to get started.
- Libraries
- Scikit-learn
How to use cycloevan/http-attack-classification with Scikit-learn:
from huggingface_hub import hf_hub_download import joblib model = joblib.load( hf_hub_download("cycloevan/http-attack-classification", "sklearn_model.joblib") ) # only load pickle files from sources you trust # read more about it here https://skops.readthedocs.io/en/stable/persistence.html - Keras
How to use cycloevan/http-attack-classification with Keras:
# Available backend options are: "jax", "torch", "tensorflow". import os os.environ["KERAS_BACKEND"] = "jax" import keras model = keras.saving.load_model("hf://cycloevan/http-attack-classification") - Notebooks
- Google Colab
- Kaggle
Upload 12 files
Browse files- README.md +195 -0
- catboost.joblib +3 -0
- lgb_model.joblib +3 -0
- lstm_bidirectional.h5 +3 -0
- multinomial_nb.joblib +3 -0
- rf_basic.joblib +3 -0
- rf_gridsearch.joblib +3 -0
- rf_nltk.joblib +3 -0
- tdidf-svc.joblib +3 -0
- textcnn_model.h5 +3 -0
- xgb_char.joblib +3 -0
- xgb_word.joblib +3 -0
README.md
ADDED
|
@@ -0,0 +1,195 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
---
|
| 2 |
+
language:
|
| 3 |
+
- en
|
| 4 |
+
tags:
|
| 5 |
+
- text-classification
|
| 6 |
+
- cybersecurity
|
| 7 |
+
- http-attack-detection
|
| 8 |
+
- intrusion-detection
|
| 9 |
+
- web-security
|
| 10 |
+
- tfidf
|
| 11 |
+
- xgboost
|
| 12 |
+
- lightgbm
|
| 13 |
+
- sklearn
|
| 14 |
+
- keras
|
| 15 |
+
license: mit
|
| 16 |
+
metrics:
|
| 17 |
+
- accuracy
|
| 18 |
+
- f1
|
| 19 |
+
---
|
| 20 |
+
|
| 21 |
+
# HTTP Attack Classification Models
|
| 22 |
+
|
| 23 |
+
A collection of machine learning models for detecting and classifying HTTP-based cyber attacks from raw request logs.
|
| 24 |
+
Each model takes a raw HTTP request string as input and classifies it into one of 9 attack categories.
|
| 25 |
+
|
| 26 |
+
---
|
| 27 |
+
|
| 28 |
+
## Task
|
| 29 |
+
|
| 30 |
+
- **Task**: Multi-class Text Classification
|
| 31 |
+
- **Domain**: Network Security / Intrusion Detection
|
| 32 |
+
- **Input**: Raw HTTP request string (method, path, headers, body)
|
| 33 |
+
- **Output**: One of 9 attack type labels
|
| 34 |
+
|
| 35 |
+
---
|
| 36 |
+
|
| 37 |
+
## Attack Types
|
| 38 |
+
|
| 39 |
+
| Class | Description | Common Indicators |
|
| 40 |
+
|-------|-------------|-------------------|
|
| 41 |
+
| `Vulnerability_Scan` | Automated scanning for known vulnerabilities | sqlmap, nikto, nmap user-agents; repeated probing patterns |
|
| 42 |
+
| `System_Cmd_Execution` | OS command injection attempts | `\|`, `;`, `&&`, `wget`, `curl`, `/bin/sh`, `boot.ini` |
|
| 43 |
+
| `HOST_Scan` | Network host discovery and port scanning | Minimal headers, bare `GET /`, nmap scripting engine |
|
| 44 |
+
| `Path_Disclosure` | Directory traversal and file path exposure | `../`, `..%2F`, `/etc/passwd`, `/etc/shadow`, `/proc/` |
|
| 45 |
+
| `SQL_Injection` | SQL injection in query parameters | `UNION SELECT`, `OR 1=1`, `--`, `'`, boolean-based blind patterns |
|
| 46 |
+
| `Cross_Site_Scripting` | XSS payload injection | `<script>`, `onerror=`, `javascript:`, `alert()`, `prompt()` |
|
| 47 |
+
| `Automatically_Searching_Infor` | Automated information gathering | Crawlers, `/_vti_pvt/`, `robots.txt`, `sitemap.xml` probing |
|
| 48 |
+
| `Leakage_Through_NW` | Sensitive file access via network | Access to config files, logs, backups (`.ico`, `.conf`, `.bak`) |
|
| 49 |
+
| `Directory_Indexing` | Browsing exposed directory listings | Trailing `/` on directory paths, source/workspace/src paths |
|
| 50 |
+
|
| 51 |
+
---
|
| 52 |
+
|
| 53 |
+
## Models
|
| 54 |
+
|
| 55 |
+
| File | Model | Feature Extraction | Test Accuracy | Notes |
|
| 56 |
+
|------|-------|--------------------|:-------------:|-------|
|
| 57 |
+
| `tdidf-svc.joblib` | TF-IDF + LinearSVC | word, default | 87.4% | Best generalization |
|
| 58 |
+
| `xgb_char.joblib` | TF-IDF + XGBoost | char, ngram(1,2), max_features=1024 | **88.5%** | Best local accuracy |
|
| 59 |
+
| `xgb_word.joblib` | TF-IDF + XGBoost | word, NLTK tokenizer | 86.7% | |
|
| 60 |
+
| `lgb_model.joblib` | TF-IDF + LightGBM | word, NLTK tokenizer | 86.5% | |
|
| 61 |
+
| `rf_nltk.joblib` | TF-IDF + RandomForest | word, NLTK, n_estimators=1000 | 84.8% | |
|
| 62 |
+
| `rf_gridsearch.joblib` | TF-IDF + RandomForest | word, GridSearchCV best | 83.6% | best: max_depth=None, n_estimators=150 |
|
| 63 |
+
| `rf_basic.joblib` | TF-IDF + RandomForest | word, default | 83.3% | |
|
| 64 |
+
| `catboost.joblib` | TF-IDF + CatBoost | word, NLTK tokenizer | 83.0% | |
|
| 65 |
+
| `multinomial_nb.joblib` | CountVectorizer + MultinomialNB | word, default | 67.5% | Baseline |
|
| 66 |
+
| `lstm_bidirectional.h5` | BiLSTM | Keras Tokenizer, maxlen=216 | 85.2% | Requires Keras/TF |
|
| 67 |
+
| `textcnn_model.h5` | TextCNN | Keras Tokenizer, maxlen=256 | 86.1% | Requires Keras/TF |
|
| 68 |
+
|
| 69 |
+
---
|
| 70 |
+
|
| 71 |
+
## Usage
|
| 72 |
+
|
| 73 |
+
### Preprocessing
|
| 74 |
+
|
| 75 |
+
```python
|
| 76 |
+
import urllib.parse
|
| 77 |
+
|
| 78 |
+
def preprocess(payload: str) -> str:
|
| 79 |
+
return urllib.parse.unquote_plus(payload)
|
| 80 |
+
```
|
| 81 |
+
|
| 82 |
+
### sklearn-based models (joblib)
|
| 83 |
+
|
| 84 |
+
Applies to: `tdidf-svc.joblib`, `xgb_char.joblib`, `xgb_word.joblib`, `lgb_model.joblib`, `rf_*.joblib`, `catboost.joblib`, `multinomial_nb.joblib`
|
| 85 |
+
|
| 86 |
+
Each file is a scikit-learn Pipeline with the vectorizer and classifier bundled together β raw text can be passed directly.
|
| 87 |
+
|
| 88 |
+
```python
|
| 89 |
+
import joblib
|
| 90 |
+
|
| 91 |
+
model = joblib.load("xgb_char.joblib")
|
| 92 |
+
|
| 93 |
+
payloads = [
|
| 94 |
+
"GET /../../../../etc/passwd HTTP/1.1\r\nHost: 10.0.0.1\r\n",
|
| 95 |
+
"GET /search?q=' OR 1=1-- HTTP/1.1\r\nHost: example.com\r\n",
|
| 96 |
+
]
|
| 97 |
+
predictions = model.predict(payloads)
|
| 98 |
+
print(predictions)
|
| 99 |
+
# ['Path_Disclosure', 'SQL_Injection']
|
| 100 |
+
```
|
| 101 |
+
|
| 102 |
+
### Keras-based models (.h5)
|
| 103 |
+
|
| 104 |
+
```python
|
| 105 |
+
import numpy as np
|
| 106 |
+
from tensorflow.keras.models import load_model
|
| 107 |
+
from tensorflow.keras.preprocessing.sequence import pad_sequences
|
| 108 |
+
import joblib
|
| 109 |
+
|
| 110 |
+
model = load_model("lstm_bidirectional.h5") # or textcnn_model.h5
|
| 111 |
+
tokenizer = joblib.load("tokenizer.joblib") # must be saved separately during training
|
| 112 |
+
|
| 113 |
+
payloads = ["GET /../../../../etc/passwd HTTP/1.1\r\nHost: 10.0.0.1"]
|
| 114 |
+
sequences = tokenizer.texts_to_sequences(payloads)
|
| 115 |
+
padded = pad_sequences(sequences, maxlen=216) # maxlen=256 for TextCNN
|
| 116 |
+
|
| 117 |
+
pred = model.predict(padded)
|
| 118 |
+
label_idx = np.argmax(pred, axis=1)
|
| 119 |
+
print(label_idx)
|
| 120 |
+
```
|
| 121 |
+
|
| 122 |
+
---
|
| 123 |
+
|
| 124 |
+
## Evaluation
|
| 125 |
+
|
| 126 |
+
### Per-model summary
|
| 127 |
+
|
| 128 |
+
| Model | Accuracy | Macro F1 | Weakest Class (F1) |
|
| 129 |
+
|-------|:--------:|:--------:|--------------------|
|
| 130 |
+
| TF-IDF + XGBoost (char) | 88.5% | 0.92 | System_Cmd_Execution (0.84) |
|
| 131 |
+
| TF-IDF + LinearSVC | 87.4% | β | System_Cmd_Execution |
|
| 132 |
+
| TF-IDF + XGBoost (word) | 86.7% | 0.90 | System_Cmd_Execution (0.83) |
|
| 133 |
+
| TF-IDF + LightGBM | 86.5% | 0.91 | System_Cmd_Execution (0.83) |
|
| 134 |
+
| TextCNN | 86.1% | 0.89 | System_Cmd_Execution (0.79) |
|
| 135 |
+
| BiLSTM | 85.2% | 0.89 | System_Cmd_Execution (0.78) |
|
| 136 |
+
|
| 137 |
+
### Per-class observations
|
| 138 |
+
|
| 139 |
+
- **Easiest classes**: `Automatically_Searching_Infor` and `Leakage_Through_NW` achieve F1 β₯ 0.99 across all models β highly distinctive tool signatures (nmap, crawlers) and file access patterns make them trivial to separate.
|
| 140 |
+
- **Hardest class**: `System_Cmd_Execution` consistently scores the lowest F1 (0.75β0.84) due to pattern overlap with `Vulnerability_Scan`. Both classes involve probing behavior with similar HTTP structure.
|
| 141 |
+
- **char-level XGBoost advantage**: Sub-word character n-grams capture attack-specific tokens like `../`, `<script>`, `UNION` more robustly than word tokenization, especially for obfuscated payloads.
|
| 142 |
+
|
| 143 |
+
---
|
| 144 |
+
|
| 145 |
+
## Architecture Details
|
| 146 |
+
|
| 147 |
+
### BiLSTM
|
| 148 |
+
|
| 149 |
+
```
|
| 150 |
+
Embedding(22,883 vocab, dim=100, maxlen=216)
|
| 151 |
+
β Bidirectional(LSTM(64)) β LSTM(32) β Dense(512) β Dense(9, softmax)
|
| 152 |
+
```
|
| 153 |
+
|
| 154 |
+
- EarlyStopping(monitor=val_accuracy, patience=3) β triggered at epoch 20
|
| 155 |
+
- Saved: `lstm_bidirectional.h5` (28 MB)
|
| 156 |
+
|
| 157 |
+
### TextCNN
|
| 158 |
+
|
| 159 |
+
```
|
| 160 |
+
Embedding(20,000 vocab, dim=128, maxlen=256)
|
| 161 |
+
β Conv1D(128, kernel=3) ββ
|
| 162 |
+
β Conv1D(128, kernel=4) βββ GlobalMaxPool β Concat(384) β Dense(256) β Dropout(0.3) β Dense(9, softmax)
|
| 163 |
+
β Conv1D(128, kernel=5) ββ
|
| 164 |
+
Total params: 2.86M
|
| 165 |
+
```
|
| 166 |
+
|
| 167 |
+
- EarlyStopping(monitor=val_loss, patience=3) β triggered at epoch 5
|
| 168 |
+
- Saved: `textcnn_model.h5` (33 MB)
|
| 169 |
+
|
| 170 |
+
---
|
| 171 |
+
|
| 172 |
+
## Key Findings
|
| 173 |
+
|
| 174 |
+
- **TF-IDF outperforms deep learning** on HTTP attack data: attack patterns rely on decisive keywords (`UNION SELECT`, `../`, `<script>`, `wget`). Bag-of-words representations capture these directly, while sequential models can be distracted by irrelevant header noise.
|
| 175 |
+
- **char-level features beat word-level**: Character n-grams handle URL encoding variations and partial token matches more effectively (e.g., `%3Cscript%3E` vs `<script>`).
|
| 176 |
+
- **Class imbalance effect**: `Vulnerability_Scan` dominates at 37.5% β models tend to over-predict this class for ambiguous samples.
|
| 177 |
+
|
| 178 |
+
---
|
| 179 |
+
|
| 180 |
+
## Environment
|
| 181 |
+
|
| 182 |
+
| Item | Value |
|
| 183 |
+
|------|-------|
|
| 184 |
+
| Python | 3.12 |
|
| 185 |
+
| scikit-learn | 1.x |
|
| 186 |
+
| XGBoost | 3.2.0 |
|
| 187 |
+
| LightGBM | 4.6.0 |
|
| 188 |
+
| CatBoost | 1.2.10 |
|
| 189 |
+
| TensorFlow / Keras | 2.x |
|
| 190 |
+
|
| 191 |
+
---
|
| 192 |
+
|
| 193 |
+
## License
|
| 194 |
+
|
| 195 |
+
MIT License
|
catboost.joblib
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:f0f127d164756f6c9621f3ce165eaca26006ca945d782d340a7c1fb6f4077065
|
| 3 |
+
size 3948333
|
lgb_model.joblib
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:6aaebbf1eaf85d1f7c2bf98cda725c5f28acb91d159fc14c8a730d7ca10c1317
|
| 3 |
+
size 17148844
|
lstm_bidirectional.h5
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:a601f20e63cc378f7a4b67da8e8e7da681be4788c71b175eeaf7bdbd60d8cf22
|
| 3 |
+
size 29036848
|
multinomial_nb.joblib
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:260db5462fc57f98443317a0d8bc6c0431d165d53934dcad2672538d8f7293d2
|
| 3 |
+
size 2828655
|
rf_basic.joblib
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:fad53ec475bbf7393970a379a5a6dc7561f5822bf50e64462bd2fe5c2625be7c
|
| 3 |
+
size 152076897
|
rf_gridsearch.joblib
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:df3cb6212b3e6708d2bea9d89b76900eca65781e370b9f520b219da89e129b7a
|
| 3 |
+
size 228332049
|
rf_nltk.joblib
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:cf01be06c904a1a89aafe54e1e52db98cb3932c6901dc4c518db0f9f724060cd
|
| 3 |
+
size 1473269505
|
tdidf-svc.joblib
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:00bb97d77df10fcc2fdac74f4e1ecc28c4b5ce027225ba6b9f12b1fb110da0b0
|
| 3 |
+
size 46887692
|
textcnn_model.h5
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:447b514d23f90a0be872d2296d180952a6966ee46d0b233098f2b1bb2c2626ed
|
| 3 |
+
size 34348792
|
xgb_char.joblib
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:8f7a3371ab9681bda9eec29759a922da686891807d1537737a102249da747bf1
|
| 3 |
+
size 15677296
|
xgb_word.joblib
ADDED
|
@@ -0,0 +1,3 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
version https://git-lfs.github.com/spec/v1
|
| 2 |
+
oid sha256:a5d48bf8342e44b5fe6c6755c14557d0028d8c9a02d79873291c8565af05b6b0
|
| 3 |
+
size 13866421
|