ML-WAF information technology for classification and blocking of injection attacks in a containerized Web environment
DOI: https://doi.org/10.30837/rt.2025.4.223.11
Keywords: cybersecurity, ML-WAF, injection attacks, SQLi, XSS, containerized web environment, Kubernetes, KNN, TF/IDF, MLOps
Abstract
This paper presents an adaptive ML-based Web Application Firewall (ML-WAF) designed for the classification and blocking of injection attacks in containerized web environments. The relevance of this work is driven by the widespread adoption of microservices, container orchestration, and Kubernetes, which significantly reshapes the requirements for securing HTTP(S) traffic. Traditional signature-based WAF solutions exhibit limited effectiveness against SQL Injection, Cross-Site Scripting, and Command Injection because these attacks are variable, context-dependent, and amenable to evasion techniques. The aim of the study is to develop and experimentally evaluate an ML-oriented web-filtering technology that provides high-accuracy detection of malicious HTTP(S) requests, low processing latency, and continuous model self-updating within an MLOps pipeline. To achieve this goal, the paper introduces conceptual, structural, functional, and information-logical models of the ML-WAF, along with UML representations (Use Case, Activity, Class, Sequence) that formalize the architecture, behaviour, and interactions between system components. The proposed technology incorporates a multi-stage processing pipeline, including TF/IDF vectorization with enriched features, a KNN classifier, a risk-based decision engine (ALLOW/SANDBOX/BLOCK), monitoring and logging subsystems, and automated model retraining. A hybrid method of integrating the ML component into a WAF in Kubernetes is proposed, combining an Ingress Controller, a dedicated ML-service, and a Horizontal Pod Autoscaler. This approach ensures high scalability and stable performance under varying workloads. The practical evaluation was conducted in a Kubernetes-based containerized environment using realistic SQLi and XSS datasets and load testing with Apache JMeter.
Experimental results demonstrate that the ML-WAF achieves a Precision of 0.95, Recall of 0.93, and an F₁-score of 0.94, with an average processing latency of 3.9 ms and a throughput of approximately 700 requests per second. The system reduced false positives to 2.3%, compared to 6.8% for ModSecurity, while scaling the ML-WAF to six Pods increased throughput by 27% without degrading classification quality. The presented results confirm that the proposed ML-WAF technology forms a robust foundation for next-generation AI-driven security gateways in cloud-native and containerized infrastructures.
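The pipeline named in the abstract (TF/IDF vectorization, a KNN classifier, and a risk-based ALLOW/SANDBOX/BLOCK decision) can be sketched as follows. This is an added example, not the authors' code: the training samples are constructed, the features are plain character trigrams rather than the paper's enriched features, and `k`, `sandbox_at` and `block_at` are assumed values.

```python
import math
from collections import Counter

# Constructed training samples (1 = injection, 0 = benign); not the paper's dataset.
TRAIN = [
    ("id=1' OR '1'='1' --", 1),
    ("q=1 UNION SELECT username, password FROM users", 1),
    ("name=<script>alert(1)</script>", 1),
    ("c=<img src=x onerror=alert(1)>", 1),
    ("id=42&sort=price", 0),
    ("q=red running shoes&page=2", 0),
    ("name=Alice Johnson&city=Lviv", 0),
    ("user=bob&lang=en&theme=dark", 0),
]

def trigrams(text):
    t = text.lower()
    return Counter(t[i:i + 3] for i in range(len(t) - 2))

class TfidfKnn:
    def __init__(self, samples, k=3):
        self.k = k
        docs = [trigrams(s) for s, _ in samples]
        df = Counter(g for d in docs for g in d)  # document frequency per trigram
        n = len(docs)
        self.idf = {g: math.log((1 + n) / (1 + c)) + 1 for g, c in df.items()}
        self.rows = [(self._vec(d), y) for d, (_, y) in zip(docs, samples)]

    def _vec(self, counts):
        # L2-normalised TF-IDF vector; trigrams unseen in training are dropped.
        v = {g: c * self.idf[g] for g, c in counts.items() if g in self.idf}
        norm = math.sqrt(sum(x * x for x in v.values())) or 1.0
        return {g: x / norm for g, x in v.items()}

    def risk(self, request):
        # Similarity-weighted share of malicious samples among the k nearest.
        q = self._vec(trigrams(request))
        sims = [(sum(w * v.get(g, 0.0) for g, w in q.items()), y) for v, y in self.rows]
        top = sorted(sims, reverse=True)[:self.k]
        total = sum(s for s, _ in top)
        return sum(s for s, y in top if y) / total if total else 0.0

def decide(risk, sandbox_at=0.15, block_at=0.6):
    # Thresholds are assumed values for this example, not taken from the paper.
    if risk >= block_at:
        return "BLOCK"
    return "SANDBOX" if risk >= sandbox_at else "ALLOW"

def classify(request, model=TfidfKnn(TRAIN)):
    return decide(model.risk(request))
```

A request that shares no trigram with the training set scores 0.0 in this sketch; a deployment would have to decide explicitly how such out-of-vocabulary input is routed.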
License
Authors who publish with this journal agree to the following terms:
1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).


