DOI : https://doi.org/10.5281/zenodo.20093050
- Open Access

- Authors : Adithya Krishna R, Athul P V, Arjun K, Ms. Subhaga K
- Paper ID : IJERTV15IS043845
- Volume & Issue : Volume 15, Issue 04 , April – 2026
- Published (First Online): 09-05-2026
- ISSN (Online) : 2278-0181
- Publisher Name : IJERT
- License:
This work is licensed under a Creative Commons Attribution 4.0 International License
SIEGEWALL
Adithya Krishna R
Department of Computer Science and Engineering (Cyber Security), Vimal Jyothi Engineering College, Chemperi, Kannur
Arjun K
Department of Computer Science and Engineering (Cyber Security) Vimal Jyothi Engineering College Chemperi, Kannur
Ms. Subhaga K
Assistant Professor Department of Computer Science Vimal Jyothi Engineering College, Chemperi, Kannur
Athul P V
Department of Computer Science and Engineering (Cyber Security) Vimal Jyothi Engineering College Chemperi, Kannur
Abstract – As web applications continue to expand in scale and complexity, they increasingly become targets for sophisticated cyber threats that traditional security measures often struggle to mitigate effectively. SiegeWall introduces a robust security solution by providing a Software-as-a-Service (SaaS) based Web Application Firewall (WAF) designed to safeguard web applications and their services from malicious attacks. Operating as a reverse proxy, SiegeWall sits between the client and the web server, continuously monitoring and filtering all incoming requests before they reach the application. When suspicious or malicious traffic is detected, the system blocks the request in real time, preventing any potential damage to the server or application. SiegeWall maintains detailed logs of detected threats, including source IP addresses and attack patterns, enabling effective threat tracking, analysis, and monitoring. IP addresses identified as malicious are automatically and permanently blocked, reducing the likelihood of repeated attacks. Additionally, the platform incorporates adaptive learning mechanisms that allow it to evolve alongside emerging threats and new attack vectors. By combining real-time traffic inspection, automated threat blocking, and intelligent monitoring, SiegeWall delivers a resilient and scalable security layer. Its user-friendly design and seamless integration require minimal configuration, making it suitable for both individual developers and enterprise-level organizations seeking reliable web application protection.
Index Terms – Operating System Security, Behavioral Analysis, Zero-Day Defense, Local AI, Privacy-Preserving Computing, Malware Detection, Proactive Defense
INTRODUCTION
The rapid evolution of web technologies and digital services has necessitated a fundamental shift in how web applications are secured and managed. Modern computing environments are no longer limited to standalone systems; they have expanded into cloud platforms, distributed architectures, and large-scale online services. However, as web applications become more interconnected and accessible, they also become highly vulnerable to sophisticated cyber threats such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and distributed denial-of-service (DDoS) attacks. Traditional security mechanisms, which primarily rely on static rule-based firewalls and signature detection, often fail to provide adequate protection against evolving and unknown threats.
Significant research has been conducted to enhance web application security using intelligent and adaptive techniques. Maheshwari et al. proposed an adaptive Web Application Firewall capable of detecting multiple types of web attacks through dynamic traffic analysis, improving detection accuracy and reducing reliance on manual rule updates. Similarly, Kumar et al. introduced a machine learning-based WAF designed for real-time threat detection by analyzing traffic behavior patterns, demonstrating improved adaptability compared to traditional systems. Further advancements were made by Durmuşkaya et al., who utilized machine learning models to classify web traffic and enhance detection performance, particularly against injection-based attacks.
Expanding on these approaches, Dawadi et al. explored the integration of deep learning techniques into WAF systems, demonstrating improved capability in detecting complex and evolving attack patterns with reduced false positives. Additionally, survey-based studies have highlighted the limitations of existing WAF solutions, including challenges in handling zero-day attacks, maintaining high detection accuracy, and ensuring scalability in cloud-based environments. These studies emphasize the need for more adaptive and intelligent security frameworks that can respond to dynamic threat landscapes.
The Gap: While existing solutions provide effective mechanisms for detecting known attacks and improving accuracy through machine learning, there is still a lack of a unified system that integrates real-time monitoring, rule-based filtering, and behavior-based anomaly detection within a scalable cloud-based architecture. Most traditional systems remain reactive in nature and are not fully capable of handling zero-day vulnerabilities or providing comprehensive visibility into web traffic. This gap highlights the need for a robust, intelligent, and scalable Web Application Firewall that can proactively detect, analyze, and mitigate modern web-based threats while ensuring high performance and usability.
OVERVIEW OF SIEGEWALL
SiegeWall is a comprehensive cloud-based Web Application Firewall (WAF) designed to bridge the gap between modern web security requirements and scalable application deployment. Unlike traditional firewalls that rely on static rule-based and reactive security mechanisms responding only after an attack is identified, SiegeWall is built on a proactive defense architecture. It is specifically engineered for modern web environments where applications are exposed to sophisticated threats such as SQL injection, cross-site scripting (XSS), zero-day attacks, and distributed denial-of-service (DDoS), which often bypass conventional security systems.
The system operates as a reverse proxy positioned between the client and the web server, enabling real-time monitoring and filtering of all incoming HTTP/HTTPS requests. SiegeWall integrates both rule-based filtering and machine learning-based behavior analysis using the K-Nearest Neighbors (KNN) algorithm to detect malicious activities. By analyzing request patterns, payload structures, and traffic behavior, the system can identify both known and previously unseen threats. Additionally, SiegeWall provides a centralized dashboard for monitoring traffic, analyzing logs, and managing security rules. By combining intelligent threat detection, automated response mechanisms, and scalable cloud deployment, SiegeWall serves as a unified, secure, and efficient platform for protecting modern web applications.
A. KEY FEATURES
- Reverse Proxy Security Module (Core Protection Layer):
  - Intercepts all incoming HTTP/HTTPS requests before they reach the web application, ensuring complete traffic inspection.
  - Filters malicious requests in real time, preventing unauthorized access and attack execution.
- Intelligent Threat Detection Engine:
  - Combines rule-based filtering with machine learning-based behavior analysis using the KNN algorithm.
  - Detects both known attacks and zero-day style anomalies by analyzing request patterns and traffic behavior.
- Automatic IP Blocking Mechanism:
  - Identifies repeated malicious activity from specific IP addresses and blocks them automatically.
  - Prevents further attack attempts and reduces system exposure to recurring threats.
- Centralized Monitoring and Logging System:
  - Maintains detailed logs of all incoming requests, including source IP, request type, timestamps, and detected threats.
  - Enables administrators to analyze attack patterns and improve security strategies.
- Administrator Dashboard and Visualization:
  - Provides a real-time dashboard displaying traffic statistics, alerts, and attack logs.
  - Offers visualization tools for monitoring system activity and responding quickly to threats.
- Scalable Cloud-Based Architecture:
  - Supports deployment across multiple web applications in distributed and cloud environments.
  - Ensures high availability, performance, and scalability for handling large volumes of web traffic.
The SiegeWall framework incorporates several key components to ensure robust security, real-time threat detection, and efficient web application protection.
PROPOSED SYSTEM AND DESIGN
The proposed system, SiegeWall, redefines traditional web application security by integrating intelligent threat detection into a scalable cloud-based Web Application Firewall architecture. Its core innovation lies in combining rule-based filtering with behavior-based anomaly detection using machine learning, enabling proactive identification and mitigation of both known and unknown threats. Operating as a reverse proxy, the system continuously analyzes incoming HTTP/HTTPS requests in real time, ensuring that malicious traffic is blocked before it reaches the web application.
The system is composed of three core components:
- WAF Filtering Engine: This module serves as the primary defense mechanism by applying predefined security rules to detect and block common web attacks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and path traversal. It ensures fast and efficient filtering of known threats based on established attack signatures.
- Behavior Analysis Module: This component incorporates machine learning techniques, specifically the K-Nearest Neighbors (KNN) algorithm, to analyze traffic patterns and request behavior in real time. It identifies anomalies and suspicious activities, enabling the system to detect previously unseen or zero-day style attacks beyond traditional rule-based approaches.
- Reverse Proxy and Monitoring System: Acting as an intermediary between clients and the web server, this module routes all incoming traffic through the WAF for inspection. It also maintains detailed logs of requests, including source IP, timestamps, and detected threats, and provides a centralized dashboard for real-time monitoring and analysis.
Overall, the SiegeWall system stands as a robust and scalable solution for modern web application security, strengthening defense mechanisms while maintaining system performance and usability. By shifting from reactive filtering to proactive and intelligent threat detection, it establishes a reliable and efficient environment capable of mitigating evolving cyber threats.
SYSTEM ARCHITECTURE
The system architecture of SiegeWall demonstrates how the framework ensures continuous protection through a layered design that separates traffic filtering, behavior analysis, and user interaction. The process is centered on the WAF Filtering Engine, which acts as the core security layer. When a client initiates a request, the reverse proxy intercepts it before it reaches the web application. The request is then passed to the filtering engine, where it is analyzed against predefined security rules to detect known attack patterns such as SQL injection and cross-site scripting (XSS).
Simultaneously, the Behavior Analysis Module operates as an intelligent layer, examining request patterns and traffic behavior using the K-Nearest Neighbors (KNN) algorithm to identify anomalies or zero-day style threats. The top layer, consisting of the Monitoring and Dashboard System, provides a centralized interface for administrators, ensuring real-time visibility, log analysis, and system control without compromising the core security mechanisms.
Fig. 1. Architecture Diagram
SYSTEM DESIGN
The system's design is further detailed through Use Case and Data Flow Diagrams. The Use Case Diagram shows the interactions between the Administrator and the SiegeWall system. The Administrator initiates actions such as monitoring traffic, analyzing logs, configuring rules, and managing blocked IP addresses. The SiegeWall system processes these requests while enforcing security through the filtering and behavior analysis modules.
The Data Flow Diagrams illustrate the movement of data within the system. The Level 0 DFD shows the main entities: the Client, the SiegeWall system, and the Web Server. The Client sends HTTP/HTTPS requests to the system, which processes them and communicates with the web server based on security decisions.
The Level 0 Data Flow Diagram illustrates the high-level boundary of the SiegeWall system. It depicts the WAF as the central processing entity that mediates communication between the client and the web application.
Fig. 2. Use Case Diagram
- Input: The process begins with the Client sending HTTP/HTTPS requests to the WAF system.
- Process: The SiegeWall system analyzes these requests using rule-based filtering and behavior analysis before deciding whether to allow or block them.
- Feedback: The Web Server returns responses for valid requests, while blocked requests generate alerts and logs, which are then displayed on the dashboard.
Fig. 3. Data Flow Diagram (Level 0)
The Level 1 Data Flow Diagram expands the central process to detail interactions between specific modules and data storage components.
- Security Analysis: The WAF Filtering Engine is shown as a composite module that performs rule matching, payload inspection, and attack detection, ensuring thorough analysis of incoming requests. The Behavior Analysis Module provides additional anomaly detection based on traffic patterns.
- Monitoring and Logging: The system maintains a continuous data flow where all requests and detected threats are stored in the database. The dashboard retrieves this data to provide real-time visualization and alerts.
- System Management: The Administrator interacts with the system through the dashboard to configure rules, manage blocked IPs, and monitor system performance.
- Storage and Communication: The database stores logs, request details, and attack information, while the reverse proxy ensures secure communication between clients and the web server.
Fig. 4. Data Flow Diagram (Level 1)
IMPLEMENTATION
The development of the SiegeWall system was executed in a structured, phased approach to ensure the stability of the core security modules before integrating monitoring and user-facing features.
MODULES
Phase 1: System Design and Architecture. The initial phase focused on defining the overall system architecture, including the reverse proxy model and integration of filtering and analysis components. This stage involved designing the workflow for handling HTTP/HTTPS requests and establishing the foundation for scalable cloud-based deployment.
Phase 2: WAF Core and Filtering Engine. This critical phase involved the development of the WAF Filtering Engine and reverse proxy mechanism. Using Python and Flask along with Nginx, the system was designed to intercept incoming requests, apply rule-based filtering, and block known web attacks such as SQL injection, cross-site scripting (XSS), and CSRF in real time.
Phase 3: Machine Learning Integration. This phase focused on implementing the behavior-based detection module using machine learning techniques:
- Part 1 (Model Integration): The K-Nearest Neighbors (KNN) algorithm was integrated to analyze request patterns and classify traffic as normal or malicious.
- Part 2 (Behavior Analysis): The system was enhanced to monitor request frequency, payload structure, and user behavior to detect anomalies and identify previously unseen threats.
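An added sketch (not the SiegeWall source) of the two detection stages described in Phases 2 and 3: signature rules applied to the decoded payload, followed by a KNN vote over request features. The rule set, the three features, the training points, and the rules-first ordering are assumptions made for illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import unquote_plus

# Assumed signature rules; the paper does not publish its rule set.
RULES = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|;\s*drop\b"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:|\bon(?:error|load|click)\s*="),
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
}
ORDINARY = set("=&_.-/ ")  # punctuation expected in ordinary query strings

# Constructed training set: (payload length, special-char ratio, requests/min).
TRAINING = [
    ((12, 0.00, 4), "normal"), ((25, 0.00, 10), "normal"),
    ((18, 0.05, 6), "normal"), ((40, 0.02, 12), "normal"),
    ((90, 0.25, 30), "malicious"), ((60, 0.30, 200), "malicious"),
    ((150, 0.20, 90), "malicious"), ((35, 0.35, 150), "malicious"),
]


def normalize(raw):
    """URL-decode twice so single- and double-encoded input match the same rules."""
    return unquote_plus(unquote_plus(raw))


def match_rules(payload):
    """Return the names of every signature rule the decoded payload matches."""
    text = normalize(payload)
    return [name for name, rx in RULES.items() if rx.search(text)]


def features(payload, req_per_min):
    """Payload structure (length, special-char ratio) plus request frequency."""
    text = normalize(payload)
    special = sum(not (c.isalnum() or c in ORDINARY) for c in text)
    return (len(text), special / max(len(text), 1), req_per_min)


class KNN:
    """k-nearest neighbours with min-max scaling so no single feature dominates."""

    def __init__(self, samples, k=3):
        self.k = k
        columns = list(zip(*(f for f, _ in samples)))
        self.low = [min(c) for c in columns]
        self.span = [(max(c) - min(c)) or 1.0 for c in columns]
        self.points = [(self._scale(f), label) for f, label in samples]

    def _scale(self, f):
        return [(v - lo) / sp for v, lo, sp in zip(f, self.low, self.span)]

    def predict(self, f):
        q = self._scale(f)
        nearest = sorted(self.points, key=lambda p: math.dist(q, p[0]))[: self.k]
        return Counter(label for _, label in nearest).most_common(1)[0][0]


MODEL = KNN(TRAINING)


def inspect_request(payload, req_per_min, model=MODEL):
    """Return (decision, reason); signature rules run first, then the KNN verdict."""
    hits = match_rules(payload)
    if hits:
        return ("block", "rule:" + ",".join(hits))
    if model.predict(features(payload, req_per_min)) == "malicious":
        return ("block", "knn:anomaly")
    return ("allow", "clean")


if __name__ == "__main__":
    # Constructed requests: ordinary, signature match, and rule-clean anomaly.
    for payload, rate in [("q=laptop&page=3", 5), ("id=1%20OR%201%3D1", 5),
                          ("data={{[[((!!$$##@@^^**))]]}}&x=~~~~||||", 180)]:
        print(payload, "->", inspect_request(payload, rate))
```

Without the min-max scaling, the requests-per-minute and length features would swamp the special-character ratio in the distance calculation, so the third request would be judged almost entirely on its rate.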
Phase 4: Dashboard and Monitoring System. The final phase focused on usability and system management. A centralized dashboard was developed using React and web technologies to provide real-time traffic monitoring, visualization of attack logs, alert notifications, and administrative control over security rules and IP blocking mechanisms.
TOOLS AND TECHNIQUES
The development of SiegeWall utilizes a combination of modern web technologies and machine learning techniques to ensure efficient real-time threat detection and scalable web application security.
- Programming Languages: The implementation adopts a multi-language approach to optimize different components of the system. Python serves as the primary language for developing the backend logic, request handling, and machine learning integration due to its simplicity and extensive library support. JavaScript is used for building interactive frontend components, while HTML and CSS are utilized for structuring and designing the user interface. This combination enables efficient system operation and a responsive user experience.
- Frameworks and Libraries: The backend of the system is developed using the Flask framework, which facilitates lightweight and efficient handling of HTTP requests and API communication. The behavior-based detection mechanism is implemented using machine learning techniques, specifically the K-Nearest Neighbors (KNN) algorithm, to analyze traffic patterns and identify anomalies. On the frontend, React is used to create a dynamic and interactive dashboard interface, allowing real-time visualization of system activity.
- Database and Storage: SQLite is used as the primary database for storing system logs, detected threats, and request details. It provides a lightweight and efficient storage solution without requiring a separate database server, enabling quick data retrieval and analysis.
- Development and Monitoring Tools: The development process was carried out using standard development environments such as Visual Studio Code for coding and debugging. Nginx is utilized as the reverse proxy server to handle incoming HTTP/HTTPS traffic and route it through the WAF filtering layer. The system is deployed and tested on both Windows and Linux environments to ensure compatibility, reliability, and consistent performance across platforms.
RESULTS AND DISCUSSION
The implementation of SiegeWall successfully achieved its primary objectives of integrating a real-time Web Application Firewall with an intelligent behavior-based detection mechanism. The system was validated through a series of functional tests designed to evaluate the rule-based filtering engine and the KNN-based anomaly detection model against common evasion techniques used in web-based attacks.
Functional Testing and Threat Detection. The core security module demonstrated high accuracy in identifying zero-day style anomalies that traditional rule-based firewalls often miss. In the prototype testing environment, the system successfully executed the following security checks:
- Attack Filtering: The system correctly flagged malicious requests such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and path traversal attacks, blocking them before reaching the web server.
- Behavioral Monitoring: The KNN-based detection engine analyzed request patterns such as frequency and payload structure, identifying abnormal traffic and classifying it as suspicious or malicious.
- IP Blocking Mechanism: The system detected repeated malicious activity from specific IP addresses and automatically blocked them, preventing further attack attempts.
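An added sketch (not the SiegeWall source) of the threat logging and automatic IP blocking described above, using SQLite as the paper does. The table layout, the three-strike threshold, and the assumption that Nginx runs on the same host and appends the peer address to X-Forwarded-For are all illustrative choices, not details from the paper.

```python
import ipaddress
import sqlite3

TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: Nginx runs on the same host as the Flask app
STRIKE_LIMIT = 3                 # assumption: the paper does not state its threshold

SCHEMA = """
CREATE TABLE IF NOT EXISTS threat_log (
    id INTEGER PRIMARY KEY,
    ts REAL NOT NULL,
    src_ip TEXT NOT NULL,
    method TEXT NOT NULL,
    path TEXT NOT NULL,
    threat TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_threat_ip ON threat_log (src_ip);
CREATE TABLE IF NOT EXISTS blocked_ips (
    src_ip TEXT PRIMARY KEY,
    blocked_at REAL NOT NULL,
    reason TEXT NOT NULL
);
"""


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def client_ip(remote_addr, forwarded_for=None):
    """Pick the address to log and block.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and
    only its last entry (the one that proxy appended) is used. From any other
    peer the header is client-controlled, so the peer address is used instead.
    """
    if remote_addr in TRUSTED_PROXIES and forwarded_for:
        candidate = forwarded_for.split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            pass  # malformed header: fall back to the peer address
    return remote_addr


def is_blocked(db, ip):
    row = db.execute("SELECT 1 FROM blocked_ips WHERE src_ip = ?", (ip,)).fetchone()
    return row is not None


def record_threat(db, ip, method, path, threat, now):
    """Log one detection; block the source at STRIKE_LIMIT. Returns block state."""
    with db:  # one transaction: the log row and the block row commit together
        db.execute(
            "INSERT INTO threat_log (ts, src_ip, method, path, threat) VALUES (?, ?, ?, ?, ?)",
            (now, ip, method, path, threat),
        )
        strikes = db.execute(
            "SELECT COUNT(*) FROM threat_log WHERE src_ip = ?", (ip,)
        ).fetchone()[0]
        if strikes >= STRIKE_LIMIT:
            db.execute(
                "INSERT OR IGNORE INTO blocked_ips (src_ip, blocked_at, reason) VALUES (?, ?, ?)",
                (ip, now, f"{strikes} detections"),
            )
    return is_blocked(db, ip)
```

If the peer address were used unconditionally behind Nginx, every detection would be attributed to the proxy itself and the first block would cut off all clients.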
System Performance and Resource Efficiency. Performance testing confirmed the system's ability to handle real-time traffic efficiently without introducing significant latency. The reverse proxy architecture maintained stable operation while processing multiple concurrent HTTP/HTTPS requests and supporting scalable cloud-based deployment.
Monitoring and Visualization. The administrator dashboard successfully provided real-time visibility into system activity. Functional testing verified that traffic statistics, attack logs, and alerts were displayed accurately, enabling efficient monitoring and quick response to threats.
Fig. 5. SiegeWall Login Page
Fig. 6. SiegeWall Dashboard with Real-Time Request Feed
CONCLUSION AND FUTURE WORK
Conclusion
The SiegeWall system was successfully developed as a cloud-based Web Application Firewall designed to enhance the security of web applications. The system operates as a reverse proxy that filters and monitors all incoming HTTP/HTTPS traffic before it reaches the web server. This approach ensures that malicious requests are detected and blocked in real time, preventing potential damage to the application. The project demonstrates how a WAF can effectively protect against common web attacks such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other threats. By combining rule-based filtering with behavior-based analysis using the K-Nearest Neighbors (KNN) algorithm, the system improves its ability to detect both known and unknown attacks. SiegeWall records important details such as source IP addresses, request types, timestamps, and detected threats. This information provides valuable insights for analyzing attack patterns and improving security strategies. The automatic IP blocking mechanism further strengthens the system by preventing repeated attacks from malicious sources. The system also includes a user-friendly dashboard that allows administrators to monitor traffic, view alerts, and analyze logs in real time. Overall, SiegeWall provides a scalable, efficient, and cost-effective solution for enhancing web application security. It highlights the importance of combining real-time monitoring, intelligent filtering, and adaptive analysis in modern cybersecurity systems.
Future Work
Future enhancements of SiegeWall can focus on improving its intelligence, scalability, and usability to meet evolving cybersecurity demands. By integrating advanced machine learning and deep learning techniques, the system can achieve higher detection accuracy and identify complex attack patterns more effectively. It can also be scaled to support large-scale enterprise environments with high traffic and distributed applications. Implementing cloud-based multi-region deployment will enhance performance, ensure redundancy, and enable global threat monitoring. Additionally, strengthening the system to better detect and respond to zero-day vulnerabilities will improve overall security against sophisticated attacks. Finally, upgrading the user interface with advanced analytics, visualization tools, and detailed reporting features will provide deeper insights into system activities and improve user experience.
References
- M. Maheshwari, A. Nayak, A. Sethy, and S. G, "Adaptive web application firewall for multi-threat detection," 2024 International Conference on IoT Based Control Networks and Intelligent Systems (ICICNIS), pp. 232–238, 12 2024. [Online]. Available: https://ieeexplore.ieee.org/document/10823239
- A. Kumar, J. B. Simha, and R. Agarwal, "Machine learning-based web application firewall for real-time threat detection," pp. 1–8, 11 2024. [Online]. Available: https://ieeexplore.ieee.org/document/10912239
- M. E. Durmuşkaya and S. Bayraklı, "Web application firewall based on machine learning models," PeerJ Computer Science, vol. 11, p. e2975, 07 2025. [Online]. Available: https://peerj.com/articles/cs-2975/
- B. R. Dawadi, B. Adhikari, and D. K. Srivastava, "Deep learning technique-enabled web application firewall for the detection of web attacks," Sensors, vol. 23, p. 2073, 02 2023.
- M. Hosain, S. A. Shuvo, M. Ogbe, M. S. Jalal Mazumder, Y. Rahman, M. A. Hakim, and A. Pandey, "Web technologies security in the ai era: A survey of cdn-enhanced defenses," 2025 IEEE Asia Pacific Conference on Wireless and Mobile (APWiMob), pp. 180–186, 11 2025.
- A. Razzaq, A. Hur, S. Shahbaz, M. Masood, and H. F. Ahmad, "Critical analysis on web application firewall solutions," in 2013 IEEE Eleventh International Symposium on Autonomous Decentralized Systems (ISADS). IEEE, 2013, pp. 1–6.
- S. Prandl, M. Lazarescu, and D.-S. Pham, "A study of web application firewall solutions," in International conference on information systems security. Springer, 2015, pp. 501–510.
- N. Gupta, A. Saikia, and D. Sanghi, "Web application firewall," Indian Institute of Technology, Kanpur, vol. 61, p. 62, 2007.
- V. Clincy and H. Shahriar, "Web application firewall: Network security models and configuration," in 2018 IEEE 42nd annual computer software and applications conference (COMPSAC), vol. 1. IEEE, 2018, pp. 835–836.
- A. Shaheed and M. B. Kurdy, "Web application firewall using machine learning and features engineering," Security and Communication Networks, vol. 2022, no. 1, p. 5280158, 2022.
