Stacked Random Forest-LightGBM for Web Attack Classification

Abstract

The rapid expansion of web services in the digital era has intensified exposure to increasingly complex and imbalanced cyber threats. This study proposes a stacking hybrid ensemble framework for web attack classification, integrating Random Forest as the base learner and LightGBM as the meta-learner, enhanced by the SMOTE technique for data balancing. The Web Attack subset of the CICIDS-2017 dataset serves as a case study, with a focus on detecting minority attacks such as SQL Injection, XSS, and Brute Force. The preprocessing pipeline includes data cleaning, removal of irrelevant features, normalization, extreme value imputation, and ANOVA F-test-based feature selection. Evaluation results indicate that the proposed model outperforms baseline models in both multiclass classification (98.7% accuracy, 0.634 macro F1-score) and binary classification (99.41% accuracy, 99.47% F1-score), while maintaining high sensitivity to minority classes. These results contribute to informatics and cybersecurity scholarship through a generalizable stacking baseline and well-specified evaluation procedures for web-attack detection, facilitating replicability, fair comparison, and dataset-agnostic insights.