USAGE OF THE KNN METHOD WITH FEATURE ENHANCEMENT FOR DETECTING INJECTIONS
DOI: https://doi.org/10.31891/2219-9365-2025-84-58
Keywords: cybersecurity, KNN, SQLi, XSS, command injection, IDS/WAF, feature engineering, TF-IDF, HTTP parameters, distance metrics, class balancing, ablation analysis, false positives (FP)
Abstract
The article investigates an extended application of the k-nearest neighbors (KNN) algorithm to detecting injection attacks in web requests: SQL injection, XSS, and command injection. A complete pipeline is proposed: preprocessing of HTTP parameters, character- and token-level representations of the request, computation of statistical and domain-oriented features, formation of a compact set of seven numerical features, and their combination with the basic representations. The influence of distance metrics and neighbor-weighting strategies, k tuning, normalization, and class balancing is investigated.
The experimental part covers three public datasets with stratified cross-validation. Quality is assessed by accuracy, precision, recall, F1, and ROC-AUC, and ablation experiments are performed. The results confirm that the basic KNN configuration provides competitive performance on SQLi at low computational cost, while feature expansion consistently increases accuracy and F1, reduces false positives, and improves generalization across datasets. An advantage of the approach is interpretability: a decision can be explained by inspecting the nearest neighbors and the weighted features, which facilitates security auditing and the justification of individual verdicts.
The practical value lies in the simplicity of implementation in an IDS/WAF, transparency of decisions, deterministic behavior, and compatibility with stream processing. Recommendations are given for choosing k, normalization, the distance metric, and class balancing. It is concluded that the combination of cheaply computed features with carefully selected hyperparameters makes KNN an effective and explainable basis for injection detection, suitable both as a lightweight module and as a benchmark for further hybrid solutions.
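The following is an added, self-contained illustration of the pipeline the abstract describes (URL-decoding of an HTTP parameter, a character n-gram TF-IDF representation, a compact set of seven numeric features, min-max normalization, distance-weighted KNN, and explanation through the voting neighbors). It is not the authors' code: the seven features, the tiny constructed training set, and the class name KNNInjectionDetector are this example's own assumptions, and the paper's actual feature set and datasets are not reproduced here.

```python
"""Added example (not from the paper): pure-Python KNN injection detector with
character-bigram TF-IDF plus seven hand-made numeric features."""
from __future__ import annotations
import math
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed toy training set (NOT the paper's datasets): (raw parameter value, label)
TRAIN = [
    ("alice", 0), ("search term", 0), ("2024-05-01", 0), ("john.doe@example.com", 0),
    ("page=2&sort=name", 0), ("hello world 123", 0),
    ("' OR '1'='1", 1), ("1 UNION SELECT username, password FROM users--", 1),
    ("admin'--", 1), ("<script>alert(1)</script>", 1),
    ("\"><img src=x onerror=alert(1)>", 1), ("; cat /etc/passwd", 1),
    ("| ls -la", 1), ("1; DROP TABLE users", 1),
]

SQL_KW = {"select", "union", "insert", "update", "delete", "drop", "or", "and",
          "from", "where", "sleep", "benchmark"}
HTML_PAT = re.compile(r"<\s*/?\s*[a-z]+|on[a-z]+\s*=|javascript:")
SHELL_PAT = re.compile(r"[;|`]|\$\(|/etc/|/bin/|\b(?:cat|ls|wget|curl|nc|bash|sh|id|whoami)\b")
COMMENT_PAT = re.compile(r"--|#|/\*")


def preprocess(raw: str) -> str:
    """URL-decode twice (catches double encoding), lower-case, collapse whitespace."""
    s = unquote_plus(unquote_plus(raw))
    return re.sub(r"\s+", " ", s).strip().lower()


def numeric_features(s: str) -> list[float]:
    """Seven assumed domain features (this example's choice, not the paper's list)."""
    n = max(len(s), 1)
    specials = sum(1 for c in s if not c.isalnum() and not c.isspace())
    tokens = re.findall(r"[a-z_]+", s)
    return [
        math.log1p(len(s)),                       # 1: log length
        specials / n,                             # 2: special-character ratio
        float(s.count("'") + s.count('"')),       # 3: quote count
        float(sum(t in SQL_KW for t in tokens)),  # 4: SQL keyword count
        float(len(HTML_PAT.findall(s))),          # 5: HTML/JS markers
        float(len(SHELL_PAT.findall(s))),         # 6: shell markers
        float(len(COMMENT_PAT.findall(s))),       # 7: SQL comment markers
    ]


def char_ngrams(s: str, n: int = 2) -> Counter:
    return Counter(s[i:i + n] for i in range(len(s) - n + 1))


class KNNInjectionDetector:
    def __init__(self, k: int = 3, ngram: int = 2):
        self.k, self.n = k, ngram

    def fit(self, samples):
        self.raw = [x for x, _ in samples]
        self.labels = [y for _, y in samples]
        docs = [preprocess(x) for x in self.raw]
        df = Counter(g for d in docs for g in char_ngrams(d, self.n))
        N = len(docs)
        self.idf = {g: math.log((1 + N) / (1 + c)) + 1 for g, c in df.items()}
        feats = [numeric_features(d) for d in docs]
        self.lo = [min(col) for col in zip(*feats)]   # min-max ranges from training only
        self.hi = [max(col) for col in zip(*feats)]
        self.vecs = [self._vectorize(d) for d in docs]
        return self

    def _vectorize(self, doc: str) -> dict[str, float]:
        grams = {g: c * self.idf[g] for g, c in char_ngrams(doc, self.n).items() if g in self.idf}
        norm = math.sqrt(sum(v * v for v in grams.values())) or 1.0
        vec = {"g:" + g: v / norm for g, v in grams.items()}   # L2-normalised TF-IDF part
        for i, (v, lo, hi) in enumerate(zip(numeric_features(doc), self.lo, self.hi)):
            scaled = 0.0 if hi == lo else (v - lo) / (hi - lo)
            vec[f"f{i}"] = min(max(scaled, 0.0), 1.0)          # clip unseen ranges
        return vec

    @staticmethod
    def _dist(a: dict, b: dict) -> float:
        return math.sqrt(sum((a.get(k, 0.0) - b.get(k, 0.0)) ** 2 for k in set(a) | set(b)))

    def explain(self, raw: str) -> dict:
        """Distance-weighted vote of the k nearest training samples, with the neighbours."""
        q = self._vectorize(preprocess(raw))
        ranked = sorted((self._dist(q, v), i) for i, v in enumerate(self.vecs))[: self.k]
        votes = {0: 0.0, 1: 0.0}
        for d, i in ranked:
            votes[self.labels[i]] += 1.0 / (d + 1e-9)
        score = votes[1] / (votes[0] + votes[1])
        return {"score": score, "label": int(score >= 0.5),
                "neighbors": [(self.raw[i], self.labels[i], round(d, 3)) for d, i in ranked]}

    def predict(self, raw: str) -> int:
        return self.explain(raw)["label"]


def leave_one_out(samples, k: int = 3) -> dict:
    """Leave-one-out precision/recall/F1 and the false-positive count."""
    tp = fp = fn = 0
    for i, (raw, y) in enumerate(samples):
        pred = KNNInjectionDetector(k=k).fit(samples[:i] + samples[i + 1:]).predict(raw)
        tp += int(pred == 1 and y == 1)
        fp += int(pred == 1 and y == 0)
        fn += int(pred == 0 and y == 1)
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return {"precision": prec, "recall": rec, "f1": f1, "fp": fp}


if __name__ == "__main__":
    det = KNNInjectionDetector(k=3).fit(TRAIN)
    for q in ["bob smith", "%27%20OR%201%3D1--", "<script>alert(document.cookie)</script>"]:
        print(q, det.explain(q))
    print(leave_one_out(TRAIN))
```

The min-max ranges and IDF table are computed from the training split only and query features are clipped into [0, 1], so a single oversized request cannot shift the scale at inference time. Because every verdict carries the raw neighbors that voted, an analyst can see which stored samples drove a decision, which is the auditability property the abstract emphasizes; on a real deployment the same explain() output is what you would log alongside a WAF block.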
License
Copyright (c) 2025 Тетяна КОРОБЕЙНІКОВА, Назар КРАВЧУК

This work is licensed under a Creative Commons Attribution 4.0 International License.