🤖 AI Summary
To address poor generalization, high false positive rates, and overreliance on handcrafted rules in zero-day web attack detection, this paper proposes a one-class ensemble detection method based on latent-space fusion. We introduce a lightweight, web-request-oriented tokenization mechanism that maps HTTP requests into numerical sequences. Furthermore, we design a novel one-class autoencoder ensemble framework integrating LSTM, GRU, and stacked autoencoder architectures; their latent representations are concatenated and compressed at the feature level to enhance anomaly discrimination and generalization. Evaluated on standard benchmark datasets, the system achieves 97.58% accuracy, 97.52% recall, 99.76% specificity, 99.99% precision, and only a 0.2% false positive rate—significantly outperforming existing single-model and conventional ensemble approaches.
📝 Abstract
The rapid growth in web-based services has significantly increased security risks related to user information, as web-based attacks become increasingly sophisticated and prevalent. Traditional security methods frequently struggle to detect previously unknown (zero-day) web attacks, putting sensitive user data at significant risk. Additionally, reducing human intervention in web security tasks can minimize errors and enhance reliability. This paper introduces an intelligent system designed to detect zero-day web attacks using a novel one-class ensemble method consisting of three distinct autoencoder architectures: LSTM autoencoder, GRU autoencoder, and stacked autoencoder. Our approach employs a novel tokenization strategy to convert normal web requests into structured numeric sequences, enabling the ensemble model to effectively identify anomalous activities by uniquely concatenating and compressing the latent representations from each autoencoder. The proposed method efficiently detects unknown web attacks while effectively addressing common limitations of previous methods, such as high memory consumption and excessive false positive rates. Extensive experimental evaluations demonstrate the superiority of our proposed ensemble, achieving remarkable detection metrics: 97.58% accuracy, 97.52% recall, 99.76% specificity, and 99.99% precision, with an exceptionally low false positive rate of 0.2%. These results underscore our method's significant potential in enhancing real-world web security through accurate and reliable detection of web-based attacks.
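The abstract does not spell out the tokenization scheme, so the following is an added illustration, not the paper's code: one assumed way to turn web requests into fixed-length numeric sequences using a vocabulary learned only from normal traffic, as a one-class model requires. The token regex, the `<NUM>`/`<UNK>` conventions, the sample requests, and the `unk_ratio` helper are all assumptions made here; `unk_ratio` is only a quick visibility check and stands in for no part of the autoencoder ensemble.

```python
import re
from urllib.parse import unquote_plus

PAD, UNK = 0, 1  # reserved ids: padding, and "never seen in normal traffic"
TOKEN_RE = re.compile(r"[A-Za-z_]+|\d+|[^\sA-Za-z_\d]")  # assumed token classes

def tokenize(request_line):
    """Split 'METHOD /path?query' into coarse tokens after URL-decoding."""
    tokens = []
    for tok in TOKEN_RE.findall(unquote_plus(request_line)):
        # Collapse digit runs so ids, quantities and page numbers share one token
        tokens.append("<NUM>" if tok.isdigit() else tok.lower())
    return tokens

def build_vocab(normal_requests):
    """Assign ids only to tokens observed in normal (benign) requests."""
    vocab = {"<PAD>": PAD, "<UNK>": UNK}
    for req in normal_requests:
        for tok in tokenize(req):
            vocab.setdefault(tok, len(vocab))
    return vocab

def encode(request_line, vocab, max_len=24):
    """Map a request to a fixed-length id sequence (truncate or right-pad)."""
    ids = [vocab.get(t, UNK) for t in tokenize(request_line)][:max_len]
    return ids + [PAD] * (max_len - len(ids))

def unk_ratio(ids):
    """Share of non-padding positions the normal-only vocabulary cannot name."""
    real = [i for i in ids if i != PAD]
    return sum(i == UNK for i in real) / len(real) if real else 0.0

# Constructed sample data (not taken from the paper's datasets)
NORMAL = [
    "GET /shop/item?id=42&lang=en",
    "GET /shop/item?id=7&lang=fr",
    "POST /shop/cart?add=13&qty=2",
    "GET /shop/search?q=shoes&page=3",
]
VOCAB = build_vocab(NORMAL)
SEEN_LIKE = "GET /shop/item?id=9001&lang=en"  # new value, familiar structure
ODD = "GET /shop/item?id=42%27%20OR%20%271%27%3D%271&lang=en"  # quote/OR pattern absent from NORMAL

if __name__ == "__main__":
    for req in (SEEN_LIKE, ODD):
        ids = encode(req, VOCAB)
        print(f"{unk_ratio(ids):.2f}", ids)
```

Because numeric values collapse to `<NUM>`, an unseen but structurally normal request encodes identically to a training request, while tokens absent from normal traffic surface as `<UNK>` in the sequence a downstream one-class model would receive.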