Abstract:
Scanning and probing with web security scanners is a primary means of cyber reconnaissance in the early stages of web attacks. Existing web intrusion detection methods primarily focus on the binary classification problem between known attack flows and normal flows, and they suffer from issues such as being easily bypassed and being unable to detect unknown attacks. To address these issues, this paper proposes a method for detecting web intrusion attacks from the perspective of web security scanner scanning. First, this paper collects scanning data from various web security scanners through experiments and analyzes the similarity of the scanning data. Second, a web intrusion detection scheme based on scanning data is proposed, which includes a feature extraction method and a convolutional gated recurrent network model. Finally, comparative experiments are conducted on the collected dataset, and the results show that the web intrusion detection scheme proposed in this paper achieves superior attack detection performance. Specifically, it achieves a detection precision of 99.87% and an F1-score of 98.99% for known web security scanners, and a detection precision of 92.98% and an F1-score of 95.71% for unknown web security scanners.