Abstract
Cyber security have always been a major concern for internet applications and the demand for website protection is on the rise. Web Application Firewalls (WAFs) services are commonly used, as they are convenient as plug-and-play services and provide protection against multiple type of attacks. However, they have high false positive rates. Their rules are often concrete to provide one-size-fit-all services, so rule-based WAFs are either too strict that they block all the incoming requests, or too general that they do not block any malicious requests at all. A feasible solution to concrete rule-based WAFs is applying machine learning approaches, which can help WAFs to monitor and adapt with each specific situation of website and application. Many WAF providers have already migrated to this approaches: Cloudfare, Amazon, Fortinet, etc. Most of these effort concentrated on observing users’ behavior. It is hard to draw a line between normal behavior and malicious behavior, and they require enormous machine learning models. Therefore, we have developed a simple machine learning system to categorize the requests and support traditional WAFs, with the goal of eliminating the high false positive rates and providing better a surveillance system for web applications. Our model is based on our observation that legitimate requests to a website are usually similar. The module uses CNN to categorize the network requests and determine whether each incoming request is abnormal. The output of our model is combined with the result of a rule-based WAF (ModSecurity in our implementation) to conclude that should the incoming request be blocked or not. In our experiments, the model greatly improve the ModSecurity WAF with false positive rate reduced from 24% to only 3%, keeping pace with other notable studies on using machine learning models to improve WAFs and only requiring processing time 0.05 s per request.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Available at https://github.com/SpiderLabs/ModSecurity.
- 2.
Available at https://github.com/SpiderLabs/ModSecurity/wiki.
- 3.
Available at https://www.isi.csic.es/dataset.
- 4.
Available at http://www.lirmm.fr/pkdd2007-challenge.
- 5.
Available at https://www.omg.org/spec/ASTM/1.0.
References
Boukhtouta, A., Lakhdari, N.-E., Mokhov, S.A., Debbabi, M.: Towards fingerprinting malicious traffic. Procedia Comput. Sci. 19, 548–555 (2013)
Gao, M., Ma, L., Liu, H., Zhang, Z., Ning, Z., Xu, J.: Malicious network traffic detection based on deep neural networks and association analysis. Sensors 20(5), 1452 (2020)
Shinomiya, K., Goto, S.: Detecting malicious traffic through two-phase machine learning. In: Proceedings of the Asia-Pacific Advanced Network, vol. 40, p. 34 (2015)
Radford, B.J., Apolonio, L.M., Trias, A.J., Simpson, J.A.: Network traffic anomaly detection using recurrent neural networks. CoRR, vol. abs/1803.10769 (2018)
Marín, G., Caasas, P., Capdehourat, G.: DeepMAL - deep learning models for malware traffic detection and classification. In: Data Science - Analytics and Applications, pp. 105–112 (2021)
Hwang, R.-H., Peng, M.-C., Nguyen, V.-L., Chang, Y.-L.: An LSTM-based deep learning approach for classifying malicious traffic at the packet level. Appl. Sci. 9(16), 3414 (2019)
Mikolov, T., Yih, W., Zweig, G.: Linguistic regularities in continuous space word representations. In: Human Language Technologies - Proceedings of the Conference of the North American Chapter, pp. 746–751 (2013)
Zhang, M., Xu, B., Bai, S., Lu, S., Lin, Z.: A deep learning method to detect web attacks using a specially designed CNN. In: Liu, D., Xie, S., Li, Y., Zhao, D., El-Alfy, E.-S.M. (eds.) ICONIP 2017. LNCS, vol. 10638, pp. 828–836. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70139-4_84
Betarte, G., Gimenez, E., Martinez, R., Pardo, A.: Improving web application firewalls through anomaly detection. In: 17th IEEE International Conference on Machine Learning and Applications - ICMLA (2018)
Tran, N.-T., Nguyen, V.-H., Nguyen-Le, T., Nguyen-An, K.: Improving ModSecurity WAF with machine learning methods. In: Dang, T.K., Küng, J., Takizawa, M., Chung, T.M. (eds.) FDSE 2020. CCIS, vol. 1306, pp. 93–107. Springer, Singapore (2020). https://doi.org/10.1007/978-981-33-4370-2_7
Pennington, J., Socher, R., Manning, C.: GloVe: global vectors for word representation. In: Proceedings of the Conference on Empirical Methods in Natural Language Processing - EMNLP (2014)
Kingma, D.P., Ba, J.: Adam: a method for stochastic optimization. In: Proceedings of the 3rd International Conference on Learning Representations - ICLR (2015)
Acknowledgment
During the preparation of this works, the first two authors were supported by University of Technology (HCMUT), VNU-HCM under “Student Scientific Research” grant number SVOISP-2020-KHKTMT-95/HĐ-ĐHBK-KHCN&DA.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Nguyen, TCH., Le-Nguyen, MK., Le, DT., Nguyen, VH., Tôn, LP., Nguyen-An, K. (2021). Improving ModSecurity WAF Using a Structured-Language Classifier. In: Dang, T.K., Küng, J., Chung, T.M., Takizawa, M. (eds) Future Data and Security Engineering. Big Data, Security and Privacy, Smart City and Industry 4.0 Applications. FDSE 2021. Communications in Computer and Information Science, vol 1500. Springer, Singapore. https://doi.org/10.1007/978-981-16-8062-5_6
Download citation
DOI: https://doi.org/10.1007/978-981-16-8062-5_6
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-16-8061-8
Online ISBN: 978-981-16-8062-5
eBook Packages: Computer ScienceComputer Science (R0)