Web Application Firewalls penalizes everyone, including latency in all requests, whether they are malicious or not. Several studies have reported the benefits of using Machine Learning to extract new rules to detect malware and malicious web requests. However, comparing the metrics of the models with their use of computational resources remains to be accomplished. This work aims to show a distributed WAF architecture, using ML classifiers as one of its components. Instead of having an enforcement point that analyzes the complete HTTP protocol for violations in this architecture, we have a trained classifier to detect them. The first part of this work verifies the viability of using classifiers based on their metrics, such as accuracy and recall. We analyze two datasets and make comparisons about their use. The second part of this paper compares ML models’ prediction processing time and a rules-based engine’s processing time. The classifiers used in this paper had a processing time of about 18x less than a rule-based engine. We also show that a classifier can find errors in the classification of a dataset generated by a WAF based on rules. We present samples and experimental codes to show the difference in approaches.

Web应用程序防火墙会惩罚所有人，包括所有请求中的延迟，无论它们是否是恶意的。多项研究报告了使用机器学习提取新规则来检测恶意软件和恶意Web请求的好处。但是，将模型的度量与其使用的计算资源进行比较仍有待完成。这项工作旨在展示使用ML分类器作为其组件之一的分布式WAF体系结构。我们没有让执行点分析整个HTTP协议中此体系结构中的违规的地方，而是拥有训练有素的分类器来检测它们。这项工作的第一部分基于分类器的度量标准（例如准确性和召回率）验证了使用分类器的可行性。我们分析了两个数据集，并对其使用进行了比较。本文的第二部分比较了ML模型的预测处理时间和基于规则的引擎的处理时间。本文使用的分类器的处理时间比基于规则的引擎少约18倍。我们还表明，分类器可以在WAF基于规则生成的数据集的分类中发现错误。我们提供样本和实验代码以显示方法上的差异。