TC 11 Briefing PapersA new WAF architecture with machine learning for resource-efficient use
Section snippets
Introduction and previous work
Web Application Firewalls (WAFs) are used in the industry to protect web applications from vulnerability exploits and other security attacks. In the examples shown in the literature, WAFs can work in a heuristic way and through rules, often using a blocklist approach.
The aspect that we will evaluate in this work is related to the architecture used to implement WAFs. We can predict that the implementation of a WAF requires an increase in the computational capacity available for the applications
Classifiers
In this work, we will use classifiers to speed up the verification of malicious activities in a rules engine for WAFs. Part of the work is to evaluate some classifiers and check the balance provided in detection and speed.
Thus, we seek fewer complexity classifiers, and that could make the most efficient use of resources. We also limited the choice to 3 classifiers to compare their detection and performance rates. Thus, we evaluate the following: Linear Support Vector Classification (LSVM),
Environment
An evaluation of the performance of the classifiers runs at a Google Cloud virtual machine (n1-highmem-2) with 2 vCPUs Intel (R) Xeon (R) CPU @ 2.20GHz (Family 6 Model 79), each vCPUs’s cache with 56,320 KB. The system used had 13,333,540 KB of RAM with Ubuntu 18.04.3 LTS operating system.
The compiler used was GCC in version 7.5.0 (Ubuntu 7.5.0-3ubuntu1 18.04), with optimization options 2 and optimization for the Broadwell architecture. We measure the execution time using the standard C++
Conclusions
This work’s scope analyzed the use of classifiers to obtain a performance gain when using rules engines such as ModSecurity. At request time, we only evaluate the headers provided, with a particular interest in the URI.
This work shows that machine learning can bring practical results superior to the increase in accuracy (Section 2.3.3) and performance in detecting the exploitation of vulnerabilities. The architecture proposed in 1.4 is one of the ways to provide this efficiency increase in the
CRediT authorship contribution statement
Manoel Domingues Junior: Conceptualization, Methodology, Software, Validation, Investigation, Resources, Data curation, Writing - original draft, Visualization. Nelson F.F. Ebecken: Methodology, Validation, Formal analysis, Writing - review & editing, Supervision, Project administration.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgments
The authors would like to thank Globo Comunicações e Participações for the resources used (Private Dataset), in addition to the availability of time to complete this work. Additionally, the authors recognize Globo’s Information Security team for reviewing the points covered and additional considerations.
Nelson Francisco Favilla Ebecken earned a Ph.D. in Civil Engineering from the Federal University of Rio de Janeiro in 1977. He is currently a Full Professor at the Federal University of Rio de Janeiro. He published 135 articles in professional journals and 361 papers in conference proceedings. Has 19 books published. He guided 135 dissertations and 138 doctoral theses in the areas of Computer Science, Civil Engineering, and Information Science. He received 8 awards or honors. He operates in
References (22)
- Alemalakra, 2018. xWAF....
- Belov, A., Zimmerle, F., Hutchings, A., 2018. ngx_http_modsecurity_module.c....
- Buchwald, H., 2016. Shadow daemon....
- D’Hoinne, J., Hils, A., Kaur, R., Neiva, C., 2019. Magic quadrant for web application firewalls....
- et al.
Anomaly-based web application firewall using HTTP-specific features and one-Class SVM
Revista Eletrônica Argentina-Brasil de Tecnologias da Informação e da Comunicação
(2018) - Junior, M.D., 2020. Complete comparison of classifieds with variation in vocabulary size....
- Kanapickas, P., 2011. std::clock - cppreference.com. https://en.cppreference.com/w/cpp/chrono/c/clock. Accessed:...
- Koechlin, T., Brabez, S., Zin, N., Sabban, M., Lawson, C., 2019. naxsi_runtime.c....
- et al.
Anomaly-Based web attack detection: A deep learning approach
Proceedings of the 2017 VI International Conference on Network, Communication and Computing
(2017)
Detecting attacks on web applications using autoencoder
Proceedings of the Ninth International Symposium on Information and Communication Technology
Cited by (3)
AdvSQLi: Generating Adversarial SQL Injections Against Real-World WAF-as-a-Service
2024, IEEE Transactions on Information Forensics and SecurityAn Adaptive Web Application Firewall
2022, Proceedings of the International Conference on Security and Cryptography
Nelson Francisco Favilla Ebecken earned a Ph.D. in Civil Engineering from the Federal University of Rio de Janeiro in 1977. He is currently a Full Professor at the Federal University of Rio de Janeiro. He published 135 articles in professional journals and 361 papers in conference proceedings. Has 19 books published. He guided 135 dissertations and 138 doctoral theses in the areas of Computer Science, Civil Engineering, and Information Science. He received 8 awards or honors. He operates in interdisciplinary areas of Engineering and Petroleum Engineering, with an emphasis on Computer Systems. In their professional activities interacted with 161 employees in the co-authorship of scientific papers. In his Lattes, the most frequent terms in the context of scientific, technological, and artistic-cultural are Data Mining, Structures, Offshore Structures, Risk Analysis, Neural Networks, Neural Networks, Nonlinear Analysis, Large Scale Computation, Computational Methods, Finite Element Method and Structural Analysis.
Manoel Domingues Junior earned a B.Sc. in Electronic and Computer Engineering from the Federal University of Rio de Janeiro (2019). He is currently the Principal Security Engineer at the Globo Comunicaço e Participações SA, substitute professor at the Federal University of Rio de Janeiro and founder of MFS Security Engineering. He is a master’s student in the Civil Engineering Program at Federal University of Rio de Janeiro, working on the use of machine learning techniques to solve transversal engineering and computing problems for IoT and smart cities. He has experience in Computer Science, with an emphasis on Information Security, working mainly on the following topics: information security, access control and systems architecture.