Figure - uploaded by Khuong Nguyen-An
Examples of relationship between request categories and servers

Source publication
Article
Cybersecurity has always been a major concern for internet applications and the demand for website protection is on the rise. Nowadays, Web Application Firewalls (WAFs) are commonly used and trusted by web owners, as they are convenient and provide protection against multiple types of attacks by filtering incoming network requests. WAFs are powered...

Context in source publication

Context 1
... Table 1, we demonstrate the example relationship between each request category and some types of servers; and the definition of each type of example server is presented in Table 2. It is noted that plain text is always the normal category, while the others may vary (for example, SQL script is SQLi in most cases, but 'normal' to category server). ...

Citations

... However, they did not evaluate ModSecurity. Nguyen et al. [15] proposed a hybrid approach, combining ModSecurity with a machine-learning model for request categorization. However, none of these studies assessed the TPR-FPR trade-off for each PL as in this work. ...
Preprint
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matched rules exceeds a given threshold. However, we argue that this strategy is largely ineffective against web attacks, as detection is only based on heuristics and not customized on the application to protect. In this work, we overcome this issue by proposing a machine-learning model that uses the CRS rules as input features. Through training, ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web applications to protect. Our experiments show that ModSec-Learn achieves a significantly better trade-off between detection and false positive rates. Finally, we analyze how sparse regularization can reduce the number of rules that are relevant at inference time, by discarding more than 30% of the CRS rules. We release our open-source code and the dataset at https://github.com/pralab/modsec-learn and https://github.com/pralab/http-traffic-dataset, respectively.
... T.-C.-H. Nguyen et al. [10] proposed a machine learning approach using WAF rules to train a self-reliant decision model, resulting in neutral results. The module has been tested but has limitations such as a small dataset, skewed ML model, and limited testing of malicious request validators. ...
... We aim to classify requests supplied as inputs to determine whether they are harmful or inoffensive. The requests then can be categorized into five categories, as inspired by [10]: ...
... As presented in [10], normal requests to a server have the same category. For example, a static web request may only contain plain text, API server requests are mostly JSON format, incoming queries to a database are SQL, or online compilers use programming language-format requests. ...
Chapter
Web application firewalls (WAFs) are frequently utilized since they are simple services and offer considerable defense against various cyber attacks. However, based on rules and signatures, traditional WAFs have significant false positive rates (34%.