-
ModSec-Learn: Boosting ModSecurity with Machine Learning
Authors:
Christian Scano,
Giuseppe Floris,
Biagio Montaruli,
Luca Demetrio,
Andrea Valenza,
Luca Compagna,
Davide Ariu,
Luca Piras,
Davide Balzarotti,
Battista Biggio
Abstract:
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matched rules exceeds a given threshold. However, we argue that this strategy is largely ineffective against web attacks, as detection is based only on heuristics and is not tailored to the application being protected. In this work, we overcome this issue by proposing a machine-learning model that uses the CRS rules as input features. Through training, ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web application being protected. Our experiments show that ModSec-Learn achieves a significantly better trade-off between detection and false positive rates. Finally, we analyze how sparse regularization can reduce the number of rules that are relevant at inference time, by discarding more than 30% of the CRS rules. We release our open-source code and the dataset at https://github.com/pralab/modsec-learn and https://github.com/pralab/http-traffic-dataset, respectively.
Submitted 19 June, 2024;
originally announced June 2024.
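As a rough illustration of the ModSec-Learn abstract above, the sketch below contrasts a fixed-weight threshold check with a linear model over the same rule activations. The rule names, weights, bias, and threshold are all hypothetical placeholders, not values from the CRS or from the paper, and the learned weights are hard-coded rather than trained.

```python
from typing import Dict, Set

# Hypothetical rule names and hand-assigned severity weights (not real CRS values).
CRS_WEIGHTS: Dict[str, float] = {"rule_a": 5.0, "rule_b": 3.0, "rule_c": 2.0}

# Hypothetical weights as a trained linear model might produce them; a sparse
# penalty is assumed to have driven the weight of rule_c to exactly zero.
LEARNED: Dict[str, float] = {"rule_a": 1.8, "rule_b": -0.4, "rule_c": 0.0}


def crs_style_block(fired: Set[str], weights: Dict[str, float], threshold: float) -> bool:
    """Block when the summed weights of the fired rules exceed the threshold."""
    score = sum(weights[r] for r in fired if r in weights)
    return score > threshold


def learned_block(fired: Set[str], learned_weights: Dict[str, float], bias: float) -> bool:
    """Linear decision over binary rule activations (rule fired = feature value 1)."""
    score = bias + sum(learned_weights.get(r, 0.0) for r in fired)
    return score > 0.0


def active_rules(learned_weights: Dict[str, float]) -> Set[str]:
    """Rules with a non-zero weight, i.e. those still needed at inference time."""
    return {r for r, w in learned_weights.items() if w != 0.0}
```

With these placeholder numbers, a request firing only `rule_b` and `rule_c` is blocked by the fixed-weight check at threshold 4.0 but passes the linear model with bias -0.5, and `rule_c` drops out of the set of rules that must be evaluated.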
-
Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning
Authors:
Biagio Montaruli,
Luca Demetrio,
Andrea Valenza,
Luca Compagna,
Davide Ariu,
Luca Piras,
Davide Balzarotti,
Battista Biggio
Abstract:
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule in the CRS is manually assigned a weight, based on the severity of the corresponding attack, and a request is detected as malicious if the sum of the weights of the firing rules exceeds a given threshold. In this work, we show that this simple strategy is largely ineffective for detecting SQL injection (SQLi) attacks, as it tends to block many legitimate requests, while also being vulnerable to adversarial SQLi attacks, i.e., attacks intentionally manipulated to evade detection. To overcome these issues, we design a robust machine learning model, named AdvModSec, which uses the CRS rules as input features and is trained to detect adversarial SQLi attacks. Our experiments show that AdvModSec, being trained on the traffic directed towards the protected web services, achieves a better trade-off between detection and false positive rates, improving the detection rate of the vanilla version of ModSecurity with CRS by 21%. Moreover, our approach improves robustness against adversarial SQLi attacks by 42%, thereby taking a step forward towards building more robust and trustworthy WAFs.
Submitted 17 August, 2023; v1 submitted 9 August, 2023;
originally announced August 2023.
-
DeltaPhish: Detecting Phishing Webpages in Compromised Websites
Authors:
Igino Corona,
Battista Biggio,
Matteo Contini,
Luca Piras,
Roberto Corda,
Mauro Mereu,
Guido Mureddu,
Davide Ariu,
Fabio Roli
Abstract:
The large-scale deployment of modern phishing attacks relies on the automatic exploitation of vulnerable websites in the wild, to maximize profit while hindering attack traceability, detection and blacklisting. To the best of our knowledge, this is the first work that specifically leverages this adversarial behavior for detection purposes. We show that phishing webpages can be accurately detected by highlighting HTML code and visual differences with respect to other (legitimate) pages hosted within a compromised website. Our system, named DeltaPhish, can be installed as part of a web application firewall, to detect the presence of anomalous content on a website after compromise, and eventually prevent access to it. DeltaPhish is also robust against adversarial attempts in which the HTML code of the phishing page is carefully manipulated to evade detection. We empirically evaluate it on more than 5,500 webpages collected in the wild from compromised websites, showing that it is capable of detecting more than 99% of phishing webpages, while only misclassifying less than 1% of legitimate pages. We further show that the detection rate remains higher than 70% even under very sophisticated attacks carefully designed to evade our system.
Submitted 2 July, 2017;
originally announced July 2017.
-
Bucklin Voting is Broadly Resistant to Control
Authors:
Gábor Erdélyi,
Lena Piras,
Jörg Rothe
Abstract:
Electoral control models ways of changing the outcome of an election via such actions as adding/deleting/partitioning either candidates or voters. These actions modify an election's participation structure and aim at either making a favorite candidate win ("constructive control") or preventing a despised candidate from winning ("destructive control"), which yields a total of 22 standard control scenarios. To protect elections from such control attempts, computational complexity has been used to show that electoral control, though not impossible, is computationally prohibitive. Among natural voting systems with a polynomial-time winner problem, the two systems with the highest number of proven resistances to control types (namely 19 out of 22) are "sincere-strategy preference-based approval voting" (SP-AV, a modification of a system proposed by Brams and Sanver) and fallback voting. Both are hybrid systems; e.g., fallback voting combines approval with Bucklin voting. In this paper, we study the control complexity of Bucklin voting itself and show that it behaves equally well in terms of control resistance for the 20 cases investigated so far. As Bucklin voting is a special case of fallback voting, all resistances shown for Bucklin voting in this paper strengthen the corresponding resistance for fallback voting.
Submitted 22 May, 2010;
originally announced May 2010.
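For readers unfamiliar with the voting rule studied in the entry above, the following is a minimal sketch of Bucklin winner determination under one common formulation: find the smallest level at which some candidate is ranked in the top positions by a strict majority of voters, then pick the candidates with the largest score at that level. It assumes a non-empty list of complete strict rankings over the same candidates; the function name is illustrative, and simplified variants that skip the final tie-break also appear in the literature.

```python
from collections import Counter
from typing import Sequence, Set


def bucklin_winners(votes: Sequence[Sequence[str]]) -> Set[str]:
    """Return the Bucklin winners for complete strict rankings (best first)."""
    n = len(votes)
    majority = n // 2 + 1  # strict majority threshold
    num_candidates = len(votes[0])
    for level in range(1, num_candidates + 1):
        # Level score: number of voters ranking the candidate among their top `level`.
        scores = Counter(c for vote in votes for c in vote[:level])
        reached = {c: s for c, s in scores.items() if s >= majority}
        if reached:
            # Among candidates reaching a majority at this level, keep the top scorers.
            best = max(reached.values())
            return {c for c, s in reached.items() if s == best}
    return set()  # not reached for complete rankings over the same candidates
```

The polynomial-time winner problem mentioned in the abstract is visible here: the loop runs over at most as many levels as there are candidates, and each level needs a single pass over the votes.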
-
Control Complexity in Fallback Voting
Authors:
Gábor Erdélyi,
Lena Piras,
Jörg Rothe
Abstract:
We study the control complexity of fallback voting. Like manipulation and bribery, electoral control describes ways of changing the outcome of an election; unlike manipulation or bribery attempts, control actions (such as adding/deleting/partitioning either candidates or voters) modify the participative structure of an election. Via such actions one can try to either make a favorite candidate win ("constructive control") or prevent a despised candidate from winning ("destructive control"). Computational complexity can be used to protect elections from control attempts, i.e., proving an election system resistant to some type of control shows that the success of the corresponding control action, though not impossible, is computationally prohibitive. We show that fallback voting, an election system combining approval with majority voting, is resistant to each of the common types of candidate control and to each common type of constructive control. Among natural election systems with a polynomial-time winner problem, only plurality and sincere-strategy preference-based approval voting (SP-AV) were previously known to be fully resistant to candidate control, and only Copeland voting and SP-AV were previously known to be fully resistant to constructive control. However, plurality has fewer resistances to voter control, Copeland voting has fewer resistances to destructive control, and SP-AV (which like fallback voting has 19 out of 22 proven control resistances) is arguably less natural a system than fallback voting.
Submitted 20 April, 2010;
originally announced April 2010.