-
ModSec-Learn: Boosting ModSecurity with Machine Learning
Authors:
Christian Scano,
Giuseppe Floris,
Biagio Montaruli,
Luca Demetrio,
Andrea Valenza,
Luca Compagna,
Davide Ariu,
Luca Piras,
Davide Balzarotti,
Battista Biggio
Abstract:
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matche…
▽ More
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matched rules exceeds a given threshold. However, we argue that this strategy is largely ineffective against web attacks, as detection is only based on heuristics and not customized on the application to protect. In this work, we overcome this issue by proposing a machine-learning model that uses the CRS rules as input features. Through training, ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web applications to protect. Our experiments show that ModSec-Learn achieves a significantly better trade-off between detection and false positive rates. Finally, we analyze how sparse regularization can reduce the number of rules that are relevant at inference time, by discarding more than 30% of the CRS rules. We release our open-source code and the dataset at https://github.com/pralab/modsec-learn and https://github.com/pralab/http-traffic-dataset, respectively.
△ Less
Submitted 19 June, 2024;
originally announced June 2024.
-
Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning
Authors:
Biagio Montaruli,
Luca Demetrio,
Andrea Valenza,
Luca Compagna,
Davide Ariu,
Luca Piras,
Davide Balzarotti,
Battista Biggio
Abstract:
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set, identifying well-known attack patterns. Each rule in the CRS is manually assigned a weight, based on the severity of the corresponding attack, and a request is detected as malicious if the sum of t…
▽ More
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set, identifying well-known attack patterns. Each rule in the CRS is manually assigned a weight, based on the severity of the corresponding attack, and a request is detected as malicious if the sum of the weights of the firing rules exceeds a given threshold. In this work, we show that this simple strategy is largely ineffective for detecting SQL injection (SQLi) attacks, as it tends to block many legitimate requests, while also being vulnerable to adversarial SQLi attacks, i.e., attacks intentionally manipulated to evade detection. To overcome these issues, we design a robust machine learning model, named AdvModSec, which uses the CRS rules as input features, and it is trained to detect adversarial SQLi attacks. Our experiments show that AdvModSec, being trained on the traffic directed towards the protected web services, achieves a better trade-off between detection and false positive rates, improving the detection rate of the vanilla version of ModSecurity with CRS by 21%. Moreover, our approach is able to improve its adversarial robustness against adversarial SQLi attacks by 42%, thereby taking a step forward towards building more robust and trustworthy WAFs.
△ Less
Submitted 17 August, 2023; v1 submitted 9 August, 2023;
originally announced August 2023.
-
Why Charles Can Pen-test: an Evolutionary Approach to Vulnerability Testing
Authors:
Gabriele Costa,
Andrea Valenza
Abstract:
Discovering vulnerabilities in applications of real-world complexity is a daunting task: a vulnerability may affect a single line of code, and yet it compromises the security of the entire application. Even worse, vulnerabilities may manifest only in exceptional circumstances that do not occur in the normal operation of the application. It is widely recognized that state-of-the-art penetration tes…
▽ More
Discovering vulnerabilities in applications of real-world complexity is a daunting task: a vulnerability may affect a single line of code, and yet it compromises the security of the entire application. Even worse, vulnerabilities may manifest only in exceptional circumstances that do not occur in the normal operation of the application. It is widely recognized that state-of-the-art penetration testing tools play a crucial role, and are routinely used, to dig up vulnerabilities. Yet penetration testing is still primarily a human-driven activity, and its effectiveness still depends on the skills and ingenuity of the security analyst driving the tool. In this paper, we propose a technique for the automatic discovery of vulnerabilities in event-based systems, such as web and mobile applications. Our approach is based on a collaborative, co-evolutionary and contract-driven search strategy that iteratively (i) executes a pool of test cases, (ii) identifies the most promising ones, and (iii) generates new test cases from them. The approach makes a synergistic combination of evolutionary algorithms where several "species" contribute to solving the problem: one species, the test species, evolves to find the target test case, i.e., the set of instruction whose execution lead to the vulnerable statement, whereas the other species, called contract species, evolve to select the parameters for the procedure calls needed to trigger the vulnerability. To assess the effectiveness of our approach, we implemented a working prototype and ran it against both a case study and a benchmark web application. The experimental results confirm that our tool automatically discovers and executes a number of injection flaw attacks that are out of reach for state-of-the-art web scanners.
△ Less
Submitted 9 December, 2020; v1 submitted 26 November, 2020;
originally announced November 2020.
-
Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners
Authors:
Andrea Valenza,
Gabriele Costa,
Alessandro Armando
Abstract:
The first step of every attack is reconnaissance, i.e., to acquire information about the target. A common belief is that there is almost no risk in scanning a target from a remote location. In this paper we falsify this belief by showing that scanners are exposed to the same risks as their targets. Our methodology is based on a novel attacker model where the scan author becomes the victim of a cou…
▽ More
The first step of every attack is reconnaissance, i.e., to acquire information about the target. A common belief is that there is almost no risk in scanning a target from a remote location. In this paper we falsify this belief by showing that scanners are exposed to the same risks as their targets. Our methodology is based on a novel attacker model where the scan author becomes the victim of a counter-strike. We developed a working prototype, called RevOK, and we applied it to 78 scanning systems. Out of them, 36 were found vulnerable to XSS. Remarkably, RevOK also found a severe vulnerability in Metasploit Pro, a mainstream penetration testing tool.
△ Less
Submitted 17 June, 2020;
originally announced June 2020.
-
WAF-A-MoLE: Evading Web Application Firewalls through Adversarial Machine Learning
Authors:
Luca Demetrio,
Andrea Valenza,
Gabriele Costa,
Giovanni Lagorio
Abstract:
Web Application Firewalls are widely used in production environments to mitigate security threats like SQL injections. Many industrial products rely on signature-based techniques, but machine learning approaches are becoming more and more popular. The main goal of an adversary is to craft semantically malicious payloads to bypass the syntactic analysis performed by a WAF. In this paper, we present…
▽ More
Web Application Firewalls are widely used in production environments to mitigate security threats like SQL injections. Many industrial products rely on signature-based techniques, but machine learning approaches are becoming more and more popular. The main goal of an adversary is to craft semantically malicious payloads to bypass the syntactic analysis performed by a WAF. In this paper, we present WAF-A-MoLE, a tool that models the presence of an adversary. This tool leverages on a set of mutation operators that alter the syntax of a payload without affecting the original semantics. We evaluate the performance of the tool against existing WAFs, that we trained using our publicly available SQL query dataset. We show that WAF-A-MoLE bypasses all the considered machine learning based WAFs.
△ Less
Submitted 7 January, 2020;
originally announced January 2020.
