
Doing Research about Web Application Firewalls

The talk presents three anomaly-based WAFs and discusses the problem of data acquisition when evaluating such systems: there are few appropriate public datasets. As a solution, two datasets created by the author are proposed. The results obtained with the three WAFs are shown and compared.

  1. Doing research about Web Application Firewalls. Carmen Torrano Giménez.
  2. Agenda
     • Three WAFs.
     • Data acquisition.
     • Results.
     • Comparison.
  3. Web Application Firewalls
     • Misuse detection.
     • Anomaly detection.
  4. Three anomaly-based WAFs
     • Stochastic: statistical techniques, Markov chains.
     • Machine learning: decision trees.
  5. Stochastic design (diagram)
     • Preprocessing: Dataset → Feature Extraction → NBD File.
     • Processing: Training phase (Store), Test phase (Check) → WAF.
  6. Demo Time.
  7. Detection models
     • Length model.
     • Character distribution model.
  8. Statistical detection models
     • Length model.
     • Character distribution: percentage of letters, percentage of digits, percentage of non-alphanumeric characters, non-alphanumeric set.
  9. Markovian detection models
     • Length model.
     • Character distribution [Ramana, 2007].
  10. Test / detection process (diagram)
     • Each request is checked against the NBD file in four steps: Method, Resource, Headers, Arguments.
     • Every step is either correct or incorrect. If all four are correct the request is forwarded; the first incorrect step rejects the request.
  11. Detection process
     • Length model.
     • Character distribution.
     • Statistical or Markovian implementation.
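The following is an added example, not the author's code, of what slides 5, 8 and 10 describe: a training phase that stores a length model and a character-distribution model (percentages of letters, digits and non-alphanumerics plus the non-alphanumeric set) per argument, and a test phase that checks method, resource and arguments in sequence and rejects at the first incorrect step. The shop application paths, the normal traffic, the Chebyshev-bound threshold and the percentage tolerance are all constructed assumptions; headers are left out because the constructed requests carry none.

```python
"""Minimal statistical anomaly-based WAF (added example, not the author's code)."""
from urllib.parse import parse_qsl, urlsplit

# Constructed normal traffic for a hypothetical shop application; it stands in
# for the normal dataset / NBD file of the training phase.
NORMAL_REQUESTS = [
    "GET /shop/search?q=red+shoes&page=1",
    "GET /shop/search?q=blue+jacket&page=2",
    "GET /shop/search?q=winter+coat&page=1",
    "GET /shop/item?id=1042",
    "GET /shop/item?id=17",
    "GET /shop/item?id=530",
    "POST /shop/cart?id=1042&qty=2",
    "POST /shop/cart?id=17&qty=1",
    "POST /shop/cart?id=530&qty=3",
]

LENGTH_THRESHOLD = 0.1   # assumed: Chebyshev bound below which a length is anomalous
PCT_TOLERANCE = 0.25     # assumed: allowed deviation of a character-class percentage


def char_distribution(value):
    """Percentages of letters, digits and non-alphanumerics in a value, plus the
    set of non-alphanumeric characters it contains (the non-alphanumeric set)."""
    n = max(len(value), 1)
    letters = sum(c.isalpha() for c in value)
    digits = sum(c.isdigit() for c in value)
    others = {c for c in value if not c.isalnum()}
    return letters / n, digits / n, (len(value) - letters - digits) / n, others


class ArgumentModel:
    """Length model and character-distribution model for one argument name."""

    def __init__(self):
        self.samples = []

    def train(self, value):
        self.samples.append(value)

    def finish(self):
        """Store phase: summarise the training values into model parameters."""
        n = len(self.samples)
        lengths = [len(v) for v in self.samples]
        self.mean_len = sum(lengths) / n
        self.var_len = sum((l - self.mean_len) ** 2 for l in lengths) / n
        dists = [char_distribution(v) for v in self.samples]
        self.mean_pct = tuple(sum(d[i] for d in dists) / n for i in range(3))
        self.charset = set().union(*(d[3] for d in dists))

    def check(self, value):
        """Check phase: return the list of violated models (empty = normal)."""
        reasons = []
        length = len(value)
        if length > self.mean_len:
            # Chebyshev: P(|X - mean| >= t) <= var / t^2. A tiny bound means the
            # training data makes a length this large very unlikely.
            if self.var_len / (length - self.mean_len) ** 2 < LENGTH_THRESHOLD:
                reasons.append("length")
        pct_letters, pct_digits, pct_other, chars = char_distribution(value)
        observed = (pct_letters, pct_digits, pct_other)
        if any(abs(o - m) > PCT_TOLERANCE for o, m in zip(observed, self.mean_pct)):
            reasons.append("character distribution")
        if not chars <= self.charset:
            reasons.append("non-alphanumeric set")
        return reasons


class StatisticalWAF:
    def __init__(self):
        self.methods = set()
        self.resources = {}  # resource path -> {argument name -> ArgumentModel}

    @staticmethod
    def parse(request):
        method, target = request.split(" ", 1)
        parts = urlsplit(target)
        return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def train(self, requests):
        for req in requests:
            method, resource, args = self.parse(req)
            self.methods.add(method)
            models = self.resources.setdefault(resource, {})
            for name, value in args:
                models.setdefault(name, ArgumentModel()).train(value)
        for models in self.resources.values():
            for model in models.values():
                model.finish()

    def check(self, request):
        """Sequential test phase: method, then resource, then arguments.
        Returns ("forward", None) or ("reject", "<step>: <detail>")."""
        method, resource, args = self.parse(request)
        if method not in self.methods:
            return "reject", f"method: {method}"
        models = self.resources.get(resource)
        if models is None:
            return "reject", f"resource: {resource}"
        for name, value in args:
            model = models.get(name)
            if model is None:
                return "reject", f"arguments: unknown argument {name}"
            reasons = model.check(value)
            if reasons:
                return "reject", f"arguments: {name} violates {', '.join(reasons)}"
        return "forward", None


def demo():
    """Train on the constructed normal traffic and check a few test requests."""
    waf = StatisticalWAF()
    waf.train(NORMAL_REQUESTS)
    tests = [
        "GET /shop/search?q=red+hat&page=2",                        # normal
        "GET /shop/item?id=1042%20OR%201%3D1",                      # SQLi-shaped value
        "GET /shop/search?q=%3Cscript%3Ealert(1)%3C/script%3E&page=1",  # XSS-shaped value
        "DELETE /shop/item?id=17",                                  # unseen method
        "GET /admin/users",                                         # unseen resource
        "GET /shop/item?id=17&debug=1",                             # unseen argument
    ]
    return {req: waf.check(req) for req in tests}


if __name__ == "__main__":
    for req, (decision, detail) in demo().items():
        print(f"{decision:8} {req}  {detail or ''}")
```

Models are keyed per resource and argument name, so the same parameter name on two resources gets two independent length and character profiles, and only lengths above the training mean are tested, since unusually short values are not what these models are meant to catch.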
  12. Demo Time.
  13. Three anomaly-based WAFs (repeated)
     • Stochastic: statistical techniques, Markov chains.
     • Machine learning: decision trees.
  14. Machine learning system (diagram)
     • Preprocessing: feature extraction, feature selection. Processing: training phase, test phase.
     • Feature extraction: combination of expert knowledge and n-grams.
     • Feature selection: Generic FS (GeFS) [Nguyen et al., 2010].
     • Decision trees: C4.5, CART, Random Tree, Random Forest.
  15. How to evaluate WAFs?
  16. Data acquisition
     • "The most significant challenge that an evaluation faces is the lack of appropriate public datasets for assessing anomaly detection systems" [Sommer and Paxson, 2010], [Tavallaee et al., 2010].
     • Private datasets.
     • Comparison problem.
  17. Dataset comparison table
     • Criteria: Public, HTTP, Labelled, Classes, Up-to-date, Not anonymized.
     • Datasets: UNB ISCX, ECML/PKDD, LBNL, DEFCON, DARPA 98/99, Captured.
  18. Datasets
     • Solution: creation of our own datasets: CSIC, TORPEDA.
  19. Dataset comparison table (same criteria and datasets as slide 17, with CSIC/TORPEDA added).
  20. CSIC dataset
     • 36 000 normal requests, 25 000 anomalous requests.
     • Modern web attacks: SQLi, buffer overflow, information gathering, CRLFi, XSS, server side include and parameter tampering.
     • http://www.tic.itefi.csic.es/dataset/
  21. TORPEDA dataset
     • 8 500 normal requests, 15 000 anomalous requests, 55 000 attacks.
     • Modern web attacks: SQLi, XSS, buffer overflow, format string attack, LDAPi, OS command injection, HTTP splitting, local file include, server side include, XPathi, CRLFi, directory browsing, parameter tampering.
     • Type of attack.
     • http://www.tic.itefi.csic.es/torpeda/
  22. Experiments.
  23. Results (CSIC dataset)

     | Technique        | Detection Rate | False Positive Rate |
     |------------------|----------------|---------------------|
     | Statistical      | 99.4%          | 0.9%                |
     | Markov chain     | 98.1%          | 1%                  |
     | Machine Learning | 95.1%          | 4.9%                |

  24. More about contributions
     • Proposal of new feature extraction methods by combining expert knowledge and n-grams.

     | Features         | Detection Rate | False Positive Rate |
     |------------------|----------------|---------------------|
     | Expert Knowledge | 93.55%         | 7.15%               |
     | N-grams          | 82.43%         | 23.85%              |
     | Combination      | 94.41%         | 6.18%               |

  25. More about contributions
     • Successful application of the GeFS measure to web traffic for the first time.

     | Features         | Before FS | After FS |
     |------------------|-----------|----------|
     | Expert Knowledge | 30        | 11       |
     | N-grams          | 114       | 12       |
     | Combination      | 42        | 42       |

     • Reduction of the number of features between 63% and 91%.
     • Lower resource consumption and processing time.
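An added example, not the author's code, of the feature-extraction idea on slides 14 and 24 followed by a feature-selection step like the one on slide 25: each argument value is turned into hand-picked expert-knowledge features, character n-gram counts, or both, and features that are non-zero in fewer than `min_df` training values are dropped. The sample values, the expert feature list and the document-frequency filter are assumptions; the filter is a plain stand-in and does not implement the GeFS measure.

```python
"""Expert-knowledge + n-gram feature extraction with a simple selection step
(added example, not the author's code)."""
from collections import Counter

# Constructed argument values: the first five are ordinary shop inputs, the last
# two are attack-shaped (SQLi- and XSS-like) so the attack-only features show up.
SAMPLE_VALUES = [
    "red shoes",
    "blue jacket",
    "red jacket",
    "1042",
    "17",
    "' OR 1=1--",
    "<script>alert(1)</script>",
]


def expert_features(value):
    """Hand-picked (assumed) features a WAF author would expect to separate attacks."""
    n = max(len(value), 1)
    return {
        "length": len(value),
        "pct_letters": sum(c.isalpha() for c in value) / n,
        "pct_digits": sum(c.isdigit() for c in value) / n,
        "pct_other": sum(not c.isalnum() for c in value) / n,
        "has_quote": int("'" in value or '"' in value),
        "has_angle": int("<" in value or ">" in value),
        "has_space": int(" " in value),
    }


def ngram_features(value, n=2):
    """Counts of character n-grams; feature names carry the prefix 'ng:'."""
    grams = Counter(value[i:i + n] for i in range(len(value) - n + 1))
    return {"ng:" + g: c for g, c in grams.items()}


def extract(value, mode, n=2):
    """mode is 'expert', 'ngram' or 'combination' (expert features plus n-grams)."""
    feats = {}
    if mode in ("expert", "combination"):
        feats.update(expert_features(value))
    if mode in ("ngram", "combination"):
        feats.update(ngram_features(value, n))
    return feats


def select_features(rows, min_df=2):
    """Keep a feature only if it is non-zero in at least min_df training values.
    A document-frequency cut is a deliberately simple stand-in for GeFS."""
    df = Counter(name for row in rows for name, v in row.items() if v)
    return sorted(name for name, count in df.items() if count >= min_df)


def feature_report(values, mode, min_df=2):
    """Return (features before selection, features after, names kept)."""
    rows = [extract(v, mode) for v in values]
    before = sorted(set().union(*rows))
    after = select_features(rows, min_df)
    return len(before), len(after), after


if __name__ == "__main__":
    for mode in ("expert", "ngram", "combination"):
        before, after, kept = feature_report(SAMPLE_VALUES, mode)
        print(f"{mode:12} before FS: {before:3}  after FS: {after:3}")
```

On the constructed values the frequency filter cuts the n-gram set from 49 to 9 features, but it also discards `has_quote` and `has_angle`, the two expert features that are rare precisely because only attacks set them. That is the weakness of selecting on frequency alone, and the reason a measure that weighs each feature's relevance to the class label is preferable to this stand-in.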
  26. More about contributions
     • Optimization of the training phase by reducing the number of training requests.
     • Total number of requests: 61 000. Reduced to half (Markov and ML) or even to a quarter (statistical system).
  27. Comparison (CSIC dataset)

     | Technique    | Detection Rate | False Positive Rate | Processing Time (ms/req.) | Number of Training requests |
     |--------------|----------------|---------------------|---------------------------|-----------------------------|
     | Statistical  | 99.4%          | 0.9%                | 0.59                      | 16 383                      |
     | Markov chain | 98.1%          | 1%                  | 7.9                       | 32 767                      |
     | ML           | 95.1%          | 4.9%                | 0.3                       | 32 767                      |

  28. Publications: http://www.itefi.csic.es/es/personal/torrano-gimenez-carmen
  29. WAF - Defence
     • "What is defence in conception? The warding off a blow. What is then its characteristic sign? The state of expectancy (or of waiting for this blow)." Carl von Clausewitz, "On War".
  30. Thanks for your attention
     • Carmen Torrano: Carmen.torrano@iec.csic.es, ctorranog@gmail.com, @ctorranog, http://www.itefi.csic.es/es/personal/torrano-gimenez-carmen
