Saved in:
Bibliographic Details
Main Authors: Scano, Christian, Floris, Giuseppe, Montaruli, Biagio, Demetrio, Luca, Valenza, Andrea, Compagna, Luca, Ariu, Davide, Piras, Luca, Balzarotti, Davide, Biggio, Battista
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2406.13547
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909533165584384
author Scano, Christian
Floris, Giuseppe
Montaruli, Biagio
Demetrio, Luca
Valenza, Andrea
Compagna, Luca
Ariu, Davide
Piras, Luca
Balzarotti, Davide
Biggio, Battista
author_facet Scano, Christian
Floris, Giuseppe
Montaruli, Biagio
Demetrio, Luca
Valenza, Andrea
Compagna, Luca
Ariu, Davide
Piras, Luca
Balzarotti, Davide
Biggio, Battista
contents ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matched rules exceeds a given threshold. However, we argue that this strategy is largely ineffective against web attacks, as detection is only based on heuristics and not customized on the application to protect. In this work, we overcome this issue by proposing a machine-learning model that uses the CRS rules as input features. Through training, ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web applications to protect. Our experiments show that ModSec-Learn achieves a significantly better trade-off between detection and false positive rates. Finally, we analyze how sparse regularization can reduce the number of rules that are relevant at inference time, by discarding more than 30% of the CRS rules. We release our open-source code and the dataset at https://github.com/pralab/modsec-learn and https://github.com/pralab/http-traffic-dataset, respectively.
format Preprint
id arxiv_https___arxiv_org_abs_2406_13547
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle ModSec-Learn: Boosting ModSecurity with Machine Learning
Scano, Christian
Floris, Giuseppe
Montaruli, Biagio
Demetrio, Luca
Valenza, Andrea
Compagna, Luca
Ariu, Davide
Piras, Luca
Balzarotti, Davide
Biggio, Battista
Machine Learning
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matched rules exceeds a given threshold. However, we argue that this strategy is largely ineffective against web attacks, as detection is only based on heuristics and not customized on the application to protect. In this work, we overcome this issue by proposing a machine-learning model that uses the CRS rules as input features. Through training, ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web applications to protect. Our experiments show that ModSec-Learn achieves a significantly better trade-off between detection and false positive rates. Finally, we analyze how sparse regularization can reduce the number of rules that are relevant at inference time, by discarding more than 30% of the CRS rules. We release our open-source code and the dataset at https://github.com/pralab/modsec-learn and https://github.com/pralab/http-traffic-dataset, respectively.
title ModSec-Learn: Boosting ModSecurity with Machine Learning
topic Machine Learning
url https://arxiv.org/abs/2406.13547