ModSec-Learn: Boosting ModSecurity with Machine Learning

• URL: http://arxiv.org/abs/2406.13547v1
• Date: Wed, 19 Jun 2024 13:32:47 GMT
• Title: ModSec-Learn: Boosting ModSecurity with Machine Learning
• Authors: Christian Scano, Giuseppe Floris, Biagio Montaruli, Luca Demetrio, Andrea Valenza, Luca Compagna, Davide Ariu, Luca Piras, Davide Balzarotti, Battista Biggio,
• Abstract summary: ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF) We propose a machine-learning model that uses the Core Rule Set (CRS) rules as input features. ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web applications to protect.
• Score: 14.392409275321528
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matched rules exceeds a given threshold. However, we argue that this strategy is largely ineffective against web attacks, as detection is only based on heuristics and not customized on the application to protect. In this work, we overcome this issue by proposing a machine-learning model that uses the CRS rules as input features. Through training, ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web applications to protect. Our experiments show that ModSec-Learn achieves a significantly better trade-off between detection and false positive rates. Finally, we analyze how sparse regularization can reduce the number of rules that are relevant at inference time, by discarding more than 30% of the CRS rules. We release our open-source code and the dataset at https://github.com/pralab/modsec-learn and https://github.com/pralab/http-traffic-dataset, respectively.

Related papers

• AdvQDet: Detecting Query-Based Adversarial Attacks with Adversarial Contrastive Prompt Tuning [93.77763753231338]
  Adversarial Contrastive Prompt Tuning (ACPT) is proposed to fine-tune the CLIP image encoder to extract similar embeddings for any two intermediate adversarial queries. We show that ACPT can detect 7 state-of-the-art query-based attacks with $>99%$ detection rate within 5 shots. We also show that ACPT is robust to 3 types of adaptive attacks.
  arXiv  Detail & Related papers  (2024-08-04T09:53:50Z)
• Malicious URL Detection using optimized Hist Gradient Boosting Classifier based on grid search method [0.0]
  Trusting the accuracy of data inputted on online platforms can be difficult due to the possibility of malicious websites gathering information for unlawful reasons. To detect the risk posed by malicious websites, it is proposed to utilize Machine Learning (ML)-based techniques. The dataset used contains 1781 records of malicious benign website data with 13 features.
  arXiv  Detail & Related papers  (2024-06-12T11:16:30Z)
• EmInspector: Combating Backdoor Attacks in Federated Self-Supervised Learning Through Embedding Inspection [53.25863925815954]
  Federated self-supervised learning (FSSL) has emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data. While FSSL offers advantages, its susceptibility to backdoor attacks has not been investigated. We propose the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models.
  arXiv  Detail & Related papers  (2024-05-21T06:14:49Z)
• Robust Federated Learning Mitigates Client-side Training Data Distribution Inference Attacks [48.70867241987739]
  InferGuard is a novel Byzantine-robust aggregation rule aimed at defending against client-side training data distribution inference attacks. The results of our experiments indicate that our defense mechanism is highly effective in protecting against client-side training data distribution inference attacks.
  arXiv  Detail & Related papers  (2024-03-05T17:41:35Z)
• Can LLMs Follow Simple Rules? [28.73820874333199]
  Rule-following Language Evaluation Scenarios (RuLES) is a framework for measuring rule-following ability in Large Language Models. RuLES consists of 14 simple text scenarios in which the model is instructed to obey various rules while interacting with the user. We show that almost all current models struggle to follow scenario rules, even on straightforward test cases.
  arXiv  Detail & Related papers  (2023-11-06T08:50:29Z)
• Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning [16.09513503181256]
  ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF) We develop a robust machine learning model, named AdvModSec, which uses the Core Rule Set ( CRS) rules as input features. Our experiments show that AdvModSec, being trained on the traffic directed towards the protected web services, achieves a better trade-off between detection and false positive rates.
  arXiv  Detail & Related papers  (2023-08-09T13:58:03Z)
• CleanCLIP: Mitigating Data Poisoning Attacks in Multimodal Contrastive Learning [63.72975421109622]
  CleanCLIP is a finetuning framework that weakens the learned spurious associations introduced by backdoor attacks. CleanCLIP maintains model performance on benign examples while erasing a range of backdoor attacks on multimodal contrastive learning.
  arXiv  Detail & Related papers  (2023-03-06T17:48:32Z)
• Post-Training Detection of Backdoor Attacks for Two-Class and Multi-Attack Scenarios [22.22337220509128]
  Backdoor attacks (BAs) are an emerging threat to deep neural network classifiers. We propose a detection framework based on BP reverse-engineering and a novel it expected transferability (ET) statistic.
  arXiv  Detail & Related papers  (2022-01-20T22:21:38Z)
• Controlling Neural Networks with Rule Representations [48.165658432032636]
  We propose a novel training method to integrate rules into deep learning. DeepCTRL incorporates a rule encoder into the model coupled with a rule-based objective. It does not require retraining to adapt the rule strength -- at inference, the user can adjust it based on the desired operation point.
  arXiv  Detail & Related papers  (2021-06-14T23:28:56Z)
• Intrinsic Certified Robustness of Bagging against Data Poisoning Attacks [75.46678178805382]
  In a emphdata poisoning attack, an attacker modifies, deletes, and/or inserts some training examples to corrupt the learnt machine learning model. We prove the intrinsic certified robustness of bagging against data poisoning attacks. Our method achieves a certified accuracy of $91.1%$ on MNIST when arbitrarily modifying, deleting, and/or inserting 100 training examples.
  arXiv  Detail & Related papers  (2020-08-11T03:12:42Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.