基于循环神经网络的Web应用防火墙加固方案

doi:10.19678/j.issn.1000-3428.0063581

摘要/Abstract

摘要： Web应用防火墙（WAF）基于一组规则检测和过滤进出Web应用程序的HTTP流量，鉴于恶意流量的复杂性，需要对WAF规则进行不断更新以抵御最新的攻击。然而，现有的WAF规则更新方法都需要专业知识来人工设计关于某种攻击的恶意测试流量，并针对该恶意流量生成防护规则，这种方法十分耗时且不能扩展到其他类型的攻击。提出一种基于循环神经网络（RNN）的Web应用防火墙加固方案，在不依赖任何专业知识的情况下自动化加固WAF。使用RNN模型生成恶意攻击样本，从中找到能够绕过WAF的恶意攻击，发现WAF规则存在的安全风险。在此基础上，通过设计评分函数找到恶意攻击样本的重要字符串来生成加固签名，阻止后续类似的攻击，并设计简化的正则表达式作为加固签名的表达形式。在4款WAF上针对SQL注入、跨站脚本攻击和命令注入这3种攻击进行测试，结果显示，该方案成功生成了大量绕过WAF的恶意样本，WAF针对这些样本的平均拦截率仅为52%，与传统突变方案和SQLMap工具相比能够生成更多绕过恶意攻击，在应用加固签名后，WAF的恶意攻击拦截率提升至90%以上且误报率维持为0，表明加固签名成功阻止了这些绕过攻击，验证了所提方案的有效性。

关键词: Web应用防火墙, 循环神经网络, SQL注入, 跨站脚本, 命令注入

Abstract: Web Application Firewall(WAF) detects and filters HTTP traffic to and from a Web application via a set of rules.Owing to the complexity of malicious traffic, WAF rules must be constantly updated to defend against latest or advanced attacks.However, existing methods for updating WAF rules require high degree of human expertise to manually design malicious test traffic for a particular attack and generate protection rules for malicious traffic, which is time-consuming and cannot be adapted to other types of attacks.In this study, a WAF reinforcement scheme based on Recurrent Neural Network(RNN) is proposed to automate the reinforcement of the WAF without relying on any human expert knowledge.It generates malicious payloads through RNN and discovers bypassing malicious payloads against WAF from the payloads, that is, to discover the security risks of the WAF rules.Then it designs scoring functions to find the important strings of the malicious payloads to generate signatures and block subsequent similar attacks, and designs a simplified regular expression as the expression of the strengthened signature.We test four WAFs and examine three types of attacks:SQL injection, Cross-Site Scripting(XSS) and Command Injection(CI).The results show that the proposed scheme successfully generates a large number of malicious payloads that bypass the WAF, and the average blocking rate of the WAF is only 52%.We also generate more bypassed malicious attacks compared with traditional mutation schemes and SQLMap.After applying the signatures, the WAF malicious attack blocking rate increased to over 90% and maintained a false positive rate of 0.This shows that the signatures successfully block these bypassed attacks, thereby validating the effectiveness of the proposed scheme.

Key words: Web Application Firewall(WAF), Recurrent Neural Network(RNN), SQL injection, Cross-Site Scripting(XSS), Command Injection(CI)

中图分类号:

TP393.08

朱思猛, 杜瑞颖, 陈晶, 何琨. 基于循环神经网络的Web应用防火墙加固方案[J]. 计算机工程, 2022, 48(11): 120-126.

ZHU Simeng, DU Ruiying, CHEN Jing, HE Kun. Web Application Firewall Reinforcement Scheme Based on Recurrent Neural Network[J]. Computer Engineering, 2022, 48(11): 120-126.

http://www.ecice06.com/CN/Y2022/V48/I11/120

图/表 8

20230211175444

20230211175447

20230211175451

20230211175455

20230211175458

20230211175502

20230211175505

20230211175508

参考文献

[1] LI X, XUE Y.A survey on Web application security[EB/OL].[2021-12-05].https://www.isis.vanderbilt.edu/sites/default/files/main_0.pdf.
[2] NTTsecurity.2019 NTT global threat intelligence report[EB/OL].[2021-12-05].https://ishare.iask.sina.com.cn/f/8vy3VW5Iyt.html.
[3] 马月, 侯雪城, 吴佳帅, 等.Web应用防火墙(WAF)技术的综述[J].计算机时代, 2020(3):13-15, 19. MA Y, HOU X C, WU J S, et al.Research on technologies of Web application firewall[J].Computer Era, 2020(3):13-15, 19.(in Chinese)
[4] 刘志光.Web应用防火墙技术分析[J].情报探索, 2014(3):103-105, 129. LIU Z G.Analysis on firewall technologies of Web-based application[J].Information Research, 2014(3):103-105, 129.(in Chinese)
[5] LI Y F, DAS P K, DOWE D L.Two decades of Web application testing-a survey of recent advances[J].Information Systems, 2014, 43:20-54.
[6] LEE T, WI S, LEE S, et al.FUSE:finding file upload bugs via penetration testing[C]//Proceedings of 2020 Network and Distributed System Security Symposium.Reston, USA:Internet Society, 2020:1-10.
[7] DEMETRIO L, VALENZA A, COSTA G, et al.WAF-A-MoLE:evading Web application firewalls through adversarial machine learning[C]//Proceedings of the 35th Annual ACM Symposium on Applied Computing.New York, USA:ACM Press, 2020:1745-1752.
[8] LYU C, JI S, ZHANG C, et al.MOPT:optimized mutation scheduling for fuzzers[C]//Proceedings of the 28th USENIX Security Symposium.[S.l.]:USENIX, 2019:1949-1966.
[9] APPELT D, NGUYEN C D, PANICHELLA A, et al.A machine-learning-driven evolutionary approach for testing Web application firewalls[J].IEEE Transactions on Reliability, 2018, 67(3):733-757.
[10] BAU J, BURSZTEIN E, GUPTA D, et al.State of the art:automated black-box Web application vulnerability testing[C]//Proceedings of IEEE Symposium on Security and Privacy.Washington D.C., USA:IEEE Press, 2010:332-345.
[11] DOUPÉ A, COVA M, VIGNA G.Why Johnny can't pentest:an analysis of black-box Web vulnerability scanners[C]//Proceedings of International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment.Berlin, Germany:Springer, 2010:111-131.
[12] BOYD S W, KEROMYTIS A D.SQLrand:preventing SQL injection attacks[C]//Proceedings of International Conference on Applied Cryptography and Network Security.Berlin, Germany:Springer, 2004:292-302.
[13] 谷家腾, 辛阳.基于动态分析的XSS漏洞检测模型[J].计算机工程, 2018, 44(10):34-41. GU J T, XIN Y.XSS vulnerability detection model based on dynamic analysis[J].Computer Engineering, 2018, 44(10):34-41.(in Chinese)
[14] 朱辉, 沈明星, 李善平.Web应用中代码注入漏洞的测试方法[J].计算机工程, 2010, 36(10):173-175, 178. ZHU H, SHEN M X, LI S P.Test method on code injection vulnerabilities of Web application[J].Computer Engineering, 2010, 36(10):173-175, 178.(in Chinese)
[15] 刘博, 王明烁, 李永, 等.深度学习在时空序列预测中的应用综述[J].北京工业大学学报, 2021, 47(8):925-941. LIU B, WANG M L, LI Y, et al.Deep learning for spatio-temporal sequence forecasting:a survey[J].Journal of Beijing University of Technology, 2021, 47(8):925-941. (in Chinese)
[16] 何力, 郑灶贤, 项凤涛, 等.基于深度学习的文本分类技术研究进展[J].计算机工程, 2021, 47(2):1-11. HE L, ZHENG Z X, XIANG F T, et al.Research progress of text classification technology based on deep learning[J].Computer Engineering, 2021, 47(2):1-11.(in Chinese)
[17] LI Z, ZOU D Q, XU S H, et al.VulDeePecker:a deep learning-based system for vulnerability detection[C]//Proceedings of 2018 Network and Distributed System Security Symposium.Reston, USA:Internet Society, 2018:1-10.
[18] 郭可翔, 王衡军, 白祉旭.基于多通道CNN和BiGRU的字词级文本错误检测模型[J].计算机工程:2022, 48(9):63-70. GUO K X, WANG H J, BAI Z X.A word-level text error detection model based on multi-channel CNN and BiGRU[J].Computer Engineering:2022, 48(9):63-70.(in Chinese)
[19] CHO K, VAN MERRIENBOER B, GULCEHRE C, et al.Learning phrase representations using RNN encoder-decoder for statistical machine translation[C]//Proceedings of the 2014 Conference on Empirical Methods in Natural Language Processing.Stroudsburg, USA:Association for Computational Linguistics, 2014:1-10.
[20] ITO M, IYATOMI H.Web application firewall using character-level convolutional neural network[C]//Proceedings of the 14th International Colloquium on Signal Processing & Its Applications.Washington D.C., USA:IEEE Press:103-106.
[21] 姚琳琳, 何倩, 王勇, 等.基于分布式对等架构的Web应用防火墙[J].计算机工程, 2012, 38(22):114-118. YAO L L, HE Q, WANG Y, et al.Web application firewall based on distributed P2P architecture[J].Computer Engineering, 2012, 38(22):114-118.(in Chinese)
[22] APPELT D, NGUYEN C D, BRIAND L.Behind an application firewall, are we safe from SQL injection attacks?[C]//Proceedings of the 8th International Conference on Software Testing, Verification and Validation.Washington D.C., USA:IEEE Press, 2015:1-10.
[23] KINGMA D P, BA J.Adam:a method for stochastic optimization[EB/OL].[2021-12-05].https://arxiv.org/abs/1412.6980.
[24] ABADI M, AGARWAL A, BARHAM P, et al.TensorFlow:large-scale machine learning on heterogeneous distributed systems[EB/OL].[2021-12-05].https://arxiv.org/abs/1603.04467.
[25] CSIC.HTTP CSIC 2010[EB/OL].[2021-12-05].https://www.isi.csic.es/dataset/.

选择文件类型/文献管理软件名称

选择包含的内容