A Machine-Learning-Driven Evolutionary Approach for Testing Web Application Firewalls

Bibliographic Details
Published in: IEEE Transactions on Reliability, 2018-09, Vol. 67 (3), p. 733-757
Main Authors: Appelt, Dennis; Nguyen, Cu D.; Panichella, Annibale; Briand, Lionel C.
Format: Article
Language: English
Description
Summary: Web application firewalls (WAFs) are an essential protection mechanism for online software systems. Because of the relentless flow of new kinds of attacks as well as their increased sophistication, WAFs have to be updated and tested regularly to prevent attackers from easily circumventing them. In this paper, we focus on testing WAFs for SQL injection attacks, but the general principles and strategy we propose can be adapted to other contexts. We present ML-Driven, an approach based on machine learning and an evolutionary algorithm to automatically detect holes in WAFs that let SQL injection attacks bypass them. Initially, ML-Driven automatically generates a diverse set of attacks and submits them to the system being protected by the target WAF. Then, ML-Driven selects attacks that exhibit patterns (substrings) associated with bypassing the WAF and evolves them to generate new successful bypassing attacks. Machine learning is used to incrementally learn attack patterns from previously generated attacks according to their testing results, i.e., if they are blocked or bypass the WAF. We implemented ML-Driven in a tool and evaluated it on ModSecurity, a widely used open-source WAF, and a proprietary WAF protecting a financial institution. Our empirical results indicate that ML-Driven is effective and efficient at generating SQL injection attacks bypassing WAFs and identifying attack patterns.
ISSN: 0018-9529, 1558-1721
DOI: 10.1109/TR.2018.2805763