This document describes a zero-day web attack detection system called ZeroWall. It uses an encoder-decoder neural network trained on over 1.4 billion normal requests to learn patterns in web traffic. For new requests, it acts as a "self-translation machine" by encoding the request and trying to decode it back. It uses BLEU metrics to quantify how well the request translates - anomalous requests that cannot be translated are flagged as potential attacks. In experiments on real world traffic, ZeroWall detected 28 types of zero-day attacks comprising over 100,000 requests, while having low overhead when deployed with an existing signature-based web application firewall.
7. Introduce
> Why a zero-day attack is difficult to detect?
1) Have not been previously seen
2) Can be carried out by a single malicious HTTP request
3) Very rare within a large number of Web requests
#Kookmin_University #Natural_Language_Processing_lab. 6
> Most supervised approaches are inappropriate
> Contextual information is not helpful
> Collective and statistical information are not effective
ZeroWall
- Unsupervised approach
(work with an existing WAF in pipeline)
- Detecting a zero-day Web attack
hidden in an individual Web request
8. Introduce
> What we want?
1) WAF detects those known attacks effectively
2) ZeroWall detects unknown attacks ignored by WAF rules
#Kookmin_University #Natural_Language_Processing_lab. 7
> Filter out known attacks
> Report new attack patterns to operators
and security engineers to update WAF rules
9. Idea
1) HTTP request: string following HTTP
2) Most requests are benign, malicious requests are rare
#Kookmin_University #Natural_Language_Processing_lab. 8
> Consider an HTTP request as one sentence in the HTTP request language
> Train a kind of language model based on historical logs,
to learn this language from benign requests
Historical
Web logs
Language
Model
Train
One request
Can
understand
Cannot
understand
Benign Malicious
10. Idea : Self-Translate Machine
> How to learn this βHyper-Textβ language?
: Use Neural Network Translation model to train a Self-Translate Machine
- Encoder: encode the original request into one representation
- Decoder: decode it back
#Kookmin_University #Natural_Language_Processing_lab. 9
11. Idea : Self-Translate Machine
> How to quantify the self-translation quality(anomaly score)?
(Translation Quality = Anomaly Score)
An attack detection problem = A machine translation quality assessment problem
: use machine translation metrics
#Kookmin_University #Natural_Language_Processing_lab. 10
Historical
Web logs
Self-Translate
Machine
Train
One request
Good
Translation
Bad
Translation
Benign Malicious
14. Model: ZeroWall
> Offline Periodic Retraining
: build and update vocabulary and re-train the model
#Kookmin_University #Natural_Language_Processing_lab. 13
1
2 3
15. Model: ZeroWall
1) Building Vocabulary
#Kookmin_University #Natural_Language_Processing_lab. 14
Raw log
Bag of
Words
Vocabulary
Filtering
- Stop words
- variables
18. Model: ZeroWall
1) Parsing = parsing in offline training
2) Translation
#Kookmin_University #Natural_Language_Processing_lab. 17
translation
19. Model: ZeroWall
3) Detection
4) Investigate
(1) BLEU metrics
(2) Threshold [Larger? Yes β¨ Go to step 3; No β¨ Benign]
(3) Check whitelist [Not in whitelist? Yes β¨ Go to step 4; No β¨ Benign]
(4) Investigation [True Attacks β¨ Update WAF/IDS; False Alarms β¨ Update whitelist rules]
#Kookmin_University #Natural_Language_Processing_lab. 18
Original sequence(token sequence) vs. Translated sequence(recovered token sequence)
1 2 3 4
20. Experiments
> Data
- 8 real world trace from an internet company
- Over 1.4 billion requests in a week
> Overview
- Captured 28 different types of zero-day attacks
- Contribute to 141,583 of zero-day attack requests in total
#Kookmin_University #Natural_Language_Processing_lab. 19
# B2M: Ratio of Benign to Malicious (in WAF)
# B2Z: Ratio of Benign to Zero-Day
21. Experiments
> Baseline & labels
1) Unsupervised Approaches
2) Supervised Approaches
#Kookmin_University #Natural_Language_Processing_lab. 20
> SAE(stacked auto-encoder), HMM and DFA(Deterministic Finite Automata)
> Use data filtered by WAF as training set
> CNN, RNN and DT
> Use all data (allowed/dropped) as training set and WAF results as labels
23. Experiments
> Zero-Day case
- These attack is detected by ZeroWall, CNN, and RNN
- WAF are usually based on keywords, e.g., eval, request, select, and execute
- ZeroWall is based on the βunderstandingβ of benign requests
- The structure of this zero-day attack request is more like a programming language
#Kookmin_University #Natural_Language_Processing_lab. 22
ZeroWall
CNN and RNN
24. Experiments
> Whitelist
- To mitigate False Alarms
- The numbers of whitelist rules refer to βhow many whitelist rules are added each dayβ,
based on the FPs labeled on that day
(No rules applied on 0602 since it is the first day of testing set)
- The results shows that the whitelist reduces the number of FPs with low overhead
(Numbers of rules are very small)
- Based on these results, we believe ZeroWall is practical in real-world deployment
#Kookmin_University #Natural_Language_Processing_lab. 23
25. Summary
1) Present a zero-day web attack detection system ZeroWall
2) Deployed in the wild
#Kookmin_University #Natural_Language_Processing_lab. 24
- Augmenting existing signature-based WAFs
- Use Encoder-Decoder Network to learn patterns from normal requests
- Use Self-Translation Machine & BLEU metrics
- Over 1.4 billion requests
- Captured 28 different types of zero-day attacks
(100K of zero-day attack requests)
- Low overhead