
Web Intrusion Detection with Bayesian Network
Kanatoko
Chief Tech Officer
Bitforest Co.,Ltd.
@kinyuka
http://www.jumperz.net/
http://www.scutum.jp/

1

02/17/14

Copyright (c) Bitforest Co., Ltd.
 

Who am I?

– Kanatoko
– Web Application Firewall Developer
– My mission: Building accurate WAF
• Reduce false positives/false negatives

 

Bayes’ theorem

– Used when we want to calculate P(A|B) when P(B|A) is known
– P(B|A) : the probability of event B given event A
– Not so hard to understand

 

What is Bayesian Network?

– Probabilistic graphical model (a type of statistical model) that represents a set of random variables and their conditional dependencies via a graph (Wikipedia)

[Diagram: example network with the nodes Hacker, Drunken, AVTokyo and Beer in hand]
 

Famous sprinkler example

• Nodes and edges represent cause and effect
• Probabilities are shown as tables (CPT: conditional probability table)
• Observations (= evidence) are used as input to nodes
• Unobservable nodes are used as output (= what we want to know)
• “The grass is wet. What is the probability that it rained?”

 

Weka

– OSS, Java, Data mining software
– GUI/lib/tools
– (Sprinkler Demo)

 

Web Intrusion Detection with Bayesian Network
• Probability that the HTTP request is an attack: 1%
• Probability that the HTTP request is NOT an attack: 99%
• Probability that the HTTP request contains ‘alert’ given that the request is an attack: 8%
• Probability that the HTTP request does NOT contain ‘alert’ given that the request is an attack: 92%
• Probability that the HTTP request contains ‘alert’ given that the request is NOT an attack: 0.2%
• Probability that the HTTP request does NOT contain ‘alert’ given that the request is NOT an attack: 99.8%

What is the probability that the HTTP request is an attack?
1%
What is the probability that the HTTP request is an attack, given that the HTTP request contains ‘alert’?
28.8%
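The slide's numbers carried through Bayes' theorem in code. This is an added example, not code from the talk or from Bitforest's WAF: the 1%, 8% and 0.2% values (and their complements 92% and 99.8%) come from the slide, while the odds-form function and the second signature's likelihoods (0.05 / 0.005) are constructed assumptions that show how several independent observations chain, which is the naive-Bayes step a spam filter takes.

```python
# Numbers from the slide: P(attack) = 1%, P('alert' | attack) = 8%,
# P('alert' | not attack) = 0.2%.  The presence of 'alert' is the evidence.
PRIOR_ATTACK = 0.01
P_ALERT_GIVEN_ATTACK = 0.08
P_ALERT_GIVEN_BENIGN = 0.002

# A second, purely constructed signature for the chained example below:
# (P(token | attack), P(token | benign)).  Not from the slides.
SECOND_SIGNATURE = (0.05, 0.005)


def bayes_posterior(prior, p_ev_given_h, p_ev_given_not_h):
    """P(H | E) = P(E | H) P(H) / (P(E | H) P(H) + P(E | not H) P(not H))."""
    joint_h = prior * p_ev_given_h
    joint_not_h = (1.0 - prior) * p_ev_given_not_h
    return joint_h / (joint_h + joint_not_h)


def attack_given_alert():
    """The slide's question: 'alert' is present in the request (about 0.288)."""
    return bayes_posterior(PRIOR_ATTACK, P_ALERT_GIVEN_ATTACK, P_ALERT_GIVEN_BENIGN)


def attack_given_no_alert():
    """Complementary case: 'alert' is absent, using the 92% and 99.8% rows."""
    return bayes_posterior(PRIOR_ATTACK,
                           1.0 - P_ALERT_GIVEN_ATTACK,
                           1.0 - P_ALERT_GIVEN_BENIGN)


def posterior_odds_form(prior, likelihoods):
    """Same computation in odds form, chained over independent observations.

    likelihoods: iterable of (P(E_i | attack), P(E_i | benign)) pairs.  Each
    observation multiplies the odds by its likelihood ratio; converting back
    to a probability at the end gives the naive-Bayes posterior.
    """
    odds = prior / (1.0 - prior)
    for p_given_attack, p_given_benign in likelihoods:
        odds *= p_given_attack / p_given_benign
    return odds / (1.0 + odds)


if __name__ == "__main__":
    print(f"P(attack | 'alert')       = {attack_given_alert():.4f}")
    print(f"P(attack | no 'alert')    = {attack_given_no_alert():.4f}")
    chained = posterior_odds_form(PRIOR_ATTACK,
                                  [(P_ALERT_GIVEN_ATTACK, P_ALERT_GIVEN_BENIGN),
                                   SECOND_SIGNATURE])
    print(f"P(attack | both tokens)   = {chained:.4f}")
```

The likelihood ratio for ‘alert’ is 0.08 / 0.002 = 40, so the prior odds of 1:99 become 40:99, i.e. 40/139 = 28.8%. A single rare-in-benign token moves a 1% prior a long way, but still leaves the request more likely benign than not; that is the base-rate effect a WAF tuner has to keep in mind when reading a posterior.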

 

Spam filter and Naïve Bayes

 

Building Accurate Intrusion Detection System / Web Application Firewall

– Signature-based (blacklist)
• If ‘alert’ then die!
• Simple and has some advantages
– Clear
– Performance: Stable / Fast enough
– Maintainable/Human readable

• Disadvantage: High false positive rate

 

Building Accurate Intrusion Detection System / Web Application Firewall(cont)

– Threshold model (vs. simple signature/blacklist model)
• Increase/decrease the score on each signature match
• Treated as an attack when the total score exceeds a certain threshold
• Low false positives (good)
• Hard to change/maintain (bad)
• Example rule 1: score +5 on ‘UNION’
• Example rule 2: score +5 on ‘SELECT’
• When both ‘UNION’ and ‘SELECT’ are found… score +10?
• Example rule 3: score +20 on ‘UNION and SELECT’
• Too complicated
 

Building Accurate Intrusion Detection System / Web Application Firewall(cont)

– Threshold model (vs. simple signature/blacklist model)
– Score +5 on ‘Alert’ ( XSS )
– Score +5 on ‘UNION’ ( SQLi )
– Score +10 on “Alert UNION”?
– Should distinguish XSS and SQLi (classes)

 

Building Accurate Intrusion Detection System / Web Application Firewall(cont)

– Bayesian Network
• Resolves almost all problems of the threshold model

 

Advantages of Bayesian Network

– Complicated relations can be modeled as network
(GUI)
– Computation result is expressed as probability
– Easy to maintain
– Corresponds to expert knowledge

 

Complicated relations can be modeled as network (GUI)

– One-to-many and weak/strong relations can be expressed
– Models can be developed in a GUI tool and then used to compute the probabilities
– We use the Weka Bayesian Network Editor
– Example: XSS/CMS
– Example: VA/User in Japan
– Example: ‘eval’ and programming languages (Java, Ruby, JavaScript, Perl, PHP… )

 

Computation result is expressed as probability

– ‘UNION’ only ( not special )
– ‘SELECT’ only ( not special )
– Both ‘UNION’ and ‘SELECT’ ( should be marked )
– The probability of the ‘rare case’ comes out high under Bayes’ theorem
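The UNION/SELECT point above, and the "should distinguish XSS and SQLi classes" point from the threshold-model slides, worked through on a small Bayesian network. This is an added example written for this page, not code from the talk, from Weka, or from Bitforest's WAF. The network structure, the class node with three values (benign / sqli / xss), the intermediate `sql_syntax` node (the kind of mediating variable the "Easy to maintain" slide refers to), every CPT number, the `SIGNATURES` table and the sample request strings are all constructed assumptions; inference is exact enumeration, which is enough for five nodes.

```python
from itertools import product

# Assumed structure (cause -> effect):
#   Class -> sql_syntax -> has_union
#   Class -> sql_syntax -> has_select
#   Class -> has_alert
# sql_syntax is an intermediate node: "does the request carry SQL syntax at all?"
# Every probability below is constructed for illustration, not measured.


class BayesNet:
    """Discrete Bayesian network with exact inference by enumeration."""

    def __init__(self):
        self.order = []   # insertion order; parents must be added first
        self.nodes = {}   # name -> (parents, values, cpt)

    def add(self, name, values, parents, cpt):
        """cpt maps a tuple of parent values to {value: probability}."""
        for row in cpt.values():
            assert abs(sum(row.values()) - 1.0) < 1e-9, f"CPT row of {name} must sum to 1"
        self.nodes[name] = (tuple(parents), tuple(values), cpt)
        self.order.append(name)

    def joint(self, assignment):
        """P(full assignment) = product over nodes of P(node | its parents)."""
        p = 1.0
        for name in self.order:
            parents, _, cpt = self.nodes[name]
            key = tuple(assignment[parent] for parent in parents)
            p *= cpt[key][assignment[name]]
        return p

    def query(self, target, evidence):
        """P(target | evidence): sum the joint over every unobserved node."""
        hidden = [n for n in self.order if n not in evidence and n != target]
        hidden_values = [self.nodes[n][1] for n in hidden]
        dist = {}
        for value in self.nodes[target][1]:
            total = 0.0
            for combo in product(*hidden_values):
                assignment = {**evidence, **dict(zip(hidden, combo)), target: value}
                total += self.joint(assignment)
            dist[value] = total
        norm = sum(dist.values())
        return {value: p / norm for value, p in dist.items()}


def build_waf_net():
    """Constructed toy model; a real WAF would estimate these from labelled traffic."""
    net = BayesNet()
    net.add("Class", ("benign", "sqli", "xss"), (),
            {(): {"benign": 0.98, "sqli": 0.01, "xss": 0.01}})
    net.add("sql_syntax", (True, False), ("Class",), {
        ("benign",): {True: 0.002, False: 0.998},   # e.g. a forum post about SQL
        ("sqli",):   {True: 0.95,  False: 0.05},
        ("xss",):    {True: 0.002, False: 0.998},
    })
    net.add("has_union", (True, False), ("sql_syntax",), {
        (True,):  {True: 0.70, False: 0.30},
        (False,): {True: 0.01, False: 0.99},   # 'union' is an ordinary English word too
    })
    net.add("has_select", (True, False), ("sql_syntax",), {
        (True,):  {True: 0.90, False: 0.10},
        (False,): {True: 0.02, False: 0.98},
    })
    net.add("has_alert", (True, False), ("Class",), {
        ("benign",): {True: 0.002, False: 0.998},
        ("sqli",):   {True: 0.01,  False: 0.99},
        ("xss",):    {True: 0.60,  False: 0.40},
    })
    return net


# Observation nodes and the substring that sets each one (assumed signatures).
SIGNATURES = {"has_union": "union", "has_select": "select", "has_alert": "alert"}


def evidence_from_request(request):
    """Turn signature hits in a raw request string into node observations."""
    lowered = request.lower()
    return {node: (token in lowered) for node, token in SIGNATURES.items()}


def classify(request, net=None):
    """Posterior over the class node given the signatures seen in the request."""
    if net is None:
        net = build_waf_net()
    return net.query("Class", evidence_from_request(request))


def attack_probability(dist):
    """Probability mass on any attack class, for thresholding in a WAF."""
    return 1.0 - dist["benign"]


if __name__ == "__main__":
    for req in ("GET /search?q=trade+union+membership",        # 'union' only
                "GET /search?q=union+select+tutorial",         # both SQL tokens
                "GET /post?msg=alert:+union+meeting+moved"):   # 'alert' + 'union'
        dist = classify(req)
        print(f"{req:45s} attack={attack_probability(dist):.3f} {dist}")
```

With these constructed numbers, ‘union’ alone leaves the request about 93% benign, ‘union’ plus ‘select’ pushes the SQLi class to about 80%, and ‘alert’ plus ‘union’ lands mostly in the XSS class rather than in an undifferentiated score bucket. Nothing had to be written for the pair; the co-occurrence is rare under the benign hypothesis and common under the SQLi one, so Bayes' theorem does the "+20 on UNION and SELECT" work of the threshold model on its own. Tuning happens by editing one CPT row (say, lowering `has_union` under `sql_syntax=False` after a false positive) and re-running the same queries.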

 

Easy to maintain

– Intermediate nodes (mediating variables) play an important role
– Influences behave as expected when we update the values in a CPT
– Can be improved little by little because it is not a black box such as a neural network

 

Corresponds to expert knowledge

“If A and B, then maybe C …”
is expressed as a probability
Similarity between the human decision-making process and a Bayesian network

 

Conclusion

Bayesian networks can be used to make decisions based on observations
If a human (expert) can detect attacks,
then we want the computer to do the same
Use Bayesian networks!

 

We’re hiring!

– Bitforest Co.,Ltd.
– Web Application Security Expert
– Data Science Expert
– Contact: @kinyuka



Web Intrusion Detection with Bayesian Network by Kanatoko AVTokyo 2013.5 English Slide
