2.
Who am I?
– Kanatoko
– Web Application Firewall Developer
– My mission: building an accurate WAF
• Reduce both false positives and false negatives
2
02/17/14
Copyright (c) Bitforest Co., Ltd.
3.
Bayes’ theorem
– Used when we want to calculate P(A|B) and P(B|A) is known
– P(B|A) : the probability of event B given event A
– P(A|B) = P(B|A) P(A) / P(B), where P(B) = P(B|A) P(A) + P(B|not A) P(not A)
– Not so hard to understand
4.
What is Bayesian Network?
– A probabilistic graphical model (a type of statistical model) that represents a set of random variables and their conditional dependencies via a directed acyclic graph (Wikipedia)
(Figure: example network with the nodes AVTokyo, Hacker, Drunken and Beer in hand)
5.
Famous sprinkler example
• Nodes and edges represent cause and effect
• Probabilities are stored as tables (CPT: conditional probability table), one per node
• Observations (evidence) are set as input on the observed nodes
• Unobserved nodes are the output (what we want to know)
• “The grass is wet. What is the probability that it rained?”
7.
Web Intrusion Detection with Bayesian Network
• Probability that the HTTP request is an attack: 1%
• Probability that the HTTP request is NOT an attack: 99%
• Probability that the HTTP request contains ‘alert’ given that the request is an attack: 8%
• Probability that the HTTP request does NOT contain ‘alert’ given that the request is an attack: 92%
• Probability that the HTTP request contains ‘alert’ given that the request is NOT an attack: 0.2%
• Probability that the HTTP request does NOT contain ‘alert’ given that the request is NOT an attack: 99.8%
What is the probability that the HTTP request is an attack?
1% (the prior)
What is the probability that the HTTP request is an attack, given that the HTTP request contains ‘alert’?
28.8% (= 0.08 × 0.01 / (0.08 × 0.01 + 0.002 × 0.99))
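The slide's numbers carried through Bayes' theorem in code. This is an added example, not code from the slides or from Bitforest; the only inputs are the three probabilities the slide gives (prior 1%, P(‘alert’ | attack) 8%, P(‘alert’ | not attack) 0.2%). The `base_rate_sweep` function goes beyond the slide to show how strongly the posterior depends on the assumed attack rate, which is the number a WAF operator is least sure of.

```python
"""Worked Bayes' theorem computation for the slide's 'alert' example.

Added example; not code from the original slides. The three constants
below are the values stated on the slide.
"""

P_ATTACK = 0.01               # prior: 1% of requests are attacks
P_ALERT_GIVEN_ATTACK = 0.08   # 8% of attacks contain 'alert'
P_ALERT_GIVEN_BENIGN = 0.002  # 0.2% of benign requests contain 'alert'


def posterior(prior, p_evidence_given_h, p_evidence_given_not_h):
    """P(H | E) = P(E | H) P(H) / P(E), with P(E) expanded over H and not-H."""
    p_evidence = (p_evidence_given_h * prior
                  + p_evidence_given_not_h * (1.0 - prior))
    return p_evidence_given_h * prior / p_evidence


def p_attack_given_alert(prior=P_ATTACK):
    """Probability the request is an attack given it contains 'alert'."""
    return posterior(prior, P_ALERT_GIVEN_ATTACK, P_ALERT_GIVEN_BENIGN)


def p_attack_given_no_alert(prior=P_ATTACK):
    """Same question for a request that does NOT contain 'alert'.

    The 'does not contain' rows of the CPT are the complements:
    92% of attacks and 99.8% of benign requests lack the token.
    """
    return posterior(prior, 1.0 - P_ALERT_GIVEN_ATTACK, 1.0 - P_ALERT_GIVEN_BENIGN)


def base_rate_sweep(priors=(0.001, 0.01, 0.1)):
    """Posterior P(attack | 'alert') for several assumed attack rates.

    Returns a dict prior -> posterior; the likelihoods are held fixed,
    so this isolates the effect of the base rate alone.
    """
    return {prior: p_attack_given_alert(prior) for prior in priors}


if __name__ == "__main__":
    print(f"P(attack | 'alert')    = {p_attack_given_alert():.3f}")
    print(f"P(attack | no 'alert') = {p_attack_given_no_alert():.4f}")
    for prior, post in base_rate_sweep().items():
        print(f"prior {prior:.3f} -> posterior {post:.3f}")
```

With the slide's numbers the posterior is 28.8%, so a bare ‘alert’ match is far from proof of an attack; at a 0.1% base rate it drops below 4%, and at 10% it exceeds 80%. The false-positive rate of the token (0.2%) is what dominates the denominator, which is why the slides put so much weight on reducing false positives.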
9.
Building Accurate Intrusion Detection System / Web Application Firewall
– Signature-based (blacklist)
• If ‘alert’ then die!
• Simple, and has real advantages
– Clear
– Performance: stable and fast enough
– Maintainable / human readable
• Disadvantage: high false positive rate
10.
Building Accurate Intrusion Detection System / Web Application Firewall(cont)
– Threshold model (vs. the simple signature/blacklist model)
• Increase/decrease a score on each signature match
• Treated as an attack when the total score exceeds a certain threshold
• Low false positives (good)
• Hard to change and maintain (bad)
• Example rule 1: score +5 on ‘UNION’
• Example rule 2: score +5 on ‘SELECT’
• When both ‘UNION’ and ‘SELECT’ are found… score +10? That is only the sum of two weak matches, although the combination is much stronger evidence
• Example rule 3: score +20 on ‘UNION’ and ‘SELECT’ together
• Too complicated: every combination that matters needs its own rule and its own hand-tuned score
11.
Building Accurate Intrusion Detection System / Web Application Firewall(cont)
– Threshold model (vs. the simple signature/blacklist model)
– Score +5 on ‘Alert’ (XSS)
– Score +5 on ‘UNION’ (SQLi)
– Score +10 on “Alert UNION”? Adding the two makes no sense: one is XSS evidence, the other is SQLi evidence
– XSS and SQLi should be treated as distinct classes
12.
Building Accurate Intrusion Detection System / Web Application Firewall(cont)
– Bayesian Network
• Resolves almost all of the problems of the threshold model
13.
Advantages of Bayesian Network
– Complicated relations can be modeled as a network (in a GUI)
– The computation result is expressed as a probability
– Easy to maintain
– Corresponds to expert knowledge
14.
Complicated relations can be modeled as a network (GUI)
– One-to-many relations and weak/strong relations can be expressed
– Models can be developed in a GUI tool and then used to compute the probabilities
– We use the Weka Bayesian Network Editor
– Example: XSS / CMS
– Example: VA / user in Japan
– Example: ‘eval’ and programming languages (Java, Ruby, JavaScript, Perl, PHP…)
15.
The computation result is expressed as a probability
– ‘UNION’ only (not special)
– ‘SELECT’ only (not special)
– Both ‘UNION’ and ‘SELECT’ (should be marked)
– The ‘rare case’ gets a high probability from Bayes’ theorem: each token alone is common in benign traffic, but their co-occurrence is rare unless the request is an attack
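Exact inference over a small network, as an added example covering both the sprinkler question from slide 5 (“the grass is wet, what is the probability that it rained?”) and the ‘UNION’/‘SELECT’ point above. This is not code from the slides, from Bitforest, or from Weka; it is a plain enumeration engine, which is fine for a handful of nodes. All CPT values are constructed for illustration: the sprinkler numbers are the usual textbook ones, and the WAF numbers (attack prior 1%, P(‘UNION’ | attack) 30%, P(‘UNION’ | benign) 1%, P(‘SELECT’ | attack) 30%, P(‘SELECT’ | benign) 2%) are invented here, not taken from the slides.

```python
"""Exact inference in a small Bayesian network by enumeration.

Added example, not the slides' or Bitforest's code and not a Weka model.
All CPT values below are constructed for illustration.
"""
from itertools import product


class BayesNet:
    """Boolean-valued Bayesian network; nodes must be added parents-first."""

    def __init__(self):
        self.nodes = {}   # name -> (parents tuple, cpt dict)
        self.order = []

    def add(self, name, parents, cpt):
        """cpt maps a tuple of parent values (in `parents` order) to P(name=True)."""
        self.nodes[name] = (tuple(parents), cpt)
        self.order.append(name)

    def joint(self, assignment):
        """P(full assignment) = product over nodes of P(node | parents)."""
        p = 1.0
        for name in self.order:
            parents, cpt = self.nodes[name]
            p_true = cpt[tuple(assignment[par] for par in parents)]
            p *= p_true if assignment[name] else 1.0 - p_true
        return p

    def query(self, var, evidence):
        """P(var=True | evidence): sum the joint over every hidden variable."""
        hidden = [n for n in self.order if n != var and n not in evidence]
        mass = {True: 0.0, False: 0.0}
        for value in (True, False):
            for combo in product((True, False), repeat=len(hidden)):
                assignment = dict(evidence)
                assignment[var] = value
                assignment.update(zip(hidden, combo))
                mass[value] += self.joint(assignment)
        return mass[True] / (mass[True] + mass[False])


def sprinkler_net():
    """Rain -> Sprinkler, (Sprinkler, Rain) -> GrassWet; textbook CPT values (constructed)."""
    net = BayesNet()
    net.add("Rain", [], {(): 0.2})
    net.add("Sprinkler", ["Rain"], {(True,): 0.01, (False,): 0.4})
    net.add("GrassWet", ["Sprinkler", "Rain"],
            {(True, True): 0.99, (True, False): 0.9,
             (False, True): 0.8, (False, False): 0.0})
    return net


def waf_net():
    """Attack -> 'UNION' present, Attack -> 'SELECT' present; CPT values are invented."""
    net = BayesNet()
    net.add("Attack", [], {(): 0.01})
    net.add("UNION", ["Attack"], {(True,): 0.3, (False,): 0.01})
    net.add("SELECT", ["Attack"], {(True,): 0.3, (False,): 0.02})
    return net


def p_rain_given_wet():
    return sprinkler_net().query("Rain", {"GrassWet": True})


def p_attack(union_seen, select_seen):
    """P(Attack | which of the two tokens were observed in the request)."""
    return waf_net().query("Attack", {"UNION": union_seen, "SELECT": select_seen})


if __name__ == "__main__":
    print(f"P(Rain | GrassWet)          = {p_rain_given_wet():.4f}")
    for union_seen, select_seen in ((False, False), (True, False), (False, True), (True, True)):
        print(f"UNION={union_seen!s:5} SELECT={select_seen!s:5} -> "
              f"P(Attack) = {p_attack(union_seen, select_seen):.3f}")
```

With these constructed CPTs, ‘UNION’ alone gives about 18% and ‘SELECT’ alone under 10%, while both together give about 82%: no separate “UNION and SELECT” rule and no hand-picked +20 score, the combination falls out of the network structure. Changing one CPT entry changes exactly the edges it belongs to, which is the maintainability argument made on the following slides.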
16.
Easy to maintain
– Intermediate nodes (mediating variables) play an important role
– Influences behave as expected when we update the values in a CPT
– Can be improved little by little, because it is not a black box like a neural network
17.
Corresponds to expert knowledge
“If A and B, then maybe C…”
is expressed directly as a probability
There is a close similarity between the human decision-making process and a Bayesian network
18.
Conclusion
A Bayesian network can be used to make decisions based on observations
If a human expert can detect attacks,
then we want the computer to do the same
Use a Bayesian network!
19.
We’re hiring!
– Bitforest Co., Ltd.
– Web application security expert
– Data science expert
– Contact: @kinyuka