WAF-A-MoLE: An adversarial tool for assessing ML-based WAFs

Abstract Web Application Firewalls (WAFs) are plug-and-play security gateways that promise to enhance the security of a (potentially vulnerable) system with minimal cost and configuration. In recent years, machine learning-based WAFs are catching up with traditional, signature-based ones. They are competitive because they do not require predefined rules; instead, they infer their rules through a learning process. In this paper, we present WAF-A-MoLE, a WAF breaching tool. It uses guided mutational-based fuzzing to generate adversarial examples. The main applications include WAF ( i ) penetration testing, ( i i ) benchmarking and ( i i i ) hardening

Analyzing audit trails in a distributed and hybrid intrusion detection platform

Efforts have been made over the last decades in order to design and perfect Intrusion Detection Systems (IDS). In addition to the widespread use of Intrusion Prevention Systems (IPS) as perimeter defense devices in systems and networks, various IDS solutions are used together as elements of holistic approaches to cyber security incident detection and prevention, including Network-Intrusion Detection Systems (NIDS) and Host-Intrusion Detection Systems (HIDS). Nevertheless, specific IDS and IPS technology face several effectiveness challenges to respond to the increasing scale and complexity of information systems and sophistication of attacks. The use of isolated IDS components, focused on one-dimensional approaches, strongly limits a common analysis based on evidence correlation. Today, most organizations’ cyber-security operations centers still rely on conventional SIEM (Security Information and Event Management) technology. However, SIEM platforms also have significant drawbacks in dealing with heterogeneous and specialized security event-sources, lacking the support for flexible and uniform multi-level analysis of security audit-trails involving distributed and heterogeneous systems. In this thesis, we propose an auditing solution that leverages on different intrusion detection components and synergistically combines them in a Distributed and Hybrid IDS (DHIDS) platform, taking advantage of their benefits while overcoming the effectiveness drawbacks of each one. In this approach, security events are detected by multiple probes forming a pervasive, heterogeneous and distributed monitoring environment spread over the network, integrating NIDS, HIDS and specialized Honeypot probing systems. Events from those heterogeneous sources are converted to a canonical representation format, and then conveyed through a Publish-Subscribe middleware to a dedicated logging and auditing system, built on top of an elastic and scalable document-oriented storage system. The aggregated events can then be queried and matched against suspicious attack signature patterns, by means of a proposed declarative query-language that provides event-correlation semantics

The impact of SQL injection attacks on the security of databases

SQL injection Attack (SQLIA) can be detected in many web applications that lack of input variable filtering. The problem of this study is the weak input filtration and validation of forms in dynamic web applications and using a single detection and prevention technique against SQL injection attacks.The aim of this study is to investigate the effect of poor input validation of SQL query to discriminate the parameters used for injection malicious SQL on the security of server database and to improve the filtration level of a user input from real one and a malicious one on dynamic web applications in e-commerce, and to proposes a technique called Combined Detect based on two methods based on JavaScript and PHP coding to detect malicious SQL query and isolate it before sending to the server.The result of this study shows that many web developers neglect the high risks of SQL injection attacks on the security and confidentially of data stored in databases.The injection of malicious SQL parameters pass to the database in the server could damage the whole database or steal data.The method used in this study is based on JavaScript and PHP codes enable the dynamic web application to separate between normal data and malicious data, nevertheless of what user input is entered through input fields.The study recommended avoiding any weakness in SQL server by providing effective input validation to discriminate the malicious parameters used for injection SQL attack queries and using multiple detection methods for SQL injection

Detection of vulnerabilities and automatic protection for web applications

Tese de doutoramento, Informática (Ciências da Computação), Universidade de Lisboa, Faculdade de Ciências, 2016In less than three decades of existence, the Web evolved from a platform for accessing hypermedia to a framework for running complex web applications. These applications appear in many forms, from small home-made to large-scale commercial services such as Gmail, Office 365, and Facebook. Although a significant research effort on web application security has been on going for a while, these applications have been a major source of problems and their security continues to be challenged. An important part of the problem derives from vulnerable source code, often written in unsafe languages like PHP, and programmed by people without the appropriate knowledge about secure coding, who leave flaws in the applications. Nowadays the most exploited vulnerability category is the input validation, which is directly related with the user inputs inserted in web application forms. The thesis proposes methodologies and tools for the detection of input validation vulnerabilities in source code and for the protection of web applications written in PHP, using source code static analysis, machine learning and runtime protection techniques. An approach based on source code static analysis is used to identify vulnerabilities in applications programmed with PHP. The user inputs are tracked with taint analysis to determine if they reach a PHP function susceptible to be exploited. Then, machine learning is applied to determine if the identified flaws are actually vulnerabilities. In the affirmative case, the results of static analysis are used to remove the flaws, correcting the source code automatically thus protecting the web application. A new technique for source code static analysis is suggested to automatically learn about vulnerabilities and then to detect them. Machine learning applied to natural language processing is used to, in a first instance, learn characteristics about flaws in the source code, classifying it as being vulnerable or not, and then discovering and identifying the vulnerabilities. A runtime protection technique is also proposed to flag and block injection attacks against databases. The technique is implemented inside the database management system to improve the effectiveness of the detection of attacks, avoiding a semantic mismatch. Source code identifiers are employed so that, when an attack is flagged, the vulnerability is localized in the source code. Overall this work allowed the identification of about 1200 vulnerabilities in open source web applications available in the Internet, 560 of which previously unknown. The unknown vulnerabilities were reported to the corresponding software developers and most of them have already been removed.Em duas décadas de existência, a web evoluiu de uma plataforma para aceder a conteúdos hipermédia para uma infraestrutura para execução de aplicações complexas. Estas aplicações têm várias formas, desde aplicações pequenas e caseiras, a aplicações complexas e de grande escala e para diversos propósitos, como por exemplo serviços comerciais como o Gmail, Office 365 e Facebook. Apesar do grande esforço de investigação da última década em como tornar as aplicações web seguras, estas continuam a ser uma fonte de problemas e a sua segurança um desafio. Uma parte importante deste problema deriva de código fonte vulnerável, muitas vezes desenvolvido com linguagens de programação com poucas validações e construído por pessoas sem os conhecimentos mais adequados para uma programação segura. Atualmente a categoria de vulnerabilidades mais explorada é a de validação de input, diretamente relacionada com os dados (inputs) que os utilizadores inserem nas aplicações web. A tese propõe metodologias para a detecção e remoção de vulnerabilidades no código fonte e para a proteção das aplicações web em tempo de execução, empregando técnicas como a análise estática de código, aprendizagem máquina e protecção em tempo de execução. Numa primeira fase, a análise estática é utilizada para descobrir e identificar vulnerabilidades no código programado na linguagem PHP. Os inputs dos utilizadores são rastreados e é verificado se estes são parâmetros de funções PHP susceptíveis de serem exploradas. A combinação desta técnica com a aprendizagem máquina aplicada em minerização de dados é proposta para prever se as vulnerabilidades detectadas são falsos positivos ou reais. Caso sejam reais, o resultado da análise estática de código é utilizado para eliminá-las, corrigindo o código fonte automaticamente com fixes (remendos) e protegendo assim as aplicações web. A tese apresenta também uma nova técnica de análise estática de código para descobrir vulnerabilidades. A técnica aprende o que é código vulnerável e depois tira partido desse conhecimento para localizar problemas. A aprendizagem máquina aplicada ao processamento de linguagem natural é utilizada para, numa primeira instância, aprender aspectos que caracterizam as vulnerabilidades, para depois processar e analisar o código fonte, classificando-o como sendo ou não vulnerável, descobrindo e identificando os erros. Numa terceira fase, é proposta uma nova técnica de proteção em tempo de execução para descobrir e bloquear ataques de injeção contra bases de dados. A técnica é concretizada dentro do sistema de gestão de bases de dados para melhorar a eficácia na detecção dos ataques. É utilizada conjuntamente com identificadores de código fonte que, quando um ataque é sinalizado, permitem identificar a vulnerabilidade no programa. No total este trabalho permitiu a identificação de cerca de 1200 vulnerabilidades em aplicações web de código aberto disponíveis na Internet, das quais 560 eram até então desconhecidas. As vulnerabilidades desconhecidas foram reportadas aos autores do software onde foram encontradas e muitas delas já foram removidas

Systematic Approach for Web Protection Runtime Tools’ Effectiveness Analysis

Web applications represent one of the principal vehicles by which attackers gain access to an organization’s network or resources. Thus, different approaches to protect web applications have been proposed to date. Of them, the two major approaches are Web Application Firewalls (WAF) and Runtime Application Self Protection (RASP). It is, thus, essential to understand the differences and relative effectiveness of both these approaches for effective decision-making regarding the security of web applications. Here we present a comparative study between WAF and RASP simulated settings, with the aim to compare their effectiveness and efficiency against different categories of attacks. For this, we used computation of different metrics and sorted their results using F-Score index. We found that RASP tools scored better than WAF tools. In this study, we also developed a new experimental methodology for the objective evaluation of web protection tools since, to the best of our knowledge, no method specifically evaluates web protection tools

A framework for correlation and aggregation of security alerts in communication networks. A reasoning correlation and aggregation approach to detect multi-stage attack scenarios using elementary alerts generated by Network Intrusion Detection Systems (NIDS) for a global security perspective.

The tremendous increase in usage and complexity of modern communication and network systems connected to the Internet, places demands upon security management to protect organisations¿ sensitive data and resources from malicious intrusion. Malicious attacks by intruders and hackers exploit flaws and weakness points in deployed systems through several sophisticated techniques that cannot be prevented by traditional measures, such as user authentication, access controls and firewalls. Consequently, automated detection and timely response systems are urgently needed to detect abnormal activities by monitoring network traffic and system events. Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS) are technologies that inspect traffic and diagnose system behaviour to provide improved attack protection. The current implementation of intrusion detection systems (commercial and open-source) lacks the scalability to support the massive increase in network speed, the emergence of new protocols and services. Multi-giga networks have become a standard installation posing the NIDS to be susceptible to resource exhaustion attacks. The research focuses on two distinct problems for the NIDS: missing alerts due to packet loss as a result of NIDS performance limitations; and the huge volumes of generated alerts by the NIDS overwhelming the security analyst which makes event observation tedious. A methodology for analysing alerts using a proposed framework for alert correlation has been presented to provide the security operator with a global view of the security perspective. Missed alerts are recovered implicitly using a contextual technique to detect multi-stage attack scenarios. This is based on the assumption that the most serious intrusions consist of relevant steps that temporally ordered. The pre- and post- condition approach is used to identify the logical relations among low level alerts. The alerts are aggregated, verified using vulnerability modelling, and correlated to construct multi-stage attacks. A number of algorithms have been proposed in this research to support the functionality of our framework including: alert correlation, alert aggregation and graph reduction. These algorithms have been implemented in a tool called Multi-stage Attack Recognition System (MARS) consisting of a collection of integrated components. The system has been evaluated using a series of experiments and using different data sets i.e. publicly available datasets and data sets collected using real-life experiments. The results show that our approach can effectively detect multi-stage attacks. The false positive rates are reduced due to implementation of the vulnerability and target host information

Cyber Attack Surface Mapping For Offensive Security Testing

Security testing consists of automated processes, like Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST), as well as manual offensive security testing, like Penetration Testing and Red Teaming. This nonautomated testing is frequently time-constrained and difficult to scale. Previous literature suggests that most research is spent in support of improving fully automated processes or in finding specific vulnerabilities, with little time spent improving the interpretation of the scanned attack surface critical to nonautomated testing. In this work, agglomerative hierarchical clustering is used to compress the Internet-facing hosts of 13 representative companies as collected by the Shodan search engine, resulting in an average 89% reduction in attack surface complexity. The work is then extended to map network services and also analyze the characteristics of the Log4Shell security vulnerability and its impact on attack surface mapping. The results highlighted outliers indicative of possible anti-patterns as well as opportunities to improve how testers and tools map the web attack surface. Ultimately the work is extended to compress web attack surfaces based on security relevant features, demonstrating via accuracy measurements not only that this compression is feasible but can also be automated. In the process a framework is created which could be extended in future work to compress other attack surfaces, including physical structures/campuses for physical security testing and even humans for social engineering tests

Moth: a hybrid threat model for improving software security testing

As SQL injection attack (SQLIA) continues to threaten web applications despite several techniques recommended to prevent it, a Hybrid Threat Modeling strategy was adopted in this research due to its proactive approach to risk mitigation in web applications. This involved the combination of 3 threat modeling techniques namely misuse cases, attack trees and finite state machines in order to harness their individual strengths to design a Hybrid Threat Modeling framework and tool called MOTH (Modeling Threats using Hybrid techniques). Using the MOTH tool developed using Eclipse rich client platform, experimental results with an e-commerce web application downloaded from GitHub namely BodgeIt store shows an improved SQL injection vulnerability detection rate of 13.33% in comparison to a commercial tool, IBM AppScan. Further benchmarking of MOTH with respect to SQL injection vulnerability detection in both BodgeIT store and IBM’s Altoro Mutual online banking application shows it is 30.6% more effective over AppScan. Relative to other threat modeling tools, MOTH was able to realize a 41.7% optimization of attack paths required to design effective test plans and test cases for the recommendation of efficient security requirements needed to prevent SQL injection attacks. A 100% risk mitigation was achieved after applying these recommendations due to a complete security test coverage of all test cases during the experiment as all test cases successfully exposed the inherent security mutants in the AUT. These results show that MOTH is a more suitable hybrid threat modeling tool for preventing poor specifications that expose web applications to SQL injection attacks