6 research outputs found

    Machine learning techniques applied to improving attack detection in web applications (Técnicas de aprendizaje automático aplicadas a la mejora de detección de ataques en aplicaciones web)

    Web application and service portals are often one of the entry points for launching attacks and other kinds of malicious activity against companies and various types of entities. From banks to e-commerce websites, by way of the infrastructures of healthcare systems, the judicial system, etc., the possible economic, reputational, information-leakage and other damage caused by an attack, not only to organizations but also to the legitimate users of web applications and services, is incalculable. In an effort to provide an additional layer of protection against this type of attack, web protection techniques have been researched extensively: from a more classic approach based on protection rules that must be constantly updated to techniques based on anomaly detection, the number of studies With this thesis, the aim is to help consolidate knowledge of anomaly detection techniques through three articles that contribute knowledge to the scientific community by means of the first systematic literature review of anomaly detection techniques applied to the protection of web applications. Next, a new methodology is proposed for the objective comparison of web protection tools, demonstrating its applicability through the comparison of several WAF and RASP tools. Finally, a new multi-label dataset is made available to the scientific community, with which new designs of classification models are trained that are capable of identifying web attacks by means of CAPEC attack patterns

    Systematic Approach for Web Protection Runtime Tools’ Effectiveness Analysis

    Web applications represent one of the principal vehicles by which attackers gain access to an organization’s network or resources. Thus, different approaches to protect web applications have been proposed to date. Of them, the two major approaches are Web Application Firewalls (WAF) and Runtime Application Self Protection (RASP). It is, thus, essential to understand the differences and relative effectiveness of both these approaches for effective decision-making regarding the security of web applications. Here we present a comparative study between WAF and RASP in simulated settings, with the aim of comparing their effectiveness and efficiency against different categories of attacks. For this, we computed different metrics and sorted their results using the F-Score index. We found that RASP tools scored better than WAF tools. In this study, we also developed a new experimental methodology for the objective evaluation of web protection tools since, to the best of our knowledge, no method specifically evaluates web protection tools.

    A new multi-label dataset for Web attacks CAPEC classification using machine learning techniques

    Context: There are many datasets for training and evaluating models to detect web attacks, labeling each request as normal or attack. Web attack protection tools must provide additional information on the type of attack detected, in a clear and simple way. Objectives: This paper presents a new multi-label dataset for classifying web attacks based on CAPEC classification, a new method of feature extraction based on ASCII values, and the evaluation of several combinations of models and algorithms. Methods: Using a new way to extract features by computing the average of the sum of the ASCII values of each of the characters in each field that compose a web request, several combinations of algorithms (LightGBM and CatBoost) and multi-label classification models are evaluated, to provide a complete CAPEC classification of the web attacks that a system is suffering. The training and test data used for training and evaluating the models come from the new SR-BH 2020 multi-label dataset. Results: Calculating the average of the sum of the ASCII values of the different characters that make up a web request shows its usefulness for numeric encoding and feature extraction. The new SR-BH 2020 multi-label dataset allows the training and evaluation of multi-label classification models, also allowing the CAPEC classification of the various attacks that a web system is undergoing. The combination of the two-phase model with the MultiOutputClassifier module of the scikit-learn library, together with the CatBoost algorithm, shows its superiority in classifying attacks in the different criticality scenarios. Conclusion: Experimental results indicate that the combination of machine learning algorithms and multi-phase models leads to improved prediction of web attacks. Also, the use of a multi-label dataset is suitable for training learning models that provide information about the type of attack. (c) 2022 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).

    Comparison of the effectiveness of WAF and RASP tools against attacks (Comparativa de la eficacia de herramientas WAF y RASP frente a ataques)

    In this Master’s degree final project, the effectiveness of different WAF and RASP tools has been evaluated, protecting web applications against various attacks. Several scenarios have been simulated, interposing the protection tool to be assessed between the application to be protected – simulated by two benchmarks – and the attacking machine. The results obtained from the different protection tools have been analyzed using different metrics and have been sorted by the F-Score index. From the analysis of the obtained results, the superiority in most indexes of RASP against WAF tools is concluded, as well as the practical absence of differences in the score obtained in the different metrics of the two WAF tools. The tool that obtained the best results is Contrast.

    Prevention and fighting against web attacks through anomaly detection technology. A systematic review

    Numerous techniques have been developed in order to prevent attacks on web servers. Anomaly detection techniques are based on models of normal user and application behavior, interpreting deviations from the established pattern as indications of malicious activity. In this work, a systematic review of the use of anomaly detection techniques in the prevention and detection of web attacks is undertaken; in particular, we used the standardized method of a systematic review of literature in the field of computer science, proposed by Kitchenham. This method is applied to a set of 88 papers extracted from a total of 8041 reviewed papers, which have been published in notable journals. This paper discusses the process carried out in this systematic review, as well as the results and findings obtained to identify the current state of the art of web anomaly detection

    Combinatorial method with static analysis for source code security in web applications

    Security weaknesses in web applications deployed in cloud architectures can seriously affect their data confidentiality and integrity. The construction of the procedure utilized in the static analysis tools of source code security differs and therefore each tool finds a different number of each weakness type for which it is designed. To utilize the possible synergies different static analysis tools may process, this work uses a new method to combine several source codes aiming to investigate how to increase the performance of security weakness detection while reducing the number of false positives. Specifically, five static analysis tools will be combined with the designed method to study their behavior using an updated benchmark for OWASP Top Ten Security Weaknesses (OWASP TTSW). The method selects specific metrics to rank the tools for different criticality levels of web applications considering different weights in the ratios. The findings show that simply including more tools in a combination is not synonymous with better results; it depends on the specific tools included in the combination due to their different designs and techniques.