Web Application Attacks Detection Using Deep Learning

Picture 7. Picture 4. Web Application Attacks Detection Using Deep Learning.

Content Placeholder 4. Nicolas Montes. Speaker’s BIO Data Scientist with a bachelor degree in Statistics. Currently finishing a MSc in Machine Learning and Data Science from the Engineering School of Universidad de la Republica, UDELAR..

Content Placeholder 6. AUTHORS & AFFILIATIONS. Nicolas Montes Gustavo Betarte (1) Rodrigo Martínez (1) Alvaro Pardo (2) (1) Instituto de Computación, Facultad de IngenieríaUniversidad de la República, Uruguay (2) Departamento de Ingeniería, Facultad de Ingeniería y TecnologíasUniversidad Católica del Uruguay, Uruguay.

Outline. Problem definition: attacks on web applications web application firewalls (WAF) Application of machine learning to improve WAF Advanced NLP approaches to text encoding and a review of the RoBERTa architecture Proposed solution based on two step learning: use of RoBERTa language model as a feature extractor One-class classification using OCSVM Results and conclusions.

Web Application attacks. Content Placeholder 4. Picture 4.

ML pipeline. One of the most challenging problems when applying machine learning based anomaly detection for web application security is how to extract features from the raw network data We treat a HTTP request as raw text and investigate advanced approaches in NLP for text encoding Transforming the HTTP into a vector of numbers (feature extraction). Then we use it as input for a one-class classifier.

Classic text encoding. Words are represented as atomic units (one-hot).

Text encoding with embeddings. Content Placeholder 4.

RoBERTa high level architecture. Self-supervised Masked Language Model Stack of L identical encoder layers Each encoder layer contains two sub-layers. Multi-head self attention and feedforward network. Input representation.

Our proposed t wo-step learning framework. HTTP request are treated as raw text 1st step: training a RoBERTa language model 2nd step: extract features from RoBERTa and perform one-class SVM classification.

Design decisions. 1) Convert each request into a numeric feature vector with the RoBERTa model. Using the centroid of the token representations.

Results. Content Placeholder 4. Picture 4. CurvasROC5 (1).pdf.

Conclusion. The experimental results show that the proposed approach outperforms the ones of the classic rule-based MODSECURITY configured with a vanilla CRS without requiring the participation of a security expert to define the features We used a performance metric proposed by Wee Sun Lee and collaborators to automatically obtain the operational point of the OCSVM As further work we intend to re-train the pre-trained Language Model with more HTTP request for an extended DRUPAL dataset. We also plan to use a set of attacks and explore the fine-tuning approach for RoBERTa.

Content Placeholder 4. Thank you!. Website: www.ciarp25.org Email: info@codan-consulting.com Twitter: @CiarpCongress Facebook: @CIARPcongress.