Automatically Repairing Web Application Firewalls Based on Successful SQL Injection Attacks

Appelt, Dennis; Panichella, Annibale; Briand, Lionel

doi:10.1109/ISSRE.2017.28

Download

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Automatically Repairing Web Application Firewalls Based on Successful SQL Injection Attacks

Appelt, Dennis; Panichella, Annibale; Briand, Lionel

2017 • In The 28th IEEE International Symposium on Software Reliability Engineering (ISSRE)

Peer reviewed

Permalink
https://hdl.handle.net/10993/31877

DOI
10.1109/ISSRE.2017.28

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

ISSRE2017.pdf

Author preprint (380.09 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Web Application Firewalls; Regular Expression Inference; Web Security

Abstract :

[en] Testing and fixing WAFs are two relevant and complementary challenges for security analysts. Automated testing helps to cost-effectively detect vulnerabilities in a WAF by generating effective test cases, i.e., attacks. Once vulnerabilities have been identified, the WAF needs to be fixed by augmenting its rule set to filter attacks without blocking legitimate requests. However, existing research suggests that rule sets are very difficult to understand and too complex to be manually fixed. In this paper, we formalise the problem of fixing vulnerable WAFs as a combinatorial optimisation problem. To solve it, we propose an automated approach that combines machine learning with multi-objective genetic algorithms. Given a set of legitimate requests and bypassing SQL injection attacks, our approach automatically infers regular expressions that, when added to the WAF's rule set, prevent many attacks while letting legitimate requests go through. Our empirical evaluation based on both open-source and proprietary WAFs shows that the generated filter rules are effective at blocking previously identified and successful SQL injection attacks (recall between 54.6% and 98.3%), while triggering in most cases no or few false positives (false positive rate between 0% and 2%).

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)

Disciplines :

Computer science

Author, co-author :

Appelt, Dennis ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Panichella, Annibale ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Briand, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

External co-authors :

Language :

English

Title :

Automatically Repairing Web Application Firewalls Based on Successful SQL Injection Attacks

Publication date :

23 October 2017

Event name :

The 28th IEEE International Symposium on Software Reliability Engineering (ISSRE)

Event place :

Toulouse, France

Event date :

from 23-10-2017 to 26-10-2017

Audience :

International

Main work title :

The 28th IEEE International Symposium on Software Reliability Engineering (ISSRE)

Publisher :

IEEE

ISBN/EAN :

978-1-5386-0941-5

Pages :

339-350

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

FnR Project :

FNR4800382 - Black-box Security Testing For Web Applications And Services, 2012 (01/10/2012-30/06/2016) - Dennis Appelt

Available on ORBilu :

since 13 August 2017

Statistics

Number of views

332 (29 by Unilu)

Number of downloads

1010 (26 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

E. Al-Shaer, H. Hamed, R. Boutaba, M. Hasan. Conflict classification and analysis of distributed firewall policies. IEEE journal on Selected Areas in Communications, 23(10):2069-2084, 2005.
E. S. Al-Shaer and H. H. Hamed. Modeling and management of firewall policies. IEEE Transactions on Network and Service Management, 1(1):2-10, 2004.
D. Appelt, N. Alshahwan, L. Briand. Assessing the impact of firewalls and database proxies on sql injection testing. In Proceedings of the 1st International Workshop on Future Internet Testing, 2013.
D. Appelt, C. Nguyen, L. Briand. Behind an application firewall, are we safe from sql injection attacks In Software Testing, Verification and Validation (ICST), 2015 IEEE 8th International Conference on, pages 1-10, April 2015.
D. Appelt, C. D. Nguyen, L. C. Briand, N. Alshahwan. Automated testing for sql injection vulnerabilities: An input mutation approach. In Proceedings of the 2014 International Symposium on Software Testing and Analysis, ISSTA 2014, pages 259-269, New York, NY, USA, 2014. ACM.
D. Appelt, D. C. Nguyen, L. Briand. Automated testing of web application firewalls. Technical report, 2016.
A. Arcuri and L. Briand. A practical guide for using statistical tests to assess randomized algorithms in software engineering. In 2011 33rd International Conference on Software Engineering (ICSE), pages 1-10. IEEE, 2011.
A. Arcuri and G. Fraser. On parameter tuning in search based software engineering. In International Symposium on Search Based Software Engineering, pages 33-47. Springer, 2011.
R. Babbar and N. Singh. Clustering based approach to learning regular expressions over large alphabet for noisy unstructured text. In Proceedings of the fourth workshop on Analytics for noisy unstructured text data, pages 43-50. ACM, 2010.
R. Barnett. Dynamic DAST/WAF integration: Realtime virtual patching.
R. Barnett. Owasp virtual patching survey results.
A. Bartoli, G. Davanzo, A. De Lorenzo, M. Mauri, E. Medvet, E. Sorio. Automatic generation of regular expressions from examples with genetic programming. In Proceedings of the 14th annual conference companion on Genetic and evolutionary computation, pages 1477-1478. ACM, 2012.
A. Bartoli, A. De Lorenzo, E. Medvet, F. Tarlao. Inference of regular expressions for text extraction from examples. IEEE Transactions on Knowledge and Data Engineering, 28(5):1217-1230, 2016.
C. Basile and A. Lioy. Analysis of application-layer filtering policies with application to http. IEEE/ACM Transactions on Networking (TON), 23(1):28-41, 2015.
J. Bergstra and Y. Bengio. Random search for hyperparameter optimization. J. Mach. Learn. Res., 13:281-305, Feb. 2012.
G. J. Bex, F. Neven, T. Schwentick, K. Tuyls. Inference of concise dtds from xml data. In Proceedings of the 32nd international conference on Very large data bases, pages 115-126. VLDB Endowment, 2006.
S. W. Boyd and A. D. Keromytis. Sqlrand: Preventing sql injection attacks. In Applied Cryptography and Network Security, pages 292-302. Springer, 2004.
F. Brauer, R. Rieger, A. Mocan, W. M. Barczynski. Enabling information extraction by inference of regular expressions from sample entities. In Proceedings of the 20th ACM international conference on Information and knowledge management, pages 1285-1294. ACM, 2011.
G. Buehrer, B. W. Weide, P. A. Sivilotti. Using parse tree validation to prevent sql injection attacks. In Proceedings of the 5th international workshop on Software engineering and middleware, pages 106-113. ACM, 2005.
M. Ceccato, C. D. Nguyen, D. Appelt, L. C. Briand. Sofia: An automated security oracle for black-box testing of sql-injection vulnerabilities. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering, pages 167-177. ACM, 2016.
J. Clarke. SQL injection attacks and defense. Elsevier, 2009.
F. Cuppens, N. Cuppens-Boulahia, J. Garcia-Alfaro, T. Moataz, X. Rimasson. Handling stateful firewall anomalies. In IFIP International Information Security Conference, pages 174-186. Springer, 2012.
K. Deb, A. Pratap, S. Agarwal, T. Meyarivan. A fast and elitist multiobjective genetic algorithm: Nsga-ii. Evolutionary Computation, IEEE Transactions on, 6(2):182-197, 2002.
C. L. Goues, T. Nguyen, S. Forrest, W. Weimer. Genprog: A generic method for automatic software repair. IEEE Transactions on Software Engineering, 38(1):54-72, Jan 2012.
W. Halfond, J. Viegas, A. Orso. A classification of sql-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering, volume 1, pages 13-15. IEEE, 2006.
W. G. Halfond, S. Anand, A. Orso. Precise interface identification to improve testing and analysis of web applications. In Proceedings of the 18th International Symposium on Software Testing and Analysis (ISSTA '09), pages 285-296, 2009.
W. G. Halfond and A. Orso. Amnesia: Analysis and monitoring for neutralizing sql-injection attacks. In Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, pages 174-183. ACM, 2005.
W. G. J. Halfond and A. Orso. Preventing SQL injection attacks using AMNESIA. In Proceedings of the 28th International Conference on Software Engineering (ICSE' 06), pages 795-798, 2006.
M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutemann, I. H. Witten. The weka data mining software: An update. SIGKDD Explor. Newsl., 11(1):10-18, Nov. 2009.
M. Harman, S. A. Mansouri, Y. Zhang. Search-based software engineering: Trends, techniques and applications. ACM Comput. Surv., 45(1):11:1-11:61, Dec. 2012.
K. L. Ingham, A. Somayaji, J. Burge, S. Forrest. Learning dfa representations of http for protecting web applications. Computer Networks, 51(5):1239-1255, 2007.
M. Kiani, A. Clark, G. Mohay. Evaluation of anomaly based character distribution models in the detection of sql injection attacks. In Availability, Reliability and Security, 2008. ARES 08. Third International Conference on, pages 47-55. IEEE, 2008.
A. Kieyzun, P. J. Guo, K. Jayaraman, M. D. Ernst. Automatic creation of SQL injection and cross-site scripting attacks. In Proceedings of the 31st International Conference on Software Engineering (ICSE '09), pages 199-209, 2009.
J. Knowles, L. Thiele, E. Zitzler. A Tutorial on the Performance Assessment of Stochastic Multiobjective Optimizers. TIK Report 214, Computer Engineering and Networks Laboratory (TIK), ETH Zurich, Feb. 2006.
C. Kruegel and G. Vigna. Anomaly detection of webbased attacks. In Proceedings of the 10th ACM conference on Computer and communications security, pages 251-261. ACM, 2003.
C. Kruegel, G. Vigna, W. Robertson. A multi-model approach to the detection of web-based attacks. Computer Networks, 48(5):717-738, 2005.
T. Krueger, C. Gehl, K. Rieck, P. Laskov. Tokdoc: A selfhealing web application firewall. In Proceedings of the 2010 ACM Symposium on Applied Computing, pages 1846-1853. ACM, 2010.
Y. Li, R. Krishnamurthy, S. Raghavan, S. Vaithyanathan, H. Jagadish. Regular expression learning for information extraction. In Proceedings of the Conference on Empirical Methods in Natural Language Processing, pages 21-30. Association for Computational Linguistics, 2008.
A. Liu, Y. Yuan, D. Wijesekera, A. Stavrou. Sqlprob: A proxy-based architecture towards preventing sql injection attacks. In Proceedings of the 2009 ACM Symposium on Applied Computing, SAC '09, pages 2054-2061, New York, NY, USA, 2009. ACM.
S. Luke. Essentials of metaheuristics. Lulu Com, 2013.
A. Mayer, A. Wool, E. Ziskind. Offline firewall analysis. International Journal of Information Security, 5(3):125-144, 2006.
M. Mitchell. An introduction to genetic algorithms. MIT press, 1998.
K. Murthy, P. Deepak, P. M. Deshpande. Improving recall of regular expressions for information extraction. In International Conference on Web Information Systems Engineering, pages 455-467. Springer, 2012.
A. J. Nebro, J. J. Durillo, M. Vergne. Redesigning the jmetal multi-objective optimization framework. In Proceedings of the Companion Publication of the 2015 Annual Conference on Genetic and Evolutionary Computation, GECCO Companion '15, pages 1093-1100, New York, NY, USA, 2015. ACM.
H. D. T. Nguyen, D. Qi, A. Roychoudhury, S. Chandra. Semfix: Program repair via semantic analysis. In Proceedings of the 2013 International Conference on Software Engineering, ICSE '13, pages 772-781, Piscataway, NJ, USA, 2013. IEEE Press.
Y. Qi, X. Mao, Y. Lei, Z. Dai, C. Wang. The strength of random search on automated program repair. In Proceedings of the 36th International Conference on Software Engineering, ICSE 2014, pages 254-265, New York, NY, USA, 2014. ACM.
J. R. Quinlan. Induction of decision trees. Mach. Learn., 1(1):81-106, Mar. 1986.
W. Robertson, G. Vigna, C. Kruegel, R. A. Kemmerer, et al. Using generalization and characterization techniques in the anomaly-based detection of web attacks. In NDSS, 2006.
L. K. Shar and H. B. K. Tan. Defeating sql injection. Computer, (3):69-77, 2013.
L. K. Shar, H. B. K. Tan, L. Briand. Mining sql injection and cross site scripting vulnerabilities using hybrid program analysis. In Software Engineering (ICSE), 2013 35th International Conference on, pages 642-651, 2013.
Y. Song, A. D. Keromytis, S. J. Stolfo. Spectrogram: A mixture-of-markov-chains model for anomaly detection in web traffic. In NDSS, volume 9, pages 1-15. Citeseer, 2009.
D. Stuttard and M. Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. John Wiley & Sons, 2011.
F. Valeur, G. Vigna, C. Kruegel, E. Kirda. An anomalydriven reverse proxy for web applications. In Proceedings of the 2006 ACM symposium on Applied computing, pages 361-368. ACM, 2006.
S. Varrette, P. Bouvry, H. Cartiaux, F. Georgatos. Management of an Academic HPC Cluster: The UL Experience. In Proc. of the 2014 Intl. Conf. on High Performance Computing & Simulation (HPCS 2014), pages 959-967, Bologna, Italy, July 2014. IEEE.
S. Wang, S. Ali, T. Yue, Y. Li, M. Liaaen. A practical guide to select quality indicators for assessing pareto-based search algorithms in search-based software engineering. In Proceedings of the 38th International Conference on Software Engineering, pages 631-642. ACM, 2016.
A. Wool. A quantitative study of firewall configuration errors. Computer, 37(6):62-67, 2004.
A. Wool. Trends in firewall configuration errors: Measuring the holes in swiss cheese. Internet Computing, IEEE, 14(4):58-65, 2010.