In contemporary cybersecurity landscapes, safeguarding web applications against diverse malicious attacks remains paramount for organizations. While conventional defense systems like WAF and IDS offer mitigation strategies, they are susceptible to circumvention or compromise. A more effective strategy involves implementing runtime application self-protection (RASP) directly within the web application. This approach has proven its efficacy by facilitating early detection of attacks. However, RASP often generates a significant number of false alarms and struggles to detect unknown attacks, necessitating extensive human scrutiny. To address these challenges, this paper introduces a novel approach by integrating unsupervised deep learning with Runtime Application Self-Protection (RASP) systems. Our method aims to detect genuine attacks from false alarms generated by RASP systems. To achieve this, we propose a novel fused neural network models capable of extracting features from various fields. Then we train an autoencoder model on RASP logs of normal behaviors (white samples). This model reconstructs features of white samples better than black samples, which can be used to detect real attacks by setting a threshold. Through extensive experimentation conducted on a real-world dataset comprising 260k RASP logs covering 11 types of attacking, our approach demonstrates exceptional efficacy, achieving a remarkable recall rate of 99.32% and a notably low false alarm rate of 0.66%.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Enhancing Runtime Application Self-Protection with Unsupervised Deep Learning

  • Bolun Wu,
  • Futai Zou,
  • Mingyi Huang,
  • Xin Sun,
  • Jiajia Han

摘要

In contemporary cybersecurity landscapes, safeguarding web applications against diverse malicious attacks remains paramount for organizations. While conventional defense systems like WAF and IDS offer mitigation strategies, they are susceptible to circumvention or compromise. A more effective strategy involves implementing runtime application self-protection (RASP) directly within the web application. This approach has proven its efficacy by facilitating early detection of attacks. However, RASP often generates a significant number of false alarms and struggles to detect unknown attacks, necessitating extensive human scrutiny. To address these challenges, this paper introduces a novel approach by integrating unsupervised deep learning with Runtime Application Self-Protection (RASP) systems. Our method aims to detect genuine attacks from false alarms generated by RASP systems. To achieve this, we propose a novel fused neural network models capable of extracting features from various fields. Then we train an autoencoder model on RASP logs of normal behaviors (white samples). This model reconstructs features of white samples better than black samples, which can be used to detect real attacks by setting a threshold. Through extensive experimentation conducted on a real-world dataset comprising 260k RASP logs covering 11 types of attacking, our approach demonstrates exceptional efficacy, achieving a remarkable recall rate of 99.32% and a notably low false alarm rate of 0.66%.