Authors: ZHU Simeng, DU Ruiying [1,2], CHEN Jing [1,2], HE Kun [1,2] (Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China; Rizhao Institute of Information Technology, Wuhan University, Rizhao, Shandong 276827, China)
Affiliations: [1] Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China; [2] Rizhao Institute of Information Technology, Wuhan University, Rizhao, Shandong 276827, China
Source: Computer Engineering (计算机工程), 2022, No. 11, pp. 120-126 (7 pages)
Funding: National Key R&D Program of China (2021YFB2700200); National Natural Science Foundation of China (U1836202, 61772383, 61702379, 62172303).
Abstract: A Web Application Firewall (WAF) detects and filters HTTP traffic to and from a Web application via a set of rules. Owing to the complexity of malicious traffic, WAF rules must be constantly updated to defend against the latest or advanced attacks. However, existing methods for updating WAF rules require a high degree of human expertise to manually design malicious test traffic for a particular attack and to generate protection rules for that malicious traffic, which is time-consuming and cannot be adapted to other types of attacks. In this study, a WAF reinforcement scheme based on a Recurrent Neural Network (RNN) is proposed to automate the reinforcement of the WAF without relying on any human expert knowledge. It generates malicious payloads with the RNN and discovers, among them, the payloads that bypass the WAF, thereby revealing the security risks in the WAF rules. It then designs scoring functions to find the important strings of the malicious payloads, from which reinforcement signatures are generated to block subsequent similar attacks, and designs a simplified regular expression as the expression form of the reinforcement signature. We test four WAFs and examine three types of attacks: SQL injection, Cross-Site Scripting (XSS) and Command Injection (CI). The results show that the proposed scheme successfully generates a large number of malicious payloads that bypass the WAF, and that the average blocking rate of the WAF against these payloads is only 52%. The scheme also generates more bypassing malicious attacks than traditional mutation schemes and SQLMap. After applying the signatures, the WAF's malicious attack blocking rate increases to over 90% while the false positive rate remains 0. This shows that the signatures successfully block these bypassing attacks, thereby validating the effectiveness of the proposed scheme.
Keywords: Web application firewall; recurrent neural network; SQL injection; cross-site scripting; command injection
Classification number: TP393.08 [Automation and Computer Technology: Computer Application Technology]