ModSec-Learn: Boosting ModSecurity with Machine Learning
CoRR(2024)
Abstract
ModSecurity is widely recognized as the standard open-source Web Application
Firewall (WAF), maintained by the OWASP Foundation. It detects malicious
requests by matching them against the Core Rule Set (CRS), identifying
well-known attack patterns. Each rule is manually assigned a weight based on
the severity of the corresponding attack, and a request is blocked if the sum
of the weights of matched rules exceeds a given threshold. However, we argue
that this strategy is largely ineffective against web attacks, as detection
relies only on heuristics and is not customized to the application being
protected. In this work, we overcome this issue by proposing a machine-learning
model that uses the CRS rules as input features. Through training, ModSec-Learn
is able to tune the contribution of each CRS rule to predictions, thus adapting
the severity level to the web application being protected. Our experiments show that
ModSec-Learn achieves a significantly better trade-off between detection and
false positive rates. Finally, we analyze how sparse regularization can reduce
the number of rules that are relevant at inference time, by discarding more
than 30
https://github.com/pralab/modsec-learn and
https://github.com/pralab/http-traffic-dataset, respectively.
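
The contrast the abstract draws, as an added example that is not code from the paper or its repositories: a fixed severity-sum scorer beside a classifier that learns per-rule weights from rule-match vectors, with an L1 penalty that zeroes uninformative rules. Assumptions: the rule names are placeholders rather than real CRS ids, the severity weights, threshold and traffic are constructed, and L1-regularised logistic regression trained by proximal gradient descent stands in for the paper's model, which the abstract does not name.

```python
import math

RULES = ["RULE_A", "RULE_B", "RULE_C", "RULE_D"]  # placeholder names, not real CRS ids
SEVERITY = {"RULE_A": 5, "RULE_B": 3, "RULE_C": 3, "RULE_D": 2}  # assumed manual weights
THRESHOLD = 4                                     # assumed anomaly threshold

# Constructed traffic: (rule-match vector, label), label 1 = attack, 0 = benign.
# In this toy application RULE_A and RULE_D fire on benign and malicious requests alike.
DATA = [((1, 0, 0, 0), 0), ((0, 0, 0, 0), 0), ((0, 0, 0, 1), 0), ((1, 0, 0, 1), 0),
        ((1, 1, 0, 0), 1), ((0, 1, 0, 1), 1), ((1, 0, 1, 1), 1), ((0, 0, 1, 0), 1)]

def fixed_block(x):
    """Baseline: block when the summed severity of matched rules exceeds the threshold."""
    return sum(SEVERITY[r] for r, hit in zip(RULES, x) if hit) > THRESHOLD

def soft(v, t):
    """Soft-thresholding: the proximal step that sets small weights to exactly 0."""
    return 0.0 if abs(v) <= t else v - math.copysign(t, v)

def train_l1_logreg(data, lam=0.03, lr=1.0, epochs=2000):
    """L1-regularised logistic regression fitted by proximal gradient descent."""
    w, b, n = [0.0] * len(RULES), 0.0, len(data)
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in data:
            z = b + sum(wi * xi for wi, xi in zip(w, x))
            err = 1 / (1 + math.exp(-z)) - y      # predicted probability minus label
            gb += err / n
            gw = [g + err * xi / n for g, xi in zip(gw, x)]
        b -= lr * gb                              # the bias is not regularised
        w = [soft(wi - lr * gi, lr * lam) for wi, gi in zip(w, gw)]
    return dict(zip(RULES, w)), b

def learned_block(x, w, b):
    """Block when the learned model puts P(attack) above 0.5."""
    return b + sum(w[r] * xi for r, xi in zip(RULES, x)) > 0

def rates(block):
    """Return (false positives, detected attacks) over DATA."""
    fp = sum(block(x) for x, y in DATA if y == 0)
    tp = sum(block(x) for x, y in DATA if y == 1)
    return fp, tp

if __name__ == "__main__":
    w, b = train_l1_logreg(DATA)
    print("fixed   (FP, TP):", rates(fixed_block))
    print("learned (FP, TP):", rates(lambda x: learned_block(x, w, b)))
    print("rules pruned by L1:", [r for r, v in w.items() if v == 0.0])
```

On this constructed data the rule with the highest manual severity carries no signal, so the learned weights drop it while the fixed scorer keeps blocking benign requests that match it.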