A Closer Look at SWAP’s Logic-Based Detection Engine
Background: How did SWAP (Smart Web Application Protection) come to be?
As many are aware, Cloudbric entered the web application security field with the support of Penta Security Systems, Asia’s top cybersecurity vendor. Cloudbric spun off as its own independent cloud security company bringing over 20 years of IT experience. Now, we offer SWAP, DDoS protection, and SSL-as-a-service together as a cloud-based solution for complete web protection.
The web application firewall (WAF) market was valued at USD 2.76 billion in 2018 and is expected to reach USD 6.89 billion by 2024. While the WAF market is growing, the increasing number of web application attacks has created a fragmented space with different types of web security vendors. Cloudbric SWAP was created with enterprises in mind and addresses two of the main challenges that come with web application firewalls: cost and performance.
Web application firewalls inspect all incoming and outgoing traffic at the application layer and therefore require the most accurate detection capabilities in order to perform effectively and protect enterprises from cyberattacks.
SWAP provides industry-leading detection precision thanks to our proprietary logic analysis engine. This logic-based detection engine relies on the patented technology known as COCEP (COntents Classification and Evaluation Processing), developed by in-house security developers.
How does the logic-based detection engine work?
A web application firewall, or any web protection tool, is only as good as its rules. Unlike WAFs such as ModSecurity or AWS WAF, which may require your team to create security policies manually, Cloudbric’s SWAP comes with built-in rules whose coverage extends beyond the OWASP Top Ten threats. SWAP covers the most dangerous cyberattacks that target the web application layer.
COCEP performs web application layer interpretation and verification based on heuristic analysis, semantic analysis, and pattern-matching mechanisms, using 27 detection “rules,” or policies.
Pattern Matching, Semantic, and Heuristic Analysis
Pattern matching analysis focuses on detecting and blocking known web attack patterns. It detects attacks by comparing the web application’s incoming traffic against lists of known attacks. This process uses pre-existing whitelists and blacklists of user IP addresses, request sizes, regular expressions, and malicious code.
Semantic analysis, meanwhile, focuses on the context of the traffic, using a special processing method. This allows the engine to counter modified web attacks.
Finally, heuristic analysis focuses on the predictive detection and elimination of attacks through multi-criteria analysis, testing, and verification. It also defines what are most likely attack patterns by analyzing hacker behavior over a long observation period.
Together, they create the 27 rule sets for SWAP’s logic-based detection engine to precisely detect and block both known and unknown web attacks and modified attacks. These detection rules can be classified as follows:
|Heuristic Analysis|Semantic Analysis|Pattern Matching|
|---|---|---|
|Cookie poisoning|Cross-site scripting|Buffer overflow|
|IP block|Include injection|Directory listing|
|Parameter tampering|Invalid HTTP|Error handling|
|Suspicious access|Invalid URI|Extension filtering|
|URI access control|Parameter tampering|File upload|
||Privacy file filtering|Input content filtering|
||Privacy input filtering|IP filtering|
||Privacy output filtering|Request method filtering|
||Request header filtering|Response header filtering|
||SQL injection|User defined pattern|
||Stealth commanding|Web site defacement|
||Unicode directory traversal||
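To make the three layers concrete, here is an added illustration; it is not Cloudbric’s code and not SWAP’s actual rules. A small signature list stands in for pattern matching, a decode-and-normalize step stands in for semantic analysis, and a per-client hit counter stands in for the heuristic layer, all run over constructed sample requests. The signatures, the size limit, the block threshold and the sample traffic are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Layer 1, pattern matching: a tiny signature list and a request-size limit (constructed, not SWAP's rules).
SIGNATURES = {
    "Cross-site scripting": re.compile(r"<script", re.IGNORECASE),
    "SQL injection": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}
MAX_QUERY_LEN = 256

def normalize(query: str) -> str:
    """Layer 2, semantic analysis: decode until stable, fold case and collapse
    whitespace, so a re-encoded variant is judged on what it means."""
    prev = None
    while prev != query:
        prev, query = query, unquote_plus(query)
    return re.sub(r"\s+", " ", query).lower()

def match_rules(query: str, semantic: bool = True) -> list:
    """Return the names of the rules a single query string trips."""
    text = normalize(query) if semantic else query
    hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    if len(query) > MAX_QUERY_LEN:
        hits.append("Buffer overflow")
    return hits

def inspect(requests, semantic: bool = True, block_after: int = 3) -> list:
    """Layer 3, heuristic analysis: count rule hits per client across the batch
    and add an 'IP block' verdict once a client exceeds block_after hits."""
    verdicts, hits_per_ip = [], defaultdict(int)
    for ip, query in requests:
        hits = match_rules(query, semantic)
        hits_per_ip[ip] += len(hits)
        if hits_per_ip[ip] > block_after:
            hits.append("IP block")
        verdicts.append((ip, hits))
    return verdicts

# Constructed sample traffic: (client IP, query string).
SAMPLE = [
    ("203.0.113.7", "q=<script>alert(1)</script>"),  # plain form, caught by the signature
    ("203.0.113.7", "q=%253Cscr%2569pt%3E"),         # double-encoded: the raw signature misses it
    ("203.0.113.7", "id=1'%20OR%201%3D1"),           # URL-encoded, mixed case
    ("203.0.113.7", "id=1' or 1=1"),
    ("198.51.100.2", "q=hello+world"),               # benign
]

if __name__ == "__main__":
    for ip, hits in inspect(SAMPLE):
        print(ip, hits or "clean")
```

Running the same batch with `semantic=False` shows the point of the second layer: only the two unencoded requests trip a signature, and the client never reaches the block threshold.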
How does the logic-based detection engine differ from other WAF detection engines?
Many WAF (Web Application Firewall) vendors traditionally rely on signature-based pattern-matching techniques, which are often ineffective because hackers constantly change their attack methods.
The logic-based detection engine, by contrast, works by recognizing the characteristics of hackers and applies that learning to recognize the characteristics of hacking attempts in both incoming and outgoing traffic.
This is extremely useful because it takes the variations in attacks into account. The engine uses the 27 unique security rulesets to conduct a detailed analysis of web traffic and automatically filters out malicious traffic.
Low False Positives
Compared to other detection engines that use pattern-matching techniques, this approach is considerably faster and produces fewer false positives. Instead of matching every signature one by one, it recognizes the logic behind attacks and uses its logic-based engine to detect and proactively block them.
SWAP also eliminates the need to fine-tune any WAF policy because its proprietary 27-rule set does not require constant updates of known attack signatures.
By using signature-less technology, SWAP offers an innovative way to eliminate operational burdens and keep false positive rates to a minimum. This logic-based detection engine is one component of SWAP, which also uses AI technology.
To learn more visit: cloudbric.com/website-security.