Threat detection is at the core of a WAF’s capabilities to accurately identify and block incoming attacks. However, not all threat engines are built the same.
Many WAF vendors use ModSecurity’s engine, an open-source web application firewall, for their core ruleset.
This core rule set contains a set of generic attack detection rules that provide protection against many common attack categories, including SQL Injection (SQLi), Cross Site Scripting (XSS), Local File Inclusion (LFI), Remote File Inclusion (RFI), and more.
As mentioned, ModSecurity’s threat detection engine is a free-to-use, open software that forms the basis of many WAF engines.
However, there are some WAF vendors using their own proprietary technology that doesn’t just rely on ModSecurity’s core rule set to protect web applications against zero-day type attacks and other sophisticated web attacks.
Some of these techniques and methods include using signatures, application learning, and AI.
Take a look below at some of the threat detection techniques that are being applied for WAFs and decide for yourself what kind of WAF might be able to withstand today’s evolving threat landscape.
Signature-based threat detection
Signature-based (or pattern-matching) models are mostly associated with traditional WAFs.
A signature represents a pattern containing pieces of code that make up a known attack on an operating system, web server, or website.
A signature-based WAF will take a string of suspicious code and run it against its signatures. And if it matches a signature, it is subsequently blocked.
Sounds simple enough.
However, this may create problems such as false positives and false negatives. This can also possibly block actual users from getting access to the web application (i.e. website). Furthermore, if a malicious string of code is not recognized because no signature for it exists, then it also goes undetected and does not get blocked by the threat detection engine.
Hackers can easily add code to the string that does not match any of the signatures, thereby bypassing the firewall and accessing the web application.
As a result, signature-based WAFs are only able to protect applications from known vulnerabilities and cannot effectively protect against new web attacks.
Signature-free/signature-less threat detection
In general, third-generation WAFs will want to use both signature (pattern matching) techniques and “signature-less” techniques for threat detection.
A signature-less or signature-free WAF simply means that the WAF’s threat engine does rely on signatures to identify and block attacks.
Instead the WAF uses its own rulesets (either combined with ModSecurity’s core rule set or rule set developed in-house) to intelligently identify the characteristics of an attack that does not rely on signatures.
This type of WAF threat engine can detect while blocking unknown vulnerabilities, protecting applications from never-before-seen threats.
This is not to say that signature-based models are not useful. However, unless there are regular updates to the signatures, those not updated become less useful over time. Updates may also incur additional costs.
With signature-free techniques, signature updates are not required. For WAF customers, this means more cost savings.
Application learning/behavior-based threat detection
The parameter of an application includes value ranges for form fields, HTTP methods, cookies, etc.
An application learning model develops a “profile” by looking at data entries and other facets of the behaviors of users as it relates to each of these parameters.
A behavior-based WAF can detect whether or not an application is behaving the way it should through these parameters. User actions are compared against expected behaviors to recognize anomalies and then trigger alerts.
Over time, as the WAF’s threat engine updates these profiles by gathering more data on user behavior, the application-learning technology monitors responses to certain data inputs to learn what responses to expect in the future.
Behavior not within this profile scope and previously unobserved by the WAF threat engine triggers an alert to the security team.
Behaviors that trigger an alert even though it’s not malicious might cause incoming web application traffic to be blocked entirely. So when a new trend emerges, it may be blocked until an actual person can review the trend and decide whether it’s truly a threat or not.
This creates several problems. First, this means more resources (i.e. people) are required to manage the WAF engine due to the manual checkups. Second, it can increase the false positive rate.
While these setbacks are also associated with conventional WAFs, a behavior-based WAF is still a significant improvement.
As the WAF’s threat engine gathers more information on user behavior, the profile gets updated to learn what types of responses (i.e grant or block access) to give.
Artificial intelligence (AI)/machine learning-based threat detection
Reducing the high resource requirements sometimes needed in managing a WAF is something most companies seek to avoid.
To combat the human resource issue, machine learning powered-automated tasks can be created to constantly learn the newest data (threat data or otherwise) without human intervention.
Machine learning enables the WAF engine to classify files and data sources much more accurately and distinguish between legitimate and illegitimate threats.
Very few WAFs have incorporated this type of machine learning that uses an “automated calculation of the probability that a user or application behavior represents a threat requiring a security response.”
The WAF in turn, uses these predefined rules that ultimately determine the likelihood of the threat to respond to any behavior anomalies.
This significantly reduces false positives as compared to application learning and also reduces the need to allocate valuable staff resources to resolve false positives issues.
Machine learning can build predictive models to detect similarities between attack patterns and discover unknown patterns.
Deep learning-based threat detection
As a subset of machine learning, deep learning for WAF threat detection is just beginning to be explored.
Deep learning methods are already being used for Intrusion Detection Systems (IDS) in the cybersecurity arena.
One way deep learning is being used to detect web attacks is through the usage of a CNN (Convolutional Neural Network), which can be used specifically to analyze HTTP request packets. This makes it possible to also analyze a diverse set of attack inputs and data.
CNN is widely used in computer vision area and image-related tasks. In one example, deep learning capabilities are being used to convert web attacks into in UTF-8 hexadecimal format.
It is then turned into an image and is fed into a deep learning machine. With this, the machine will be able to recognize web traffic and learn as more data is fed through it. Read more.
Combined with core WAF capabilities, deep learning can enhance the threat detection of any WAF to more intelligently find new types of web attacks and also accurately distinguish legitimate users and illegitimate users.
WAF technologies are now evolving to meet the new and more sophisticated types of web threats that are arising across organizations.
Some of the ways in which WAFs are evolving is the incorporation of new technologies to their threat engines as they move away from traditional signatures to include application learning/behavioral analysis methods, signature-free methods, and AI.
Furthermore, big data is also making its way into WAF threat engines. One way it is being used is through the analysis of global threats across individual clients’ WAFs to be a block one kind of attack and apply it rapidly to other clients.
Now that the threat landscape calls for more precise detection of both known and unknown attacks, it seems like organizations will also seek to deploy WAFs that hold greater capabilities than their predecessors.