Towards automated web application logic reconstruction for application level security

TL;DR

This paper proposes an automated approach to modeling web application logic to enhance the accuracy and adaptability of web application firewalls (WAFs) for better security and intrusion detection.

Contribution

It introduces a multi-layer modeling framework that captures web application behavior for security, enabling automatic adaptation of WAFs to specific applications.

Findings

Models improve WAF accuracy in detecting intrusions

Automated reconstruction reduces manual fine-tuning

Multi-layer approach captures complex application behaviors

Abstract

Modern overlay security mechanisms like Web Application Firewalls (WAF) suffer from inability to recognize custom high-level application logic and data objects, which results in low accuracy, high false positives rates, and overhelming manual effort for fine tuning. In this paper we propose an approach to web application modeling for security purposes that could help next-generation WAFs to adapt to specific web applications, and do it automatically whenever possible. We aim at creating multi-layer models that adequately simulate various aspects of web application functionality that are significant for intrusion detection and prevention, including request parsing and routing, reconstruction of actions and data objects, and action interdependencies.