AppMine: Behavioral Analytics for Web Application Vulnerability Detection
Indranil Jana, Alina Oprea

TL;DR
AppMine is a lightweight, unsupervised system that detects unknown web application vulnerabilities in Docker environments using anomaly detection with neural networks, significantly outperforming traditional methods.
Contribution
It introduces a novel neural network-based anomaly detection approach for web vulnerabilities in containerized environments, trained solely on legitimate workloads.
Findings
Neural network models achieve up to 0.97 AUC on Apache Struts.
Traditional models like PCA and SVM achieve lower AUC scores.
AppMine effectively detects unknown web vulnerabilities.
Abstract
Web applications in widespread use have always been the target of large-scale attacks, leading to massive disruption of services and financial loss, as in the Equifax data breach. It has become common practice to deploy web applications in containers like Docker for better portability and ease of deployment. We design a system called AppMine for lightweight monitoring of web applications running in Docker containers and detection of unknown web vulnerabilities. AppMine is an unsupervised learning system, trained only on legitimate workloads of web applications, to detect anomalies based on either traditional models (PCA and one-class SVM) or more advanced neural-network architectures (LSTM). In our evaluation, we demonstrate that the neural network model outperforms more traditional methods on a range of web applications and recreated exploits. For instance, AppMine achieves average AUC…
Taxonomy
Topics: Web Application Security Vulnerabilities · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
