ModSec-Learn: Boosting ModSecurity with Machine Learning
Christian Scano, Giuseppe Floris, Biagio Montaruli, Luca Demetrio, Andrea Valenza, Luca Compagna, Davide Ariu, Luca Piras, Davide Balzarotti, and Battista Biggio

TL;DR
ModSec-Learn enhances ModSecurity by integrating machine learning to adapt rule contributions for improved attack detection and reduced false positives, outperforming traditional heuristic-based methods.
Contribution
This work introduces a machine learning approach that tunes CRS rule weights based on application-specific data, improving detection accuracy and reducing false positives.
Findings
Achieves better detection and false positive trade-off.
Reduces over 30% of CRS rules at inference time.
Provides open-source code and dataset for reproducibility.
Abstract
ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matched rules exceeds a given threshold. However, we argue that this strategy is largely ineffective against web attacks, as detection is only based on heuristics and not customized on the application to protect. In this work, we overcome this issue by proposing a machine-learning model that uses the CRS rules as input features. Through training, ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web applications to protect. Our…
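The fixed-weight scoring the abstract describes, next to weights learned from rule-match vectors, as an added example that is not from the paper or its code. A perceptron stands in for the paper's models, the severity scores and threshold are the CRS defaults (assumed here, the page does not give them), and the rule names and traffic are constructed.

```python
RULES = ["rule_A", "rule_B", "rule_C", "rule_D"]  # constructed names, not CRS IDs
# CRS default anomaly scores per severity: critical=5, warning=3, notice=2.
SEVERITY = [5, 2, 2, 3]
THRESHOLD = 5  # CRS default inbound anomaly threshold

# Constructed traffic: (which rules matched the request, label), 1=attack, 0=benign.
TRAFFIC = [
    ([1, 0, 0, 0], 0),  # benign input that trips the critical rule
    ([0, 0, 0, 0], 0),
    ([0, 1, 1, 0], 1),  # attack matching only two notice-level rules
    ([1, 1, 0, 0], 1),
    ([1, 0, 1, 0], 1),
]

def crs_block(matches):
    """Heuristic scoring: sum fixed severity weights, block at the threshold."""
    return int(sum(w * m for w, m in zip(SEVERITY, matches)) >= THRESHOLD)

def train(rows, max_epochs=100):
    """Perceptron over rule-match vectors; returns (weights, bias)."""
    w, b = [0] * len(RULES), 0
    for _ in range(max_epochs):
        mistakes = 0
        for x, y in rows:
            pred = int(sum(wi * xi for wi, xi in zip(w, x)) + b > 0)
            if pred != y:  # move each matched rule's weight toward the label
                mistakes += 1
                w = [wi + (y - pred) * xi for wi, xi in zip(w, x)]
                b += y - pred
        if mistakes == 0:
            break
    return w, b

def learned_block(matches, w, b):
    return int(sum(wi * mi for wi, mi in zip(w, matches)) + b > 0)

def errors(decide, rows):
    """Return (false_positives, false_negatives) for a decision function."""
    fp = sum(1 for x, y in rows if y == 0 and decide(x) == 1)
    fn = sum(1 for x, y in rows if y == 1 and decide(x) == 0)
    return fp, fn

WEIGHTS, BIAS = train(TRAFFIC)
SKIPPABLE = [r for r, w in zip(RULES, WEIGHTS) if w == 0]  # no effect on the decision

if __name__ == "__main__":
    print("CRS (fp, fn):    ", errors(crs_block, TRAFFIC))
    print("learned (fp, fn):", errors(lambda x: learned_block(x, WEIGHTS, BIAS), TRAFFIC))
    print("weights:", dict(zip(RULES, WEIGHTS)), "skippable:", SKIPPABLE)
```

On this constructed traffic the fixed weights block one benign request and miss one attack, while training pushes rule_A below zero because it fires on this application's legitimate input. rule_D never fires, keeps a zero weight, and so need not be evaluated at inference time.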
Taxonomy
Topics: Advanced Data Processing Techniques · Software Engineering Research · Software Reliability and Analysis Research
Methods: Sparse Evolutionary Training
