20 September 2012

Comments

I like this approach (I use Bayesian for other processes such as adult site detection, malware detection, ...), which should be generalized with other VARS (REMOTE_ADDRESS, autonomous system number, HOUR, etc.).

But I have some difficulties: ham.cfc is growing, not spam.cfc, even with sqlmap...

It seems that, if a rule matches, ModSecurity never goes to the Bayesian rules. Even with SecAction id 900004...

Am I missing something?

@lotek - No one detection technique is adequate to combat today's web attacks. The value of this concept lies within the collaboration between blacklist filtering and Bayesian analysis. As the attackers are fine-tuning their attack payloads to bypass the blacklist filters, they are also training the SPAM classifiers. This makes the Bayes classifier better able to identify the attack payload that evades the RegEx.

Keep in mind that the real goal of all of this defensive stuff is two-fold:

1) To raise the bar of compromise - meaning that when you consider Time-Based Security metrics, we want to make a successful evasion take significantly longer than with RegEx alone, and

2) This increased amount of time allows Defenders and Incident Response personnel time to react. This may be to virtually patch a previously unknown vulnerability or to take other action against the attacker.

The goal of this concept is not to be 100% evasion-proof.
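The feedback loop this reply describes, as an added example that is not code from the original post or from the ModSecurity project: a toy RegEx blacklist trains the spam side of a small Naive Bayes classifier on every hit, so a later payload variant that slips past the RegEx still scores as spam. The BLACKLIST pattern, the ham/spam training traffic and the inspect wrapper are constructed assumptions standing in for the ModSecurity rules and the ham.cfc/spam.cfc databases.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus

# Constructed toy blacklist rule standing in for a ModSecurity RegEx (not a CRS rule)
BLACKLIST = re.compile(r"(?i)union\s+select")

def tokens(query_string):
    """URL-decode the parameter values and split them into lower-cased word tokens."""
    text = " ".join(v for _, v in parse_qsl(query_string, keep_blank_values=True))
    return re.findall(r"[a-z0-9_']+", text.lower())

class NaiveBayes:
    """Multinomial Naive Bayes over request tokens with add-one (Laplace) smoothing."""
    def __init__(self):
        self.counts = {"ham": Counter(), "spam": Counter()}
        self.docs = {"ham": 0, "spam": 0}
    def train(self, label, query_string):
        self.counts[label].update(tokens(query_string))
        self.docs[label] += 1
    def spam_probability(self, query_string):
        vocab = len(set(self.counts["ham"]) | set(self.counts["spam"]))
        logp = {}
        for label in ("ham", "spam"):
            total = sum(self.counts[label].values())
            prior = (self.docs[label] + 1) / (self.docs["ham"] + self.docs["spam"] + 2)
            lp = math.log(prior)
            for tok in tokens(query_string):
                lp += math.log((self.counts[label][tok] + 1) / max(total + vocab, 1))
            logp[label] = lp
        return 1 / (1 + math.exp(logp["ham"] - logp["spam"]))  # P(spam | tokens)

def inspect(model, query_string, threshold=0.9):
    """Blacklist first; a RegEx hit also trains the spam side. Otherwise ask Bayes."""
    if BLACKLIST.search(unquote_plus(query_string)):
        model.train("spam", query_string)
        return "blocked_by_regex"
    if model.spam_probability(query_string) >= threshold:
        return "blocked_by_bayes"
    return "allowed"

def demo():
    model = NaiveBayes()
    for qs in ("q=search+terms&page=2", "user=alice&sort=name",  # constructed ham traffic
               "id=42&view=summary", "q=select+a+plan&page=1"):
        model.train("ham", qs)
    first = inspect(model, "id=1+UNION+SELECT+username,password+FROM+users--")
    variant = inspect(model, "id=1+union+all+select+username,password+from+users--")
    benign = inspect(model, "q=select+a+plan&page=3")
    return first, variant, benign
```

With only four ham requests and one RegEx hit, the variant already scores about 0.98 spam while the benign request containing the word "select" scores about 0.16, which is the blacklist-trains-Bayes collaboration in miniature.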

I think Bayes is not a suitable algorithm for attack detection in WAFs, because it can be easily bypassed by inserting a large number of data pieces that resemble ham. One should remember that the true name of the Bayes algorithm is Naive Bayes Classifier.
