Bye-Bye False Positives: Using AI to Improve Detection

Presented at BSidesSF 2019, March 3, 2019, 3:30 p.m. (30 minutes)

Mainstream IPS/IDS solutions, including WAFs, NGWAFs, and RASPs, produce so many false positives that they are almost impossible to manage. The reason is that they rely on outdated detection mechanisms: signatures, human-defined rules, regexps, and the like. In this talk we suggest a better method, based on neural networks, give an overview and comparison of several AI-based injection detection architectures, and release the specific architecture and implementation that produced the best results.

To illustrate the application of this methodology, we review in detail an implementation of AI-based false-positive detection for SQL injection. The insight is to represent the injection as a time series, which lets us apply the same AI approaches used in time-series classification. To separate normal requests from attacks/injections, we normalize the query into a sequence of tokens/lexemes and pass it to our recurrent neural network model, which predicts the probability that the input is an injection. The best architecture for this task proved to be a bidirectional recurrent neural network with LSTM cells. As a result, it was possible to achieve 96.07% false positive detection quality on the false_positives dataset of 433 samples from libinjection (https://github.com/client9/libinjection/blob/master/data/false_positives.txt). The presented model is already used in production at Wallarm to reduce false positive events.

Attendees will take away an understanding of the most modern AI-based injection detection methods, a methodology for building their own RNN for detection, and an understanding of the training and test datasets and the methodology for accuracy testing.
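The normalization step the abstract describes (query to sequence of lexemes to integer ids), as an added example that is not code from the talk or from Wallarm: a simplified SQL lexer that turns raw input into the "time series" an embedding plus BiLSTM classifier would consume, re-lexing the input in each quoting context because a value spliced into an existing string literal lexes differently from a bare one. The token classes, keyword list, and the three quoting contexts are assumptions of this example; the network itself is not included.

```python
import re

# Constructed lexeme classes for a simplified SQL lexer (not Wallarm's or
# libinjection's tokenizer). Concrete values collapse to their class, so
# "id = 42" and "id = 7" yield the same sequence.
TOKEN_SPEC = [
    ("COMMENT", r"--[^\n]*|#[^\n]*|/\*.*?\*/"),
    ("STRING", r"'(?:[^']|'')*'?|\"(?:[^\"]|\"\")*\"?"),  # '? : unterminated strings count too
    ("NUMBER", r"0x[0-9a-fA-F]+|\d+(?:\.\d+)?"),
    ("WORD", r"[A-Za-z_][A-Za-z0-9_]*"),
    ("OP", r"<=|>=|<>|!=|\|\||&&|[-+*/%=<>!|&^~]"),
    ("PUNCT", r"[(),;.]"),
    ("SPACE", r"\s+"),
    ("OTHER", r"."),
]
KEYWORDS = {"select", "from", "where", "and", "or", "not", "union", "insert",
            "update", "delete", "null", "like", "in", "is", "drop", "limit",
            "order", "by", "group", "having"}
TOKEN_RE = re.compile("|".join(f"(?P<{n}>{p})" for n, p in TOKEN_SPEC), re.S)


def tokenize(text, quote=""):
    """Lex `text` into a sequence of lexeme classes (the RNN's input series).

    `quote` is the quoting context the value is assumed to be spliced into
    ("" bare, "'" or '"'); prepending it reproduces how the first quote in
    the input closes the application's own string literal."""
    seq = []
    for m in TOKEN_RE.finditer(quote + text):
        kind = m.lastgroup
        if kind == "SPACE":
            continue
        if kind == "WORD":
            word = m.group().lower()
            kind = "KW_" + word.upper() if word in KEYWORDS else "IDENT"
        seq.append(kind)
    return seq


def candidate_sequences(text):
    """One token sequence per quoting context; a classifier scores each and keeps the max."""
    return {q: tokenize(text, q) for q in ("", "'", '"')}


def encode(seq, vocab):
    """Map lexeme classes to integer ids for an embedding layer (0 is reserved for padding)."""
    return [vocab.setdefault(tok, len(vocab) + 1) for tok in seq]


def pad(ids, length, pad_id=0):
    """Right-pad or truncate to a fixed length so a batch can be stacked for the RNN."""
    return (ids + [pad_id] * length)[:length]
```

Note how a benign English phrase containing a quote lexes to the same keyword-bearing shape as a tautology fragment once the quoting context is applied, which is exactly the kind of sample a rule or regexp flags and a sequence classifier has to learn to pass.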

Presenters:

  • Ivan Novikov
    Ivan Novikov is a white hat security professional with over 12 years of experience in security services and products. He is an inventor of memcached injection and SSRF exploit class as well as a recipient of bounty awards from Google, Facebook, and others. Ivan has recently been a speaker at HITB, Blackhat, and other industry events. Currently, Ivan serves as the CEO of Wallarm.
