4th International Conference on Advanced Technology & Sciences (ICAT'Rome), November 23-25, 2016, Rome, Italy

Development of Web Application Firewall Interface (WAFI)

Adem Tekerek*, Ömer Faruk Bay+

* Gazi University, Department of Information Technology, Ankara, Turkey, [email protected]
+ Gazi University, Department of Electrical and Electronic Engineering, Ankara, Turkey, [email protected]

Abstract

A web application firewall (WAF) is a web server plugin, filter or dedicated application that applies a set of rules to HTTP requests and responses. Generally, these rules cover common web based attacks such as SQL injection and cross site scripting (XSS). By customizing the rules of the WAF, web based attacks can be identified and blocked according to the preferences of the application or system administrator. User interface (UI) design focuses on anticipating what users might need to do and ensuring that the interface has elements that are easy to access, understand, and use to facilitate actions [1]. The WAF UI is as important as WAF detection performance. In this study, a WAF user interface named WAFI was developed. WAFI is a flexible interface that can manage the detection of web based attacks, and the proposed UI is therefore expected to contribute to the WAF literature.

Keywords

Firewall, Web Application Firewall, User Interface

I. INTRODUCTION

Web applications are software that allows website visitors to submit and retrieve data from a database through the Internet. The data is then presented to the user within their browser, as the information is generated dynamically by the web application through a web server [2]. Figure 1 shows the running schema of a dynamic web application. A dynamic web page is an application that is controlled by server-side scripts processed on the server. In server-side scripting, parameters determine how the assembly of every new web page proceeds, including the setting up of further client-side processing. Dynamic web applications have three layers. Layer 1 is the client layer: users connect to the Internet and request a web page from the web application. Layer 2 is the web application layer, which connects to the database server, selects data from the database according to the client request and produces the response to the client. Layer 3 is the database server.

Figure 1: Web application running schema

Web applications are the most easily accessible systems. The complexity of web applications increases, while at the same time there is a significant increase in the security requirements and vulnerabilities of web applications. This situation makes them the most vulnerable applications. Web application security is a branch of information security that deals specifically with the security of web applications. It differs from other branches of information security in that it focuses on vulnerabilities within the application code that is exposed during a user session on the Internet [3]. Most attacks against web servers come in through network firewalls over HTTP. Some of the most commonly used attack techniques include denial of service, command injection, directory traversal, cross-site scripting and SQL injection [4]. These attacks aim to prevent the services provided by web applications. The most commonly used tool to detect and prevent web based attacks is the WAF. A WAF is a hardware, software or plugin device positioned to monitor HTTP traffic, with the ability to enforce policy on the web server [5]. A WAF is a security measure to protect web applications from external or internal attacks that exploit vulnerabilities in web applications [6]. A WAF can detect both known web based attacks and unknown zero-day attacks. To detect known web based attacks, a signature based model is used; to detect unknown zero-day attacks, an anomaly based model is used. The signature based model matches the signatures of already known attacks, stored in a database, against traffic in order to detect attacks on the computer system. The anomaly based model detects anomalous behaviour in the computer network: deviation from normal behaviour is considered an attack. Profiles are built using metrics, which may include the number of anomalous HTTP requests. These profiles are called normal profiles because they are created using attack-free data. Anomaly based detection compares new traffic with the previously created profiles [7]. In this study, a WAF user interface named WAFI is proposed. WAFI allows system administrators to change the configuration and rules of the WAF detection structure in a practical way.
WAFI gives the opportunity to manage both of these detection models through a flexible interface. WAFI brings together concepts from interaction design, visual design, and information architecture. Its interface elements include navigational and informational components and containers. In this way, the system can be adapted to different WAF applications. By using the developed WAFI, WAF configurations can be updated easily. WAFI also presents the related detection results of the WAF to the system administrator in detail and visualizes them. WAFI is the component through which a user interacts with web application security. WAFI determines how commands are given to the WAF and how information is displayed on the screen. WAFI has three main types of visual interaction: (1) Instructions: the user needs to know the WAF- and web application security-specific instructions. (2) Menus: the user chooses commands from the menus displayed on the screen and manages the attack detection of the web application. (3) Graphical user interface (GUI): the user gives commands by selecting and clicking icons displayed on the screen. The proposed WAFI is expected to make both system setup and the evaluation of results more convenient for system administrators.

Several different ANN models can be created through the proposed WAFI. Trained ANN models can be deployed separately, using the developed WAFI, for the detection of web based attacks against web applications. WAFI's detection features also allow web applications of different architectures and datasets to be analysed simultaneously. ANN models trained with the parameters given in Figure 2.1 are shown in Figure 2.2. The weights of each ANN model are given in Figure 2.3. Moreover, WAFI also allows an ANN model that does not give sufficient detection results to be retrained.

This manuscript consists of four sections. In section 2, the WAFI design is explained. In section 3, results are presented, and in section 4 the conclusion is given.

II. WAFI DESIGN

The proposed WAFI hybrid application consists of two stages. The first stage performs the detection of known web based attacks such as SQL injection, XSS injection and command injection; this is known as misuse detection and is expressed as the signature based process. The second stage is the anomaly based process. The anomalous HTTP request detection process is based on artificial intelligence, implemented with artificial neural networks (ANN). As a result, the developed WAF is a hybrid model that uses both a signature based model and an anomaly based model. WAFI is a WAF interface that enables the creation of the neural network model and the setting of the performance values necessary for ANN training. The ANN creation screen for anomaly based detection is given in Figure 2.1. First, the weights have to be determined. The training of the weights of a neural network model, shown in Figure 2.2, is carried out according to the learning rate, momentum, number of neurons, margin of error, number of iterations, and training/test rate given as training parameters.

Figure 2.2. ANN trained models

As shown in Figure 2.3, the weights of an ANN model are grouped as: from the input layer to the hidden layer, from the hidden layer to the output layer, from the bias to the hidden layer, and from the bias to the output layer. In this way, WAFI indicates how many weights were produced between the input and output layers of the ANN model.

Figure 2.3. ANN trained weight values

For example, the created model consists of one input layer with three input features, one hidden layer with ten neurons, one output layer with one output feature, and a bias layer. In other words, 51 weights in total are produced (3 × 10 from input to hidden, 10 × 1 from hidden to output, 10 from bias to hidden and 1 from bias to output). After the creation of the ANN model, web based attack detection can be performed, as shown in Figure 2.4. Three different mechanisms have been created for the detection of HTTP requests: detection of a single HTTP request, detection of HTTP datasets, and detection of real-time HTTP streaming data.

Figure 2.1. ANN performance parameters
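The ANN model described above (three input features, a hidden layer of ten neurons, one output feature and bias connections, trained with the learning rate, momentum, number of neurons, margin of error, iteration count and training/test rate of Figure 2.1), as an added Python example. This is not the paper's own code: the network, the grouping and counting of weights in the four groups of Figure 2.3, and the sample data are all constructed for this example. The paper does not name its three input features; the feature vectors below assume normalised query length, share of non-alphanumeric characters and keyword count. The weight counting works for any layer sizes, not only the 3-10-1 model of the text.

```python
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class SmallANN:
    """One-hidden-layer feed-forward network trained by online backpropagation
    with learning rate and momentum. Weights are stored in the four groups of
    Figure 2.3: input->hidden, hidden->output, bias->hidden, bias->output."""

    def __init__(self, n_in, n_hidden, n_out, seed=1):
        rnd = random.Random(seed)
        init = lambda: rnd.uniform(-0.5, 0.5)
        self.w_ih = [[init() for _ in range(n_in)] for _ in range(n_hidden)]
        self.w_ho = [[init() for _ in range(n_hidden)] for _ in range(n_out)]
        self.b_h = [init() for _ in range(n_hidden)]
        self.b_o = [init() for _ in range(n_out)]
        # previous updates, kept for the momentum term
        self.v_ih = [[0.0] * n_in for _ in range(n_hidden)]
        self.v_ho = [[0.0] * n_hidden for _ in range(n_out)]
        self.v_bh = [0.0] * n_hidden
        self.v_bo = [0.0] * n_out

    def weight_counts(self):
        """Number of weights per group, as WAFI reports them, plus the total."""
        counts = {
            "input_to_hidden": sum(len(row) for row in self.w_ih),
            "hidden_to_output": sum(len(row) for row in self.w_ho),
            "bias_to_hidden": len(self.b_h),
            "bias_to_output": len(self.b_o),
        }
        counts["total"] = sum(counts.values())
        return counts

    def forward(self, x):
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                  for row, b in zip(self.w_ih, self.b_h)]
        out = [sigmoid(sum(w * h for w, h in zip(row, hidden)) + b)
               for row, b in zip(self.w_ho, self.b_o)]
        return hidden, out

    def predict(self, x):
        return self.forward(x)[1][0]

    def mse(self, data):
        return sum((t - self.predict(x)) ** 2 for x, t in data) / len(data)

    def train(self, data, learning_rate, momentum, error_margin, max_iterations):
        """Stops when the training MSE drops below error_margin (the margin of
        error) or after max_iterations epochs. Returns (mse, epochs run)."""
        epochs = 0
        for epochs in range(1, max_iterations + 1):
            for x, t in data:
                hidden, out = self.forward(x)
                d_out = [(t - o) * o * (1 - o) for o in out]
                d_hid = [h * (1 - h) * sum(d * self.w_ho[k][j] for k, d in enumerate(d_out))
                         for j, h in enumerate(hidden)]
                for k, d in enumerate(d_out):
                    for j, h in enumerate(hidden):
                        self.v_ho[k][j] = learning_rate * d * h + momentum * self.v_ho[k][j]
                        self.w_ho[k][j] += self.v_ho[k][j]
                    self.v_bo[k] = learning_rate * d + momentum * self.v_bo[k]
                    self.b_o[k] += self.v_bo[k]
                for j, d in enumerate(d_hid):
                    for i, xi in enumerate(x):
                        self.v_ih[j][i] = learning_rate * d * xi + momentum * self.v_ih[j][i]
                        self.w_ih[j][i] += self.v_ih[j][i]
                    self.v_bh[j] = learning_rate * d + momentum * self.v_bh[j]
                    self.b_h[j] += self.v_bh[j]
            if self.mse(data) < error_margin:
                break
        return self.mse(data), epochs


def train_test_split(data, train_rate, seed=1):
    """Shuffle and split according to the training/test rate of Figure 2.1."""
    shuffled = list(data)
    random.Random(seed).shuffle(shuffled)
    cut = int(len(shuffled) * train_rate)
    return shuffled[:cut], shuffled[cut:]


# Constructed feature vectors (assumed features: normalised query length,
# non-alphanumeric share, keyword count); target 0.0 = normal, 1.0 = anomaly.
SAMPLES = [
    ([0.10, 0.05, 0.0], 0.0), ([0.20, 0.10, 0.0], 0.0), ([0.15, 0.08, 0.0], 0.0),
    ([0.30, 0.12, 0.0], 0.0), ([0.25, 0.06, 0.1], 0.0), ([0.12, 0.09, 0.0], 0.0),
    ([0.80, 0.60, 0.9], 1.0), ([0.90, 0.55, 0.7], 1.0), ([0.70, 0.70, 1.0], 1.0),
    ([0.60, 0.45, 0.6], 1.0), ([0.85, 0.65, 0.8], 1.0), ([0.75, 0.50, 0.9], 1.0),
]


def run_experiment(learning_rate=0.3, momentum=0.8, neurons=10, error_margin=0.01,
                   iterations=500, train_rate=0.75):
    """Create a 3-neurons-1 model, train it with the given parameters and
    evaluate it on the held-out test share, like one WAFI model run."""
    net = SmallANN(3, neurons, 1)
    train, test = train_test_split(SAMPLES, train_rate)
    mse_before = net.mse(train)
    mse_after, epochs = net.train(train, learning_rate, momentum, error_margin, iterations)
    correct = sum((net.predict(x) >= 0.5) == (t >= 0.5) for x, t in test)
    return {"weights": net.weight_counts(), "mse_before": mse_before,
            "mse_after": mse_after, "epochs": epochs, "test_accuracy": correct / len(test)}


if __name__ == "__main__":
    print(run_experiment())
```

Running the module prints the four weight-group counts (30, 10, 10 and 1, total 51 for the 3-10-1 model), the training error before and after training, the number of epochs used and the accuracy on the test share; re-running with other parameter values corresponds to retraining a model that did not give sufficient results.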


Figure 2.4. WAFI HTTP request detection screen

Single HTTP request detection examines one HTTP request to determine whether or not it contains any web based attack. Detection of an HTTP dataset is an evaluation method that determines whether a dataset contains HTTP requests involving any web based attack; this method also analyses the dataset and presents detailed statistics on it, such as the numbers of anomalous requests, SQL injections, XSS injections, etc. Detection of HTTP streaming is the real-time identification, for a live web application, of whether or not each HTTP request arriving at the web application contains any web based attack; this method likewise presents detailed statistics, such as the numbers of anomalous requests, SQL injections, XSS injections, etc., for the related web applications. Figure 2.5 shows the HTTP requests that were identified as anomalous by the ANN based anomalous HTTP request detection process. An anomalous HTTP request can be updated if it was identified incorrectly: using the screen in Figure 2.5, system administrators have the opportunity to edit anomalous HTTP requests that were identified as false positives or false negatives.

Figure 2.5. Anomaly HTTP Requests

Normal HTTP requests that were identified incorrectly can also be edited using the screen in Figure 2.5. This feature of WAFI helps to minimize such misclassifications. The proposed WAF can also generate a signature as a result of ANN based anomaly detection: when a request that was identified as anomalous comes to the web application a second time, it can be detected by the signature based detection model using the generated signature. The signature generation feature can be managed from WAFI and improves the detection speed of the system, because the signature based model is faster than the anomaly based model.

Signature based category definition is implemented in the screen of Figure 2.6. Known web based attacks like SQL injection, XSS injection, directory traversal, command injection, etc. are handled by signature based detection. Using the screen in Figure 2.6, known web based attacks can be defined by system administrators.

Figure 2.6. Known web based attack definition

Signature definitions implement the detection of each known web based attack defined in Figure 2.6. The WAFI screen given in Figure 2.7 is used to define the signatures of SQL injection, XSS injection, directory traversal, command injection, etc. specifically. Signature based detection can be performed not only for these four known attack types but also for other OWASP web based attack types.

Figure 2.7. Known web based attacks signatures
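The hybrid detection flow of this section, as an added Python example that is not the paper's WAFI code: signature categories for the known attack classes, the three detection modes (single request, dataset with statistics, and stream), signature generation from an anomaly hit so that the same request is caught by the faster signature stage the second time, and administrator correction of false positives and false negatives. The rule patterns and sample requests are constructed for the example, and the normal profile built from attack-free requests (the idea of [7] in the introduction) stands in for the paper's ANN classifier; the three metrics it uses are an assumption.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Stage 1: signature (misuse) rules for the known attack classes named in the paper.
# These patterns are constructed for this example; they are not the paper's rule set.
SIGNATURES = {
    "sql_injection": [re.compile(r"(?i)('|%27)\s*(or|and)\s+[\w'\"]+\s*=\s*[\w'\"]+"),
                      re.compile(r"(?i)\bunion\s+select\b")],
    "xss": [re.compile(r"(?i)<\s*script\b"), re.compile(r"(?i)javascript\s*:")],
    "directory_traversal": [re.compile(r"(?i)(\.\./|\.\.\\|%2e%2e%2f)")],
    "command_injection": [re.compile(r"(?i)[;&|`]\s*(cat|ls|whoami|id|wget)\b")],
}


def match_signatures(request, generated=()):
    """Category of the first matching built-in rule, 'generated_signature' for a
    rule learned from an earlier anomaly hit, or None when nothing matches."""
    for category, patterns in SIGNATURES.items():
        if any(p.search(request) for p in patterns):
            return category
    if any(p.search(request) for p in generated):
        return "generated_signature"
    return None


def features(request):
    """Three per-request metrics (assumed for this example): query length,
    share of non-alphanumeric characters in the query, longest parameter value."""
    query = urlsplit(request).query
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    non_alnum = sum(1 for c in query if not c.isalnum()) / max(len(query), 1)
    return (len(query), non_alnum, max((len(v) for v in values), default=0))


class NormalProfile:
    """Normal profile in the sense of [7]: the largest value of each metric seen
    on attack-free requests, widened by a tolerance. A request exceeding any
    bound is an anomaly. Stand-in for the paper's ANN classifier."""

    def __init__(self, attack_free, tolerance=0.5):
        columns = zip(*(features(r) for r in attack_free))
        self.upper = [max(col) * (1 + tolerance) for col in columns]

    def is_anomaly(self, request):
        return any(f > u for f, u in zip(features(request), self.upper))


class HybridWAF:
    def __init__(self, attack_free):
        self.profile = NormalProfile(attack_free)
        self.generated = {}     # request -> signature generated from an anomaly hit
        self.allowlist = set()  # requests an administrator marked as false positives

    @staticmethod
    def _row(request, verdict, stage, action):
        return {"request": request, "verdict": verdict, "stage": stage, "action": action}

    def detect(self, request):
        """Single HTTP request detection: signature stage first (fast), anomaly
        stage only for requests that no signature matched. Returns one result row."""
        if request in self.allowlist:
            return self._row(request, "normal", "allowlist", "forwarded")
        category = match_signatures(request, self.generated.values())
        if category:
            return self._row(request, category, "signature", "blocked")
        if self.profile.is_anomaly(request):
            # Generate a signature so the next occurrence is caught by stage 1.
            self.generated[request] = re.compile(re.escape(request))
            return self._row(request, "anomaly", "anomaly", "blocked")
        return self._row(request, "normal", "anomaly", "forwarded")

    def detect_dataset(self, requests):
        """Dataset detection: run every request and summarise the verdict counts."""
        return Counter(self.detect(r)["verdict"] for r in requests)

    def detect_stream(self, requests):
        """Streaming detection: yield one result row per request as it arrives."""
        for request in requests:
            yield self.detect(request)

    def mark_false_positive(self, request):
        """Administrator feedback: the request was normal after all."""
        self.generated.pop(request, None)
        self.allowlist.add(request)

    def mark_false_negative(self, request):
        """Administrator feedback: the request was an attack; add an exact-match signature."""
        self.allowlist.discard(request)
        self.generated[request] = re.compile(re.escape(request))


# Constructed sample traffic.
ATTACK_FREE = ["/", "/products?id=42", "/search?q=blue+shoes",
               "/account?page=2&sort=asc", "/login?user=alice"]
SQLI = "/products?id=1' OR 1=1"
XSS = "/comment?text=<script>alert(1)</script>"
TRAVERSAL = "/static?file=../../etc/passwd"
CMD = "/ping?host=127.0.0.1;whoami"
ODD = "/report?id=@@@@$$$$%%%%&&&&!!!!****"   # matches no rule, deviates from the profile
DATASET = ["/products?id=7", SQLI, XSS, ODD, TRAVERSAL, "/search?q=red+hat", ODD, CMD]

if __name__ == "__main__":
    waf = HybridWAF(ATTACK_FREE)
    for row in waf.detect_stream(DATASET):
        print(row)
    print(HybridWAF(ATTACK_FREE).detect_dataset(DATASET))
```

In the constructed dataset the odd request is blocked by the anomaly stage on its first appearance and by the generated signature on its second; the same result rows (request, verdict, stage, action) are what a detection results screen like Figure 2.8 would display, and the dataset mode returns the per-category counts that the dataset statistics describe.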

III. RESULT

Real-time detection with the proposed WAF was applied to the Gazi University web content management system to identify web based attacks. Real-time results give system administrators full information about detection statistics. The system administrator can see whether an HTTP request was classified as normal or anomalous, and whether it was blocked or forwarded to the web application. In addition, the detection results indicate whether each HTTP request was identified by the signature based or the anomaly based model. Furthermore, the feature values and the classification results used for anomaly based detection are provided by WAFI. Figure 2.8 shows how WAFI presents HTTP detection results to the administrator.

Figure 2.8. WAFI HTTP detection results screen

IV. CONCLUSIONS

In this study, a WAF user interface named WAFI was proposed. WAFI is the user interface of a previously developed hybrid WAF that combines signature based and anomaly based HTTP request detection. WAFI provides a user-friendly control platform for handling web based attacks against web applications. Informing the system administrator visually and comprehensively about any web based attack is as important as successfully blocking and preventing the attack. WAFI has shown that analysis reports and visualizations are useful for helping system administrators understand attack results.

REFERENCES

[1] https://www.usability.gov/what-and-why/user-interface-design.html, 25.10.2016.
[2] http://www.acunetix.com/websitesecurity/web-applications/, 26.10.2016.
[3] Information and Education Technology, Vol. 5, No. 2, 2015. (Authors and title of this entry are missing in the source.)
[4]-[7] The numbering of the remaining entries was lost in extraction; they are listed in the order in which they appear:
... Corporation, SapientNitro, March 22, 2011. (Authors and title of this entry are missing in the source.)
Stephan, J.J., Mohammed, S.D., Abbas, M.K., "Neural Network Approach to Web Application Protection", International Journal of Information and Education Technology, Vol. 5, No. 2, 2015.
Ahmad, A., Anwar, Z., Hur, A., Ahmad, H.F., "Formal Reasoning of Web Application Firewall Rules through Ontological Modelling", 15th International Multitopic Conference (INMIC), Islamabad, 2012, pp. 230-237.
Kaur, T., Kaur, S., "Comparative Analysis of Anomaly Based and Signature Based Intrusion Detection Systems Using PHAD and Snort", http://www.cse.iitk.ac.in/users/sps2013/SPSymposiumfiles/SPsymposiumpapers/SPsymposium-paper37.pdf
