The problem of Web Application Firewalls (WAF) did not seem like a big one until I really started to dig into the current discussion in this area. Suppliers usually seem to be trying to convince customers, and themselves, that everything is fine and that there is no problem. In reality, however, customers are no longer buying it, and the WAF industry, whose products are persistently short on quality, is under significant pressure.
The use of RASP (Runtime Application Self-Protection) technology has also raised red flags. There is now a tendency to integrate the mitigation/defense side into the application and compile it into the code. Runtime application self-protection is treated as a shortcut to software security, and it brings performance costs of its own.
This looks like a desperate attempt to replace the WAF, because nobody really likes to mix their “security appliance” into the application code, which is exactly what RASP providers currently offer their customers. Nevertheless, some providers are adopting RASP technology.
In general, the WAF customer is disappointed by the lack of automation, scalability, and coverage of emerging threats, which are becoming critical as modern botnets grow more efficient and aggressive. These botnets are now built with an artificial intelligence (AI) component on top of the “old” Internet of Things (IoT) botnets, and they are becoming more and more versatile in their ability to attack with different vectors.
WAF Support by Artificial Intelligence (AI)
The features offered by the classic WAF have become a source of discontent, while new-generation WAFs, designed from the start as AI systems able to handle this multidimensional threat complexity, remain rare.
There are not many artificial intelligence/machine learning (AI/ML) solutions in the network and application defense segment. However, more and more AI and ML solutions are beginning to emerge with major success against DDoS, and especially against application-layer DDoS, as demonstrated by L7 Defense with its unsupervised learning approach. Such technology can also play a crucial role in WAF solutions, defending against the same versatile botnets.
We are starting to see an evolution in the use of ML for the WAF in the cloud. This is evidenced by Oracle's purchase this year of Zenedge, a provider of cloud-based cyber security solutions. Zenedge offers a WAF that shows the signs of automation required by the Oracle cloud offering, although this is not enough to differentiate it from traditional WAF features, since it lacks the significant technological advances needed to cover the essential spectrum of threats.
AI and ML are the tools used for predictive analysis. Without a doubt, they are indispensable for the future and survival of cloud-based WAF environments.
Problems with the classic WAF and the cloud
The classic WAF poses scalability issues. We can play with server load balancing and elastic services, but scale is not something that was originally built into the WAF. Although you can spin up instances, the fact is that it was not designed for elasticity. This means that conventional WAFs are not designed for cloud architecture. They have been reworked for it, but scaling and automation remain a problem. This seems to have been accepted not because it is good, but because there is no alternative.
In addition, WAFs have never been flexible against the dynamic threats posed by advanced botnets; they were primarily designed to protect against “SQL injection” attacks. They are certainly not good at protecting against attacks such as credential stuffing.
Both aspects of the problem require human resources to customize and manage the WAF in any environment. However, what was sufficient for the on-premises environment is not acceptable in a fully automated cloud environment.
WAF and application-layer DDoS attacks
Application-layer DDoS is a major special case for the WAF. Not so long ago, dedicated DDoS mitigation was a complementary solution to the WAF; the problem became more and more serious and demanding, while DDoS was still considered an operational problem rather than an application problem. An application-layer DDoS attack occurs when attackers target layer 7 of the Open Systems Interconnection (OSI) model.
They look for features and functionality specific to the target website in order to disable and disrupt them. These attacks can have a low traffic rate, usually less than 1 Gbps combined, and are generally hard to distinguish from normal traffic. As a result, they are very difficult for traditional network defense tools such as WAFs to detect, since those tools generally operate on the basis of known signatures or by detecting coarse behaviors, neither of which is relevant for this category of attack.
In application-layer DDoS, we see the same autonomous, AI-driven IoT botnets, but here they use specific, harmful application vectors while relying on the same camouflage techniques they used to mislead defenders in the world of volumetric DDoS. It therefore makes sense, as the next logical step, that the WAF is now tied to the DDoS problem.
AI-improved IoT botnet attacks
Now, if you do not use artificial intelligence with the WAF, remember: “fail to prepare, prepare to fail.” We started with static requests and then moved on to dynamic requests. We have moved from looped scripts to AI-based automated attacks. The automatic spread of malware was a major turning point, and we are now starting to see fully automated DDoS attacks.
There is evidence that these evolving botnets can be applied to attack the WAF. However, instead of trying to take your system offline with a DDoS, bad actors are trying to extract data from the system or damage it in some way.
There are still two objectives, which have now been brought together in a complementary way. The first is that, at the operational level, your application must withstand a DDoS to remain operational. Secondly, no bad actor should infiltrate the application, abuse your customers, or damage the data.
Artificial intelligence-improved IoT botnet attacks
Using the same principle described in my article last year on NetworkWorld, “The rise of DDoS attacks with artificial intelligence,” the attack vectors themselves can be classic vectors such as SQL injection or more recent ones such as credential stuffing. Standard attack tools such as w3af and Grabber can be used to perform complex multi-vector attacks of these types when you want to hit specific features in the web domain. Yet the attacker still has no knowledge of the defender or of how it will react.
The AI-improved attack mechanism is about efficiency. Take a specific vector such as credential stuffing: an abusive user sends many requests with username and password pairs, hoping that some will match. This rests on the observation that people reuse the same passwords in multiple places.
With AI, the attacker can manage the battlefield while changing tactics based on the defender's response, which is even more dangerous. On the attacker's side, the AI can optimize the attack against a specific target and do it automatically, without human intervention. As a result, the same advances in IoT botnet command-and-control (C&C) principles and servers can be applied to the other application attacks that a WAF should handle.
Something then comes at you dynamically, with the same intensity as the AI-driven DDoS C&C server. It therefore has the potential to slide under any radar or threshold. Artificial intelligence can optimize on the fly so as not to be noticed by the fixed model used by the defense. Here, a static defense against a flexible attack will not work.
On the defense side, traditional methods use a dictionary or database of known vulnerabilities. However, this no longer works, because the vectors can now be randomized. They can come from several sources with several patterns.
The vectors will not be detected, and the defense side will not be dynamic enough to mitigate effectively. If you search only for specific patterns, you are headed for a hard landing.
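To make the contrast concrete, here is an added example (not code from the original article or from any vendor named in it) that runs two kinds of rule over a handful of constructed access-log lines: a classic signature that pattern-matches a decoded SQL-injection string, and a behavioural rule that flags a source whose login behaviour departs from the one-user-one-account baseline (many distinct usernames, almost all failing). The log format, the IP addresses and the thresholds are all assumptions of the example; a real system would learn the thresholds rather than hard-code them.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log lines (not real traffic). Format, assumed for this example:
#   <source ip> <method> <path> <status> user=<login name or ->
LOG_LINES = [
    "10.0.0.5 POST /login 200 user=alice",
    "10.0.0.5 GET /account 200 user=alice",
    "10.0.0.9 POST /login 401 user=bob",
    "10.0.0.9 POST /login 200 user=bob",
    # one classic injection attempt, easy for a static signature to catch
    "203.0.113.7 GET /search?q=1%27%20OR%201%3D1-- 200 user=-",
] + [
    # one source trying a different username on every request, almost all failing
    f"198.51.100.20 POST /login 401 user=u{i:03d}" for i in range(1, 9)
] + ["198.51.100.20 POST /login 200 user=u009"]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")

# A signature the way a classic WAF would write it: a fixed pattern over the decoded request.
SQLI_RE = re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|union\s+select|--)")


def parse_line(line):
    """Split one log line into a record; URL-decode the path so signatures see the real payload."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status, user = m.groups()
    return {"ip": ip, "method": method, "path": unquote(path), "status": int(status), "user": user}


def signature_hits(lines):
    """Source addresses whose requests match the static SQL-injection pattern."""
    hits = set()
    for rec in filter(None, map(parse_line, lines)):
        if SQLI_RE.search(rec["path"]):
            hits.add(rec["ip"])
    return hits


# Assumed thresholds for the behavioural rule (example values, not tuned for production).
MIN_ATTEMPTS = 5          # ignore sources with too few login attempts to judge
MIN_DISTINCT_RATIO = 0.8  # distinct usernames / attempts: a real user reuses one account
MIN_FAILURE_RATIO = 0.7   # failures / attempts: guessed credentials mostly fail


def behavioral_hits(lines):
    """Sources whose login behaviour departs from the one-user-one-account baseline."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"] == "/login":
            s = stats[rec["ip"]]
            s["attempts"] += 1
            s["users"].add(rec["user"])
            if rec["status"] == 401:
                s["failures"] += 1
    flagged = {}
    for ip, s in stats.items():
        n = s["attempts"]
        if n < MIN_ATTEMPTS:
            continue
        if len(s["users"]) / n >= MIN_DISTINCT_RATIO and s["failures"] / n >= MIN_FAILURE_RATIO:
            flagged[ip] = {"attempts": n, "distinct_users": len(s["users"]), "failures": s["failures"]}
    return flagged


if __name__ == "__main__":
    print("signature rule flags:", signature_hits(LOG_LINES))
    print("behavioural rule flags:", behavioral_hits(LOG_LINES))
```

Run on the sample, the signature catches only the injection attempt from 203.0.113.7 and sees nothing wrong with the login traffic from 198.51.100.20, because each of those requests is individually well-formed; the behavioural rule flags 198.51.100.20 and ignores the single failed login from 10.0.0.9. That is the gap the article is pointing at: a per-request pattern cannot see an attack that only exists in the aggregate.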
How can this be solved?
I imagine several AI machines working at the resolution of the individual web page and API, which I call WAF-AI. In this way, you have a system that automatically protects each of your websites independently. Each AI machine protects a specific web page or API.
Without high-resolution learning of the application baseline, it is impossible to defend effectively against multi-vector attacks, human-imitation attacks, or even low request-rate attacks.
The WAF should be able to combat the various multi-vector attacks, such as SQL injection, remote command execution, remote file inclusion, local file inclusion, PHP injection, LDAP injection, Memcache injection and cross-site scripting (XSS), all at once. We need the expertise to identify these types of attacks and categorize them with the greatest precision from the first request. Objectively, identification from the “very first request” is the essential part.
False positives and false negatives should be kept close to zero for the web page. If you know what you are looking for and are specific, you will not miss anything. Remember that you are in a war zone here. DDoS is only part of what we will see in the WAF. The WAF is at the heart of many providers, while DDoS is at the heart of others. In the past, however, DDoS has been excluded from the WAF.
The fact is that the WAF is closely connected to DDoS. They are part of the same problem. With this in mind, we can finally make a difference.
The right way to go
We need a solution that uses the same artificial intelligence concepts already applied to application-layer DDoS. We need to add specific categorization on top of the ability to identify all types of attack dynamically and algorithmically, on the fly.
First, you need to identify the type of attack, for example an attack on the login page, and then take preventive measures to stop it. The WAF needs additional capabilities to determine accurately whether the traffic arriving at your web interface is part of an aggregated attack.
What is needed is the ability to identify what comes in through specific fields to affect specific web pages. This is the highest resolution possible. If you work at this resolution, you can control everything that happens in the application. This is where you really need to be on your guard.
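The following added example (not code from the original article or from any vendor it names) sketches what “field-level resolution” means in practice: a baseline is learned per (endpoint, field) from requests already known to be legitimate, recording which character classes and what lengths each field has ever carried, and every new request is scored against that baseline on its own, so an injection in the username field of /login or a script tag in the search box is flagged on the very first request. The training requests, endpoints, field names and the length tolerance are constructed assumptions of the example; the classification of characters into classes is a deliberate simplification of what a learning system would do.

```python
from collections import defaultdict

# Constructed training traffic (not real data): requests an operator already
# knows to be legitimate, one dict per request.
TRAINING = [
    {"path": "/login", "fields": {"username": "alice", "password": "Summer2018!"}},
    {"path": "/login", "fields": {"username": "bob_smith", "password": "hunter22"}},
    {"path": "/login", "fields": {"username": "carol.j", "password": "Tr0ub4dor"}},
    {"path": "/search", "fields": {"q": "running shoes"}},
    {"path": "/search", "fields": {"q": "size 42 boots"}},
    {"path": "/contact", "fields": {"email": "dave@example.com",
                                    "message": "Hello, is my order shipped yet?"}},
]

# Assumed tolerance: a value longer than twice the longest legitimate value seen is suspicious.
LENGTH_SLACK = 2.0


def char_classes(value):
    """Reduce a field value to the set of character classes it contains."""
    classes = set()
    for ch in value:
        if ch.isalpha():
            classes.add("alpha")
        elif ch.isdigit():
            classes.add("digit")
        elif ch.isspace():
            classes.add("space")
        elif ch in "@._-":
            classes.add("safe_punct")   # punctuation common in identifiers and e-mail addresses
        else:
            classes.add("other:" + ch)  # every other symbol is tracked individually
    return classes


def learn_baseline(requests):
    """Per (path, field): the union of character classes seen and the longest value seen."""
    baseline = defaultdict(lambda: {"classes": set(), "max_len": 0})
    for req in requests:
        for field, value in req["fields"].items():
            prof = baseline[(req["path"], field)]
            prof["classes"] |= char_classes(value)
            prof["max_len"] = max(prof["max_len"], len(value))
    return dict(baseline)


def score_request(baseline, request):
    """Return a list of (field, reason) anomalies for one request; empty means it fits the baseline."""
    known_fields = {f for (p, f) in baseline if p == request["path"]}
    if not known_fields:
        return [("*", "unknown endpoint")]
    anomalies = []
    for field, value in request["fields"].items():
        if field not in known_fields:
            anomalies.append((field, "unexpected field"))
            continue
        prof = baseline[(request["path"], field)]
        new_classes = char_classes(value) - prof["classes"]
        if new_classes:
            anomalies.append((field, "unseen character classes: " + ", ".join(sorted(new_classes))))
        if len(value) > LENGTH_SLACK * prof["max_len"]:
            anomalies.append((field, f"length {len(value)} exceeds baseline {prof['max_len']}"))
    return anomalies


BASELINE = learn_baseline(TRAINING)

if __name__ == "__main__":
    probes = [
        {"path": "/search", "fields": {"q": "blue shoes 43"}},
        {"path": "/login", "fields": {"username": "' OR 1=1--", "password": "x"}},
        {"path": "/search", "fields": {"q": "<script>alert(1)</script>"}},
        {"path": "/login", "fields": {"username": "alice", "password": "x", "debug": "1"}},
    ]
    for p in probes:
        print(p["path"], p["fields"], "->", score_request(BASELINE, p) or "ok")
```

The point of the per-field profile is that it needs no attack dictionary: the injection string is caught because the username field has never carried a quote, an equals sign or a space, not because the string matches a known payload, and the same profile flags a field the endpoint has never received at all. A production system would learn the tolerance and the class vocabulary rather than fixing them, and would treat the low false-positive rate the article demands as a constraint on how the baseline is trained.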
Companies like L7Defense apply the same unsupervised learning algorithm, used with great success for the application-layer DDoS challenge, with the ability to identify any WAF-related attack from the first request. They protect against traditional threats to web systems (OWASP Top 10), more sophisticated automated threats (the OWASP list of 20 automated threats) and attacks on APIs. From their demo, the system appears to have captured very complex attack scenarios, including several zero-day patterns used by attackers, while keeping both false-positive and false-negative rates very close to zero.
From their online demo, it seems that F5 is making progress too. After thorough research, I found that it most likely supports neither multi-vector capabilities nor a flexible, intelligent model. Judging by the online demo of their DDoS Hybrid Defender, it appears to be classic behavioral analysis based on manually or globally defined adaptive thresholds. They do not claim any machine learning capability, and, traditionally, behavioral analysis has not delivered that for the WAF.