This module applies machine learning techniques to improve the detection capabilities of the ModSecurity WAF, giving particular importance to diminishing the false positives generated by this tool when it is set out to protect a web application, without reducing the true positive rate.
This project integrates ModSecurity, using Lua, with an anomaly detection evaluator implemented in Java. A more detailed description of the evaluator can be found in [this article](https://arxiv.org/abs/1803.05529).
The anomaly detection model has to be trained to protect a web application. In this project we provide a model trained using a Drupal dataset.
## Installation
This module has the following prerequisites:
- Apache Server
- ModSecurity module
- Java virtual machine
In Fedora, install as follows:

```
dnf -y install httpd mod_security java
```
To install the latest ML module version you should clone as shown:
Finally, include the execution of the script in the ModSecurity configuration and restart the Apache server. An example of the rule can be found at `lua_rule.conf`.
## Configuration
This prototype of the ML Module comes with an evaluator model that uses an anomaly detection approach. The Java implementation of the anomaly detection evaluator can be found in [this repository](https://gitlab.fing.edu.uy/gsi/waf-ml-oneclass).
The model configuration is located in the `data` folder of the project and has the following structure:

```
+-- data
|   +-- mydictionary.dic   (contains the tokens used by the algorithm as features)
|   +-- clusterData        (contains one file for each cluster with the model configuration)
```
The `clusterData` should be trained using valid requests for each new application. We plan to release a separate program to train the model parameters.
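As an illustration of the approach described above (an added Python sketch, not the project's Java evaluator), the following builds a token dictionary from valid requests, groups them into per-endpoint clusters with a centroid and radius, and flags a request as anomalous when it falls outside its cluster; a valid request with an unseen id stays inside the radius, which is the false-positive case the module cares about. The tokenizer, clustering rule, threshold and sample requests are assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed sample of legitimate Drupal-style requests, standing in for the
# valid traffic the README says the model must be trained on.
VALID_REQUESTS = [
    "GET /node/1", "GET /node/2", "GET /node/3?page=1",
    "GET /user/login",
    "POST /user/login name=alice&pass=secret",
    "POST /user/login name=bob&pass=hunter2",
    "GET /search/node?keys=drupal", "GET /search/node?keys=modules",
]
TOKEN_RE = re.compile(r"[A-Za-z_]+|\d+|[^A-Za-z0-9\s]")

def tokenize(request):
    # Collapse digit runs so numeric ids do not inflate the dictionary.
    return ["<num>" if t.isdigit() else t for t in TOKEN_RE.findall(request)]

def vectorize(request, dictionary):
    # One count per dictionary token, plus a final slot counting unknown tokens.
    counts = Counter(tokenize(request))
    known = set(dictionary)
    vec = [counts.get(t, 0) for t in dictionary]
    vec.append(sum(c for t, c in counts.items() if t not in known))
    return vec

def cluster_key(request):
    # Assumed clustering rule: method plus first path segment, e.g. "GET /node".
    method, rest = request.split(" ", 1)
    return method + " /" + rest.split("?")[0].split(" ")[0].split("/")[1]

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def train(requests, margin=1.0):
    dictionary = sorted({t for r in requests for t in tokenize(r)})
    groups = {}
    for r in requests:
        groups.setdefault(cluster_key(r), []).append(vectorize(r, dictionary))
    model = {}
    for key, vecs in groups.items():
        centroid = [sum(col) / len(vecs) for col in zip(*vecs)]
        # Radius: farthest training request plus a margin, so valid requests
        # that differ slightly from the training set are not flagged.
        model[key] = (centroid, max(distance(v, centroid) for v in vecs) + margin)
    return dictionary, model

def is_anomalous(request, dictionary, model):
    key = cluster_key(request)
    if key not in model:
        return True  # endpoint never seen in valid traffic
    centroid, radius = model[key]
    return distance(vectorize(request, dictionary), centroid) > radius
```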