Protecting Websites through Semantics-Based Malware Detection

简介: Malware detection is a fundamental feature of web security and serves as the first line of defense for most websites.

Path_to_a_trusted_front_end_Code_protection

Abstract: Malware detection is a fundamental feature of web security and serves as the first line of defense for most websites. For the past decade, malware detection using rule-based detection engines have dominated the market. However, this approach is vulnerable to modern web attack techniques, such as virus obfuscation. To cope with these attacks, semantics-based malware detection engines have become increasingly popular over the past two years.

Malware detection is a fundamental feature of web security and serves as the first line of defense for most websites. For the past decade, malware detection using rule-based detection engines have dominated the market. Up until now, most web application firewalls are designed based on rules to detect attacks. In this design, a detection engine runs each session through a series of security tests by comparing against a number of rules. Requests that match the rules are denied.

However, this approach is vulnerable to modern web attack techniques, such as virus obfuscation. To cope with these attacks, semantics-based malware detection engines have become increasingly popular over the past two years. It offers more accurate, intelligent, and humanized detection, capable of detecting threats regardless of how it is presented. Alibaba Cloud has recently released a web application firewall (WAF) equipped with a semantically intelligent detection engine.

Rule-based WAF can effectively prevent known security issues. However to achieve this, security O&M personnel must understand all the features of the attack first and develop rules according to these features. Therefore, rule-based WAF requires a powerful rule library, and the rule library must be updated constantly to deal with the latest attacks.

Although rule-based WAF sounds quite simple, its weakness lies in the lack of flexibility. For security O&M personnel, the number and complexity of rules can be overwhelming, resulting in difficulties in maintaining the rule library. Moreover, O&M personnel often fail to justify the meanings of some rules and the reasons for writing the rule the way that they do. For example, look at the following rule:

01

It is challenging to decipher the rule shown in the figure above without any context.

In addition, maintaining a large rule library is an enormous challenge for O&M personnel. This is because the WAF rules' descriptive power is limited and some attack methods and scenarios may fail to be fully covered in the rules.

Let us examine the shortcomings of rule-based detection. Suppose that the string "The greatest truth dwell in ultimate simplicity!" is an attack request. After the WAF successfully blocked the request once, it will update a rule: any requests that contain the strings "ultimate," "simplicity," and "!" is an attack. However if the next time a normal request arrives with the string "Simplicity is the ultimate sophistication!" the WAF will categorize it as an attack, producing false alarms.

In addition, attackers may also obfuscate attacks to achieve their goals. It is impossible for a rule to cover every single form of an attack. In the example above, if the attacker obfuscates the attack into "The greatest truth lies in plainness" the WAF will not be able to detect the attack, underreporting the attack.

Many attacks expose the defects and shortcomings of regular expressions. Take a simple web SQL injection attack request for example:

www.vuln.com/?id=1' union select version() from dual

This web SQL injection attack request reads the database version information. A regular expression to describe this attack may be written like this:

union\s+select\s+version\(\)\s+from\s+dual

The role of "s+" is to match one or more invisible characters, such as spaces, line breaks and other symbols. Obviously, attackers familiar with SQL statements can bypass this regular expression check using some database features, for example: replace the space with an annotator "/*11*/", or "--%0". To cope with this attack, the expression can be improved by writing:

union(s+|/*[sS]*/|--[sS]?x0a)select(s+|/*[sS]*/|--[sS]?x0a)version()(s+|/*[sS]*/|--[sS]?x0a)from(s+|/*[sS]*/|--[sS]?x0a)dual

It is obvious that the updated regular expression is much more complicated, and the logic does not immediately obvious. More importantly, it is still possible to bypass such a protection rule.

After simple fuzz mining, you can see the new "features" of MySQL to bypass the security rule. For example, the normal structure of a MySQL function call is "function_name()", but other syntax features are also supported. The function_name/*111111*/(), function_name(), function_name`(), function_name--% 0a(), function_name/**/(), and function_name/*111*/--11%0() are all equivalent.

Therefore, the above regular expression rules need to be upgraded:

union(\s+|/\*[\s\S]*\*/|--[\s\S]*?\x0a)select(\s+|/\*[\s\S]*\*/|--[\s\S]*?\x0a)version(\s+|/\*[\s\S]*\*/|--[\s\S]*?\x0a|`)\(\)(\s+|/\*[\s\S]*\*/|--[\s\S]*?\x0a)from(\s+|/\*[\s\S]*\*/|--[\s\S]*?\x0a)dual

This simple example reveals that using regular expressions to describe web SQL injection attacks harbors many flaws. Typically, the discovery of a new "feature" leads to the update of more than 100 rules , which is a difficult process for an operation personnel. This is why engines using regular expressions for detection are at risk of being bypassed.

Rule-based detection cannot effectively guard against unknown threats, such as attack variants and zero-day vulnerabilities. In addition, for corporate security O&M personnel, regular expression engines carry high maintenance pressure and costs. Ideally, a detection engine should be able to cope with ever-changing attacks with minimal manual maintenance.

To cope with these attacks, Alibaba Cloud has developed an intelligent detection engine capable of understanding the semantics of attacks.

_20_1_

The unique power of the semantics-based detection engine lies in the fact that it uses semantics, sequences, and situations in natural language into account. It identifies a feature as an attack in one situation and sequence, but not in all situations or sequences. Let's go back to the example of the attack string "The greatest truth dwell in ultimate simplicity!"

Rule-based engine:

This method identifies attacks by checking for the strings "ultimate," "simplicity," and "!" in a request, with a high false alarm rate.

Intelligent semantics-based detection engine:

1."The greatest truth dwell in ultimate simplicity!" is an attack.
2."Simplicity is the ultimate sophistication!" is not an attack because the semantics do not match the one in the attack.
3.The rule is able to identify that "The greatest truth lies in plainness" is a variant of the attack through semantics.

From this example, it is obvious that semantics-based detection can anticipate multiple forms of an attack. Intelligent semantics-based detection engine is particularly effective for preventing unknown threats such as zero-day vulnerabilities.

_20_2_

Let's explore how intelligent semantics-based detection work.

Normalization

The normalization process involves aggregating the same types of attack behavior and features into one attack feature. Multiple behavioral features of the attack form a specific permutation and combination to represent the same type of attacks so that we can understand and describe the same type of attacks with natural language semantics. The permutation and combination of attack features is the semantization of attacks. The multiple behavioral characteristics of an attack form a specific set of combinations to represent the same kind of attack, so that we can understand and describe the same kind of attacks in terms of the semantics of the natural language. The combination and permutation of attack characteristics is the semantics of attack.

By describing the attack behavior semantically, we can easily disregard the variants of complex attacks.

The following is an example of semanticized analysis of a web SQL injection attack. First, a normalized semantic analysis of the SQL statement is made, and the analysis results are searched in the abnormal attack set. If such a result is found, it indicates that the request is a web SQL injection attack.

_20_3_

For example, consider the following rule:

(select|from|\band|\bor|\bxor|=|,|;)[\s\+\(`)*?(sleep[\s\+`]*?\(|version[\s\+`]*?\(|pg_sleep[\s\+`]*?\(|extractvalue[\s\+`]*?\(|updatexml[\s\+`]*?\(|dbms_pipe.receive_message\(|st_latfromgeohash\(|st_longfromgeohash[\s\+`]*?\(|analyse[\s\+`]*?\(|gtid_subset[\s\+`]*?\(|gtid_subtract\(|st_pointfromgeohash\(|convert[\s\+`]*?\(|md5[\s\+`]*?\(|count[\s\+`]*?\(|char[\s\+`]*?\(|benchmark[\s\+`]*?\(|hex[\s\+`]*?\(|@@version|db_name[\s\+`]*?\(|user[\s\+`]*?\(|cast[\s\+`]*?\(|concat[\s\+`]*?\(|unhex[\s\+`]*?\(|floor[\s\+`]*?\(|length[\s\+`]*?\(|ascii[\s\+`]*?\(|substring[\s\+`]*?\(|substr[\s\+`]*?\(|substring_index[\s\+`]*?\(|instr[\s\+`]*?\(|left[\s\+`]*?\(|right[\s\+`]\()

After normalization, the rule can be described as: "select from "sensitive keyword" "function operation()". You can use the characters "a, b, c, d, and e" to represent them. Such attacks can then be semantically described as: SQL expressions with sensitive keywords and function operations.

Exception-Based Protection

The prevention of known web security issues alone is passive and lagging. Exception-based protection is more effective.

The basic idea of exception-based protection is to establish a statistical model based on valid application data, and use the model to identify whether the actual communication data is under attack.

In theory, the system can detect any anomalies as soon as the action is made. This eliminates the need for rule libraries, and the detection of zero-day vulnerabilities is no longer a problem.

Alibaba Cloud Security WAF builds a library of intelligent semantic exception attacks based on Alibaba Cloud's own operation data. WAF builds models for normal web applications, differentiates exceptions from the normal model, and then forms an exception attack set by extracting an exception attack model from a large number of web attacks.

_20_4_

Conclusion

In the future, the intelligent semantics-based detection engine will evolve into a real-time big data analysis engine. The key to the evolution includes the optimization of algorithms, increase of computing capabilities, reduction in costs, and advancement of data clustering and cleaning technologies.

Alibaba Cloud Web Application Firewall (WAF) intelligent detection engine detects various web attacks through semantic attacking behavior and exception-based protection. By describing attacks semantically, Alibaba Cloud WAF intelligent detection engine is able to deal with a wide variety of attacks and their complex variants. Additionally, the security model based on exception statistical detection can not only prevent known web security threats, but also prevent unknown security threats.

_20_5_

目录
相关文章
|
机器学习/深度学习 自然语言处理 算法
TASLP21-Reinforcement Learning-based Dialogue Guided Event Extraction to Exploit Argument Relations
事件抽取是自然语言处理的一项基本任务。找到事件论元(如事件参与者)的角色对于事件抽取至关重要。
103 0
|
算法 计算机视觉 知识图谱
ACL2022:A Simple yet Effective Relation Information Guided Approach for Few-Shot Relation Extraction
少样本关系提取旨在通过在每个关系中使用几个标记的例子进行训练来预测句子中一对实体的关系。最近的一些工作引入了关系信息
130 0
|
机器学习/深度学习 自然语言处理 PyTorch
Re6:读论文 LeSICiN: A Heterogeneous Graph-based Approach for Automatic Legal Statute Identification fro
Re6:读论文 LeSICiN: A Heterogeneous Graph-based Approach for Automatic Legal Statute Identification fro
Re6:读论文 LeSICiN: A Heterogeneous Graph-based Approach for Automatic Legal Statute Identification fro
|
SQL 编译器 API
Efficiently Compiling Efficient Query Plans for Modern Hardware 论文解读
这应该是SQL查询编译的一篇经典文章了,作者是著名的Thomas Neumann,主要讲解了TUM的HyPer数据库中对于CodeGen的应用。 在morsel-driven那篇paper 中,介绍了HyPer的整个执行框架,会以task为单位处理一个morsel的数据,而执行的处理逻辑(一个pipeline job)就被编译为一个函数。这篇paper则具体讲如何实现动态编译。
451 0
Efficiently Compiling Efficient Query Plans for Modern Hardware 论文解读
|
算法
Whole-Genome Expression Microarray Combined with Machine Learning to Identify Prognostic Biomarke...
摘要 本研究的目的是建立一个框架,以更好地了解高级别胶质瘤(HGG)预后相关的生物标志物。进行全基因组基因表达微阵列以鉴定HGG和低级弥漫性神经胶质瘤之间的差异表达基因。
1437 0
|
人工智能 自然语言处理 搜索推荐