Intelligent WAPPLES
New Approach to Web Application Security

2009. 7. 21

Characteristics of Application-layer Attacks

Not all abnormal behaviors are attacks.

Application attacks are usually unknown.

Security policy cannot reflect the complexity and frequent updates of applications.

Attacks are highly sophisticated, intelligent, and widely varied (e.g., SQL injection, cross-site scripting, cookie poisoning).

A new approach is needed for application security.

Only intelligent security software can detect and block application-layer attacks.

WAPPLES is the most advanced Web Application Firewall in terms of intelligence

The product is designed from an understanding of application-layer attacks and research into methods of judging them.

It does not reuse the older attack detection or defense methods of firewalls and IPS; it is a new development.

Intelligent COCEP (Contents Classification and Evaluation Processing) Engine

WAPPLES engine to process logical analysis and test to judge Application-layer

Only Intelligent S/W Can Protect Web Applications!

Key: a Positive Security Model to protect against application-layer attacks

Basic idea: protect against unknown attacks by allowing defined applications and blocking everything else.

The Positive Security Model is implemented using White List Access Control.

Conventional Web Application Firewall (WAF): White & Black List Layered Architecture

• Most WAFs use a pattern matching engine to implement black list/white list access control.
• Black list access control uses signatures to detect and block existing known attacks.
• White list access control uses the pattern matching engine to implement a positive security model by registering reliable web applications.

Conventional Approach

Positive Security: protection from unknown threats and vulnerabilities

Negative Security:
• Protection from known threats and vulnerabilities
• Signatures

[Figure: Conventional WAF Architecture. Labels: Web Application Firewall Engine, White List Access Control, Black List Access Control, Pattern Matching Engine, Pattern DB.]

Characteristics of White List Access Control

Allows services whose information is included in the White List and blocks everything else.

Web services can be blocked when the White List does not hold a matching entry.

• The White List should be updated frequently to reflect changes to the web application.
• It is important to create a White List that reflects the web application correctly and rapidly.
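
The white list behaviour described above, as an added example (not code from the slides or from any WAF product): a deny-by-default check over a constructed white list, showing a legitimate page being blocked until the list is brought up to date. The paths, parameter names and the `decide`/`register` helpers are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed white list: (method, path) -> parameter names the application accepts.
WHITE_LIST = {
    ("GET", "/products"): {"category", "page"},
    ("POST", "/login"): {"user", "password"},
}

def register(method, path, params):
    """Administrator action: add or update a white list entry."""
    WHITE_LIST[(method, path)] = set(params)

def decide(method, url, body=""):
    """Return (verdict, reason). Anything without a matching entry is blocked."""
    parts = urlsplit(url)
    allowed = WHITE_LIST.get((method, parts.path))
    if allowed is None:
        return "block", "no white list entry"
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    names |= {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    extra = names - allowed
    if extra:
        return "block", "unregistered parameter: " + ", ".join(sorted(extra))
    return "allow", "matches white list entry"

def demo():
    """Run constructed requests, including one to a newly deployed page."""
    results = [
        decide("GET", "/products?category=books&page=2"),
        decide("GET", "/products?category=books&debug=1"),  # unknown parameter
        decide("GET", "/reviews?product=7"),                 # deployed, not yet registered
    ]
    register("GET", "/reviews", ["product"])                 # white list brought up to date
    results.append(decide("GET", "/reviews?product=7"))
    return [verdict for verdict, _ in results]

if __name__ == "__main__":
    print(demo())
```

The third request is legitimate traffic to a page the application already serves; it stays blocked until the administrator registers it, which is the operational cost the slide points at.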

Characteristics of Black List Access Control

Blocks connection types whose information is included in the Black List.

The major method of implementing Black List Access Control is to test for the patterns registered in the Pattern DB using the Pattern Matching Engine.

Black Lists for detecting attacks are built from forms called patterns; a pattern for detecting an attack is called a Signature.

A pattern registered to detect attacks should detect them correctly.

• A pattern takes the form of a string, as in the example below.
• Errors (false positives) occur when the system regards a data packet as an attack when it is not.

Example of a pattern (regular expression): "[^\d]531\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[^\d]{1}"
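
An added example, not from the slides or the product: the slide's pattern run over constructed request bodies, showing a false positive, a miss caused by the `[^\d]` boundary classes, and how a follow-up test on the matched digits removes the false positive. Reading the pattern as a 16-digit card-style number and using a Luhn checksum as the test are assumptions made for illustration.

```python
import re

# Pattern copied from the slide.
SLIDE_PATTERN = re.compile(
    r"[^\d]531\d[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[-\.\s\\\/=]?\d{4}[^\d]{1}"
)

def luhn_ok(digits):
    """Luhn checksum: an added logical test, not part of the slide's pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def pattern_hit(body):
    """Black list decision by pattern match alone."""
    return SLIDE_PATTERN.search(body) is not None

def pattern_and_test_hit(body):
    """Pattern match followed by a checksum test on the matched digits."""
    for m in SLIDE_PATTERN.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return True
    return False

# Constructed sample bodies (all values are made up).
SAMPLES = {
    "card_like": "name=a&card=5310-0000-0000-0004&x=1",  # passes the checksum
    "order_id": "order=5310123456789012&qty=2",          # benign 16-digit identifier
    "at_end": "card=5310000000000004",                   # nothing after the last digit
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, pattern_hit(body), pattern_and_test_hit(body))
```

The `order_id` body is flagged by the pattern alone but rejected once the checksum is applied. The `at_end` body is missed by both, because `[^\d]{1}` requires a character after the number; lookarounds such as `(?<!\d)` and `(?!\d)` avoid that gap when writing such a rule.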

White List & Black List Access Control

WAF detection depends on the administrator's ability

The administrator registers White List information to implement access control.

White list patterns increase the administrator's management burden, because they must be maintained intelligently and frequently to stay accurate.

Frequently, white list access control cannot be used effectively because it is out of date.

To avoid false positives when using a black list, administrators have to optimize the patterns before registering them.

• The administrator has to carry out pattern optimization; only an expert can manage it.
• Administrators can purchase specialized pattern information and use it, which increases operating costs.

1) Register for optimization of signatures and consulting services for control.
2) Connect to the update server provided by the manufacturer and use it.

• Generally, more than 3000 patterns put a load on system performance.

1st Generation WAF “Web Application Firewall”

[Figure: 1st Generation Web Application Firewall. Labels: White List Access Control, Matching Engine, Application List, Black List Access Control, Pattern Matching Engine, Pattern DB, Admin, Register App. Info., Register patterns, Learning, Updating Signatures.]

Adoption of a module for creating the White List

Designed to reinforce the automatic module in order to reduce the operational burden of White List updating.

• The administrator decides the White List, because it uses the Auto-Mining concept rather than Auto-Learning. If the White List were created automatically, it could cause problems running services.

• For a web application that is updated daily, Auto-Mining data is incorrect. Changes in the application may not be applied immediately. Auto-learning needs at least 2 weeks to create usable white lists. The administrator needs to modify the Auto-Mining results in the White List.

The Black List function is similar to that of 1st Generation WAFs.

It cannot overcome the limitations of 1st Generation WAFs.

2nd Generation WAF “Web Application Firewall”

[Figure: 2nd Generation Web Application Firewall. Labels: White List Access Control, Matching Engine, Application List, Black List Access Control, Pattern Matching Engine, Pattern DB, Admin, Mining App. Info., Register patterns, Automation, Confirmation, Learning, Updating Signatures.]

The COCEP Engine, made up of Intelligent Rules, provides intelligence

26 predefined rules have already been optimized to detect and block web attacks. Our security engineers designed these rules by analyzing the characteristics of web attacks.

• Only web traffic that successfully passes through all 26 rules is delivered to the web server.
• Provides consistent performance in both the test environment and the real operating environment.
– Different from existing WAFs, whose performance changes with the number of registered patterns.
• Logical Analysis Processing can detect all sorts of altered attacks, so the rules can identify and detect attacks even when the type or pattern of the attack has changed or varies.

The administrator only sets the security level for each rule, which greatly enhances ease of operation.

3rd Generation WAF “Intelligent WAPPLES”

[Figure: 3rd Generation WAF. Labels: WAPPLES, Admin, Long-term Policy Decision, Security Level Adjustment.]

Intelligent Engine is similar to human brain!

No!!! - Coping with each attack

No!!! - Recognition of each attack’s patterns

Yes!!! - Protects the vulnerabilities of web application

Yes!!! - Blocks core mechanism of attack using logical analysis engine

Yes!!! - Distinguishes not only the type of attack, but also attacker’s characteristics.

WAPPLES Rules (1/2)

[Figure: Attacks #1 to #8 directed at a web application program, shown once for 1st/2nd Generation WAFs and once for WAPPLES (with the attacker).]

1st/2nd Generation WAFs:
• Cope with each attack individually.
• Need to renew attack patterns.
• Weak in recognizing new attacks.
• White list needs to be regularly updated.

WAPPLES:
• Protects web limitations.
• Blocks the core mechanism of an attack.
• Can recognize and block new attacks.
• Distinguishes and blocks attacks.

WAPPLES Rules (2/2)

Each rule has been optimized to detect and block a form of web attack

Each rule is composed as a union of logic with filters/tests to accurately detect web attacks.

Each logic is formed as a fusion of white lists and black lists.

To satisfy a user’s configuration needs, additional patterns can be registered to each rule.

The Security Level is controlled by adjusting each rule’s parameters.

Higher Security

Extremely low possibility of false positives: applies a very accurate attack detection process for the web application.

Includes the ability to detect/recognize modified attacks.

Higher Performance

No additional system load from inputting new patterns.

No difference in performance between the test environment and the actual production environment.

Ease of Use and Less Maintenance

Typically installed with zero/few changes to the server and network settings.

Comparatively small managing/support burden for the administrator.

Low operation/support cost: receives no signature update service, only periodic software updates.

Intelligent WAPPLES Features

Conventional WAFs

A WAF is a kind of container in which the administrator can store intelligence and later use it.

The administrator has to register the patterns and White List that represent intelligence.

Intelligent WAF: WAPPLES

The WAPPLES engine is intelligent by itself.

Summary
