ZeroWall: Detecting Zero-Day Web Attacks through Encoder-Decoder Recurrent Neural Networks

Title: ZeroWall: Detecting Zero-Day Web Attacks through Encoder-Decoder Recurrent Neural Networks
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Tang, R., Yang, Z., Li, Z., Meng, W., Wang, H., Li, Q., Sun, Y., Pei, D., Wei, T., Xu, Y., Liu, Y.
Conference Name: IEEE INFOCOM 2020 - IEEE Conference on Computer Communications
Date Published: July 2020
Publisher: IEEE
ISBN Number: 978-1-7281-6412-0
Keywords: anomaly detection, composability, computer network security, defense, digital signatures, encoder-decoder recurrent neural network, existing signature-based WAF, existing WAF, Firewalls (computing), Hidden Markov models, historical Web requests, Internet, Metrics, pubcrawl, real-time detection, Recurrent neural networks, resilience, Resiliency, security of data, Semantics, Syntactics, web security, widely-deployed signature-based Web Application Firewalls, Zero day attacks, zero-day attack request, Zero-day attacks, zero-day Web attacks, ZeroWall
Abstract:

Zero-day Web attacks are arguably the most serious threats to Web security, but are very challenging to detect because they are not seen or known previously and thus cannot be detected by widely-deployed signature-based Web Application Firewalls (WAFs). This paper proposes ZeroWall, an unsupervised approach, which works with an existing WAF in a pipeline, to effectively detect zero-day Web attacks. Using historical Web requests allowed by an existing signature-based WAF, a vast majority of which are assumed to be benign, ZeroWall trains a self-translation machine using an encoder-decoder recurrent neural network to capture the syntax and semantic patterns of benign requests. In real-time detection, a zero-day attack request (which the WAF fails to detect), not understood well by the self-translation machine, cannot be translated back to its original request by the machine, and thus is declared an attack. In our evaluation using 8 real-world traces of 1.4 billion Web requests, ZeroWall successfully detects real zero-day attacks missed by existing WAFs and achieves high F1-scores over 0.98, which significantly outperforms all baseline approaches.

URL: https://ieeexplore.ieee.org/document/9155278
DOI: 10.1109/INFOCOM41043.2020.9155278
Citation Key: tang_zerowall_2020