ZeroWall: Detecting Zero-Day Web Attacks through Encoder-Decoder Recurrent Neural Networks
Title | ZeroWall: Detecting Zero-Day Web Attacks through Encoder-Decoder Recurrent Neural Networks |
Publication Type | Conference Paper |
Year of Publication | 2020 |
Authors | Tang, R., Yang, Z., Li, Z., Meng, W., Wang, H., Li, Q., Sun, Y., Pei, D., Wei, T., Xu, Y., Liu, Y. |
Conference Name | IEEE INFOCOM 2020 - IEEE Conference on Computer Communications |
Date Published | July 2020 |
Publisher | IEEE |
ISBN Number | 978-1-7281-6412-0 |
Keywords | anomaly detection, composability, computer network security, defense, digital signatures, encoder-decoder recurrent neural network, existing signature-based WAF, existing WAF, Firewalls (computing), Hidden Markov models, historical Web requests, Internet, Metrics, pubcrawl, real-time detection, Recurrent neural networks, resilience, Resiliency, security of data, Semantics, Syntactics, web security, widely-deployed signature-based Web Application Firewalls, Zero day attacks, zero-day attack request, Zero-day attacks, zero-day Web attacks, ZeroWall |
Abstract | Zero-day Web attacks are arguably the most serious threats to Web security, but are very challenging to detect because they are not seen or known previously and thus cannot be detected by widely-deployed signature-based Web Application Firewalls (WAFs). This paper proposes ZeroWall, an unsupervised approach, which works with an existing WAF in pipeline, to effectively detect zero-day Web attacks. Using historical Web requests allowed by an existing signature-based WAF, a vast majority of which are assumed to be benign, ZeroWall trains a self-translation machine using an encoder-decoder recurrent neural network to capture the syntax and semantic patterns of benign requests. In real-time detection, a zero-day attack request (which the WAF fails to detect), not understood well by the self-translation machine, cannot be translated back to its original request by the machine, and thus is declared as an attack. In our evaluation using 8 real-world traces of 1.4 billion Web requests, ZeroWall successfully detects real zero-day attacks missed by existing WAFs and achieves high F1-scores over 0.98, which significantly outperforms all baseline approaches. |
URL | https://ieeexplore.ieee.org/document/9155278 |
DOI | 10.1109/INFOCOM41043.2020.9155278 |
Citation Key | tang_zerowall_2020 |