
Title: Runtime Recovery of Web Applications under Zero-Day ReDoS Attacks
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Bai, Zhihao; Wang, Ke; Zhu, Hang; Cao, Yinzhi; Jin, Xin
Conference Name: 2021 IEEE Symposium on Security and Privacy (SP)
Date Published: May
Keywords: Adversarial Machine Learning, Data models, Databases, deep neural networks, Feedback loop, Online Feedback Loop, privacy, Prototypes, pubcrawl, Regular expression Denial of Service (ReDoS), resilience, Resiliency, Runtime, System recovery, Web servers
Abstract: Regular expression denial of service (ReDoS), which exploits the super-linear running time of matching regular expressions against carefully crafted inputs, is an emerging class of DoS attacks on web services. One challenging question for a victim web service under ReDoS attacks is how to quickly recover its normal operation after ReDoS attacks, especially zero-day ones exploiting previously unknown vulnerabilities. In this paper, we present RegexNet, the first payload-based, automated, reactive ReDoS recovery system for web services. RegexNet adopts a learning model, which is updated constantly in a feedback loop during runtime, to classify the payloads of upcoming requests, including the request contents and database query responses. If a request is detected as a cause of ReDoS, RegexNet migrates it to a sandbox and isolates its execution for a fast, first-measure recovery. We have implemented a RegexNet prototype and integrated it with HAProxy and Node.js. Evaluation results show that RegexNet is effective in recovering the performance of web services against zero-day ReDoS attacks, responsive in reacting to attacks in sub-minute time, and resilient to different ReDoS attack types, including adaptive ones that are designed to evade RegexNet on purpose.
DOI: 10.1109/SP40001.2021.00077
Citation Key: bai_runtime_2021