このページは http://www.slideshare.net/tadashisatoh94/avtokyo20135-en の内容を掲載しています。

掲載を希望されないスライド著者の方は、こちらよりご連絡下さい。

2年以上前 (2014/02/17)にアップロードinテクノロジー

- Web Intrusion Detection with Bayesian Network

Kanatoko

Chief Tech Officer

Bitforest Co.,Ltd.

@kinyuka

http://www.jumperz.net/

http://www.scutum.jp/

1

15/02/17

Copyright (c) Bitforest Co., Ltd. - Who am I?

– Kanatoko

– Web Application Firewall Developer

– My mission: Building accurate WAF

• Reduce false positives/false negatives

2 - Bayes’ theorem

– Used when we want to calculate P(A|B) when P(B|

A) is known

– P(B|A) : the probability of event B given event A

– Not so hard to understand

3 - What is Bayesian Network?

– probabilistic graphical model (a type of statistical

model) that represents a set of random variables

and their conditional dependencies via a

graph(Wikipedia)

Hacker

Drunken

AVTokyo

Beer in

hand

4 - Famous sprinkler example

•Nodes and Edges represent cause and effect

•Probabilities are shown as tables (CPT: conditional probability table)

•Observations(=Evidences) are used as Input to nodes

•Unobservable nodes are used as Output (= What want to know )

•“Glass is wet. What is the probability it rained?”

5 - Weka

– OSS, Java, Data mining software

– GUI/lib/tools

– (Sprinkler Demo)

6 - Web Intrusion Detection with Bayesian Network

•Probability that the HTTP request is an attack: 1%

•Probability that the HTTP request is NOT an attack: 99%

•Probability that the HTTP request contains ‘alert’ given

that the request is an attack: 8%

•Probability that the HTTP request contains ‘alert’ given

that the request is NOT an attack: 92%

•Probability that the HTTP request contains ‘alert’ given

that the request is NOT an attack: 0.2%

•Probability that the HTTP request NOT contains ‘alert’

given that the request is NOT an attack: 99.8%

What is the probability that the HTTP request is an attack?

1%

What is the probability that the HTTP request is an attack

Given that the HTTP request contains ‘alert’

28.8%

7 - Spam filter and Naïve Bayes

8 - Building Accurate Intrusion Detection System / Web Application Firewall

– Signature-based ( Blacklist)

• If ‘alert’ then die!

• Simple and has some advantages

– Clear

– Performance: Stable / Fast enough

– Maintainable/Human readable

• Disadvantage: High false positive rate

9 - Building Accurate Intrusion Detection System / Web Application Firewall(cont)

– Threshold model (vs. simple signature/blacklist model)

• Inc/Dec scores on each signature matching

• Treated as an attack when total score exceeds the certain

threshold

• Low false positives (good)

• Hard to change/maintenance(bad)

• Example rule 1: score +5 on ‘UNION’

• Example rule 2: score +5 on ‘SELECT’

• When both ‘UNION’ and ‘SELECT’ found… score +10 ?

• Example rule 3: score +20 on ‘UNION and SELECT’

• Too complicated

10 - Building Accurate Intrusion Detection System / Web Application Firewall(cont)

– Threshold model (vs. simple signature/blacklist model)

– Score +5 on ‘Alert’ ( XSS )

– Score +5 on ‘UNION’ ( SQLi )

– Score +10 on “Alert UNION”?

– Should distinct XSS and SQLi (classes)

11 - Building Accurate Intrusion Detection System / Web Application Firewall(cont)

– Bayesian Network

• Resolves almost all problems of the threshold model

12 - Advantages of Bayesian Network

– Complicated relations can be modeled as network

(GUI)

– Computation result is expressed as probability

– Easy to maintain

– Corresponds to expert knowledge

13 - Complicated relations can be modeled as network (GUI)

– One to many, weak/strong relations can be expressed

– Models can be developed in GUI tool and then can be

used to compute the probabilities

– We use Weka Bayesian Network Editor

– Example: XSS/CMS

– Example: VA/User in Japan

– Example: ‘eval’ and Programming languages(Java,

Ruby, JavaScript, Perl, PHP… )

14 - Computation result is expressed as probability

– ‘UNION’ only ( not special )

– ‘SELECT’ only ( not special )

– Both ‘UNION’ and ‘SELECT’ ( should be marked )

– The probability of ‘rare case’ is calculated as high by

Bayes Theorem

15 - Easy to maintain

– Intermediate nodes(mediating variables) play

important role

– Influences are as expected when we update the

values in CPT

– Can be improved little by little because it is not a

black box such as Neural Network

16 - Corresponds to expert knowledge

“If A and B, then maybe C …”

Is expressed as probability

Similarity between human decision making process

and Bayesian Network

17 - Conclusion

Bayesian Network can be used to make decisions

based on observations

If “Human(Expert) can detect attacks”

Then, We want the computer to do that

Use Bayesian Network!

18 - We’re hiring!

– Bitforest Co.,Ltd.

– Web Application Security Expert

– Data Science Expert

– Contact to @kinyuka

19