International Journal On Advances in Security, volume 14, numbers 1 and 2, 2021


WAF Signature Generation from Real-Time Information on the Web using Similarity to CVE

Authors:
Masahito Kumazaki
Yukiko Yamaguchi
Hajime Shimada
Hirokazu Hasegawa

Keywords: Application Firewall (WAF), Zero-day Attack, Vulnerability Information, Real-time Information.

Abstract:
Zero-day attacks and attacks based on publicly disclosed vulnerability information are major threats to network security. To cope with such attacks, it is important to collect related information and deal with vulnerabilities as soon as possible. We have developed a system that collects vulnerability information related to web applications from real-time open information on the web, such as that found on Twitter and other discussion-style web sites, and generates web application firewall (WAF) signatures for them. In this study, first, we collected vulnerability information containing a specified keyword from the National Vulnerability Database (NVD) data feed and generated WAF signatures automatically. Then, we examined the suitability of the WAF signature generation from one tweet. Finally, we extracted tweets that might contain vulnerability information and labeled them using a filtering algorithm. We then further experimented on gathering and extracting vulnerability information for a target web application. First, we gathered past CVE descriptions of the target web application and used them to generate a Doc2Vec model and word vectors. We also used the trained Doc2Vec model to generate word vectors for information gathered from open information sources such as Twitter, Stack Overflow, and Security StackExchange. After that, we extracted vulnerability information for the target web application by calculating the cosine similarity between the word vectors of the open information and the CVE descriptions. Experimental results demonstrated that our Doc2Vec-based extraction process can be easily adapted to individual web applications.

Pages: 26 to 36

Copyright: Copyright (c) to authors, 2021. Used with permission.

Publication date: December 31, 2021

Published in: journal

ISSN: 1942-2636