Collaborating Authors

 Ariu, Davide


ModSec-Learn: Boosting ModSecurity with Machine Learning

arXiv.org Artificial Intelligence

ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set (CRS), identifying well-known attack patterns. Each rule is manually assigned a weight based on the severity of the corresponding attack, and a request is blocked if the sum of the weights of matched rules exceeds a given threshold. However, we argue that this strategy is largely ineffective against web attacks, as detection is only based on heuristics and not customized on the application to protect. In this work, we overcome this issue by proposing a machine-learning model that uses the CRS rules as input features. Through training, ModSec-Learn is able to tune the contribution of each CRS rule to predictions, thus adapting the severity level to the web applications to protect. Our experiments show that ModSec-Learn achieves a significantly better trade-off between detection and false positive rates. Finally, we analyze how sparse regularization can reduce the number of rules that are relevant at inference time, by discarding more than 30% of the CRS rules. We release our open-source code and the dataset at https://github.com/pralab/modsec-learn and https://github.com/pralab/http-traffic-dataset, respectively.


Strategies to Counter Artificial Intelligence in Law Enforcement: Cross-Country Comparison of Citizens in Greece, Italy and Spain

arXiv.org Artificial Intelligence

Abstract: This paper investigates citizens' counter-strategies to ... We further identified factors that increase the propensity for counter-strategies. Artificial Intelligence (AI) is a critical asset for law enforcement agencies' (LEAs) efficiency and effectiveness, e.g., ... Simultaneously, there are legitimate concerns about their usage, chief amongst them that algorithms can reinforce social inequalities (e.g., with respect to minority groups or genders), lead to faulty decisions with dramatic real-life consequences and create inflexible, insensitive procedures that fail to take into account ... These perceptions are linked to citizens' decisions about ... For instance, protesters may don uniform clothing, goggles and face masks ... Also, an increasing number of recommendations and tools emerge to obfuscate, 'confuse' or even 'weaponize own data' against data collection efforts [2], [5], [6]. ... to avoid government entities collecting data about them [7] and over half decided against products or services because they worried about collection of personal information [8]. Such changes in mass-behaviors have operational consequences for LEAs [3], including training and long-term viability of AI applications. In this paper, we investigate citizens' counter-strategies, ... This project has received funding from the European Union's Horizon 2020 research and innovation program under grant agreement No 883596 (AIDA The information in this paper reflects only the authors' view and ... We further captured about current and future AI applications.


Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning

arXiv.org Artificial Intelligence

ModSecurity is widely recognized as the standard open-source Web Application Firewall (WAF), maintained by the OWASP Foundation. It detects malicious requests by matching them against the Core Rule Set, identifying well-known attack patterns. Each rule in the CRS is manually assigned a weight, based on the severity of the corresponding attack, and a request is detected as malicious if the sum of the weights of the firing rules exceeds a given threshold. In this work, we show that this simple strategy is largely ineffective for detecting SQL injection (SQLi) attacks, as it tends to block many legitimate requests, while also being vulnerable to adversarial SQLi attacks, i.e., attacks intentionally manipulated to evade detection. To overcome these issues, we design a robust machine learning model, named AdvModSec, which uses the CRS rules as input features, and it is trained to detect adversarial SQLi attacks. Our experiments show that AdvModSec, being trained on the traffic directed towards the protected web services, achieves a better trade-off between detection and false positive rates, improving the detection rate of the vanilla version of ModSecurity with CRS by 21%. Moreover, our approach is able to improve its adversarial robustness against adversarial SQLi attacks by 42%, thereby taking a step forward towards building more robust and trustworthy WAFs.