Detect zero-day exploits through machine learning


Code injection is an attack technique that attackers frequently use, for example in zero-day exploits, to run arbitrary code on victims' machines via vulnerable applications. Why signatures are not enough for intrusion prevention systems, and how machine learning can help.

Because code injection is so popular in exploits, pattern-matching signatures are commonly used to identify anomalous network traffic, as Palo Alto Networks notes. However, injections can take many forms, and a simple injection can easily bypass a signature-based solution by adding foreign strings. As a result, signature-based solutions often fail against variants of the Proof of Concept (PoC) for Common Vulnerabilities and Exposures (CVEs).

Deep learning models more robust against attackers

Intrusion Prevention System (IPS) signatures have long proven to be an efficient defense against cyber attacks. Relying on predefined signatures, an IPS can accurately detect known threats with few or no false positives. However, creating IPS rules requires a proof of concept or a technical analysis of the specific vulnerability, so IPS signatures struggle to detect unknown attacks for which no such knowledge exists.

For example, remote code execution exploits are typically built from a vulnerable URI or parameter and a malicious payload, and both parts must be identified to ensure detection. In zero-day attacks, however, either part can be unknown or obfuscated, making the required IPS signature coverage difficult to achieve.

Challenges for threat researchers

  • False negative results. Variations and zero-day attacks occur every day, and IPS cannot cover all of them due to a lack of upfront attack details.
  • False positive results. To cover variants and zero-day attacks, generic rules are created with relaxed conditions, which inevitably introduces the risk of a false positive.
  • Latency. The time lag between the discovery of vulnerabilities, the implementation of protections by security vendors, and the application of security patches by customers provides attackers with a significant window of opportunity to exploit the end user.

While these issues are inherent in IPS signatures, machine learning techniques can address these shortcomings. Based on real-world zero-day attacks and benign traffic, Palo Alto Networks trained machine learning models to detect common attacks such as remote code execution and SQL injection. Recent research shows that these models can be very useful in detecting zero-day exploits, as they are both more robust and more responsive than traditional IPS methods.

Machine learning test results

To detect zero-day exploits, Palo Alto Networks researchers trained two machine learning models: one to detect SQL injection attacks and one to detect command injection attacks. The researchers emphasized a low false positive rate to minimize the negative impact of using these models for detection. Both models were trained on HTTP GET and POST requests. To build these datasets, they combined multiple sources, including malicious traffic generated by tools, live traffic, internal IPS records, and more.

  • For ~1.15 million benign and ~1.5 million malicious samples containing SQL queries, the SQL model achieved a 0.02 percent false positive rate and a 90 percent true positive rate.
  • With ~1 million benign and ~2.2 million malicious samples containing web queries and possible command injections, the command injection model achieved a 0.011 percent false positive rate and a 92 percent true positive rate.

These detections are particularly useful because they can provide protection against new zero-day attacks while being resistant to small changes that might bypass traditional IPS signatures.

Conclusion

Command and SQL injection attacks remain among the most common and worrying threats affecting web applications. While traditional signature-based solutions are still effective against exploits used exactly as published, they often fail to detect variants: a motivated attacker can make minimal changes and bypass such solutions.

To combat these ever-evolving threats, Palo Alto Networks developed a context-based deep learning model that has proven effective in detecting the latest high-profile attacks. The models were able to successfully detect zero-day exploits such as the Atlassian Confluence vulnerability, the Moodle vulnerability, and the Django vulnerability. This type of flexible detection will prove critical for comprehensive defense in an ever-evolving malware landscape.

More at PaloAltoNetworks.com

About Palo Alto Networks

Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and protect our digital way of life. We help you address the world's biggest security challenges with continuous innovation leveraging the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are the leaders in protecting tens of thousands of businesses across clouds, networks and mobile devices. Our vision is a world where every day is safer than the one before.
