BSidesSF 2019 has ended
Back To Schedule
Sunday, March 3 • 3:30pm - 4:00pm
Bye-Bye False Positives: Using AI to Improve Detection

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Mainstream IPS/IDS solutions including WAF, NGWAF, and RASPs produce so many false positives they are almost impossible to manage. The reason for that is that they rely on outdated detection mechanisms like signatures, human-defined rules, regexps, etc. In this talk we want to suggest a better method, based on neural network, provide an overview and comparison for several AI-based injection detection architectures, and release a specific architecture and implementation which has produced the best results. To illustrate the application of this methodology, we will review in detail the implementation of AI-based false-positive detection for a SQL injection. The insight is to represent the injection as time series which then lets us apply the same AI-approach as those used in time-series classification. To find the difference between normal requests and attacks/injections, we normalize query to the sequence of tokens/lexemes and pass them to our recurrent-based neural network model which predicts the probability that is the injection. The best architecture to apply here was proven to be bidirectional recurrent neural network with LSTM cells. As a result, it was possible to achieve 96.07% false positive detection quality at the false_positives dataset of 433 samples from libinjection (https://github.com/client9/libinjection/blob/master/data/false_positives.txt).
The implementation of presented model is already used in production at Wallarm for reducing false positive events.

Attendees will take away understanding of most modern AI injection detecting methods, a methodology for building their own RNN network for detection, understanding of the training and test datasets and methodology for accuracy testing.


Ivan Novikov

Ivan Novikov is a white hat security professional with over 12 years of experience in security services and products. He is an inventor of memcached injection and SSRF exploit class as well as a recipient of bounty awards from Google, Facebook, and others. Ivan has recently been a... Read More →

Sunday March 3, 2019 3:30pm - 4:00pm PST
City View