Using Machine Learning To Protect From Malicious Attacks

The problem of identifying and eliminating web-based malicious attacks has always been difficult for cybersecurity experts who use traditional Web Application Firewalls (WAFs).

WAFs are the first line of defense against attackers whenever you’re publishing an internet-facing application or website. They can prevent attacks against your web infrastructure – which otherwise could result in costly data breaches.

But WAFs are not perfect. In this article, we’ll discuss some of the most common issues with modern WAFs, and how the Oracle WAF uses machine learning to overcome these problems. Let’s get started.

Traditional WAFs – Rule-Based And Inflexible

Traditional WAFs essentially work the same way as antivirus software. They use a rule-based approach, meaning that you must define a set of “rules” that recognize attacks and block the matching traffic.

These rules look for the signatures of known attack vectors by comparing incoming requests against a database of those signatures. If an attack is identified, it’s blocked, preventing any potential security risks.

And this is an effective method of protecting your web security – or at least, it would be, in a perfect world where you had a database of every cyber attack, and hackers did not innovate and try new hacking techniques.

This is where traditional, rule-based security WAFs fall short. They can only identify what they know. Not only that, but even similar attacks that do not share the same signatures may not be prevented. There is also no way to protect against “zero-day” attacks and vulnerabilities, which are, by nature, unknown until the attack occurs.

In addition, traditional WAFs require quite a bit of care, attention, and setup from cybersecurity professionals. Someone must be responsible for adding new rules, tuning the static rules, and making sure that legitimate traffic is not blocked – which is a real concern.

Improper or poorly implemented rules can also result in application downtime, as legitimate traffic and functionality could be interrupted if you add a rule that is not properly formatted, or that does not work as intended.

Oracle’s WAF – Using Machine Learning (ML) Technology To Recognize And Prevent Attacks

So, what’s the solution to a traditional WAF that requires manual rule-setting, and has a rigid, set database with today’s most common threats? Oracle believes that Machine Learning (ML) algorithms hold the key.

By using supervised Machine Learning (ML) techniques, you can train an algorithm to recognize the similarities and hallmarks of a potentially dangerous attack, even if the vector is not completely the same.

A machine learning engine can quickly begin to recognize the difference between legitimate and illegitimate web traffic and find common patterns that mark a particular request as malicious.

The Oracle WAF, by doing this, can eventually begin automatically blocking traffic requests that may be dangerous. Risk is scored from 0 (legitimate traffic) to 100 (malicious attack). If the score exceeds a certain threshold, a security analyst can be alerted, and automatic blocks are usually performed at an 80-85% certainty score.

Of course, this does not mean that the Oracle WAF does not need tuning. Like all ML algorithms, it must be “trained” by security experts. The difference is that most of this training happens automatically, without the need for an IT professional to monitor the entire process.

This process is very important. Machine learning, on its own, is not “smart”. Each Oracle WAF user must train the engine to distinguish between “good” and “bad” traffic. This is done at the time of the deployment of the system – and as the system continues to be used, it can iterate upon what it knows, and become “smarter”.

The chief benefit of this system is that, by using the “rules” and information gathered during training, you are able to block suspicious web traffic – even if it does not share the identical attributes of a previous attack. As long as it’s similar, the machine learning algorithm will be able to recognize it.
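An added illustration of the scoring idea described above, not Oracle's implementation or code from the original article: a small naive Bayes classifier (an assumed stand-in model) is trained on constructed, labelled requests and compared with a single static signature. The training data, token features, signature and the alert threshold of 50 are assumptions; the block threshold of 80 is the low end of the range quoted above.

```python
import math
import re
from collections import Counter

# Constructed training set (not real traffic): 0 = legitimate, 1 = malicious.
TRAIN = [
    ("/search?q=red+shoes", 0),
    ("/product?id=42", 0),
    ("/login?user=alice&next=/home", 0),
    ("/blog?page=3&sort=date", 0),
    ("/product?id=1' OR '1'='1", 1),
    ("/search?q=<script>alert(1)</script>", 1),
    ("/item?id=1 UNION SELECT password FROM users", 1),
    ("/view?file=../../etc/passwd", 1),
]
# One static signature, standing in for a rule-based WAF entry.
SIGNATURE = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)
ALERT_AT, BLOCK_AT = 50, 80  # ALERT_AT is assumed; 80 is the low end of the page's range

def tokens(request):
    # Words, numbers, and each punctuation character as its own token.
    return re.findall(r"[a-z]+|\d+|[^\sa-z\d]", request.lower())

def train(samples):
    counts = {0: Counter(), 1: Counter()}
    for request, label in samples:
        counts[label].update(tokens(request))
    return counts, set(counts[0]) | set(counts[1])

COUNTS, VOCAB = train(TRAIN)

def risk_score(request):
    """Return 0..100: naive Bayes P(malicious | tokens) * 100, Laplace-smoothed."""
    totals = {c: sum(COUNTS[c].values()) + len(VOCAB) for c in (0, 1)}
    llr = 0.0  # log-likelihood ratio; class priors are equal in TRAIN
    for tok in tokens(request):
        if tok in VOCAB:  # tokens never seen in training carry no evidence
            llr += math.log((COUNTS[1][tok] + 1) / totals[1])
            llr -= math.log((COUNTS[0][tok] + 1) / totals[0])
    return 100 / (1 + math.exp(-llr))

def decide(request):
    score = risk_score(request)
    return "block" if score >= BLOCK_AT else "alert" if score >= ALERT_AT else "allow"

def signature_match(request):
    return bool(SIGNATURE.search(request))

if __name__ == "__main__":
    for req in ("/product?id=1' OR '1'='1", "/product?id=7' OR 'a'='a", "/blog?page=2&sort=date"):
        print(f"{req!r}: signature={signature_match(req)} score={risk_score(req):.0f} -> {decide(req)}")
```

The variant `' OR 'a'='a` slips past the static signature but is blocked by the trained score. With this tiny training set a legitimate request containing an apostrophe, such as `/search?q=o'brien`, lands in the alert band, which is the kind of false positive that ongoing training and tuning has to reduce.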

The same is true of “day zero” attacks. As long as a request has some kind of identifying marker that the ML algorithm has been trained to recognize, it can be flagged and stopped, protecting your data.

Many larger enterprises are already using this system and similar systems, but we expect that the adoption of this kind of ML WAF will become more prevalent in the future. As web attacks become more difficult to deal with, and the value of data continues to grow, hackers will continue to use more sophisticated techniques to try to steal data.

Machine Learning – The Future Of WAFs

Using an ML algorithm with a Web Application Firewall has a number of benefits – less oversight by cybersecurity experts, fast responses to malicious attacks, and easier recognition of novel attack vectors, just to name a few.

For these reasons – and many more – we expect that most companies will move away from traditional, rule-based WAFs, and adopt an approach that emphasizes machine learning and faster threat detection, using a tool like the new Oracle Cloud WAF.

About the Author: David Rincon

David Rincon, with a journey beginning in 1992, has dedicated over three decades to Oracle technologies. As the Founder and Managing Partner of Cornerstone Data Systems, INC., David and his team prioritize understanding their clients' needs, aiming to maximize the value of their technology investments. Prior to Cornerstone, David established The DBA Group, LLC, an Oracle-focused firm which was later acquired by Zanett in 2007, a NASDAQ-listed company subsequently absorbed by KPMG. Apart from his business ventures, David shared his expertise as a consultant instructor for Oracle University, guiding many on the Oracle DBA Masters Curriculum. Specializing in areas such as Oracle DBA, Oracle RAC, and Oracle Enterprise Manager Grid Control, David also holds several Oracle certifications, testament to his commitment to the field. Through his endeavors, David Rincon has quietly and consistently contributed to the Oracle community, helping organizations navigate their technology journeys.
