Proposal for a new plugin: Machine Learning on ModSecurity #2067

fggillie · 2021-05-07T08:56:36Z

This PR is a proposal for a plugin to ease the integration of Machine Learning (ML) in ModSecurity.

How it works

The core idea is to use ML in combination with the CRS, by having a double-check on suspicious requests. For this reason, ML is triggered only for requests for which the anomaly score exceeds the threshold. This is performed by chaining rule 949110 with a "ML rule".

The "ML rule" is a Lua script calling the ML model running on a server in an external container/pod. This obviously adds latency due to communication overhead but has the advantage of only loading and instantiating the ML model once at server start and not for each incoming request.

Attached is an example of a server running the ML model that can be reached by the Lua script. It uses the Flask library, definitely not the fastest option.
dummy_app.txt

What needs to be discussed

I'd be glad to discuss the following (and any other suggestion you may have) with you:

With this framework, the anomaly score is set but can be ignored if ML decides not to block the request...can bring confusion in the logs
This framework is for the case where we would like to call ML for suspicious requests only. Maybe we would like something more general?
Is there a way and would it be interesting to parallelize the ML and CRS execution?

azurit · 2021-05-07T09:04:42Z

My very first, maybe dump, question: What is ML?

airween · 2021-05-07T09:08:27Z

My very first, maybe dump, question: What is ML?

same question from me :)

fggillie · 2021-05-07T09:12:50Z

ML = machine learning, oops :)
I fixed the name in the PR

dune73 · 2021-05-07T10:36:06Z

Thank you for your submission @fggillie. That was fast.

For the record: I asked @fggillie to submit her work (-> EPFL Master Thesis) here so it could be polished into an official plugin. We do not yet have a proper process to discuss / refine new plugins, so I thought it fitting to draft the PR here and when we deem it done, we create a separate repo for the new plugin.

This is a good base for a start and it has been a long standing desire to take the pain out of Machine Learning an CRS. The problem is that people need to learn ModSec/CRS first before they can concentrate on ML despite their interest being with ML.

As listed above, there are several open questions around this functionality.

Here are a few thoughts

The extension to 949110 (that we need to pluginize somehow) sets the terminal tx.inbound_anomaly_score, yet in a chained rule it decides it is not good enough to actually block the request, since the ML rig counseled against it. It's like combining CRS with an external / 3rd party rule (set) and we're only blocking when both agree it should be blocked. This is a means to reduce false positives: It is an AND connection between CRS AND ML.

This is an interesting concept, yet it is a new concept and we have to think it through. As Floriane mentioned it will lead to situations where the anomaly threshold is reached, yet the request is not blocked. In fact there won't be a trace in the log in such a case the way it is done in the PR now.

An alternative way to call the external ML would be to integrate a scoring rule that does the ML call. That would then not be used to fight false positives, but simply an additional detection rule that would score. I think the plugin should allow this as well, or primarily this option. That would result in an OR connection between CRS and ML: CRS scores, or the new plugin scores and if one or the combination of the two result in a high anomaly score, we have a hit. Performancewise, this is a big difference, though, and it is possible that executing lua for every request is too heavy. (Thought: Only execute ML for certain requests, like POST requests, or those requests where the anomaly threshold is within reach. No need to execute ML, when the anomaly score is 0, this is the last rule to execute and it can only score 5 with 10 being the limit. In this situation you should only execute the ML rule if the score is already greater or equal to 5 since only in this situation there is the potential to actually hit or exceed the anomaly threshold.)

A big potential of ML is to take the context / the session into consideration when examining a request. It is possible to do this with ModSecurity, but it's really tedious. However, with ML you can follow the flow of the application really easily. Piece of cake. However, the way the lua script presents itself, it does not forward the client's cookies, nor the client's IP address. So that would be a useful addition.

It might be interesting from a performance perspective to parallelize the execution. Right now, we branch into the lua script after the threshold is reached. Maybe we could branch very early in the request, execution continues and then in 949110, we poll for the result of the ML call.

We ought to look into the scanning of the responses too, since there is a substantial potential for ML to detect data leakages, since these cases will differ significantly from the standard RESPONSE_BODY.

azurit · 2021-05-07T10:47:01Z

I think most of problems you mentioned can be easily resolved inside a lua script.

azurit · 2021-05-07T10:48:44Z

Are we talking about any concrete ML solution or is it supposed to be some kind of generic ML integration?

dune73 · 2021-05-07T11:45:10Z

Ideally generic. What we see so far is generic. One could then accompany it with a reference use case in the form of a blog post / tutorial.

fzipi · 2021-08-02T19:08:44Z

JFYI: we have a similar project that would generate a generic plugin by extending modsecurity with a new operator. Nothing productive yet, but I'm expecting to have something in the next quarter.

vloup · 2021-11-08T17:04:39Z

My 2 cents on this PR that I saw way too late.

client.lua could use cjson to parse json. You just need to ensure that lua-cjson is available (on top of lua-socket). The inside of the lua main could look like this:

-- client.lua
local ltn12 = require("ltn12")
local http = require("socket.http")
local cjson = require("cjson")

local url = 'http://ml-server-name:5000/'
function main()
  local method = m.getvar("REQUEST_METHOD")
  local path = m.getvar("REQUEST_FILENAME")
  local hour = m.getvar("TIME_HOUR")
  local day = m.getvar("TIME_DAY")
  local args = m.getvars("ARGS")

  local args_dict = {}
  -- transform the args array into a string following JSON format
  if args ~= nil then
    for k,v in pairs(args) do
      name = v["name"]
      value = v["value"]
      value = value:gsub('"', "$#$") -- not a fan of this, but if it depends on the external service, don't change it.
      args_dict[name] = value
    end
  end
  local args_str = cjson.encode(args_dict)

--... rest of the function stays identical...

dune73 · 2021-11-08T20:11:53Z

Thank you for chiming in. Are you working on ML as well?

vloup · 2021-11-20T15:39:26Z

@dune73 No. @fggillie plugged her work on the modsecurity instance I manage and it lacked cjson. Since then, I installed this lua dependency. It really took me 6 months to discover this PR and talk about this change.

dune73 · 2021-11-22T14:47:38Z

Thanks for the info, @vloup. Care contacting me via DM? folini@netnea.com

franbuehler · 2022-09-29T12:28:50Z

@deepshikha-s created the Machine Learning Integration Plugin as CRS plugin as a Google Summer of Code 2022 project.
The public and available work has been integrated into this referenced plugin. Unfortunately, the model used in this PR here was not public data.

This PR can be closed. All work has been integrated into the referenced CRS Machine Learning Integration Plugin.

proposal of ml integration in modsec

8c1c680

fggillie changed the title ~~Proposal for a new plugin: ML on ModSecurity~~ Proposal for a new plugin: Machine Learning on ModSecurity May 7, 2021

dune73 mentioned this pull request Jun 3, 2021

Monthly Chat Agenda June (2021-06-07 and 2021-06-21) #2074

Closed

dune73 mentioned this pull request Jul 2, 2021

Monthly Chat Agenda July (2021-07-05 and 2021-07-19) #2141

Closed

dune73 mentioned this pull request Aug 2, 2021

Monthly Chat Agenda August 2021 (2021-08-02 and 2021-08-16) #2169

Closed

dune73 mentioned this pull request Sep 2, 2021

Monthly Chat Agenda September 2021 (2021-09-06 and 2021-09-20) False Positive Meeting Agenda #2185

Closed

dune73 mentioned this pull request Oct 4, 2021

Monthly Chat Agenda October 2021 (2021-10-04 and 2021-10-18) #2197

Closed

dune73 mentioned this pull request Nov 1, 2021

Monthly Chat Agenda November 2021 (2021-11-01 and 2021-11-15) #2239

Closed

dune73 added the 👀 Needs action label Dec 6, 2021

dune73 mentioned this pull request Dec 6, 2021

Monthly Chat Agenda December 2021 (2021-12-06 and 2021-12-20) #2291

Closed

fzipi mentioned this pull request Jan 2, 2022

Monthly Chat Agenda January 2022 (2022-01-03 and 2022-01-17) #2330

Closed

fzipi mentioned this pull request Feb 7, 2022

Monthly Chat Agenda February 2022 (2022-02-07 and 2022-02-21) Meeting Agenda #2350

Closed

fzipi mentioned this pull request Mar 6, 2022

Monthly Chat Agenda March 2022 (2022-03-07 and 2022-03-21) Meeting Agenda #2401

Closed

fzipi mentioned this pull request Apr 4, 2022

Monthly Chat Agenda April 2022 (2022-04-04 and 2022-04-18) #2453

Closed

dune73 mentioned this pull request May 2, 2022

Monthly Chat Agenda May 2022 (2022-05-02 and 2022-05-16) #2503

Closed

fzipi mentioned this pull request Jun 5, 2022

Monthly Chat Agenda June (2022-06-06 and 2022-06-20) #2539

Closed

theseion marked this pull request as draft June 8, 2022 18:19

dune73 mentioned this pull request Jul 4, 2022

Monthly Chat Agenda July (2022-07-04 and 2022-07-18) #2675

Closed

fzipi mentioned this pull request Aug 1, 2022

Monthly Chat Agenda August 2022 (2022-08-01 and 2022-08-15) #2690

Closed

fzipi mentioned this pull request Sep 5, 2022

Monthly Chat Agenda September 2022 (2022-09-05 and 2022-09-19) #2755

Closed

franbuehler closed this Sep 29, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Proposal for a new plugin: Machine Learning on ModSecurity #2067

Proposal for a new plugin: Machine Learning on ModSecurity #2067

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Proposal for a new plugin: Machine Learning on ModSecurity #2067

Proposal for a new plugin: Machine Learning on ModSecurity #2067

Uh oh!

Conversation

Uh oh!

How it works

What needs to be discussed

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Here are a few thoughts

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!