akn714/ML-Based-WAF

Machine Learning Based Web Application Firewall

Datasets

  • CICIDS (various years) — network/HTTP attacks
  • UNSW-NB15 — labeled traffic
  • OWASP ModSecurity CRS logs and rule sets
  • Public WAF/IDS corpora and community datasets
  • Synthetic traffic generators and fuzzers for coverage
  • CSIC2010

Data Collection

  1. Run a DVWA instance locally.
  2. Open Burp Suite and intercept the browser's web requests through it, using FoxyProxy.
  3. Normal Web Request Data:
    • Browse the DVWA normally to generate normal web request data.
    • Save the collected web request data from Burp Suite to a CSV file.
  4. Malicious Web Request Data:
    • Run an automated SQLi attack using different tools.
    • Save the collected web request data from Burp Suite to a CSV file.
  5. Combine both CSV files.

Training the model

  1. Preprocessing
    • Feature Extraction
    • Train-Test Split
  2. Building Pipeline
  3. Training the model: Training the model pipeline on collected web request data.
  4. Testing the model
  5. Building the WAF reverse proxy
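
The steps above (feature extraction, train-test split, training, testing, and the block/approve decision the proxy makes) in one small script. This is an added example, not code from this repository: the features, the logistic-regression model, the every-third-row split and the sample rows are all assumptions made for illustration, and the rows are constructed, not collected data.

```python
import math
import re
from urllib.parse import unquote_plus

SQL_WORDS = re.compile(r"\b(union|select|or|and|sleep|from|where)\b", re.I)
# Constructed sample rows (request target, label): 0 = normal, 1 = SQLi.
ROWS = [
    ("/DVWA/index.php", 0),
    ("/DVWA/vulnerabilities/sqli/?id=1%27+OR+1%3D1&Submit=Submit", 1),
    ("/DVWA/vulnerabilities/sqli/?id=3&Submit=Submit", 0),
    ("/DVWA/vulnerabilities/sqli/?id=1&Submit=Submit", 0),
    ("/DVWA/vulnerabilities/sqli/?id=1%27+UNION+SELECT+1%2C2--+&Submit=Submit", 1),
    ("/DVWA/vulnerabilities/sqli/?id=2%27+OR+%27a%27%3D%27a&Submit=Submit", 1),
    ("/DVWA/security.php?security=low", 0),
    ("/DVWA/vulnerabilities/sqli/?id=1%27+AND+SLEEP(2)%23&Submit=Submit", 1),
    ("/DVWA/vulnerabilities/sqli/?id=5%27+UNION+SELECT+null%2Cnull%23&Submit=Submit", 1),
]

def extract_features(target):
    """URL-decode the request target, then count SQLi-typical tokens."""
    s = unquote_plus(target)
    return [1.0,                                                   # bias term
            float(s.count("'") + s.count('"')),                    # quote characters
            float(len(SQL_WORDS.findall(s))),                      # SQL keywords
            float(s.count("--") + s.count("#") + s.count("/*"))]   # comment markers

def split(rows, every=3):
    """Deterministic train-test split: every third row is held out for testing."""
    held = rows[every - 1::every]
    return [r for r in rows if r not in held], held

def score(w, x):
    return sum(a * b for a, b in zip(w, x))

def fit(rows, epochs=300, lr=0.1):
    """Logistic regression trained with plain stochastic gradient descent."""
    w = [0.0] * 4
    for _ in range(epochs):
        for target, label in rows:
            x = extract_features(target)
            p = 1.0 / (1.0 + math.exp(-score(w, x)))
            w = [wi + lr * (label - p) * xi for wi, xi in zip(w, x)]
    return w

def verdict(w, target):  # the proxy's decision for one request
    return "blocked" if score(w, extract_features(target)) > 0 else "approved"

TRAIN, TEST = split(ROWS)
WEIGHTS = fit(TRAIN)
```

With these constructed rows no normal request contains a quote, keyword or comment marker, so the learned weights on all three counts are non-negative. A benign value that happens to contain an apostrophe next to a word like "or" would therefore score like the injection rows unless the collected normal traffic includes such cases.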

Usage Guide (Proxy Based Setup)

  1. Run a DVWA instance locally.
  2. Install the FoxyProxy extension in your browser.
  3. In FoxyProxy, add your laptop's IP address as a new proxy: http://[ip]:8081
  4. Access the DVWA in your browser by visiting http://[ip]/DVWA
  5. Turn on your new proxy (your WAF proxy) in FoxyProxy.
  6. Start your proxy server by running:
    python proxy_server.py
  7. Browse the DVWA normally. While you browse, the proxy server displays legitimate requests as approved (Green Flag). When you attempt a SQLi (SQL Injection) attack in the 'SQL Injection' tab in DVWA, the request is flagged as malicious (Red Flag) and blocked by the firewall proxy.
