open-appsec is an open-source Web Application & API Security solution, which provides automatic security using machine learning. Its uniqueness comes from the fact that it is not signature-dependent but uses contextual machine learning instead. Therefore, it can effectively protect against zero-day and OWASP-Top-10 attacks.
As signatures for new attacks, by design, can only be created after new attacks have been published, a WAF solution that relies solely on signatures will never protect preemptively (in advance) against zero-day attacks. This is especially important as a vulnerability usually exists for a long time within an affected code of a software or a library, before the first public disclosure of a corresponding CVE record describing it.
At the heart of open-appsec is the contextual machine-learning-based enforcement engine which works in three stages:
In stage 1, the engine is parsing and decoding the Payload (analyzing all fields of HTTP requests, base64 decoding, etc.)
In stage 2, the engine looks for short attack indicators within the HTTP request, to test the likelihood of the request being used to exploit a vulnerability. This evaluation is based on a supervised, offline Machine Learning model, which was built in an on-going offline supervised training process using millions of malicious and benign requests. Scores, representing the indicator’s likelihood of being part of an attack, are assigned not only to each indicator by itself but also to pairs of indicators. Aggregating the scores of the indicators to a total stage 1-score allows open-appsec to make an effective and accurate initial decision about the attack likelihood of the HTTP request.
In stage 3, requests which are considered potentially malicious based on the indicators analysis which happened in stage 2 are further analyzed in the contextual machine learning evaluation engine, in order to gain the best-possible confidence that any HTTP request, which was indicated as being potentially malicious, is indeed an attack, and to rule out false positives effectively. To do this, open-appsec considers different additional contexts like the application structure, how users generally or individually interact with the content, and more. This evaluation is done with an online, non-supervised ML model, which is built and updated continuously in real-time for the specific, protected environment based on the inbound traffic.
To explain the inner mechanics of open-appsec’s contextual machine learning engine, we created a detailed video session, led by open-appsec Product Manager, Christopher Lutat. In the video you will get the full story:
The open-appsec project in short
The challenges that result from the use of static signatures in today’s common WAF solutions
Short recap of Log4j 0-day vulnerabilities (“Log4Shell”)
Deep-dive into open-appsec’s signature-less, ML-based approach for preemptive web app and API protection
The contextual ML explained based on specific examples and a demo to illustrate open-appsec’s capabilities
Click here to watch!