FortiWeb as a Service Machine Learning - Anomaly Detection

Introduction

Machine learning that automatically and continuously models your application and eliminates manual tuning.

Especially useful for businesses that don't have a web application security specialist.

1. Setup

  • After you log in, you will see the Applications view.

  • Click on your Web# (in this example Web1); this opens your Application Dashboard.

Note: during the onboarding exercise we set the site to Blocking Mode.

  • Setting the site to Blocking Mode during onboarding also enabled DDoS Prevention; this must be disabled before we do the Machine Learning Anomaly Detection exercise.

  • Navigate to the DDOS PREVENTION menu

  • Toggle the DDoS Prevention to OFF and Save

  • Navigate to the BOT MITIGATION menu

  • Toggle the Known Bad Bots to OFF and Save

  • Check that Machine Learning Anomaly Detection is enabled.

  • Navigate to the ADD MODULES menu

  • Enable Application Delivery -> Rewriting Request.

  • From within Application Delivery - Rewriting Request, enable the X-Forwarded-For HTTP header. This is required for this lab exercise to allow ML-AD to build the model: FortiWeb Cloud prevents pollution of the learning model by only allowing 30 unique requests per IP address to count toward model building.

This is not best practice; it is required for the lab only.
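To see why the setting above is lab-only, here is an added model of the per-IP sample cap (example code written for this guide, not FortiWeb's own logic). It assumes the cap counts every request from a source address, that the first address in a client-supplied X-Forwarded-For header is used when that header is trusted, and uses constructed sample traffic: once the header is trusted, a single host can contribute far more than 30 samples to the learning model.

```python
from collections import Counter

# Per-source-IP cap on requests counted toward the learning model (value from the lab text).
MODEL_BUILD_CAP_PER_IP = 30


def source_ip(request, trust_xff):
    """Return the address a request is attributed to for model building.

    trust_xff=False: use the TCP peer address only.
    trust_xff=True:  prefer the first address in a client-supplied
                     X-Forwarded-For header (assumed to mirror the lab's
                     Rewriting Request setting), falling back to the peer.
    """
    if trust_xff:
        xff = request.get("headers", {}).get("X-Forwarded-For", "")
        first = xff.split(",")[0].strip()
        if first:
            return first
    return request["peer"]


def admit_for_learning(requests, trust_xff):
    """Apply the per-IP cap and return (admitted_count, per_ip_counts).

    Assumption: every request counts as one sample until its source hits the cap.
    """
    seen = Counter()
    admitted = 0
    for req in requests:
        ip = source_ip(req, trust_xff)
        if seen[ip] < MODEL_BUILD_CAP_PER_IP:
            seen[ip] += 1
            admitted += 1
    return admitted, dict(seen)


def simulated_traffic(n):
    """Constructed sample: n requests from one host (peer 203.0.113.10, a
    documentation address), each carrying a rotating X-Forwarded-For value."""
    return [
        {"peer": "203.0.113.10",
         "headers": {"X-Forwarded-For": f"198.51.100.{i % 250}"}}
        for i in range(n)
    ]


if __name__ == "__main__":
    # Same 3000 requests: only 30 reach the model when the peer address is
    # used, but all 3000 do once the client-controlled header is trusted.
    print(admit_for_learning(simulated_traffic(3000), trust_xff=False)[0])  # 30
    print(admit_for_learning(simulated_traffic(3000), trust_xff=True)[0])   # 3000
```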

2. ML - Anomaly Detection

  • Click on Overview
  • This will be empty

  • Click on TreeView
  • This will be empty

  • Your environment is now ready to build the ML-AD

3. ML - Building

  • Log into your web server with SSH from your laptop on port 2222.
  • Replace # with your assigned attendee number.
    The password is fortinet

ssh -p 2222 user#@stepstone.fortiworkshop.nl

  • Run the following command to start the traffic generator tool.

ml-ad-simulator

The traffic generator tool will provide you with some menu options.

  • Select option 1 to send 3000 requests to your website.

  • Go back to the FWBaaS GUI and look at the TreeView.
  • FWBaaS is now collecting data to build the ML-AD model.

  • Refresh and you will see the FWBaaS model being built.

  • At the end of the script, FWBaaS will move the parameters it learned into Running mode.

4. Testing

  • Attack the page using an attack pattern from the list at the bottom of this page.

Note: some of these may no longer be unknown attacks.

  • Example attack

  • The attack is blocked

  • The Attack Log is now under Threat Analytics

  • The Attack Log is now displayed.

  • Expand the entry by clicking the down arrow.

  • You can see the attack was blocked by Machine Learning

  • More detail on the attack can be found by expanding the data packet detail.

  • This workshop is now complete.

5. Sample Attacks

Example manual tests (Command Injection, XSS, SQL, Format strings, and Zero-day)

Command injection
    * /%3F%3F%3F/1%3F - /???/1?
    * C;~/r.sh- c;~/r.sh

SQLi
    * 24-1EwfJWguQV
    * A%20’DIV’%20B – A ‘DIV’ B

Cross Site Scripting
    * Window%20\[‘ale’+’rt’](1) = window ‘aler’+’rt’](1)
    * 1%5D%3Ba%3Deval%3b%3Dalert%3Ba(b(17))%3B%2F%2F – 1];a=eval;b=alert;a(b(17));//
    * ___=1%3F’ert(123)’:0,%20_20=1%3F’al’:0.%20__=1%3F’ev’:0.%20k=window,%20[__%2B_](_%2B___) - ___=1?’ert(123)’:0, _=1?’al’:0, __=1?’e’

Format string attacks
    * %X%X%X%X%X%X%X%X%X%X - %X%X%X%X%X%X%X%X%X%X
    * %p%P%P%P%P%P%P%P%P%P%P - %P%P%P%P%PP%P%P%P%PO

Zero-day attacks for Machine Learning
    * Zero-day Remote Exploit         = %X%X%X%X%X%X%X%X%X%X - %X%X%X%X%X%X%X%X%X%X
    * Zero-day SQLinjection (SQLi)    = abc;$compress_message%253dgzcompress("hack%2520message",%252012)