Peiyang Li (INSC and the State Key Laboratory of Internet Architecture, Tsinghua University and Ant Group), Fukun Mei (INSC and the State Key Laboratory of Internet Architecture, Tsinghua University), Ye Wang (INSC and the State Key Laboratory of Internet Architecture, Tsinghua University), Zhuotao Liu (INSC and the State Key Laboratory of Internet Architecture, Tsinghua University), Ke Xu (DCST and the State Key Laboratory of Internet Architecture, Tsinghua University and Zhongguancun Laboratory), Chao Shen (Xi’an Jiaotong University), Qian Wang (Wuhan University), Qi Li (INSC and the State Key Laboratory of Internet Architecture, Tsinghua University and Zhongguancun Laboratory)

Web attacks pose a significant threat to Web applications. While deep learning-based systems have emerged as promising solutions for detecting Web attacks, the lack of interpretability hinders their deployment in production. Existing interpretability methods are unable to explain Web attacks because they overlook the structure information of HTTP requests. They merely identify some important features, which are not understandable by security operators and fail to guide them toward effective responses.

In this paper, we propose WebSpotter that achieves interpretable Web attack detection, which enhances existing deep learning-based detection methods by locating malicious payloads of the HTTP requests. It is inspired by the observation that malicious payloads often have a significant impact on the predictions of detection models. WebSpotter identifies the importance of each field of HTTP requests, and then utilizes a machine learning model to learn the correlation between the importance and malicious payloads. In addition, we demonstrate how WebSpotter can assist security operators in mitigating attacks by automatically generating WAF rules. Extensive evaluations on two public datasets and our newly constructed dataset demonstrate that WebSpotter significantly outperforms existing methods, achieving at least a 22% improvement in localization accuracy compared to baselines. We also conduct evaluations on real-world attacks collected from CVEs and real-world Web applications to illustrate the effectiveness of WebSpotter in practical scenarios.

View More Papers

Chasing Shadows: Pitfalls in LLM Security Research

Jonathan Evertz (CISPA Helmholtz Center for Information Security), Niklas Risse (Max Planck Institute for Security and Privacy), Nicolai Neuer (Karlsruhe Institute of Technology), Andreas Müller (Ruhr University Bochum), Philipp Normann (TU Wien), Gaetano Sapia (Max Planck Institute for Security and Privacy), Srishti Gupta (Sapienza University of Rome), David Pape (CISPA Helmholtz Center for Information Security),…

Read More

PathProb: Probabilistic Inference and Path Scoring for Enhanced and...

Yingqian Hao (Computer Network Information Center, Chinese Academy of Sciences; University of Chinese Academy of Sciences), Hui Zou (Computer Network Information Center, Chinese Academy of Sciences; University of Chinese Academy of Sciences), Lu Zhou (Computer Network Information Center, Chinese Academy of Sciences; University of Chinese Academy of Sciences), Yuxuan Chen (Computer Network Information Center, Chinese…

Read More

MUTATO: Enhancing Fuzz Drivers with Adaptive API Option Mutation

Shuangxiang Kan (University of New South Wales), Xiao Cheng (Macquarie University), Yuekang Li (University of New South Wales)

Read More