AppMine: Behavioral Analytics for Web Application Vulnerability Detection
This addresses security risks for web application operators by providing a lightweight detection tool, though it is incremental as it builds on existing anomaly detection methods.
The paper tackles the problem of detecting unknown web vulnerabilities in containerized applications by designing AppMine, an unsupervised learning system that monitors behavioral analytics, achieving an average AUC of 0.97 for specific exploits like CVE-2017-5638.
Web applications in widespread use have always been the target of large-scale attacks, leading to massive disruption of services and financial loss, as in the Equifax data breach. It has become common practice to deploy web application in containers like Docker for better portability and ease of deployment. We design a system called AppMine for lightweight monitoring of web applications running in Docker containers and detection of unknown web vulnerabilities. AppMine is an unsupervised learning system, trained only on legitimate workloads of web application, to detect anomalies based on either traditional models (PCA and one-class SVM), or more advanced neural-network architectures (LSTM). In our evaluation, we demonstrate that the neural network model outperforms more traditional methods on a range of web applications and recreated exploits. For instance, AppMine achieves average AUC scores as high as 0.97 for the Apache Struts application (with the CVE-2017-5638 exploit used in the Equifax breach), while the AUC scores for PCA and one-class SVM are 0.81 and 0.83, respectively.