
Libdetection: Introducing New Generation of Attacks Detection

In the latest version of Wallarm Node, we integrated a new attack detection engine that works in combination with the existing detection methods. Libdetection is an open-source project (https://github.com/wallarm/libdetection) that provides signature-free payload detection by applying syntax analysis and formal grammar theory.

Libdetection uses a formal model for attack detection, which allows it to make a decision based on the type of attack rather than on a specific payload. This approach lets us implement the library without enumerating attack precedents (without a signature for each specific attack): here you will not find fingerprint files or static rules built from regular expressions.

Definition of an attack: the user input (the string passed to the library) can be parsed as a sequence of tokens in which at least one token is a syntax instruction rather than data.

For example, the string 123 union select contains one data token and two instructions (commands), so it is considered an attack, even though it is not a complete statement: no column or table names are used.

Within the library, each parser state in which processing of a string can begin is called a context. Contexts are defined so as to reduce the number of false positives of a similar type.

The library supports a variety of contexts (parser states) in two main groups: injection attacks and commanding attacks. This approach lets us divide all attacks into two groups suited to subsequent analysis and attribution to vulnerabilities in the code.

For example, for phpMyAdmin or similar tools, certain query parameters legitimately accept input that would otherwise count as a commanding attack: such input consists entirely of SQL syntax from the initial parsing state, for instance ?query=SELECT id FROM users … . At the same time, the defective syntax of an SQL injection attack in these same parameters can still be easily blocked, for example ?query=123 UNION SELECT id FROM users -- a- .

For ease of understanding, you can distinguish injection and commanding attacks as follows. In the case of injection attacks, at least one piece of user input must be handled entirely as data. In the case of commanding attacks, any user input will contain at least one instruction.
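To make the data-token versus instruction-token distinction and the role of the parsing context concrete, here is an added toy illustration in Python. It is not libdetection's own code (the real library uses re2c-generated lexers and grammar rules in C); the keyword set, the context names "data" and "sql", and all sample inputs are constructed for this example.

```python
import re

# Constructed toy keyword set: a small SQL subset whose words count as
# "instructions". The real library derives this from a grammar, not a list.
SQL_INSTRUCTIONS = {
    "select", "union", "from", "where", "insert", "into",
    "update", "delete", "drop", "values",
}

# Tiny lexer: SQL comments, quoted strings, numbers, identifiers, and any
# other single non-space character. Named groups tell us which rule matched.
TOKEN_RE = re.compile(
    r"""(?P<comment>--[^\n]*|/\*.*?\*/)
      | (?P<string>'(?:[^']|'')*')
      | (?P<number>\d+(?:\.\d+)?)
      | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
      | (?P<punct>\S)""",
    re.VERBOSE | re.DOTALL,
)


def tokenize(text):
    """Split text into (kind, lexeme) pairs, kind in {data, instruction, punct}."""
    tokens = []
    pos = 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(text, pos)  # always matches: punct accepts any non-space
        kind = m.lastgroup
        lexeme = m.group(kind)
        pos = m.end()
        if kind == "comment" or (kind == "word" and lexeme.lower() in SQL_INSTRUCTIONS):
            tokens.append(("instruction", lexeme))
        elif kind in ("number", "string", "word"):
            tokens.append(("data", lexeme))
        else:
            tokens.append(("punct", lexeme))
    return tokens


def classify(text):
    """Return 'data' (no instructions), 'injection' (data followed by
    instructions) or 'commanding' (input starts with an instruction)."""
    toks = [t for t in tokenize(text) if t[0] != "punct"]
    if not any(kind == "instruction" for kind, _ in toks):
        return "data"
    return "injection" if toks[0][0] == "data" else "commanding"


def is_attack(text, context="data"):
    """Apply the parsing context: in a 'data' context any instruction is an
    attack; in an 'sql' context (a query box such as phpMyAdmin's) a whole
    statement is legitimate but data-then-instructions is still an injection."""
    kind = classify(text)
    if kind == "data":
        return False
    if kind == "commanding" and context == "sql":
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the examples in the text.
    for sample in ("123 union select", "SELECT id FROM users",
                   "123 UNION SELECT id FROM users -- a-", "hello world 42"):
        print(f"{sample!r:45} {classify(sample):11} "
              f"data-ctx={is_attack(sample)} sql-ctx={is_attack(sample, 'sql')}")
```

Note that the toy never looks for a specific payload: "123 union select" is flagged because a data token is followed by instruction tokens, and the same input stays an attack even in the sql context, whereas a complete SELECT statement is legitimate there and an attack only where plain data was expected.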

Since the first release five years ago, the project has been continually refined to improve performance and detection quality. Today the open-source version of libdetection provides three syntaxes: SQL, Bash, and Path Traversal. The engine is extensible, so anyone who can write re2c lexers and knows BNF is welcome to add HTML, JavaScript, and other grammars relevant to web attack payloads.

Current tests demonstrate that libdetection dramatically reduces the number of false positives and bypasses compared with regex-based rule sets such as the ModSecurity Core Rule Set. Some statistics are given in this article: https://lab.wallarm.com/testing-modsecurity-for-false-positives-by-books-texts/.

The Wallarm team will continue to improve libdetection and extend its use within Wallarm Node.
