Traditional WAF can't prevent web attacks? Let SANGFOR help you!

29/09/2018 09:02:49

The next-generation WAF should evolve in a more intelligent direction.


Undoubtedly, WAF products are powerful tools against application layer attacks and remain the first choice for many companies dealing with complicated and changing application layer attacks. However, the means of attack keep increasing while corporate applications become more and more complicated, so traditional WAFs find it harder to protect them. Many companies are becoming disappointed with the accuracy and ability of WAFs in threat identification and defense against attacks.

Looking at how existing WAF products work, the root cause is not hard to find: when facing complicated and varied Web application attacks, the rule detection engine and regular-expression matching adopted by traditional WAF products are inefficient, both in processing performance and in the way they detect and intercept attacks.

The drawbacks of traditional WAF defense engines are prominent


The traditional WAF defense system is characterized by poor performance, a high missed-detection rate and a high false positive rate.



Drawbacks of traditional rule engines


1. Full traffic processing, leading to a severe performance bottleneck on devices

As applications continue to be enriched, application layer traffic in the network keeps increasing. However, during security defense, traditional WAF devices need to perform security detection on all traffic. This full traffic detection mode is the root cause of the processing performance bottleneck of WAF devices. Full traffic detection means that a device needs to unpack, restore, and perform characteristic comparison on the traffic whether it is good or bad, which consumes a great deal of device performance.

2. Business content cannot be parsed effectively and is difficult to analyze in depth

When a hacker launches an application layer attack, a traditional WAF device first parses and restores the application traffic. For example, if the hacker attacks components such as IIS, Apache and Weblogic, the WAF device relies on its content recovery engine to parse the content of each component. Whether the WAF can tell that the attack traffic targets a given component, and whether its ability to parse and restore business content is strong enough, directly affects the detection result for application layer threats. In business content analysis, the biggest difficulty for a WAF is how to fully cover the heterogeneous components of different versions in the customer environment.

In general, the user environment contains heterogeneous components in different versions. Security vendors need to conduct continuous offensive and defensive research and drills, as well as continuous updates and iteration. However, vendors' uneven abilities in restoring business content mean that traditional WAF devices cannot ensure that the server components are fully identified and effectively restored. When a hacker launches a targeted attack, there is a risk that the rules are bypassed.

3. Web threats cannot be accurately identified, so false positive and missed-detection rates cannot be guaranteed

False positives and missed detections in WAF products are also concerns for users. The essential cause of false positives is the similarity between attack traffic and legitimate business traffic, while missed detections are caused by the camouflage of attack data, which leaves the WAF unable to identify it accurately.

In terms of technical means, the regular-expression matching adopted by current WAF devices is relatively simple, and static, fixed rules cannot cope effectively with variants of application layer threats. A characteristic detection mechanism judges on the basis of characteristics that also appear scattered through normal business statements. For example, some business statements, sentences and articles are often regarded as attack characteristics, which causes false positives; meanwhile, attack statements that use various encodings and obfuscation techniques can often disguise themselves as normal traffic and bypass the WAF's rule judgment.


Next Generation WAF Defense Engine

To make up for the deficiencies of the traditional WAF defense architecture and respond better to increasingly complex Web application attacks, the traditional WAF defense architecture must be upgraded. Building on the existing detection base of plain regular-expression matching, semantic and lexical analysis algorithms are introduced and combined with machine learning and artificial intelligence technology to give the traditional WAF in-depth security capability, so that a smarter next-generation WAF defense engine can be built.



SANGFOR NGAF - Next-generation WAF defense engine

1. Improve overall device processing efficiency with deep learning of traffic

By introducing machine learning, the device collects the characteristics of blank traffic at the traffic layer, lets legitimate traffic flow fast, and doubles the device performance.

SANGFOR's next-generation firewall adopts blank traffic filtering on the WAF engine: it performs deep learning on application-layer interactive content, establishes a deep traffic learning model on this layer, and monitors, learns and compares each web element. The whole process is completed by the self-learning capability of the device without manual intervention. The device also adjusts itself adaptively as the web traffic changes, forming the blank traffic filtering capability. Traffic that obviously deviates from the normal traffic pattern is passed to the follow-up security detection process for handling, so that legitimate traffic can flow fast. It is like an airport security inspection machine that identifies a package containing forbidden objects, after which that package is unpacked and inspected while normal packages go straight through. This greatly improves processing efficiency compared with the traditional WAF architecture, which unpacks and inspects everything in sequence.

2. Integrate business parsing and recovery capability through the business intelligence fusion engine

SANGFOR NGAF uses the business intelligence fusion engine to match the business environment intelligently, and matches its parsing and recovery capability to the dynamic characteristics of the business. It can accommodate diverse businesses at the backend, including quickly reverting business-specific content, executing security detection, and providing a comprehensive solution for various attacks. Take the following SQL injection attack statement for example:



Because IIS supports decoding of %u encoding by default, this segment of data is ultimately reverted to:



This statement may be successfully executed on the IIS server, and consequently the application server is attacked. However, the parsing engine of SANGFOR NGAF business intelligence fusion can accurately identify the obfuscation method used by the attack, and so parse, detect and intercept it. By comparison, if a traditional WAF lacks this business adaptability and fails to parse and revert the statement as the corresponding business environment would, it cannot identify the attack effectively, and the hacker may bypass the WAF to attack the business server at the backend.
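The mismatch described above, as an added example that is not Sangfor's code and does not reproduce the statement from the original page: a signature applied to the raw request misses a %u-encoded query, while the same signature applied to the backend's decoded view catches it. The sample query string, the signature and the backend profile names ("iis", "generic") are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed signature of the kind a regex-only WAF applies to request data.
SIGNATURE = re.compile(r"\bunion\b.+\bselect\b", re.IGNORECASE)
PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")

# Hypothetical backend profiles: which decoders the protected server applies.
BACKENDS = {"iis": {"pct_u": True}, "generic": {"pct_u": False}}

def normalize(value, backend):
    """Return the value as the named backend would see it after decoding."""
    if BACKENDS[backend]["pct_u"]:
        # %uXXXX -> the UTF-16 code unit it names. Doing this first means a
        # %u-encoded '%' is decoded again below; for detection, over-decoding
        # is the safer error.
        value = PCT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
    # Standard %XX and '+' decoding; invalid escapes such as a leftover
    # "%u0075" are left untouched by urllib.
    return unquote_plus(value)

def inspect(raw, backend):
    """Compare matching on the raw value with matching on the backend's view."""
    seen = normalize(raw, backend)
    return {
        "raw_hit": SIGNATURE.search(raw) is not None,
        "normalized_hit": SIGNATURE.search(seen) is not None,
        "backend_view": seen,
    }

# Constructed sample query string, not the statement from the original page.
SAMPLE = "id=1+%u0075nion+%u0073elect+name+from+users"

if __name__ == "__main__":
    for backend in BACKENDS:
        print(backend, inspect(SAMPLE, backend))
```

With the "generic" profile the value stays inert text, which is why the decoding profile has to follow the server actually being protected.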

In addition to the business intelligence fusion engine, SANGFOR NGAF has an absolute advantage in traditional technology. Based on continuous offensive and defensive research and drills in many user business environments, SANGFOR NGAF is fully aware of the characteristics and response methods of user business, thoroughly migrates the business parsing capability to the WAF, and implements deep recovery of business content.

3. Accurately identify Web threats with the threat depth detection engine

The SANGFOR NGAF threat depth detection engine integrates lexical and syntactic algorithms and fully adopts artificial intelligence to analyze threats in depth. It can provide a comprehensive solution for the complex business, business data, development approaches etc. found in real environments, and locate and process abnormalities at the first opportunity.

Behavior-based data models can be established after acquiring AI learning experience data. Target events are predicted with these data models, which gives the core security capability the characteristics of self-learning, model self-development and business self-adaptation. As shown below, SQL attacks are classified by the lexical parsing method:


SQL injection statement parsing indication


On the one hand, lots of attack sequences and legal sequences are generated with big data in the cloud, supervised learning is executed, and an attack data model is generated from many known attack samples; other unknown attack types are then predicted through these models. An AI engine built in this way may not only protect against evolving attacks, but also automatically exclude false identifications through continuous business learning after the WAF goes live.

On the other hand, supervised and unsupervised learning based on artificial intelligence technology are combined: unsupervised learning is responsible for the normal business pattern, while supervised learning detects the characteristics of attacks and generalizes the data through manual indication, so that the two complement each other and attacks in the business flow may be accurately identified.
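The idea of classifying input by its token sequence rather than by raw keywords, as an added example that is not Sangfor's engine: a parameter value is lexed into token classes and the resulting sequence is compared with attack-sequence prefixes. The keyword list, the prefixes (fixed here, where the text describes learning them from samples) and the naive regex rule are constructed assumptions, and only values spliced into a numeric SQL context are covered.

```python
import re

# Constructed keyword list and attack-sequence prefixes for illustration only.
KEYWORDS = {"select", "from", "where", "insert", "update", "delete", "drop"}
LOGIC = {"or", "and"}
ATTACK_PREFIXES = ("nUk", "n&n", "n&s", "n;k")

TOKEN_RE = re.compile(r"""
    (?P<n>\d+)                 # number
  | (?P<s>'[^']*'|"[^"]*")     # quoted string literal
  | (?P<w>[A-Za-z_]\w*)        # word: keyword, logic operator or identifier
  | (?P<o>[=<>!]+)             # comparison operator
  | (?P<p>[(),;])              # punctuation, kept as itself
""", re.VERBOSE)

# Keyword-only rule of the kind the text says misfires on business sentences.
NAIVE_RULE = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE)

def fingerprint(value):
    """Map a value to one character per token: n, s, w, o, k, U, & or punctuation."""
    out = []
    for m in TOKEN_RE.finditer(value):
        kind, text = m.lastgroup, m.group().lower()
        if kind == "w":
            kind = ("U" if text == "union" else "&" if text in LOGIC
                    else "k" if text in KEYWORDS else "w")
        elif kind == "p":
            kind = text
        out.append(kind)
    return "".join(out)

def lexical_verdict(value):
    """True when the token sequence starts like a known attack sequence."""
    return fingerprint(value).startswith(ATTACK_PREFIXES)

def regex_verdict(value):
    """True when the keyword-only regex rule matches anywhere in the value."""
    return NAIVE_RULE.search(value) is not None

if __name__ == "__main__":
    for sample in ("1 UNION SELECT name, pass FROM users",   # constructed
                   "1 OR 1=1",                                # constructed
                   "Please select a product from the list"):  # constructed
        print(sample, fingerprint(sample),
              regex_verdict(sample), lexical_verdict(sample))
```

The business sentence trips the keyword regex but not the token-sequence check, which is the false positive case the article attributes to characteristic matching.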

Based on a security concept of facing the future and effective protection, SANGFOR NGAF adopts the next-generation WAF defense engine, which can provide user business with effective defense capability in comparison with the traditional WAF defense method.


COPYRIGHT © 2000-2018 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.