Screening HTTP traffic can be something really tricky and attacks to applications are becoming increasingly complex day by day. By analyzing thousands upon thousands of infections, we noticed that regular blacklisting is increasingly failing so we started research on a new approach to mitigate the problem. We started with reverse engineering the most popular CMS applications such as Joomla, vBulletin and WordPress, which led to us to creating a way to detect attackers based on whitelist protection in combination with behavior analysis. Integrating traffic analysis with log correlation has resulted in more than 2500 websites now being protected, generating 2 to 3 million alerts daily with a low false positive rate. In this presentation we will share some of our research, our results and how we have maintained WAF (Web Application Firewall) using very low CPU processes and high detection rates.
October 21, 2014 | Tech 3 (801b) | 13:25 – 14:25