Generative Pre-trained Transformer-Based Reinforcement Learning for Testing Web Application Firewalls

Web Application Firewalls (WAFs) are widely deployed to protect key web applications against multiple security threats, so it is important to test WAFs regularly to prevent attackers from bypassing them easily. Machine-learning-based black-box WAF testing is gaining more attention, though existing l...

Detailed description

Bibliographic details
Published in: IEEE transactions on dependable and secure computing 2024-01, Vol.21 (1), p.1-15
Main authors: Liang, Hongliang, Li, Xiangyu, Xiao, Da, Liu, Jie, Zhou, Yanjie, Wang, Aibo, Li, Jin
Format: Article
Language: eng
Subjects:
container_end_page 15
container_issue 1
container_start_page 1
container_title IEEE transactions on dependable and secure computing
container_volume 21
creator Liang, Hongliang
Li, Xiangyu
Xiao, Da
Liu, Jie
Zhou, Yanjie
Wang, Aibo
Li, Jin
description Web Application Firewalls (WAFs) are widely deployed to protect key web applications against multiple security threats, so it is important to test WAFs regularly to prevent attackers from bypassing them easily. Machine-learning-based black-box WAF testing is gaining more attention, though existing learning-based approaches have strict requirements on the source and scale of payload data and suffer from the local optimum problem, limiting their effectiveness and practical application. We propose GPTFuzzer, a practical and effective generation-based approach to test WAFs by generating attack payloads token-by-token. Specifically, we fine-tune a Generative Pre-trained Transformer language model with reinforcement learning to make GPTFuzzer have the least restrictions on payload data and thus more applicable in practice, and we use reward modeling and KL-divergence penalty to improve the effectiveness of our approach and mitigate the local optimum issue. We implement GPTFuzzer and evaluate it on two well-known open-source WAFs against three kinds of common attacks. Experimental results show that GPTFuzzer significantly outperforms state-of-the-art approaches, i.e. ML-Driven and RAT, finding up to 7.8× (3.2× on average) more bypassing payloads within 1,250,000 requests, or finding out all bypassing payloads using up to 8.1× (3.3× on average) fewer requests.
doi_str_mv 10.1109/TDSC.2023.3252523
format Article
fulltext fulltext_linktorsrc
identifier ISSN: 1545-5971
ispartof IEEE transactions on dependable and secure computing, 2024-01, Vol.21 (1), p.1-15
issn 1545-5971
1941-0018
language eng
recordid cdi_proquest_journals_2915735071
source IEEE Electronic Library (IEL)
subjects Adaptation models
Applications programs
black-box testing
Data models
Effectiveness
Firewalls
Grammar
Machine learning
Payloads
Reinforcement learning
Security
Testing
Transformer
Web Application Firewall
title Generative Pre-trained Transformer-Based Reinforcement Learning for Testing Web Application Firewalls