Article Id 248953

This article explains the Machine Learning enhancement feature that was released in the FortiWeb Cloud 23.1 software release.

Scope: FortiWeb VM, FortiWeb Cloud 23.1 and above.

Machine Learning:


Machine Learning (ML) is the process of training a machine/computer to perform a task without explicitly programming it for that task.


One example of machine learning is online shopping recommendations. When a customer purchases certain items, the shopping system learns from these choices and uses them to predict items the customer is likely to buy. The system then presents these items as recommendations, or may present items related to items currently in checkout - especially if they were frequently bought together by other customers.


The program has learned from the choices of previous purchases and has built a model to reflect additional interests.


Machine Learning can also be used to keep data safe. Security systems like Fortinet’s FortiWeb Cloud WAF-as-a-Service can look at user interactions and, with the power of Machine Learning, determine if a user’s activities are malicious or not. This article will explore the concepts.    


FortiWeb ML:


In the FortiWeb Web Application Firewall, as HTTP/HTTPS requests are made to a specific URL of a web application with unique values or parameters, the following events take place:




1) During the collecting phase, FortiWeb builds a statistical model of that URL's parameters and their values.

2) After enough samples have been collected, the mathematical model is built and the parameter is moved to the running phase. As new requests to the URL arrive, their parameter values are compared with the already trained model. If a new parameter value does not fit the model and may be a potential attack, FortiWeb flags that request as an anomaly and sends it to the second layer of ML.

3) For the second layer of ML, FortiWeb uses thousands of previously trained threat models from FortiGuard Labs. The flagged anomaly is compared with the threat models and, based on the outcome, the request is blocked if it is a real attack or ignored if it is a benign anomaly.


To demonstrate the enhanced ML feature, consider an OWASP Juice Shop application running on AWS and protected by FortiWeb. Juice Shop resembles a real-world retail app: it lists various items for sale and exposes a search parameter that filters the results.




Upon right-clicking and inspecting the web page, the REST call made to the backend application can be seen, together with the URI path and parameter (/rest/products/search?q=).




FortiWeb, when receiving unique requests to this URL from different IP addresses and with different search combinations, will build a mathematical model specific to the URL. When the parameter is initially learned, these ML events can be seen in the overview section. The image below shows that FortiWeb transitioned the parameter from 'None to Collecting' in the learning phase.




As more unique requests are being made and the samples are being collected, the progress in the tree view tab shows the learning progress of the parameter, 'q'.




With enough samples collected, the ML model changes to the 'Running' phase. The FortiWeb ML takes effect during this stage:




FortiWeb scans all of the URLs in a domain and will build anomaly detection models for all parameters attached to the URLs.


After an anomaly detection model is built, the system keeps calculating the probability of new samples and compares them against the model. If the probability of the new samples deviates to a large extent for a long period, the system concludes that the parameter has changed and automatically rebuilds the model from the new samples.
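The two-layer flow described in steps 1 to 3 and the rebuild rule above, as an added Python illustration (not FortiWeb's code or its real model): one per-parameter model learns the character set and value-length distribution of the search parameter during the collecting phase, flags outliers once running, rebuilds itself when new values differ for a sustained period, and hands anomalies to a second layer. The second layer is a placeholder regex, since the FortiGuard threat models are not public, and the training values are constructed.

```python
import re
from collections import deque
from statistics import mean, pstdev
class ParamModel:
    """Layer 1: statistical model of one URL parameter, e.g. 'q' on /rest/products/search."""
    def __init__(self, min_samples=30, drift_window=20):
        self.phase, self.samples, self.min_samples = "None", [], min_samples
        self.charset, self.len_mean, self.len_std = set(), 0.0, 1.0
        self.recent = deque(maxlen=drift_window)  # (value, was_anomalous), for drift detection

    def _build(self):  # Collecting -> Running: learn the character set and length distribution
        lengths = [len(s) for s in self.samples]
        self.charset = set("".join(self.samples))
        self.len_mean, self.len_std = mean(lengths), max(pstdev(lengths), 1.0)
        self.phase = "Running"

    def observe(self, value):
        """Returns 'collecting', 'normal' or 'anomaly' for one request value."""
        if self.phase != "Running":
            self.phase = "Collecting"
            self.samples.append(value)
            if len(self.samples) >= self.min_samples:
                self._build()
            return "collecting"
        # anomalous if the length is far outside the learned range or the value has unseen characters
        anomalous = abs(len(value) - self.len_mean) / self.len_std > 3.0 or not set(value) <= self.charset
        self.recent.append((value, anomalous))
        if len(self.recent) == self.recent.maxlen and sum(a for _, a in self.recent) > len(self.recent) // 2:
            # values have differed from the model for a sustained period: rebuild from the new samples
            self.samples = [v for v, _ in self.recent]
            self.recent.clear()
            self._build()
        return "anomaly" if anomalous else "normal"

# Layer 2 stand-in (FortiGuard threat models are not public): quote + comment marker or SQL keyword,
# as in the article's '))-- payload, counts as a real attack; any other anomaly is benign.
SQLI_HINT = re.compile(r"""['"].*(--|#|;|\bunion\b|\bselect\b)""", re.IGNORECASE)

def inspect(model, value):
    if model.observe(value) != "anomaly":
        return "allow"
    return "block" if SQLI_HINT.search(value) else "allow (benign anomaly)"

# constructed benign search traffic for the collecting phase (30 samples)
TRAINING = ["apple", "juice", "orange", "banana", "lemon", "melon",
            "green tea", "apple juice", "carrot", "grape"] * 3

def trained_model(extra=()):  # collect TRAINING, then observe any extra values (drift demo)
    model = ParamModel()
    for value in list(TRAINING) + list(extra):
        model.observe(value)
    return model
```

With the trained model, "mango" is allowed, the "'))--" payload is flagged as an anomaly and blocked by the second layer, and an unusually long but harmless search is allowed as a benign anomaly; twenty consecutive "sku-NNNN" values trigger a rebuild so that such values become normal.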






As an example, this article shows what happens when a zero-day-style attack payload is submitted and demonstrates how ML anomaly detection intercepts this kind of attack.


In this example, the simple SQL injection payload '))-- was used. This payload can be modified into a zero-day payload by appending SQL statements such as UNION or SELECT or other SQL commands. The payload was submitted in a simple search request to the Juice Shop. The result was a 403 blocked page:



In the attack logs, FortiWeb ML can be seen blocking this request and marking the payload as SQL injection after comparing it with the previously trained FortiGuard Threat Analytics model. Threat models are pre-trained ML models built by analyzing thousands of attack samples. For any newly released attacks, the FortiGuard team analyzes them and updates the ML threat models.




As shown above, the FortiWeb ML model, in addition to FortiGuard signatures, helps to protect web applications from zero-day and sophisticated attacks. As developers make code changes, the ML feature adds a further layer of security alongside FortiGuard signatures: it re-learns the already existing parameters as their values change and learns new parameters introduced by code changes. To learn more, see this blog article that shows how FortiWeb’s ML protects against zero-day JSON attacks.


To obtain a free trial of FortiWeb Cloud, sign up through one of Fortinet's cloud marketplace options.