Intelligent WAF Rules with Machine Learning
Intelligent WAF Rules with Machine Learning
Some modern WAFs supplement static signature rules with a machine-learning classifier for adaptive protection. The example below checks a short list of high-risk patterns first (cheap and explainable) and only then falls back to a model score with block/monitor thresholds:
# Custom WAF logic with ML-based detection
import re
from urllib.parse import unquote_plus

import joblib
import numpy as np
from sklearn.feature_extraction.text import TfidfVectorizer
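class IntelligentWAF:
    """Hybrid SQL-injection detector: static regex rules plus a trained classifier.

    ``analyze_request`` returns a verdict dict that always carries ``block``
    (bool) and ``confidence`` (float).  Static rules are evaluated first and
    block with confidence 1.0; otherwise the pre-trained model scores the
    request and ``BLOCK_THRESHOLD`` / ``MONITOR_THRESHOLD`` decide the outcome.
    """

    # Model probability above which the request is blocked outright.
    BLOCK_THRESHOLD = 0.85
    # Model probability above which the request is allowed but flagged.
    MONITOR_THRESHOLD = 0.6

    def __init__(self, model_path='sql_injection_detector.pkl',
                 vectorizer_path='tfidf_vectorizer.pkl'):
        """Load the pre-trained model and vectorizer and set up the static rules.

        Args:
            model_path: joblib file holding a classifier exposing ``predict_proba``.
            vectorizer_path: joblib file holding the fitted text vectorizer.

        SECURITY: joblib.load() is pickle underneath, and unpickling executes
        arbitrary code embedded in the file.  Only load artifacts from a trusted,
        integrity-checked location (e.g. verify a pinned SHA-256 before loading);
        a tampered model file is code execution inside the WAF process.
        """
        self.model = joblib.load(model_path)
        self.vectorizer = joblib.load(vectorizer_path)
        # Static rules for immediate blocking, applied case-insensitively to both
        # the raw and the URL-decoded request text.  NOTE: ``1\s*=\s*1`` and
        # ``OR\s+1\s*=\s*1`` are plain substring matches and also fire on benign
        # input such as ``?v1=1``; review the false-positive rate before running
        # these in blocking mode.
        self.high_risk_patterns = [
            r"UNION\s+SELECT",
            r"SELECT\s+.*\s+FROM\s+information_schema",
            r"(?:exec|execute)\s*\(",
            r"';.*?--",
            r"1\s*=\s*1",
            r"OR\s+1\s*=\s*1"
        ]

    @staticmethod
    def _as_text(value):
        """Coerce one request field to ``str``: None -> '', bytes decoded leniently.

        A GET request commonly has ``body=None`` and raw bodies may arrive as
        bytes; the original ``' '.join`` raised TypeError on both.
        """
        if value is None:
            return ''
        if isinstance(value, bytes):
            return value.decode('utf-8', errors='replace')
        return str(value)

    def _request_text(self, request_data):
        """Flatten the request into a single searchable string.

        Path, query string, body and header values are concatenated; the
        URL-decoded form of that text is appended so percent-encoded payloads
        (``UNION%20SELECT``, ``%27%3B``) are matched as well as literal ones.
        Decoding happens once -- double-encoded payloads are not unwrapped here,
        so a production deployment should normalise iteratively with a bound.
        """
        headers = request_data.get('headers') or {}
        raw = ' '.join([
            self._as_text(request_data.get('path')),
            self._as_text(request_data.get('query_string')),
            self._as_text(request_data.get('body')),
            ' '.join(self._as_text(v) for v in headers.values()),
        ])
        return raw + ' ' + unquote_plus(raw)

    def analyze_request(self, request_data):
        """Score one request and return a verdict dict.

        Args:
            request_data: mapping with optional ``path``, ``query_string``,
                ``body`` (str or bytes) and ``headers`` (mapping of header name
                to value) keys.  Missing or ``None`` fields are treated as empty.

        Returns:
            A dict with ``block`` and ``confidence``; static hits add ``reason``
            and the matching ``pattern``, ML blocks add ``reason`` and
            ``recommendation``, and grey-zone scores add ``monitor`` and ``reason``.
        """
        full_text = self._request_text(request_data)

        # Static rules first: cheap, explainable, and they short-circuit the model.
        # The ``.*`` patterns backtrack on large bodies; keep an upstream request
        # size limit in place rather than truncating here (truncation is a bypass).
        for pattern in self.high_risk_patterns:
            if re.search(pattern, full_text, re.IGNORECASE):
                return {
                    'block': True,
                    'reason': 'High-risk SQL injection pattern detected',
                    'confidence': 1.0,
                    'pattern': pattern
                }

        # ML-based detection for payloads the static rules miss.  The
        # predict_proba row is ordered by the model's class labels, so index 1
        # is only "injection" if the model was trained with label 1 == attack;
        # check ``model.classes_`` whenever the artifact is swapped.
        features = self.vectorizer.transform([full_text])
        prediction = self.model.predict_proba(features)[0]
        sql_injection_probability = float(prediction[1])

        if sql_injection_probability > self.BLOCK_THRESHOLD:
            return {
                'block': True,
                'reason': 'ML model detected potential SQL injection',
                'confidence': sql_injection_probability,
                'recommendation': 'Manual review recommended'
            }
        if sql_injection_probability > self.MONITOR_THRESHOLD:
            return {
                'block': False,
                'monitor': True,
                'reason': 'Suspicious pattern detected',
                'confidence': sql_injection_probability
            }
        return {
            'block': False,
            'confidence': sql_injection_probability
        }

    def update_model(self, false_positives, false_negatives):
        """Retrain the model with reviewed feedback to reduce FP/FN rates.

        Not implemented in this listing; the call is a deliberate no-op.

        SECURITY: this feedback loop is a model-poisoning vector.  Labels must
        come from vetted analysts, never directly from client-supplied signals
        (e.g. "report false positive" buttons), or an attacker can train the
        detector to accept their payloads.
        """
        pass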