Part 8/8: ML Based Web App Firewall : Testing the IPS in Real Time

Debasish Mandal
20 Oct 2020 08:15

Summary

TL;DR: In this video, Debasish demonstrates how to deploy and test a machine learning model for a Web Application Intrusion Prevention System (IPS) using the Pikered library. The model is integrated with a proxy server that intercepts HTTP requests in real time and analyzes each one to decide whether it is malicious. In a live test driven from Firefox, the model detects SQL injection attacks, showing that the IPS works in real time. Debasish acknowledges that feature extraction needs further refinement and promises ongoing improvements to the model's precision and accuracy.

Takeaways

  • 😀 The video is a tutorial by Debasish on deploying a machine learning model using the Piker server library.
  • 🛡️ The model being discussed is an Intrusion Prevention System (IPS) designed to detect malicious HTTP requests in real-time.
  • 💡 The process involves creating a proxy server that integrates with the machine learning model to intercept and analyze HTTP requests.
  • 🔍 The model extracts features from the HTTP requests to determine if they are 'good' or 'bad' in nature.
  • 📈 The video demonstrates using a Jupyter notebook to set up the environment and apply a K-means clustering model with two clusters.
  • 📚 It references a previous dataset saved in 'data.csv' for training the model.
  • 🌐 The testing is done using a Firefox web browser configured to send all requests through the proxy server.
  • 🔬 The model is tested against a dummy website, 'demo.testfire.net', which is a known vulnerable web application.
  • 🚀 The video shows real-time feature extraction and model execution on HTTP requests sent by the browser.
  • 🛑 The model successfully identifies some SQL injection payloads as malicious, printing 'intrusion detected'.
  • 🔄 The presenter acknowledges the need for further work on feature extraction to improve the IPS's overall quality and accuracy.
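
A minimal sketch of the detection step the takeaways describe, added here as an illustration and not taken from the video: requests are decoded, turned into features, clustered with k-means (k=2), and new requests are judged by the cluster they fall into. The feature flags, keyword list, sample requests and the "smaller cluster is malicious" rule are all assumptions constructed for this example, and a small hand-written k-means stands in for whatever library the presenter used.

```python
import math
from urllib.parse import unquote_plus

SQL_WORDS = ("select", "union", " or ", "drop ")  # assumed keyword list

def features(raw_request):
    """Assumed presence flags: quote, comment/terminator marker, SQL keyword."""
    s = unquote_plus(raw_request).lower()  # decode first so %27 and + cannot hide a payload
    return [
        float("'" in s or '"' in s),
        float(any(m in s for m in ("--", "/*", ";"))),
        float(any(w in s for w in SQL_WORDS)),
    ]

def nearest(centroids, point):
    return min(range(len(centroids)), key=lambda i: math.dist(centroids[i], point))

def kmeans2(points, iters=20):
    """Lloyd's algorithm with k=2 and a deterministic start (lowest and highest feature sums)."""
    centroids = [min(points, key=sum), max(points, key=sum)]
    for _ in range(iters):
        groups = [[], []]
        for p in points:
            groups[nearest(centroids, p)].append(p)
        centroids = [[sum(col) / len(g) for col in zip(*g)] if g else centroids[i]
                     for i, g in enumerate(groups)]
    return centroids

class Detector:
    def __init__(self, training_requests):
        points = [features(r) for r in training_requests]
        self.centroids = kmeans2(points)
        sizes = [0, 0]
        for p in points:
            sizes[nearest(self.centroids, p)] += 1
        # K-means cluster ids carry no meaning; assume the smaller cluster is the attack traffic.
        self.bad = sizes.index(min(sizes))

    def check(self, raw_request):
        hit = nearest(self.centroids, features(raw_request)) == self.bad
        return "intrusion detected" if hit else "ok"

# Constructed training traffic, standing in for the video's data.csv.
TRAIN = [
    "GET /index HTTP/1.1", "GET /login HTTP/1.1", "GET /feedback?name=anna HTTP/1.1",
    "GET /search?query=savings+account HTTP/1.1", "GET /search?query=o'brien HTTP/1.1",
    "GET /index?content=business.htm HTTP/1.1", "POST /login uid=jsmith&password=demo1234",
    "GET /search?query=' OR '1'='1' -- HTTP/1.1", "POST /login uid=admin'--&password=x",
    "GET /search?query=1' UNION SELECT null,null -- HTTP/1.1",
]
```

Because the cluster labels come only from cluster size, the verdicts are only as good as the features and the mix of training traffic, which is the limitation the presenter points to when he says feature extraction needs more work.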

Q & A

  • What is the main topic of the video?

    - The main topic of the video is deploying and testing a machine learning model for a web application intrusion prevention system (IPS) in real-time using a proxy server.

  • What library was mentioned for deploying the model in the last video?

    - The library mentioned for deploying the model in the last video is 'pikered'.

  • What is the purpose of the proxy server in this context?

    - The purpose of the proxy server in this context is to intercept HTTP requests and integrate with the machine learning model to determine whether the requests are good or bad in nature.

  • What tool is the presenter using to demonstrate the real-time feature extraction from HTTP requests?

    - The presenter is using a Jupyter notebook to demonstrate the real-time feature extraction from HTTP requests.

  • What is the method used for training the model in the script?

    - The method used for training the model is K-means clustering, with the number of clusters set to 2.

  • What is the data source for training the model mentioned in the script?

    - The data source for training the model is a dataset saved in 'data.csv'.

  • How is the Firefox web browser configured in the demonstration?

    - The Firefox web browser is configured to send all requests through the proxy server created in the Jupyter notebook.

  • What website is used for testing the IPS in the video?

    - The website used for testing the IPS is 'demo.testfire.net', a known vulnerable web application.

  • What type of payloads are used to test the IPS for detecting bad requests?

    - SQL injection payloads taken from the internet are used to test the IPS for detecting bad requests.

  • What is the presenter's plan for improving the IPS after the demonstration?

    - The presenter plans to continue working on the feature extraction from the training data and tuning the clustering model to make it more precise and accurate.

  • How does the presenter conclude the video?

    - The presenter concludes the video by asking viewers to stay subscribed for updates on the IPS development and improvement.
