Global AppSec Tel Aviv 2019

Word2Vec is a popular Natural Language Processing approach, which was imported by different domains (as Something2Vec), embedding domain objects in Euclidean spaces for similarity/distance calculation, clustering, visualization and more.
We will present our research on importing the Word2Vec to Web Application Security. Looking at malicious web requests as words and at their sequences as sentences, we applied a variant of Word2Vec to embed web attack vectors in an Euclidean space and to analyze their contextual relations. This embedding allows identification of attack vectors that tend to come together, either of the same attack category, like different SQL Injection attempts, or from “adjacent” attack types like File Upload and Backdoor Communication.
We will discuss practical applications of this research, like modeling web scanning tools and popular attack flows, assessment of accuracy and effectiveness of security rules, isolation of attacks belonging to the same campaign and telling targeted attacks from web scans