A Machine Learning-Driven Evolutionary Approach for Testing Web Application Firewalls

Dennis Appelt, Cu D. Nguyen, Annibale Panichella, Lionel G. Briand

Research output: Contribution to journalArticleScientificpeer-review

38 Citations (Scopus)


Web application firewalls (WAF) are an essential protection mechanism for online software systems. Because of the relentless flow of new kinds of attacks as well as their increased sophistication, WAFs have to be updated and tested regularly to prevent attackers from easily circumventing them. In this paper, we focus on testing WAFs for SQL injection attacks, but the general principles and strategy we propose can be adapted to other contexts. We present ML-Driven, an approach based on machine learning and an evolutionary algorithm to automatically detect holes in WAFs that let SQL injection attacks bypass them. Initially, ML-Driven automatically generates a diverse set of attacks and submit them to the system being protected by the target WAF. Then, ML-Driven selects attacks that exhibit patterns (substrings) associated with bypassing the WAF and evolve them to generate new successful bypassing attacks. Machine learning is used to incrementally learn attack patterns from previously generated attacks according to their testing results, i.e., if they are blocked or bypass the WAF. We implemented ML-Driven in a tool and evaluated it on ModSecurity, a widely used open-source WAF, and a proprietary WAF protecting a financial institution. Our empirical results indicate that ML-Driven is effective and efficient at generating SQL injection attacks bypassing WAFs and identifying attack patterns.
Original languageEnglish
Pages (from-to)733-757
Number of pages25
JournalIEEE Transactions on Reliability
Issue number3
Publication statusPublished - 2018
Externally publishedYes


  • Software Security Testing
  • SQL Injection
  • Web Application Firewall
  • Evolutionary Algorithms
  • Machine Learning


Dive into the research topics of 'A Machine Learning-Driven Evolutionary Approach for Testing Web Application Firewalls'. Together they form a unique fingerprint.

Cite this