Improving Web Protection in Virtual Networks with Automatic WAF Configuration / Bringhenti, Daniele; Pizzato, Francesco; Valenza, Fulvio. - ELECTRONIC. - (In press). (2026 IEEE 12th International Conference on Network Softwarization (NetSoft), Berlin (DE), 29 June - 3 July 2026).
Improving Web Protection in Virtual Networks with Automatic WAF Configuration
Daniele Bringhenti; Francesco Pizzato; Fulvio Valenza
In press
Abstract
The higher complexity introduced by virtualization in computer networks has made web-based threats more impactful, due to a larger attack surface and increased function heterogeneity. The traditional manual approaches for the configuration of Web Application Firewalls are no longer feasible in this environment, as they would be excessively time-consuming, error-prone, and unoptimized. Although configuration automation may represent a solution to the problem, it has been investigated in the literature only for other firewall types, mainly packet filters. To fill this gap, this paper proposes a novel configuration approach for distributed Web Application Firewalls, which combines security automation, formal verification, and optimization by leveraging policy-based management and formulating the problem as a Maximum Satisfiability Modulo Theories instance. This approach can automatically establish filtering rules either defined over specific HTTP attributes or based on the OWASP Core Rule Set, thus providing high expressiveness and effectiveness in mitigating different threats. The scalability validation conducted on the framework developed to implement this method showed that it can solve large configuration problems in a few seconds.

| File | Access | Type | License | Size | Format |
|---|---|---|---|---|---|
| NetSoft2026_AcceptedManuscript.pdf | Open access | 2. Post-print / Author's Accepted Manuscript | Public - All rights reserved | 744.56 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/3010477
