US-20260129024-A1 - Intelligent Dynamic Security Profiles for Web Application Firewalls
Abstract
Systems and methods for intelligent dynamic security profiles for Web Application Firewalls (WAFs) include receiving raw data related to operation of a plurality of Web Application Firewall (WAF) agents, wherein the plurality of WAF agents are distributed across multiple tenants globally over the Internet; normalizing and sanitizing the raw data; analyzing the normalized and sanitized data with a machine learning algorithm to determine prioritization of rules in a given WAF agent based on the raw data and an objective; and providing a security profile to the given WAF agent where the security profile includes a selection of the rules based on the prioritization and the objective.
Inventors
- Juan C. Gomez
Assignees
- ZSCALER, INC.
Dates
- Publication Date
- 20260507
- Application Date
- 20241107
Claims (20)
- 1. A method comprising steps of: receiving raw data related to operation of a plurality of Web Application Firewall (WAF) agents, wherein the plurality of WAF agents are distributed across multiple tenants globally over the Internet; normalizing and sanitizing the raw data; analyzing the normalized and sanitized data with a machine learning algorithm to determine prioritization of rules in a given WAF agent based on the raw data and an objective; and providing a security profile to the given WAF agent where the security profile includes a selection of the rules based on the prioritization and the objective.
- 2. The method of claim 1, wherein the objective is to maximize threat detection and minimize latency and compute resources.
- 3. The method of claim 1, wherein the raw data includes specific rule hits over a time period, additional latency and compute power for application of a given rule, geographic location of specific rule hits over the time period, number of recent threats blocked or detected by a given rule, and quantification of threat impact of each rule.
- 4. The method of claim 1, wherein the raw data includes geographic location of specific rule hits over a time period, and wherein the prioritization is based on a geographic location of the given WAF agent.
- 5. The method of claim 1, wherein the machine learning algorithm is trained to perform the prioritization based on the objective.
- 6. The method of claim 1, wherein the machine learning algorithm uses one of a Random Forest, Gradient Boosting Machines, K-Means Clustering, Reinforcement Learning, and Neural Networks.
- 7. The method of claim 1, wherein the objective includes one or more of location, latency, and usage.
- 8. The method of claim 1, wherein the plurality of WAF agents include a set having statically configured security profiles for generating corresponding raw WAF data for use in the analyzing.
- 9. The method of claim 1, wherein the plurality of WAF agents include a set having security profiles for allowing all traffic for generating corresponding raw WAF data for use in evaluating effectiveness of various rules.
- 10. A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors to perform steps of: receiving raw data related to operation of a plurality of Web Application Firewall (WAF) agents, wherein the plurality of WAF agents are distributed across multiple tenants globally over the Internet; normalizing and sanitizing the raw data; analyzing the normalized and sanitized data with a machine learning algorithm to determine prioritization of rules in a given WAF agent based on the raw data and an objective; and providing a security profile to the given WAF agent where the security profile includes a selection of the rules based on the prioritization and the objective.
- 11. The non-transitory computer-readable medium of claim 10, wherein the objective is to maximize threat detection and minimize latency and compute resources.
- 12. The non-transitory computer-readable medium of claim 10, wherein the raw data includes specific rule hits over a time period, additional latency and compute power for application of a given rule, geographic location of specific rule hits over the time period, number of recent threats blocked or detected by a given rule, and quantification of threat impact of each rule.
- 13. The non-transitory computer-readable medium of claim 10, wherein the raw data includes geographic location of specific rule hits over a time period, and wherein the prioritization is based on a geographic location of the given WAF agent.
- 14. The non-transitory computer-readable medium of claim 10, wherein the machine learning algorithm is trained to perform the prioritization based on the objective.
- 15. The non-transitory computer-readable medium of claim 10, wherein the machine learning algorithm uses one of a Random Forest, Gradient Boosting Machines, K-Means Clustering, Reinforcement Learning, and Neural Networks.
- 16. The non-transitory computer-readable medium of claim 10, wherein the objective includes one or more of location, latency, and usage.
- 17. The non-transitory computer-readable medium of claim 10, wherein the plurality of WAF agents include a set having statically configured security profiles for generating corresponding raw WAF data for use in the analyzing.
- 18. The non-transitory computer-readable medium of claim 10, wherein the plurality of WAF agents include a set having security profiles for allowing all traffic for generating corresponding raw WAF data for use in evaluating effectiveness of various rules.
- 19. A Web Application Firewall (WAF) security profile generation system comprising circuitry configured to: receive raw data related to operation of a plurality of WAF agents, wherein the plurality of WAF agents are distributed across multiple tenants globally over the Internet; normalize and sanitize the raw data; analyze the normalized and sanitized data with a machine learning algorithm to determine prioritization of rules in a given WAF agent based on the raw data and an objective; and provide a security profile to the given WAF agent where the security profile includes a selection of the rules based on the prioritization and the objective.
- 20. The WAF security profile generation system of claim 19, wherein the raw data includes specific rule hits over a time period, additional latency and compute power for application of a given rule, geographic location of specific rule hits over the time period, number of recent threats blocked or detected by a given rule, and quantification of threat impact of each rule.
Description
FIELD OF THE DISCLOSURE
The present disclosure generally relates to network and cloud security. More particularly, the present disclosure relates to systems and methods for intelligent dynamic security profiles for Web Application Firewalls (WAFs).
BACKGROUND OF THE DISCLOSURE
A Web Application Firewall (WAF) is a security system that protects web applications by monitoring and filtering Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS) traffic to prevent attacks like Structured Query Language (SQL) injection and cross-site scripting. Operating at the application layer (Layer 7), WAFs can be deployed in network-based, host-based, or cloud-based configurations. While essential for web security, WAFs face challenges such as false positives and negatives, performance impacts, complex rule management, and susceptibility to advanced evasion techniques and zero-day vulnerabilities. Additionally, inspecting encrypted traffic can complicate deployment and raise privacy concerns. To be effective, WAFs require careful configuration, regular updates, and integration with other security measures. Traditionally, WAF solutions use static security profiles that apply pattern-matching rules to web traffic for protection. While adding more rules increases security, it also requires more resources and causes higher inspection delays. Optimizing a security profile to balance maximum protection with minimal resource use and latency is a complex problem, and the ideal profile changes daily.
BRIEF SUMMARY OF THE DISCLOSURE
The present disclosure relates to systems and methods for intelligent dynamic security profiles for Web Application Firewalls (WAFs). The intelligent dynamic security profiles are determined by a machine learning process that leverages global data generated by WAF agents distributed across a large number of tenants and distributed globally over the Internet.
As such, the intelligent dynamic security profiles are improved compared to statically configured policies. They may be considered optimized, based on the current global data and the associated risks on the Internet, for minimal resources, minimal latency, and maximal threat detection in terms of WAF agent processing. Cybersecurity is always a trade-off between user experience and threat detection—it is possible to detect almost every threat, but the latency and compute resources lead to poor user experience. Conversely, minimizing the processing improves latency and user experience, but leads to missed threats. The approach described herein removes user configuration from determining the ideal security profiles and leverages real-world data to automatically configure such policies given the current state of threats. In various embodiments, the present disclosure includes a method having steps, a processing device configured to implement the steps, a cloud-based system configured to implement the steps, and a non-transitory computer-readable medium storing instructions for programming one or more processors to execute the steps. The steps include receiving raw data related to operation of a plurality of Web Application Firewall (WAF) agents, wherein the plurality of WAF agents are distributed across multiple tenants globally over the Internet; normalizing and sanitizing the raw data; analyzing the normalized and sanitized data with a machine learning algorithm to determine prioritization of rules in a given WAF agent based on the raw data and an objective; and providing a security profile to the given WAF agent where the security profile includes a selection of the rules based on the prioritization and the objective.
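An added illustration of the prioritization and profile-selection steps, not code from the patent or from Zscaler: a transparent weighted score stands in for the trained model, run over constructed per-rule telemetry of the kinds listed in claim 3 (latency, compute, threats blocked, impact and regional share of hits) to rank rules for an agent in a given region (claim 4) and keep the best of them within a latency budget (claim 2's objective). Rule ids, numbers, weights and the 0.2 regional floor are assumptions chosen for the example.

```python
"""Rule prioritization stand-in for the patent's ML step (added example):
weighted score over normalized per-rule telemetry, then greedy selection
under a latency budget. All rule ids and telemetry are constructed."""
from dataclasses import dataclass

@dataclass
class RuleStats:
    rule_id: str        # hypothetical rule identifier
    latency_ms: float   # added inspection latency per request
    cpu_cost: float     # relative compute cost per request
    blocked: int        # recent threats blocked or detected by the rule
    impact: float       # quantified threat impact, 0..10
    regions: dict       # region -> share of the rule's hits, e.g. {"EU": 0.7}

# Constructed telemetry aggregated across many agents (not real data).
TELEMETRY = [
    RuleStats("sqli-union", 0.30, 0.20, 410, 9.0, {"EU": 0.6, "US": 0.4}),
    RuleStats("xss-reflected", 0.25, 0.15, 260, 7.0, {"EU": 0.5, "US": 0.5}),
    RuleStats("legacy-cgi", 0.90, 0.80, 0, 3.0, {"APAC": 1.0}),
    RuleStats("path-traversal", 0.10, 0.10, 95, 8.0, {"US": 0.9, "EU": 0.1}),
    RuleStats("bad-bots", 1.50, 1.20, 150, 4.0, {"US": 0.7, "EU": 0.3}),
]

def normalize(values):
    """Min-max normalize to [0, 1]; a constant column maps to all zeros."""
    lo, hi = min(values), max(values)
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in values]

def prioritize(stats, agent_region, w_detect=1.0, w_cost=1.0):
    """Rank rules by detection value minus resource cost; detection value is
    scaled by how much of the rule's activity falls in the agent's region."""
    blocked = normalize([s.blocked for s in stats])
    impact = normalize([s.impact for s in stats])
    latency = normalize([s.latency_ms for s in stats])
    cpu = normalize([s.cpu_cost for s in stats])
    scored = []
    for i, s in enumerate(stats):
        geo = 0.2 + 0.8 * s.regions.get(agent_region, 0.0)  # floor keeps global rules in play
        detect = geo * (0.5 * blocked[i] + 0.5 * impact[i])
        cost = 0.5 * latency[i] + 0.5 * cpu[i]
        scored.append((w_detect * detect - w_cost * cost, s))
    return sorted(scored, key=lambda t: t[0], reverse=True)

def build_profile(stats, agent_region, latency_budget_ms):
    """Keep top-ranked rules with positive score while total added latency fits the budget."""
    chosen, spent = [], 0.0
    for score, s in prioritize(stats, agent_region):
        if score <= 0 or spent + s.latency_ms > latency_budget_ms:
            continue
        chosen.append(s.rule_id)
        spent += s.latency_ms
    return chosen
```

With these inputs the same telemetry yields a different top rule for an EU agent than for a US agent, and tightening the budget drops the costlier of the positively scored rules rather than the most valuable one.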
BRIEF DESCRIPTION OF THE DRAWINGS
The present disclosure is illustrated and described herein with reference to the various drawings, in which like reference numbers are used to denote like system components/method steps, as appropriate, and in which: FIG. 1 illustrates a network diagram of three example network configurations of cybersecurity monitoring and protection of a user. FIG. 2 illustrates a logical diagram of the cloud operating as a zero-trust platform. FIG. 3 illustrates a block diagram of a server. FIG. 4 illustrates a block diagram of a computing device. FIG. 5 illustrates a network diagram of a network including a plurality of WAF agents communicatively coupled to a WAF security profile generation system. FIGS. 6-11 are screenshots associated with a centralized WAF management platform for configuring WAF security profiles for the WAF agents. FIG. 12 illustrates a flowchart of a process for intelligent dynamic security profiles for Web Application Firewalls.
DETAILED DESCRIPTION OF THE DISCLOSURE
Again, the present disclosure relates to systems and methods for intelligent dynamic security profiles for Web Application Firewalls (WAFs) that are continuously generated and updated using machine learning and artificial intelligence techniques. As such, WAF agents, whether network-based, host-based, or cloud-based,