If you want to cite us, please use the following (BibTeX) reference:
@InProceedings{10.1007/978-3-031-76459-2_3,
author="Scano, Christian
and Floris, Giuseppe
and Montaruli, Biagio
and Demetrio, Luca
and Valenza, Andrea
and Compagna, Luca
and Ariu, Davide
and Piras, Luca
and Balzarotti, Davide
and Biggio, Battista",
editor="Mehmood, Rashid
and Hern{\'a}ndez, Guillermo
and Pra{\c{c}}a, Isabel
and Wikarek, Jaroslaw
and Loukanova, Roussanka
and Monteiro dos Reis, Ars{\'e}nio
and Skarmeta, Antonio
and Lombardi, Eleonora",
title="ModSec-Learn: Boosting ModSecurity with Machine Learning",
booktitle="Distributed Computing and Artificial Intelligence, Special Sessions I, 21st International Conference",
year="2025",
publisher="Springer Nature Switzerland",
address="Cham",
pages="23--33",
isbn="978-3-031-76459-2"
}
- Compile and install ModSecurity v3.0.10
- Install pymodsecurity
- Clone the OWASP CoreRuleSet
- Run experiments
First of all, you will need to install ModSecurity v3.0.10 on your system. Currently, this is a tricky process, since you will need to build ModSecurity v3.0.10 from source (although some distros might have an updated registry with ModSecurity 3.0.10 already available).
In modsec-learn, ModSecurity methods are implemented via pymodsecurity. Since development on the official repository stopped at ModSecurity v3.0.3, the current workaround is to clone this fork and build it from source.
To detect incoming payloads, you need a Rule Set. The de facto standard is the OWASP CoreRuleSet, but of course, you can choose any Rule Set you want, or customize the OWASP CRS.
To run the recommended settings, just clone the OWASP CRS in the project folder:
git clone --branch v4.0.0 git@github.com:coreruleset/coreruleset.git
All experiments can be executed using the Python scripts within the scripts folder. The scripts must be executed from the project's root.
python3 scripts/run_experiments.py