Abstract
Web applications are exposed to many threats and, despite the best
defensive efforts, are often successfully attacked. Reverting the
effects of an attack on the state of such an application requires
profound knowledge of the application, to understand what data the
attack corrupted. Furthermore, it requires knowing what steps are
needed to revert the effects without modifying legitimate data created
by legitimate users. Existing intrusion recovery systems are capable of
reverting the effects of the attack, but they require modifications to
the source code of the application, which may be impractical. We present
Sanare, a pluggable intrusion recovery system designed for web
applications that use different data storage systems to keep their
state. Sanare does not require any modification to the source code of
the application or the web server. Instead, it uses Matchare, a new deep
learning scheme we introduce to learn the matches between the HTTP
requests and the database statements, file system operations and web
service requests that those HTTP requests caused. We evaluated Sanare
with three open source web applications: WordPress, GitLab and ownCloud.
In our experiments, Matchare achieved precision and recall higher than
97.5%.