BACAD: AI-based framework for detecting vertical broken access control attacks
Ahmed Anas, Ayman A. Alhelbawy, Salwa El Gamal, Basheer Youssef
Egyptian Informatics Journal, Volume 28, Article 100571 (Journal Article, published 2024-11-10)
DOI: 10.1016/j.eij.2024.100571
URL: https://www.sciencedirect.com/science/article/pii/S1110866524001348
JCR: Q1, Computer Science, Artificial Intelligence
Citations: 0
Abstract
Vertical Broken Access Control (VBAC) vulnerability is one of the most commonly identified issues in web applications, posing significant risks. Consequently, addressing this pervasive threat is crucial for ensuring system confidentiality and integrity. Broken access control attack detector (BACAD) is a novel framework that leverages advanced AI techniques to neutralize VBAC exploits and attacks in real time using a dynamic and practical technique. The detection process consists of two steps. The first step is user role classification using an advanced artificial intelligence (AI) model created in a learning phase. The learning phase includes BACAD initial configuration and application user role traffic generation used for AI model training. The AI model at the core of BACAD analyzes web requests and responses utilizing robust feature extraction and dynamic hyperparameter tuning to ensure optimal performance across diverse scenarios. The second step is the decision step, which determines whether the incoming request–response pair is benign or an attack by validating it against the BACAD session information set. The evaluation against a spectrum of real-world and demonstration web applications highlights remarkable efficiency in detecting VBAC exploits, providing robust application protection against different sets of VBAC attacks. Furthermore, it shows that BACAD addresses the VBAC problem by presenting an applicable, dynamic, flexible, and technology-independent solution to counter VBAC vulnerability risks. Thus, BACAD contributes significantly to the ongoing efforts aimed at enhancing web application security.
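The abstract only sketches the two-step flow (a role classifier trained on per-role traffic, then a decision against the session's recorded role). The following is an added illustration of that flow, not BACAD's code: the feature set (method, path segments with numeric IDs collapsed, status class, response-body words), the hand-written naive Bayes classifier, the three-level privilege ordering, the rule that only a successfully served (2xx) escalation counts as an attack, and all of the traffic are assumptions constructed for the demo.

```python
import math
import re
from collections import Counter, defaultdict

# Privilege ordering assumed for this demo; BACAD's real role model is not on the page.
ROLE_LEVEL = {"anonymous": 0, "user": 1, "admin": 2}


def extract_features(request, response):
    """Turn one request/response pair into a bag of string features:
    HTTP method, each path segment (numeric IDs collapsed to "<id>"),
    the response status class, and words from the response body.
    This feature set is an assumption for the demo, not BACAD's."""
    feats = [f"method={request['method']}", f"status={response['status'] // 100}xx"]
    for seg in request["path"].strip("/").split("/"):
        if seg:
            feats.append("seg=" + ("<id>" if seg.isdigit() else seg.lower()))
    feats += ["body=" + w for w in re.findall(r"[a-z_]+", response["body"].lower())]
    return feats


class RoleClassifier:
    """Multinomial naive Bayes with add-one smoothing: predicts which role
    a request/response pair belongs to, trained on per-role traffic."""

    def __init__(self):
        self.role_counts = Counter()
        self.feat_counts = defaultdict(Counter)
        self.vocab = set()

    def fit(self, samples):
        for request, response, role in samples:
            self.role_counts[role] += 1
            for f in extract_features(request, response):
                self.feat_counts[role][f] += 1
                self.vocab.add(f)

    def predict(self, request, response):
        feats = extract_features(request, response)
        total = sum(self.role_counts.values())
        best_role, best_score = None, -math.inf
        for role, n in self.role_counts.items():
            score = math.log(n / total)  # log prior
            denom = sum(self.feat_counts[role].values()) + len(self.vocab)
            for f in feats:  # smoothed log likelihood of each feature
                score += math.log((self.feat_counts[role][f] + 1) / denom)
            if score > best_score:
                best_role, best_score = role, score
        return best_role


def decide(classifier, session_role, request, response):
    """Decision step: an attack is a pair the classifier attributes to a role
    that outranks the role recorded for the session at login AND that the
    application served successfully (2xx). A 4xx reply means the application
    enforced the control itself, so nothing was exploited."""
    predicted = classifier.predict(request, response)
    escalated = ROLE_LEVEL[predicted] > ROLE_LEVEL[session_role]
    succeeded = 200 <= response["status"] < 300
    return {"predicted_role": predicted,
            "verdict": "attack" if escalated and succeeded else "benign"}


def req(method, path):
    return {"method": method, "path": path}


def resp(status, body):
    return {"status": status, "body": body}


def build_demo_classifier():
    """Learning phase on constructed per-role traffic (not real application data)."""
    traffic = [
        (req("GET", "/api/profile"), resp(200, "welcome back profile"), "user"),
        (req("GET", "/api/orders/42"), resp(200, "order total shipped"), "user"),
        (req("POST", "/api/orders"), resp(201, "order created"), "user"),
        (req("GET", "/admin/users"), resp(200, "user list admin panel"), "admin"),
        (req("DELETE", "/admin/users/7"), resp(200, "user deleted"), "admin"),
        (req("GET", "/admin/settings"), resp(200, "site settings admin"), "admin"),
        (req("GET", "/login"), resp(200, "login form"), "anonymous"),
        (req("POST", "/login"), resp(200, "login failed"), "anonymous"),
    ]
    clf = RoleClassifier()
    clf.fit(traffic)
    return clf


def run_demo():
    """Three constructed pairs observed in a session authenticated as 'user'."""
    clf = build_demo_classifier()
    cases = {
        "admin_page_served": (req("GET", "/admin/users/13"), resp(200, "user list admin panel")),
        "own_order": (req("GET", "/api/orders/99"), resp(200, "order total shipped")),
        "admin_page_denied": (req("GET", "/admin/users"), resp(403, "forbidden")),
    }
    return {name: decide(clf, "user", r, s) for name, (r, s) in cases.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point a practitioner should take from the decision step is that the classifier alone does not raise an alert: the same "admin" prediction yields an attack verdict for the served page and a benign verdict for the 403, and a genuine admin session visiting the same page is benign because the predicted role does not outrank the session's role.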
Journal description:
The Egyptian Informatics Journal is published by the Faculty of Computers and Artificial Intelligence, Cairo University. The Journal provides a forum for state-of-the-art research and development in the fields of computing, including computer sciences, information technologies, information systems, operations research and decision support. Submission of innovative, previously unpublished work in subjects covered by the Journal is encouraged, whether from academic, research or commercial sources.