“Ouroboros”: an automated WAF security testing framework based on symbol-enhanced networks and deep reinforcement learning
Pengcheng LU1, 2, Xiaofeng ZHONG1, 2, Jie CHEN1, 2, Wenbo XU1, 2, Yongjie WANG1, 2
Information Countermeasure Technology | 2025, 4(5) : 66 - 76
Research Articles
Affiliations
  • 1College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
  • 2Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China
doi: 10.12399/j.issn.2097-163x.2025.05.005

Web application firewalls (WAFs) are critical defensive mechanisms against persistent threats, yet their security assessment has long been challenging. Traditional manual testing methods are inefficient and resource-intensive, while existing reinforcement learning (RL) based methods suffer from two major limitations. First, attackers cannot perceive the opaque rule logic of a WAF, leading to low efficiency in black-box testing. Second, the Boolean feedback of a WAF causes the problem of sparse/delayed rewards: sparse rewards tend to trap intelligent agents in blind exploration, and delayed rewards hinder the association between early actions and final outcomes, seriously impairing learning efficiency. To break through these bottlenecks, this study proposed, for the first time, “Ouroboros”, a black-box WAF testing framework. Its core lies in converting the extracted WAF rules into an interpretable recurrent neural network (RNN) to provide fine-grained confidence scores, and integrating these scores with outcome-level rewards to drive RL-based testing. Experiments show that this framework can achieve a maximum bypass success rate of 89.2% on feature-based WAF. This not only alleviates the sparse reward problem and provides an efficient black-box testing solution, but also offers important references for optimizing WAF rules.

deep reinforcement learning  /  regular expression  /  SQL injection  /  WAF security testing
Pengcheng LU, Xiaofeng ZHONG, Jie CHEN, Wenbo XU, Yongjie WANG. “Ouroboros”: an automated WAF security testing framework based on symbol-enhanced networks and deep reinforcement learning[J]. Information Countermeasure Technology, 2025, 4(5): 66-76. DOI: 10.12399/j.issn.2097-163x.2025.05.005
  • Receive Date: 2025-07-11
  • Revised: 2025-08-20
  • Online Date: 2026-04-23