Attacker group detection method based on HTTP payload analysis
Annotation
Attacks on web applications are a frequent vector of attack on information resources by attackers of various skill levels. Such attacks can be investigated through analysis of HTTP requests made by the attackers. The possibility of identifying groups of attackers based on the analysis of the payload of HTTP requests marked by IDS as attack events has been studied. The identification of groups of attackers improves the work of security analysts investigating and responding to incidents, reduces the impact of alert fatigue in the analysis of security events, and also helps in identifying attack patterns and resources of intruders. Identification of groups of attackers within the framework of the proposed method is performed based on the sequence of stages. At the first stage, requests are split into tokens by a regular expression based on the features of the HTTP protocol and attacks that are often encountered and detected by intrusion detection systems. Then the tokens are weighted using the TF-IDF method, which allows to further give a greater contribution when comparing requests to the coincidence of rare words. At the next stage the main core of requests is separated based on their distance from the origin. Thus, requests not containing rare words, the coincidence of which allows us to talk about the connectedness of events, are separated. Manhattan distance is used to determine the distance. Finally, clustering is carried out using the DBSCAN method. It is shown that HTTP request payload data can be used to identify groups of attackers. An efficient method of tokenization, weighting and clustering of the considered data is proposed. The use of the DBSCAN method for clustering within the framework of the method is proposed. The homogeneity, completeness and V-measure of clustering obtained by various methods on the CPTC-2018 dataset were evaluated. The proposed method allows obtaining a clustering of events with high homogeneity and sufficient completeness. It is proposed to combine the resulting clustering with clusters obtained by other methods with high clustering homogeneity to obtain a high completeness metric and V-measure while maintaining high homogeneity. The proposed method can be used in the work of security analysts in SOC, CERT and CSIRT, both in defending against intrusions including APT and in collecting data on attackers’ techniques and tactics. The method makes it possible to identify patterns of traces of tools used by attackers, which allows attribution of attacks.
Keywords
Постоянный URL
Articles in current issue
- Analysis of frequency-robust multivariable dynamical systems
- Fractal micro- and nanodendrites of silver, copper and their compounds for photocatalytic water splitting
- Mathematical modelling of tri-layer dielectric OTFT based on pentacene semiconductor for enhancing the electrical characteristics
- Researching carbon dioxide hydrates in thin films via FTIR spectroscopyat temperatures of 11–180 K
- Method for increasing the information value of video data based on the removal of redundant frames and entropy estimation
- Attacker group detection method based on HTTP payload analysis
- Facial keypoints detection using capsule neural networks
- Review of national and international standards for categorizing of critical information infrastructure objects
- Criterion of the network infrastructure security
- A novel approach to feature collection for anomaly detection in Kubernetes environment and agent for metrics collection from Kubernetes nodes
- Time parameters linear approximation method in elastic systems
- Role discovery in node-attributed public transportation networks: the study of Saint Petersburg city open data
- Exploring the possibility of predicting users’ career guidance preferences based on analysis of community topics and the gender in the online social network users’ profiles
- Blindness detection in diabetic retinopathy using Bayesian variant-based connected component algorithm in Keras and TensorFlow
- Joint recognition of text and layout in historical Russian documents
- Intelligent clinical decision support for small patient datasets
- Assessment of the readiness of a computer system for timely servicing of requests when combined with information recovery of memory after failures
- Buckling analysis of an orthotropic cylindrical shell structure in the ANSYS Mechanical APDL software package
- Justification of the choice of mobile broadband access technology for building radio communication networks of railway transport
- Comparative performance analysis of DVR & DSTATCOM for distributed generation with gravitational search algorithm
- Estimation of the moments of a quantized random variable
- Experimental method for estimating the dynamic error of devices and sensors under their operating conditions
- Method of type-C liquified natural gas tank modeling based on volume optimization for future “milk-run” exploitation
- Optical properties of borate family nonlinear crystals and their application in sources of intense terahertz radiation
- A model of a refractive fiber optic sensor sensing element based on MMF-SMF-MMF structure using surface plasmon resonance