Attacker group detection method based on HTTP payload analysis
Journal: Scientific and Technical Journal of Information Technologies, Mechanics and Optics (Vol.23, No. 3)Publication Date: 2023-06-21
Authors : Pavlov A.V. Voloshina N.V.;
Page : 500-505
Keywords : attacker groups; complex attacks; intrusion detection; alert correlation;
Abstract
Attacks on web applications are a frequent vector of attack on information resources by attackers of various skill levels. Such attacks can be investigated through analysis of HTTP requests made by the attackers. The possibility of identifying groups of attackers based on the analysis of the payload of HTTP requests marked by IDS as attack events has been studied. The identification of groups of attackers improves the work of security analysts investigating and responding to incidents, reduces the impact of alert fatigue in the analysis of security events, and also helps in identifying attack patterns and resources of intruders. Identification of groups of attackers within the framework of the proposed method is performed based on the sequence of stages. At the first stage, requests are split into tokens by a regular expression based on the features of the HTTP protocol and attacks that are often encountered and detected by intrusion detection systems. Then the tokens are weighted using the TF-IDF method, which allows to further give a greater contribution when comparing requests to the coincidence of rare words. At the next stage the main core of requests is separated based on their distance from the origin. Thus, requests not containing rare words, the coincidence of which allows us to talk about the connectedness of events, are separated. Manhattan distance is used to determine the distance. Finally, clustering is carried out using the DBSCAN method. It is shown that HTTP request payload data can be used to identify groups of attackers. An efficient method of tokenization, weighting and clustering of the considered data is proposed. The use of the DBSCAN method for clustering within the framework of the method is proposed. The homogeneity, completeness and V-measure of clustering obtained by various methods on the CPTC-2018 dataset were evaluated. The proposed method allows obtaining a clustering of events with high homogeneity and sufficient completeness. It is proposed to combine the resulting clustering with clusters obtained by other methods with high clustering homogeneity to obtain a high completeness metric and V-measure while maintaining high homogeneity. The proposed method can be used in the work of security analysts in SOC, CERT and CSIRT, both in defending against intrusions including APT and in collecting data on attackers' techniques and tactics. The method makes it possible to identify patterns of traces of tools used by attackers, which allows attribution of attacks.
Other Latest Articles
- The Effect of Leverage, Financial Distress and Profitability on Accounting Conservatism
- Method for increasing the information value of video data based on the removal of redundant frames and entropy estimation
- A COMPARATIVE STUDY OFLIGATION OF INTERSPHINCTERIC FISTULA TRACT AND FISTULECTOMY IN THE MANAGEMENT OF TRANS SPHINCTERIC FISTULA IN ANO
- Researching carbon dioxide hydrates in thin films via FTIR spectroscopy at temperatures of 11–180 K
- Mathematical modelling of tri-layer dielectric OTFT based on pentacene semiconductor for enhancing the electrical characteristics
Last modified: 2023-07-10 19:44:08