Attacker group detection method based on HTTP payload analysis
Saved in:
| Published in: | Nauchno-tekhnicheskiĭ vestnik informat͡s︡ionnykh tekhnologiĭ, mekhaniki i optiki Vol. 23; No. 3; pp. 500-505 |
|---|---|
| Main authors: | Pavlov, A.V.; Voloshina, N.V. |
| Format: | Journal Article |
| Language: | English |
| Published: | ITMO University, 01.12.2024 |
| Subject terms: | attacker groups; cybersecurity; security event correlation; intrusion detection; complex attacks |
| ISSN: | 2226-1494, 2500-0373 |
| Online access: | Full text |
| Abstract | Attacks on web applications are a frequent vector for attacks on information resources by adversaries of widely varying skill. Such attacks can be investigated by analysing the HTTP requests the attackers send. This paper studies whether groups of attackers can be identified from the payloads of HTTP requests that an IDS has flagged as attack events. Identifying attacker groups supports security analysts who investigate and respond to incidents, reduces the impact of alert fatigue when triaging security events, and helps reveal attack patterns and the resources intruders use. In the proposed method, attacker groups are identified in a sequence of stages. First, each request is split into tokens by a regular expression built around features of the HTTP protocol and of the attacks that intrusion detection systems commonly encounter and detect. The tokens are then weighted with TF-IDF, so that a shared rare token contributes more to the similarity of two requests than a shared common one. Next, the main core of requests is separated out by its distance from the origin: requests that contain no rare tokens, the tokens whose co-occurrence indicates that events are connected, are set aside. Manhattan distance is used as the distance measure. Finally, the remaining requests are clustered with DBSCAN. It is shown that HTTP request payload data can be used to identify groups of attackers, and an efficient tokenization, weighting and clustering method for such data is proposed, with DBSCAN as its clustering step. The homogeneity, completeness and V-measure of clusterings produced by several methods were evaluated on the CPTC-2018 dataset. The proposed method yields clusterings with high homogeneity and sufficient completeness. Combining this clustering with clusters from other methods that also achieve high homogeneity is proposed as a way to raise completeness and V-measure while preserving high homogeneity. The method can be used by security analysts in SOC, CERT and CSIRT teams, both when defending against intrusions, including APT, and when collecting data on attackers' techniques and tactics. It makes it possible to identify patterns in the traces left by attackers' tools, which supports attribution of attacks. |
|---|---|
| Author | Pavlov, A.V.; Voloshina, N.V. |
| DOI | 10.17586/2226-1494-2023-23-3-500-505 |
| Discipline | Engineering |
| EISSN | 2500-0373 |
| EndPage | 505 |
| ISSN | 2226-1494 |
| IsOpenAccess | true |
| IsPeerReviewed | true |
| Issue | 3 |
| Language | English |
| ORCID | Pavlov, A.V.: 0000-0001-8567-5469; Voloshina, N.V.: 0000-0001-9435-9580 |
| OpenAccessLink | https://doaj.org/article/5925939bce414124a7a1aa7e1d3edc1a |
| PageCount | 6 |
| PublicationDate | 2024-12-01 |
| PublicationTitle | Nauchno-tekhnicheskiĭ vestnik informat͡s︡ionnykh tekhnologiĭ, mekhaniki i optiki |
| PublicationYear | 2024 |
| Publisher | ITMO University |
| StartPage | 500 |
| SubjectTerms | attacker groups; cybersecurity; security event correlation; intrusion detection; complex attacks |
| Title | Attacker group detection method based on HTTP payload analysis |
| URI | https://doaj.org/article/5925939bce414124a7a1aa7e1d3edc1a |
| Volume | 23 |