Distinguishing between Web Attacks and Vulnerability Scans Based on Behavioral Characteristics

Title: Distinguishing between Web Attacks and Vulnerability Scans Based on Behavioral Characteristics
Publication Type: Conference Paper
Year of Publication: 2014
Authors: Goseva-Popstojanova, K., Dimitrijevikj, A.
Conference Name: Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on
Date Published: May
Keywords: attacks, behavioral characteristics, behavioral clustering analysis, Blogs, classification of malicious cyber activities, computer network security, Encyclopedias, feature extraction, feature selection method, high-interaction honey pots, honeypots, Internet, malicious cyber activities, radio access networks, Support vector machines, vulnerability scans, Web 2.0, Web applications, Web attacks, Web systems
Abstract

The number of vulnerabilities and reported attacks on Web systems are showing increasing trends, which clearly illustrate the need for better understanding of malicious cyber activities. In this paper we use clustering to classify attacker activities aimed at Web systems. The empirical analysis is based on four datasets, each in duration of several months, collected by high-interaction honey pots. The results show that behavioral clustering analysis can be used to distinguish between attack sessions and vulnerability scan sessions. However, the performance heavily depends on the dataset. Furthermore, the results show that attacks differ from vulnerability scans in a small number of features (i.e., session characteristics). Specifically, for each dataset, the best feature selection method (in terms of the high probability of detection and low probability of false alarm) selects only three features and results into three to four clusters, significantly improving the performance of clustering compared to the case when all features are used. The best subset of features and the extent of the improvement, however, also depend on the dataset.

DOI: 10.1109/WAINA.2014.15
Citation Key: 6844611