Abstract
Web scan is one of the most common network attacks on the Internet, in which an adversary probes one or more websites to discover exploitable information in order to perform further cyber attacks. For a coordinated web scan, an adversary controls multiple sources to achieve a large-scale scanning as well as detection evasion. In this paper, a novel detection approach based on hierarchical correlation is proposed to identify coordinated web campaigns from the labelled malicious sources. The semantic correlation is used to identify the malicious sources scanning the similar contents, and the temporal-spatial correlation is employed to identify malicious campaigns from the semantic correlation results. In both correlation phases, we convert the clustering problem into the group partition problem and propose a greedy algorithm to solve it. The evaluation shows that our algorithm is effective in detecting coordinated web scan attacks, since the metric Precision for detection can achieve 1.0, and the metric Rand Index for clustering is 0.984.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Security Newspaper. https://www.securitynewspaper.com/2016/01/23/web-reconnaissance-attack-infects-3500-websites-possibly-wordpress/. Accessed 20 Nov 2018
Kruegel, C., Vigna, G.: Anomaly detection of web-based attacks. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 251–261. ACM (2003)
Valeur, F., Mutz, D., Vigna, G.: A learning-based approach to the detection of SQL attacks. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 123–140. Springer, Heidelberg (2005). https://doi.org/10.1007/11506881_8
Robertson, W., Vigna, G., Kruegel, C., Kemmerer, R.A.: Using generalization and characterization techniques in the anomaly-based detection of web attacks. In: Annual Network & Distributed System Security Symposium (NDSS) (2006)
Xie, G., Hang, H., Faloutsos, M.: Scanner hunter: understanding HTTP scanning traffic. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 27–38. ACM (2014)
Shancang, L.I., Romdhani, I., Buchanan, W.: Password pattern and vulnerability analysis for web and mobile applications. ZTE Commun. 14(S1), 32–36 (2016)
Mimura, M., Tanaka, H.: Heavy log reader: learning the context of cyber attacks automatically with paragraph vector. In: Shyamasundar, R.K., Singh, V., Vaidya, J. (eds.) ICISS 2017. LNCS, vol. 10717, pp. 146–163. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72598-7_9
Yang, J., Wang, L., Xu, Z.: A novel semantic-aware approach for detecting malicious web traffic. In: Qing, S., Mitchell, C., Chen, L., Liu, D. (eds.) ICICS 2017. LNCS, vol. 10631, pp. 633–645. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89500-0_54
Green, J., Marchette, D.J., Northcutt, S., Ralph B.: Analysis techniques for detecting coordinated attacks and probes. In: Proceedings of workshop on Intrusion Detection and Network Monitoring, pp. 1–9 (1999)
Braynov, S., Jadliwala, M.: Detecting malicious groups of agents. In: Proceedings of the First IEEE Symposium on Multi-Agent Security and Survivability, pp. 90–99. IEEE (2004)
Gates, C.: Coordinated scan detection. In: Annual Network & Distributed System Security Symposium (NDSS) (2009)
Zhou, C.V., Leckie, C., Karunasekera, S.: A survey of coordinated attacks and collaborative intrusion detection. Comput. Secur. 29, 124–1402 (2010)
Elias, B.H., Mourad, D., Chadi, A.: On fingerprinting probing activities. Comput. Secur. 43, 35–48 (2014)
Mazel, J., Fontugne, R., Fukuda, K.: Identifying coordination of network scans using probed address structure. In: Traffic Monitoring and Analysis-8th International Workshop, pp. 7–8 (2016)
Jacob, G., Kirda, E., Kruegel, C., Vigna, G.: PUBCRAWL: protecting users and businesses from CRAWLers. In: Proceedings of 21st Usenix Conference on Security Symposium, pp. 507–512. Usenix (2013)
Blondel, V.D., Guillaume, J.L., Lambiotte, R., Etienne, L.: Fast unfolding of communities in large networks. J. Stat. Mech. Theory Exp. 2008(10), P10008 (2008)
Paxson, V.: Bro: a system for detecting network intruders in real-time. In: Proceedings of 7th USENIX Security Symposium. Usenix (1998)
Acknowledgments
This paper is supported by the National Key R&D Program of China (2017YFB0801900).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Yang, J., Wang, L., Xu, Z., Wang, J., Tian, T. (2019). Coordinated Web Scan Detection Based on Hierarchical Correlation. In: Li, J., Liu, Z., Peng, H. (eds) Security and Privacy in New Computing Environments. SPNCE 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 284. Springer, Cham. https://doi.org/10.1007/978-3-030-21373-2_30
Download citation
DOI: https://doi.org/10.1007/978-3-030-21373-2_30
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21372-5
Online ISBN: 978-3-030-21373-2
eBook Packages: Computer ScienceComputer Science (R0)