Early web application attack detection using network traffic analysis

  • Regular contribution
International Journal of Information Security

Abstract

The number of deployed web applications and the number of web-based attacks have been increasing constantly over the last decade. One group of tools that has gained the attention of cyber security specialists is Dynamic Application Security Testing (DAST) tools, which are used to assess the security posture of web applications. DAST tools serve a similar purpose for web applications as network scanners and mappers do for local networks and computers: they scan web applications, enumerate as much information from them as possible and in this way potentially reveal existing vulnerabilities. The tools are used not only by security analysts but also by attackers in the reconnaissance and enumeration phases of an attack. This paper analyses the network behaviour patterns of DAST tools, the characteristic features that distinguish them from other traffic, and methods to detect their operation using classical supervised machine learning methods. Unlike most work on web application security and web application attack detection, which relies on HTTP logs, the research presented here is based on network traffic traces and flow statistics. This allows malicious scanning to be detected on the network path even when the web traffic is encrypted. Experimental results show that accurate and reliable detection of the four analysed DAST tools, ZAP, Nikto, Vega and Arachni, is possible. Flow classification of the existing DAST tools has high precision because these tools still do not deploy any mechanism to hide their operation or to mimic web application browsing by human users. Additionally, the paper analyses fast detection of malicious behaviour, i.e. detection while the flows are still active. The experimental results show that malicious behaviour can be detected with relatively high accuracy after only 15 packets in a flow.
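The abstract describes detection from flow statistics rather than HTTP logs, with a verdict reachable after the first 15 packets of a flow. The Python below is an added illustration of that pipeline and is not code or data from the paper: the packet trace, the six flow features, the synthetic scanner and browser flows and the nearest-centroid learner are all constructed stand-ins for the paper's dataset and supervised models. Packet payloads are never inspected, which is what makes the approach work on TLS traffic.

```python
"""Flow-statistics features from the first N packets of a flow, classified while
the flow is still active. Added illustration, not code from the paper: packets,
feature set and the nearest-centroid learner are constructed stand-ins."""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev

@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    length: int    # bytes on the wire; payload is never inspected (may be TLS)

def flow_key(p):
    """Canonical bidirectional key (TCP assumed): lower (ip, port) endpoint first."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def group_flows(packets):
    """Group a trace into flows, keeping capture order inside each flow."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(p)].append(p)
    return flows

# Constructed feature set; the paper's own feature list is not reproduced here.
FEATURES = ("fwd_pkts", "bwd_pkts", "fwd_len_mean", "bwd_len_mean", "iat_mean", "duration")

def features(flow, max_packets=15):
    """Statistics over at most the first max_packets packets of one flow, so a
    verdict can be issued early. The initiator defines the forward direction."""
    pkts = flow[:max_packets]
    initiator = (pkts[0].src, pkts[0].sport)
    fwd = [p.length for p in pkts if (p.src, p.sport) == initiator]
    bwd = [p.length for p in pkts if (p.src, p.sport) != initiator]
    iats = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])] or [0.0]
    return {"fwd_pkts": len(fwd), "bwd_pkts": len(bwd), "fwd_len_mean": mean(fwd),
            "bwd_len_mean": mean(bwd) if bwd else 0.0, "iat_mean": mean(iats),
            "duration": pkts[-1].ts - pkts[0].ts}

class NearestCentroid:
    """Minimal supervised learner: z-score with training statistics, then pick
    the label whose class centroid is nearest in feature space."""
    def fit(self, rows, labels):
        self.mu = {f: mean([r[f] for r in rows]) for f in FEATURES}
        self.sd = {f: pstdev([r[f] for r in rows]) or 1.0 for f in FEATURES}
        by_label = defaultdict(list)
        for r, y in zip(rows, labels):
            by_label[y].append(self._z(r))
        self.centroids = {y: [mean(c) for c in zip(*v)] for y, v in by_label.items()}
        return self

    def _z(self, r):
        return [(r[f] - self.mu[f]) / self.sd[f] for f in FEATURES]

    def predict(self, r):
        z = self._z(r)
        return min(self.centroids, key=lambda y: sqrt(sum(
            (a - b) ** 2 for a, b in zip(z, self.centroids[y]))))

def synth_flow(start, cport, n_req, req_len, resp_len, gap, client="10.0.0.5", server="192.0.2.10"):
    """Constructed request/response flow: n_req client packets of req_len bytes,
    each answered gap/10 s later by one server packet of resp_len bytes."""
    pkts, t = [], start
    for _ in range(n_req):
        pkts.append(Packet(t, client, cport, server, 443, req_len))
        pkts.append(Packet(t + gap / 10, server, 443, client, cport, resp_len))
        t += gap
    return pkts

def build_dataset():
    """Constructed training set: rapid, small, uniform exchanges labelled as a
    scanner; slower, larger and fewer exchanges labelled as human browsing."""
    rows, labels = [], []
    for i in range(5):
        rows.append(features(synth_flow(0.0, 40000 + i, 20, 350 + 10 * i, 480 + 20 * i, 0.004 + 0.001 * i)))
        labels.append("dast")
        rows.append(features(synth_flow(0.0, 50000 + i, 3 + i, 500 + 30 * i, 1400 + 50 * i, 0.3 + 0.05 * i)))
        labels.append("benign")
    return rows, labels

def classify_early(packets, model, max_packets=15):
    """Verdict per flow, keyed by initiator port, from its first packets only."""
    return {flow[0].sport: model.predict(features(flow, max_packets))
            for flow in group_flows(packets).values()}

def demo(max_packets=15):
    model = NearestCentroid().fit(*build_dataset())
    trace = (synth_flow(1.0, 41111, 30, 380, 510, 0.006)    # unseen scanner-like flow
             + synth_flow(1.0, 51111, 6, 520, 1500, 0.35))  # unseen browser-like flow
    return classify_early(trace, model, max_packets)
```

`demo()` returns `{41111: 'dast', 51111: 'benign'}`: the scanner-like flow is labelled from its first 15 packets although it carries 60, which is the early-decision property the abstract refers to. The weak point a practitioner should keep in mind is visible in `features`: the counts and byte totals depend on how many packets the cutoff admits, so a classifier trained at one cutoff should be evaluated at the same cutoff, and a scanner that throttled itself to browser-like inter-arrival times would move towards the benign centroid.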


Data Availability

The data are publicly available at [47].

References

  1. Collins, V.: The Decline Of The Native App And The Rise Of The Web App. https://www.forbes.com/sites/victoriacollins/2019/04/05/why-you-dont-need-to-make-an-app-a-guide-for-startups-who-want-to-make-an-app/?sh=597b75f26e63 (2019). Accessed 11 April 2021

  2. The Future Is the Web! How to Keep It Secure? https://www.acunetix.com/white-papers/the-future-is-the-web-how-to-keep-it-secure/. Accessed 11 Aug 2021

  3. HTTPS encryption on the web. https://transparencyreport.google.com/https/overview?hl=en. Accessed 11 April 2021

  4. ENISA Threat Landscape: Web application attacks, from January 2019 to April 2020. https://www.enisa.europa.eu/publications/web-application-attacks/at_download/fullReport. Accessed 11 April 2021

  5. Moustafa, N., Hu, J., Slay, J.: A holistic review of network anomaly detection systems: a comprehensive survey. J. Netw. Comput. Appl. 128, 33–55 (2019)

  6. Gibert, D., Mateu, C., Planes, J.: The rise of machine learning for detection and classification of malware: research developments, trends and challenges. J. Netw. Comput. Appl. 2, 153 (2020)

  7. Tahsien, S.M., Karimipour, H., Spachos, P.: Machine learning based solutions for security of Internet of Things (IoT): a survey. J. Netw. Comput. Appl. 2, 161 (2020). https://doi.org/10.1016/j.jnca.2019.102630

  8. Lin, W.C., Ke, S.W., Tsai, C.F.: CANN: an intrusion detection system based on combining cluster centers and nearest neighbors. Knowl.-Based Syst. 78, 13–21 (2015)

  9. Adetunmbi, A.O., Falaki, S.O., Adewale, O.S., Alese, B.K.: Network intrusion detection based on rough set and k-nearest neighbour. Int. J. Comput. ICT Res. 2(1), 60–66 (2008)

  10. Syarif, A.R., Gata, W.: Intrusion detection system using hybrid binary PSO and K-nearest neighborhood algorithm. In: 2017 11th International Conference on Information and Communication Technology and System (ICTS), pp. 181–186. IEEE (2017)

  11. Ma, Z., Kaban, A.: K-Nearest-Neighbours with a novel similarity measure for intrusion detection. In: 2013 13th UK Workshop on Computational Intelligence (UKCI), pp. 266–271. IEEE (2013)

  12. Saleh, A.I., Talaat, F.M., Labib, L.M.: A hybrid intrusion detection system (HIDS) based on prioritized k-nearest neighbors and optimized SVM classifiers. Artif. Intell. Rev. 51(3), 403–443 (2019)

  13. Gu, J., Lu, S.: An effective intrusion detection approach using SVM with naïve Bayes feature embedding. Comput. Secur. 2, 103 (2021). https://doi.org/10.1016/j.cose.2020.102158

  14. Liao, Y., Vemuri, V.R.: Use of k-nearest neighbor classifier for intrusion detection. Comput. Secur. 21(5), 439–448 (2002)

  15. Ferrag, M.A., Maglaras, L., Moschoyiannis, S., Janicke, H.: Deep learning for cyber security intrusion detection: approaches, datasets, and comparative study. J. Inform. Secur. Appl. 50, 102419 (2020). https://doi.org/10.1016/j.jisa.2019.102419

  16. Panigrahi, R., Borah, S.: A detailed analysis of CICIDS2017 dataset for designing Intrusion Detection Systems. Int. J. Eng. Technol. 7(3.24), 479–482 (2018)

  17. Ustebay, S., Turgut, Z., Aydin, M.A.: Intrusion detection system with recursive feature elimination by using random forest and deep learning classifier. In: 2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT), pp. 71–76. IEEE (2018)

  18. Aksu, D., Üstebay, S., Aydin, M.A., Atmaca, T.: Intrusion detection with comparative analysis of supervised learning techniques and fisher score feature selection algorithm. In: International Symposium on Computer and Information Sciences, pp. 141–149. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-00840-6_16

  19. Stiawan, D., Idris, M.Y.B., Bamhdi, A.M., Budiarto, R.: CICIDS-2017 dataset feature analysis with information gain for anomaly detection. IEEE Access 8, 132911–132921 (2020)

  20. Tekerek, A.: A novel architecture for web-based attack detection using convolutional neural network. Comput. Secur. 100, 102096 (2021). https://doi.org/10.1016/j.cose.2020.102096

  21. Rong, W., Zhang, B., Lv, X.: Malicious Web Request Detection Using Character-Level CNN. In: Chen, X., Huang, X., Zhang, J. (eds.) Machine Learning for Cyber Security. ML4CS 2019. Lecture Notes in Computer Science, vol. 11806. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30619-9_2

  22. Pan, Y., Sun, F., Teng, Z., White, J., Schmidt, D.C., Staples, J., Krause, L.: Detecting web attacks with end-to-end deep learning. J. Internet Serv. Appl. 10(1), 16 (2019). https://doi.org/10.1186/s13174-019-0115-x

  23. Goseva-Popstojanova, K., Anastasovski, G., Dimitrijevikj, A., Pantev, R., Miller, B.: Characterization and classification of malicious Web traffic. Comput. Secur. 42, 92–115 (2014). https://doi.org/10.1016/j.cose.2014.01.006

  24. Daud, N.I., Bakar, K.A.A., Hasan, M.S.M.: A case study on web application vulnerability scanning tools. In: 2014 Science and Information Conference, pp. 595–600. IEEE (2014)

  25. Fonseca, J., Vieira, M., Madeira, H.: Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks. In: 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2007), pp. 365–372. IEEE (2007)

  26. Esposito, D., Rennhard, M., Ruf, L., Wagner, A.: Exploiting the potential of web application vulnerability scanning. In: ICIMP 2018, The Thirteenth International Conference on Internet Monitoring and Protection, Barcelona, Spain, 22–26 July 2018, pp. 22–29. IARIA (2018)

  27. Bau, J., Bursztein, E., Gupta, D., Mitchell, J.: State of the art: automated black-box web application vulnerability testing. In: 2010 IEEE Symposium on Security and Privacy, pp. 332–345. IEEE (2010)

  28. Huang, Y.W., Tsai, C.H., Lee, D.T., Kuo, S.Y.: Non-detrimental web application security scanning. In: 15th International Symposium on Software Reliability Engineering, pp. 219–230. IEEE (2004)

  29. Rovetta, S., Suchacka, G., Masulli, F.: Bot recognition in a Web store: an approach based on unsupervised learning. J. Netw. Comput. Appl. 157, 102577 (2020). https://doi.org/10.1016/j.jnca.2020.102577

  30. Vulnerability Scanning Tools, OWASP. https://owasp.org/www-community/Vulnerability_Scanning_Tools. Accessed 14 April 2021

  31. CIRT Nikto 2. https://cirt.net/Nikto2

  32. Subgraph Vega vulnerability scanner. https://subgraph.com/vega/

  33. Arachni, Web application security scanner framework. https://www.arachni-scanner.com/

  34. OWASP Zed Attack Proxy (ZAP). https://www.zaproxy.org/

  35. OWASP WebGoat. https://owasp.org/www-project-webgoat/

  36. DVWA - Damn Vulnerable Web Application. https://github.com/digininja/DVWA

  37. Google Gruyere. https://google-gruyere.appspot.com/

  38. OWASP Mutillidae. https://github.com/webpwnized/mutillidae

  39. Sharafaldin, I., Gharib, A., Lashkari, A.H., Ghorbani, A.A.: Towards a reliable intrusion detection benchmark dataset. Softw. Netw. 5, 177–200 (2017). https://doi.org/10.13052/jsn2445-9739.2017.009

  40. Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy - ICISSP, ISBN 978-989-758-282-0, ISSN 2184-4356, pp. 108–116 (2018). https://doi.org/10.5220/0006639801080116

  41. Lashkari, A.H., Gil, G.D., Mamun, M.S.I., Ghorbani, A.A.: Characterization of tor traffic using time based features. Science 5, 253–262 (2017). https://doi.org/10.5220/0006105602530262

  42. Lashkari, A.H., Gil, G.D., Mamun, M.S.I., Ghorbani, A.A.: Characterization of encrypted and VPN traffic using time-related features (2016). https://doi.org/10.5220/0005740704070414

  43. Iyengar, J., Thomson, M.: QUIC: A UDP-Based Multiplexed and Secure Transport, Internet draft (2021). https://datatracker.ietf.org/doc/draft-ietf-quic-transport/

  44. Kurniabudi, Stiawan, D., Darmawijoyo, Idris, M.Y.B., Bhamdi, A., Budiarto, R.: CICIDS-2017 dataset feature analysis with information gain for anomaly detection. IEEE Access 2, 774 (2020)

  45. Frank, E., Hall, M.A., Witten, I.H.: The WEKA Workbench. Online Appendix for "Data Mining: Practical Machine Learning Tools and Techniques", 4th edn. Morgan Kaufmann, Burlington, MA (2016)

  46. Jurkiewicz, P., Rzym, G., Boryło, P.: Flow length and size distributions in campus Internet traffic. Comput. Commun. 167, 15–30 (2021). https://doi.org/10.1016/j.comcom.2020.12.016

  47. Rajić, B., Stanisavljević, Ž., Vuletić, P.: DAST scanning sessions dataset, Mendeley Data, V3 (2022). https://data.mendeley.com/datasets/ctkh2zy6s3/3

Funding

No funds, grants, or other support was received.

Author information

Contributions

BR contributed to data curation, investigation, methodology, software and writing (original draft). PV contributed to conceptualization, methodology, investigation, resources, writing (review and editing), validation and supervision. ZS contributed to investigation, validation and writing (review and editing).

Corresponding author

Correspondence to Branislav Rajić.

Ethics declarations

Conflict of interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Code availability

Not applicable

About this article

Cite this article

Rajić, B., Stanisavljević, Ž. & Vuletić, P. Early web application attack detection using network traffic analysis. Int. J. Inf. Secur. 22, 77–91 (2023). https://doi.org/10.1007/s10207-022-00627-1