Understanding attacker behavior in HTTP-based cyber threats is crucial for developing robust security defenses. Traditional methods of mapping attacker activities to MITRE ATT&CK primarily rely on single event-based analysis, which treats each event independently, leading to fragmented detection and misclassification. This study presents Attack Session-Based Analysis, an approach that systematically identifies and correlates attacker activities within a single attack session, providing a structured mapping of attacker tactics and overcoming theTambunan, A.Lim, C.Silaen, K. limitations of single-event analysis. By leveraging Idle Time-Based and Variable-Based Session Identification, this method systematically groups related attack events and maps them to the ATT&CK framework. Using a custom HTTP honeypot, a large number of recorded attacks were analyzed, identifying how multiple events within an attack session are related and structured. Our findings demonstrate that a session-based analytical approach transforms attack detection by correlating multiple events into a coherent narrative. This approach demonstrates capacity for reducing misclassification risks and false positives, while facilitating a structured representation of attacker tactics within an attack session.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Attack Session-Based Analysis to Reveal HTTP Attacker Behavior

  • Andi Parada Tambunan,
  • Charles Lim,
  • Kalpin Erlangga Silaen

摘要

Understanding attacker behavior in HTTP-based cyber threats is crucial for developing robust security defenses. Traditional methods of mapping attacker activities to MITRE ATT&CK primarily rely on single event-based analysis, which treats each event independently, leading to fragmented detection and misclassification. This study presents Attack Session-Based Analysis, an approach that systematically identifies and correlates attacker activities within a single attack session, providing a structured mapping of attacker tactics and overcoming theTambunan, A.Lim, C.Silaen, K. limitations of single-event analysis. By leveraging Idle Time-Based and Variable-Based Session Identification, this method systematically groups related attack events and maps them to the ATT&CK framework. Using a custom HTTP honeypot, a large number of recorded attacks were analyzed, identifying how multiple events within an attack session are related and structured. Our findings demonstrate that a session-based analytical approach transforms attack detection by correlating multiple events into a coherent narrative. This approach demonstrates capacity for reducing misclassification risks and false positives, while facilitating a structured representation of attacker tactics within an attack session.