Attack Session-Based Analysis to Reveal HTTP Attacker Behavior
摘要
Understanding attacker behavior in HTTP-based cyber threats is crucial for developing robust security defenses. Traditional methods of mapping attacker activities to MITRE ATT&CK primarily rely on single event-based analysis, which treats each event independently, leading to fragmented detection and misclassification. This study presents Attack Session-Based Analysis, an approach that systematically identifies and correlates attacker activities within a single attack session, providing a structured mapping of attacker tactics and overcoming theTambunan, A.Lim, C.Silaen, K. limitations of single-event analysis. By leveraging Idle Time-Based and Variable-Based Session Identification, this method systematically groups related attack events and maps them to the ATT&CK framework. Using a custom HTTP honeypot, a large number of recorded attacks were analyzed, identifying how multiple events within an attack session are related and structured. Our findings demonstrate that a session-based analytical approach transforms attack detection by correlating multiple events into a coherent narrative. This approach demonstrates capacity for reducing misclassification risks and false positives, while facilitating a structured representation of attacker tactics within an attack session.