Visualizing Web Attack Scenarios in Space and Time Coordinate Systems
Tran Tri Dang and Tran Khanh Dang
Ho Chi Minh City University of Technology, VNU-HCM, Ho Chi Minh City, Vietnam
{tridang,khanh}@cse.hcmut.edu.vn
Abstract. Intrusion Detection Systems can detect attacks and notify responsible
people of these events automatically. However, seeing individual attacks,
although useful, is often not enough to understand the whole attack process
as well as the skills and motivations of the attackers. The attack step is
usually just one phase of the whole intrusion process, in which attackers gather
information and prepare the required conditions before executing it, and clear
log records to hide their traces after executing it. Current approaches to
constructing attack scenarios require cause and effect relationships between
events to be defined in advance, which is a difficult and time-consuming task.
In this work, we exploit the links between pages in web applications to propose
an attack scenario construction technique that does not need cause and effect
relationships to be defined in advance. The constructed scenarios are then
visualized in space and time coordinate systems to support viewing and analysis.
We also develop a prototype implementation based on the proposal and use it to
experiment with different simulated attack scenarios.
Keywords: Web attack visualization · Attack scenario construction · Attack
scenario visualization · Security visualization · Web security · Web attack
understanding.
1 Introduction
Although traditional Intrusion Detection Systems (IDSs) can detect individual attacks
and notify responsible people of these events automatically, they usually lack the
capability of synthesizing and presenting related attacks (or related events) to human
users in an intuitive way. We argue that seeing separate attacks does not give
responsible people much support in understanding the big picture of the whole
attack process. This big picture contains not only the attack step, but also the
information gathering and preparation steps before it, as well as the exploitation and
identity hiding steps after it, among others. Therefore, having a tool to access this big
picture is a real need for security administrators. Using this tool, security
administrators can see the whole intrusion process and may understand the motivations,
the techniques, and the skills of attackers. This understanding is useful not only for
making a counterattack immediately, but also for planning appropriate future defense
strategies.
 