Automated Classification of Web-Application Attacks for Intrusion Detection

Bhagwani, Harsh; Negi, Rohit; Dutta, Aneet Kumar; Handa, Anand; Kumar, Nitesh; Shukla, Sandeep K.

doi:10.1007/978-3-030-35869-3_10

Cited by 7 publications

(2 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nonetheless, there are numerous training challenges like networking, web, cryptography, defensive cyber security etc., where we can extend the support for hybrid scoring. Harsh et al [2] mentioned that using server logs, one can identify participant's behaviour. Web request can be classified into attacks such as SQL Injection, Cross-Site Scripting, Path-traversal, Command Injection, Cross-site request forgery etc.…”

Section: Discussionmentioning

confidence: 99%

Automated Flag Detection and Participant Performance Evaluation for Pwnable CTF

Singh

Negi

Shukla

2022

Silicon Valley Cybersecurity Conference

Self Cite

View full text Add to dashboard Cite

The demand for cyber security awareness, education, evaluation of learning levels of students etc., has increased in the past few years. In order to meet this rising demand, several cyber security learning and training platforms have been developed. Capture the flag (CTF) platforms and cyber ranges have become primary tools that facilitate education, training and recruitment of cyber security personnel. These tools evaluate and rank the participants on the basis of challenges solved by them. A discrete evaluation mechanism focusing only on flags solved, fails to ensure that the effort and knowledge demonstrated by the participants while solving the challenge, are factored into the scoring system. Most of these tools do not even distinguish between participants actually solving the flags vs. those who might copy a captured flag without actually working on the problem. Further, in flag only scoring systems, participants feel discouraged as they fail to score without finding the flags – despite putting in enormous time and effort. In this paper, we present our novel approach to quantify participant’s learning, efforts, and any unethical practices. We award partial scores by automatically capturing their behavior while solving the CTF problems. We also provide an accurate ranking system with automated solved challenge detection which replaces the need for manual flag submission. In our system, participants get hybrid scores based on their efforts, and organizations get a better and an effective evaluation tool.

show abstract

Section: Discussionmentioning

confidence: 99%

Automated Flag Detection and Participant Performance Evaluation for Pwnable CTF

Singh

Negi

Shukla

2022

Silicon Valley Cybersecurity Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…We modified the IDS developed by Bhagwani Et Al. [6] to predict SQLi, XSS, and OSC attacks on HTTP servers. The SOAR Engine uses these machine learning models to detect attacks in the logs of the initial HTTP honeypot deployed and then deploy HTTP honeypots in other IPs with specific vulnerabilities like SQLi, XSS, and OSC.…”

Section: ) Http Ids Botnet and Ddos Detectionmentioning

confidence: 99%

Security Orchestration, Automation, and Response Engine for Deployment of Behavioural Honeypots

Bartwal,

Mukhopadhyay,

Negi

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Cyber Security is a critical topic for organizations with IT/OT networks as they are always susceptible to attack, whether insider or outsider. Since the cyber landscape is an ever-evolving scenario, one must keep upgrading its security systems to enhance the security of the infrastructure. Tools like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Threat Intelligence Platform (TIP), Information Technology Service Management (ITSM), along with other defensive techniques like Intrusion Detection System (IDS), Intrusion Protection System (IPS), and many others enhance the cyber security posture of the infrastructure. However, the proposed protection mechanisms have their limitations, they are insufficient to ensure security, and the attacker penetrates the network. Deception technology, along with Honeypots, provides a false sense of vulnerability in the target systems to the attackers. The attacker deceived reveals threat intel about their modus operandi. We have developed a Security Orchestration, Automation, and Response (SOAR) Engine that dynamically deploys custom honeypots inside the internal network infrastructure based on the attacker's behavior. The architecture is robust enough to support multiple VLANs connected to the system and used for orchestration. The presence of botnet traffic and DDOS attacks on the honeypots in the network is detected, along with a malware collection system. After being exposed to live traffic for four days, our engine dynamically orchestrated the honeypots 40 times, detected 7823 attacks, 965 DDOS attack packets, and three malicious samples. While our experiments with static honeypots show an average attacker engagement time of 102 seconds per instance, our SOAR Engine-based dynamic honeypots engage attackers on average 3148 seconds.

show abstract