Empirical Analysis of Attackers Activity on Multi-tier Web Systems

“…Facing the lack of publicly available, recent data on malicious attacker activities, we developed and deployed highinteraction honeypots as a means to collect such data [10], [11]. These honeypots ran off-the shelf operating systems and applications that followed typical security guidelines and did not include user accounts with nil or weak passwords.…”

“…Instead of phpMyAdmin, two Web 2.0 applications were installed: the most widely used wiki software MediaWiki (version 1.9.0), which is used as an application base for Wikipedia, and the most downloaded open source blogging software Wordpress (version 2.1.1). From the honeypot with this configuration, we collected two data sets: Web sessions, each defined as a sequence of requests from the same source IP address to port 80, with a time between two successive request not exceeding a threshold of thirty minutes [10], [11], were extracted automatically from the logs of the front-end Web servers (i.e., Apache and ISS). Since honeypots could not be accessed directly by human users because of the 'transparent linking' approach used for advertising, the only non-malicious sessions in the logs consisted of system management traffic generated by our team and legitimate Web crawlers such as Google and MSNbot.…”

“…Two of the four datasets considered in this paper were used in our previous work [10], [11] which was focused on descriptive analysis of different types of attacks and vulnerability scans and inferential statistical analysis of characteristics of malicious TCP [10] and HTTP traffic [11]. Neither [10] nor [11] included classification of malicious traffic using machine learning methods.…”

“…Our honeypots were configured in a three-tier architecture (consisting of a front-end Web server, application server, and a backend database) and had meaningful functionality [10], [11]. Furthermore, they ran standard off-the-shelf operating system and applications which followed typical security guidelines and did not include user accounts with nil or weak passwords.…”

“…Neither [10] nor [11] included classification of malicious traffic using machine learning methods. The two additional datasets were collected since the publication of [10], [11].…”

Classification of Malicious Web Sessions

“…Facing the lack of publicly available, recent data on malicious attacker activities, we developed and deployed highinteraction honeypots as a means to collect such data [10], [11]. These honeypots ran off-the shelf operating systems and applications that followed typical security guidelines and did not include user accounts with nil or weak passwords.…”

“…Instead of phpMyAdmin, two Web 2.0 applications were installed: the most widely used wiki software MediaWiki (version 1.9.0), which is used as an application base for Wikipedia, and the most downloaded open source blogging software Wordpress (version 2.1.1). From the honeypot with this configuration, we collected two data sets: Web sessions, each defined as a sequence of requests from the same source IP address to port 80, with a time between two successive request not exceeding a threshold of thirty minutes [10], [11], were extracted automatically from the logs of the front-end Web servers (i.e., Apache and ISS). Since honeypots could not be accessed directly by human users because of the 'transparent linking' approach used for advertising, the only non-malicious sessions in the logs consisted of system management traffic generated by our team and legitimate Web crawlers such as Google and MSNbot.…”

“…Two of the four datasets considered in this paper were used in our previous work [10], [11] which was focused on descriptive analysis of different types of attacks and vulnerability scans and inferential statistical analysis of characteristics of malicious TCP [10] and HTTP traffic [11]. Neither [10] nor [11] included classification of malicious traffic using machine learning methods.…”

“…Our honeypots were configured in a three-tier architecture (consisting of a front-end Web server, application server, and a backend database) and had meaningful functionality [10], [11]. Furthermore, they ran standard off-the-shelf operating system and applications which followed typical security guidelines and did not include user accounts with nil or weak passwords.…”

“…Neither [10] nor [11] included classification of malicious traffic using machine learning methods. The two additional datasets were collected since the publication of [10], [11].…”

Classification of Malicious Web Sessions

An Analysis of Open Ports and Port Pairs in EC2 Instances

Internet-Wide Scanner Fingerprint Identifier Based on TCP/IP Header