Attacker group detection method based on HTTP payload analysis

Attacks on web applications are a frequent vector of attack information resources by attackers various skill levels. Such attacks can be investigated through analysis HTTP requests made the attackers. The possibility identifying groups based payload marked IDS as events has been studied. identification improves work security analysts investigating and responding to incidents, reduces impact alert fatigue in events, also helps patterns intruders. Identification within framework proposed method is performed sequence stages. At first stage, split into tokens regular expression features protocol that often encountered detected intrusion detection systems. Then weighted using TF-IDF method, which allows further give greater contribution when comparing coincidence rare words. next stage main core separated their distance from origin. Thus, not containing words, us talk about connectedness separated. Manhattan used determine distance. Finally, clustering carried out DBSCAN method. It shown request data identify An efficient tokenization, weighting considered proposed. use for homogeneity, completeness V-measure obtained methods CPTC-2018 dataset were evaluated. obtaining with high homogeneity sufficient completeness. combine resulting clusters other obtain metric while maintaining homogeneity. SOC, CERT CSIRT, both defending against intrusions including APT collecting attackers’ techniques tactics. makes it possible traces tools attackers, attribution attacks.