TY - JOUR
T1 - Graph-based forensic analysis of web honeypot
AU - Studiawan, Hudan
AU - Djanali, Supeno
AU - Pratomo, Baskoro Adi
N1 - Publisher Copyright:
© 2016, National Institute of Telecommunications. All rights reserved.
PY - 2016
Y1 - 2016
N2 - Honeypots still play an important role in network security, especially in analyzing attack types and defining attacker patterns. Previous research has mainly focused on detecting attack patterns, while categorization of attack type has not yet been comprehensively discussed. Nowadays, the web application is the most common and popular way for users to gather information, but it also invites attackers to assault the system. Therefore, deployment of a web honeypot is important and its forensic analysis is urgently required. In this paper, the authors propose attack type analysis from web honeypot logs for forensic purposes. Every log entry is represented as a vertex in a graph. Then a custom agglomerative clustering that categorizes attack types based on PHP-IDS rules is applied. A visualization of large graphs is also provided, since the actual logs contain tens of thousands of rows of records. The experimental results show that the proposed model can help forensic investigators examine a web honeypot log more precisely.
AB - Honeypots still play an important role in network security, especially in analyzing attack types and defining attacker patterns. Previous research has mainly focused on detecting attack patterns, while categorization of attack type has not yet been comprehensively discussed. Nowadays, the web application is the most common and popular way for users to gather information, but it also invites attackers to assault the system. Therefore, deployment of a web honeypot is important and its forensic analysis is urgently required. In this paper, the authors propose attack type analysis from web honeypot logs for forensic purposes. Every log entry is represented as a vertex in a graph. Then a custom agglomerative clustering that categorizes attack types based on PHP-IDS rules is applied. A visualization of large graphs is also provided, since the actual logs contain tens of thousands of rows of records. The experimental results show that the proposed model can help forensic investigators examine a web honeypot log more precisely.
KW - Access log
KW - Attack type
KW - Graph agglomerative clustering
KW - Visualization of large graphs
UR - http://www.scopus.com/inward/record.url?scp=84977125905&partnerID=8YFLogxK
M3 - Article
AN - SCOPUS:84977125905
SN - 1509-4553
VL - 2016
SP - 60
EP - 65
JO - Journal of Telecommunications and Information Technology
JF - Journal of Telecommunications and Information Technology
IS - 2
ER -