Real-Time Reconnaissance Detection for Web Applications

University of Applied Sciences Upper Austria, 2020

Computer networks play an important role in many areas of life, which makes them attractive targets for hackers. This work explores a potential approach to detect cyberattacks at an early stage, i.e. to identify whether a client interacting with a single monitored system is adversarial or not. In order to provide actionable events, the implemented system works in real-time. Since security analysts have to analyze security alerts, this work focuses on detecting reconnaissance attempts with high accuracy while keeping the number of false alarms to a minimum. For this, a hybrid approach combining a specification-based classification and an anomaly detection system was implemented. A binary classifier is trained to use user-defined functions to determine whether a received message is malicious or not. In parallel, an anomaly detection approach is used to detect novel attack techniques. For the reliable identification of malicious clients, a Bayesian approach is used which forms and maintains a belief about each client. Every probabilistic prediction made by either model is used as evidence to update the belief about the respective client. Along with the prediction, the importance of the features used for the prediction is stored. The proposed system is designed to provide analysts with useful explanations and information about the raised alarms in order to facilitate the assessment of incidents.
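The per-client belief update described above, as an added illustration that is not code from the thesis: each model's probability for a message is treated as evidence and fused into a log-odds belief that the client is adversarial, and the feature importances stored with each prediction are aggregated into an explanation for the alert. The model names, the feature names, the base rate the models are assumed to be calibrated against, and the sample predictions are all constructed for this example.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EPS = 1e-6  # keeps logit() finite for probabilities of exactly 0 or 1


def logit(p: float) -> float:
    p = min(max(p, EPS), 1 - EPS)
    return math.log(p / (1 - p))


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


@dataclass
class Evidence:
    """One probabilistic prediction for one message, plus the feature importances behind it."""
    model: str                          # e.g. "classifier" or "anomaly" (names are assumptions)
    p_malicious: float                  # model's probability that the message is malicious
    feature_importance: Dict[str, float]


@dataclass
class ClientBelief:
    """Bayesian belief that a single client is adversarial, updated message by message."""
    prior: float = 0.05        # prior probability that an arbitrary client is adversarial
    base_rate: float = 0.05    # base rate the models were calibrated against (assumption)
    log_odds: float = field(init=False)
    evidence: List[Evidence] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.log_odds = logit(self.prior)

    def _llr(self, ev: Evidence) -> float:
        # Bayes factor of the model's posterior relative to its base rate: a prediction
        # equal to the base rate carries no information, a higher one raises the belief.
        return logit(ev.p_malicious) - logit(self.base_rate)

    def update(self, ev: Evidence) -> float:
        # Assumes predictions are conditionally independent given the client's class.
        self.log_odds += self._llr(ev)
        self.evidence.append(ev)
        return self.belief()

    def belief(self) -> float:
        return sigmoid(self.log_odds)

    def explanation(self, top_k: int = 3) -> List[Tuple[str, float]]:
        """Features that contributed most to the incriminating evidence, for the analyst."""
        totals: Dict[str, float] = {}
        for ev in self.evidence:
            llr = self._llr(ev)
            if llr <= 0:          # only evidence pointing towards "adversarial" counts
                continue
            for feat, imp in ev.feature_importance.items():
                totals[feat] = totals.get(feat, 0.0) + llr * imp
        return sorted(totals.items(), key=lambda kv: -kv[1])[:top_k]


class BeliefTracker:
    """Keeps one ClientBelief per client and raises an alert once a threshold is crossed."""

    def __init__(self, alert_threshold: float = 0.9, prior: float = 0.05, base_rate: float = 0.05):
        self.alert_threshold = alert_threshold
        self.prior, self.base_rate = prior, base_rate
        self.clients: Dict[str, ClientBelief] = {}

    def observe(self, client_id: str, ev: Evidence) -> bool:
        cb = self.clients.setdefault(client_id, ClientBelief(self.prior, self.base_rate))
        return cb.update(ev) >= self.alert_threshold


def run_demo() -> Dict[str, float]:
    """Constructed stream: one client probing paths, one client behaving normally."""
    tracker = BeliefTracker(alert_threshold=0.9)
    stream = [
        ("10.0.0.7", Evidence("classifier", 0.50, {"path_entropy": 0.7, "status_404_ratio": 0.3})),
        ("10.0.0.9", Evidence("classifier", 0.05, {"path_entropy": 0.5, "request_rate": 0.5})),
        ("10.0.0.7", Evidence("anomaly", 0.50, {"path_entropy": 0.2, "request_rate": 0.8})),
        ("10.0.0.9", Evidence("anomaly", 0.05, {"request_rate": 1.0})),
    ]
    for client, ev in stream:
        if tracker.observe(client, ev):
            print(f"ALERT {client}: belief={tracker.clients[client].belief():.3f} "
                  f"top features={tracker.clients[client].explanation()}")
    return {c: cb.belief() for c, cb in tracker.clients.items()}


if __name__ == "__main__":
    print(run_demo())
```

With the default prior and base rate of 0.05, a prediction of 0.5 is a Bayes factor of 19, so two such predictions take a client from a 5% to a 95% belief, while predictions at the base rate leave the belief untouched; the threshold and base rate are the knobs an operator would tune against the false-alarm budget.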