Visualizing web server attacks: patterns in PHPIDS logs
Published in: | Security and communication networks 2015-07, Vol.8 (11), p.1991-2003 |
---|---|
Format: | Article |
Language: | English |
Summary: | The prevalence and severity of application‐layer vulnerabilities dramatically increase their corresponding attacks. In this paper, we present an extension to PHPIDS, an open source intrusion detection and prevention system for PHP‐based web applications, to visualize its security log. Our usage of security data visualization is motivated by the fact that most security defense systems are mainly based on text‐based logs for recording security‐related events, which are difficult to analyze and correlate. The proposed extension analyzes PHPIDS logs, correlates these logs with the corresponding web server logs, and plots the security‐related events. We use a set of tightly coupled visual representations of hypertext transfer protocol server requests containing known and suspicious malicious content to provide system administrators and security analysts with fine‐grained visual‐based querying capabilities. We present multiple case studies to demonstrate the ability of our PHPIDS visualization extension to support security analysts with analytic reasoning and decision making in response to ongoing web server attacks. Experimenting with the proposed PHPIDS visualization extension on real‐world datasets shows promise for providing complementary information for effective situational awareness. Copyright © 2014 John Wiley & Sons, Ltd. This paper presents a visualization extension for PHPIDS that analyzes PHPIDS logs, correlates the logs with the corresponding web server logs, and plots the security‐related events. Our usage of security data visualization is motivated by the fact that most security defense systems are mainly based on text‐based logs for recording security‐related events, which are difficult to analyze and correlate. |
ISSN: | 1939-0114 1939-0122 |
DOI: | 10.1002/sec.1147 |