The Research On Mining Attack Sequence Pattern In Web Logs

In modern times,Web applications have penetrated into daily life gradually,and the interaction between human and Web applications are by Web servers.As a crucial part of Web Server,Web logs record information about client requests and the health of the server.Logs contain the traversal sequence of malicious users while record normal users operation.Making full use of Web logs contributes to learning the operation of the website on an operating basis.Furthermore,it can help webmaster to detect hacking and protect website at a security level by analysing the operation of the malicious users.However,regular methods to analyse on Web logs have a tendency to mining the need of ordinary users,improve users experience or improve the Website structure,rather than finding attack behavior by mining attack records from Web logs in security.We intend to explore a method to mining the attack records in Web logs,and makes it more convenient for the site administrator to find the attacking path and vulnerable place in the Website.In this paper,a method of mining attack frequent sequence from Web logs is presented.We use the improved PrefixSpan algorithm to mining the attack frequent sequence,and show the graphic result of attack sequential pattern to users.The results can serve idea to strengthen Website,and it may discover the potential vulnerabilities.Even more,it can prevent attackers' further damage to Websites.And the main process are as following,in data collecting stage,we collect the raw access logs and Web pages information.More than that,gathering the structure of the log and payloads for each vulnerability.Then preprocessing logs according to payloads file to get the attack sequence database.And preprocessing is consisted of following steps:matching attack signature,clean the URL,user identification,distinguish between malicious users and vulnerability scanners,session identification.The algorithm of improved PrefixSpan algorithm is implement to mining attack frequent sequence patterns from the malicious users' sequence database and vulnerability scanners sequence database separately.Lastly,visualizing attack sequence be realized by the graphical language,before that analysis the patterns generated in the mining stage.According to the steps above,this paper improve the algorithm of PrefixSpan,and realize the system by Java.Results obtained from experiments on real Web logs in server demonstrate that our method achieve the goal of attacker sequential patterns mining,and generate the visual graphics.