Abstract
In this article, we propose a web back-end database leakage incident reconstruction framework (WeB-DLIR) over unlabeled logs, designed to improve the intelligence and automation of reconstructing web back-end database leakage incidents triggered by web-based attacks in unannotated logging environments. Using WeB-DLIR, analysts can reduce the manual workload of tracing and responding to data leakage incidents. Specifically, we first design web front-end and back-end anomaly identification methods based on neural network models with a pruning strategy and fine-grained grouping clustering analysis, respectively, for completely identifying web-related abnormal events in unlabeled logs. To remove redundant abnormal events and reduce subsequent inspection work for false alarm cases, we then propose an anomaly detection result decision fusion method (DFADR). Moreover, to visualize the attack chain reflected by abnormal events, based on the decision fusion results, we propose an attack graph modeling method that can reflect the basic process of data leakage from multiple perspectives. Finally, based on the modeling results, the topology of the data leakage scenario reconstruction can be completed by further auditing the relevant logs. Experimental results using real-world datasets show that the proposed WeB-DLIR is efficient and feasible for practical applications.