PWAGAT: Potential Web attacker detection based on graph attention network

Abstract

Attacker probing behavior detection is a notch in the current security defense system. Most cyber-attack detection research focuses on real-time payload interception and attack source tracing. However, the defense system cannot predict the attack behavior before the attack launches and cannot provide sufficient reaction and preparation time for the network administrators. Therefore, the current security system urgently needs to be improved by detecting cyber-attack precursors. We propose a potential Web attacker identification method based on a graph attention network (PWAGAT) by studying the features of the attacker’s behavior pattern before launching a Web attack. The core of PWAGAT is to identify the probing behavior of attackers and find those suspicious users with a high probability of carrying out Web attacks. The PWAGAT trains the embedding learning representation of each behavioral node from the Web attack behavior graph (WABG) through GAT and then uses the deep forest algorithm to train a classification model that recognizes probing behaviors. On the WAB-dataset provided by the Institute of Information Security of Sichuan University, the experiment proved that PWAGAT performed better than other graph learning methods in performing node embedding and classification of hacking behaviors. The results showed that identifying hacker probing behavior could help discover potential Web attackers, alerting defenders to assist in subsequent attack detection.