
Web security detection methods

Every website, irrespective of its popularity, gets attacked almost every day. A huge number of security bots constantly scan random websites, trying to find vulnerabilities that can be used for intrusion. Malefactors then use these vulnerabilities to manually hack the compromised website.

RST Cloud Website Security, Anomaly detection

The RST Cloud solution automatically parses the event logs from well-known web servers such as Apache, Nginx and IIS, processes them, looks for attacks and anomalies, and displays the results of the analysis in an interactive web interface. RST Cloud has patterns for more than 50 attack types, which rely on signature-based detection. In addition to attack signatures, the RST Cloud system uses Big Data-based machine learning mechanisms to detect behavioral anomalies in user requests. While analyzing request data, the system automatically builds a web application profile. After the profile is ready, the system analyzes each incoming request and assigns it an unexpectedness value. This value defines how much the current request differs from the requests the system “saw” at the learning stage.

Let us consider an example with a well-known security bot that looks for vulnerabilities in PHP websites and uses the “Morfeus Fucking Scanner” User-Agent. This bot often requests the /user/soapCaller.bs or /soapCaller.bs pages to check whether a particular set of vulnerabilities can be used. When it gets a return status of 200, it adds the website to its database for further analysis.

192.168.1.1 - - [23/Nov/2015:05:16:18 -0500] "GET /user/soapCaller.bs HTTP/1.1" 301 552 "-" "Morfeus Fucking Scanner"

Thus, if your website does not use PHP, such a request is obviously suspicious, and you can block it with a WAF (Web Application Firewall) rule or with the means provided by your web server. Otherwise, you have two options:

  1. Blocking
  2. Monitoring

The first option assumes that the bot’s actions need to be terminated as soon as possible. The second assumes that there is no immediate danger and that it is helpful to see what attacks will follow, because the malefactor’s further actions might help to find vulnerabilities in your application. It’s worth noting that websites are often hosted on third-party platforms (hosting, VPS, dedicated server, colocation), which might make installation and support of a WAF-class solution infeasible or impossible due to other circumstances. In this case RST Cloud can assist you in detecting the attack and its method of implementation, thus enabling you to take timely defensive action and eliminate possible risks to your business.
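For the monitoring option, the signature check described above can be run directly over a combined-format access log. The following is an added example, not RST Cloud's code: the function names, the severity labels and two of the three sample lines are assumptions made for illustration.

```python
import re

# Apache/Nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators from the article: the scanner's User-Agent and the page it probes.
UA_SIGNATURE = "morfeus"
PATH_SIGNATURE = re.compile(r"(^|/)soapCaller\.bs$", re.IGNORECASE)

def classify(line):
    """Return a finding dict for a probe of this kind, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not combined format; a real pipeline would count these
    path = m["path"].split("?", 1)[0]
    reasons = []
    if UA_SIGNATURE in m["ua"].lower():
        reasons.append("user-agent")
    if PATH_SIGNATURE.search(path):  # catches probes sent with a browser-like UA
        reasons.append("path")
    if not reasons:
        return None
    # Assumption: a 200 is the answer the bot is waiting for, so rank it higher.
    severity = "high" if m["status"] == "200" else "low"
    return {"ip": m["ip"], "path": path, "status": int(m["status"]),
            "reasons": reasons, "severity": severity}

def scan(lines):
    return [f for f in map(classify, lines) if f is not None]

SAMPLE_LOG = [
    # Line quoted in the article.
    '192.168.1.1 - - [23/Nov/2015:05:16:18 -0500] "GET /user/soapCaller.bs HTTP/1.1" 301 552 "-" "Morfeus Fucking Scanner"',
    # Constructed lines (documentation IP ranges).
    '198.51.100.7 - - [23/Nov/2015:05:17:02 -0500] "GET /soapCaller.bs HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Nov/2015:05:18:40 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the path as well as the User-Agent matters because the User-Agent header is set by the client and can be changed freely.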

If you are currently using a WAF-class solution, RST Cloud website security analytics will help you to make sure that your WAF is properly tuned and is preventing attacks effectively.

 



Posted on December 18, 2015 by Yury Sergeev