Predicting Cybersecurity Attacks Using Compound Analysis with Classification Algorithms

Table of content

  1. Abstract
  2. Introduction
  3. Problem Statement
  4. Aim and Objectives
  5. Related works
  6. Methodology
  7. Experiment Setup and Implementation
  8. Results and Analysis
  9. Conclusion
  10. Publications
  11. Links

Abstract

The increasing sophistication of cyber threats targeting web applications poses significant challenges for traditional security mechanisms. Identifying the vulnerable components of a web application during a cyber attack is crucial for mitigating security risks and enhancing system resilience. Attackers exploit weaknesses in web applications and APIs, often bypassing conventional security defenses.

In this work, we propose a framework to detect and analyze vulnerable components by correlating system logs and access logs with identified cyber attacks. First, network traffic is classified to distinguish between normal requests and attack patterns. If an attack is detected, the corresponding application logs are retrieved based on the time interval of the attack. By analyzing these logs, we determine which application function, service, or module is susceptible to exploitation.

The framework employs a three-stage classification approach. Initially, supervised classifiers are used to identify known attack patterns. Next, an anomaly detection model, specifically a One-Class SVM, classifies previously unseen or anomalous traffic. Finally, a root cause analysis component processes application logs within the detected attack timeframe to accurately determine the vulnerable component.

Designed for seamless integration into existing security infrastructures, such as web application firewalls (WAFs) and API gateways, the proposed framework operates efficiently without disrupting normal workflows. Performance evaluation is conducted based on detection accuracy, computational efficiency, and adaptability to evolving cyber threats. This approach enhances application-layer security by providing actionable insights into vulnerable components, aiding in proactive threat mitigation during software development and deployment.

Keywords: Cyber Attacks, Web Application Firewalls, Compound Prediction, Neural Networks, Network Security Situation.

Introduction

Background

The rapid digital transformation has led to a significant increase in cyber threats, particularly at the application layer, where web applications and microservices are prime targets for attackers. Traditional Intrusion Detection Systems (IDS) and Web Application Firewalls (WAFs) primarily rely on rule-based or signature-based mechanisms to detect malicious activities. However, these approaches struggle against modern cyber threats, such as zero-day attacks and sophisticated obfuscation techniques, which bypass conventional security measures.

Research Motivation

The motivation for this research stems from the need for an advanced intrusion detection approach that addresses the limitations of current IDS solutions. The proposed framework integrates multiple detection techniques into a structured, hierarchical architecture, enhancing scalability, accuracy, and adaptability to diverse and evolving cyber threats.

Key Challenges Addressed

Problem Statement

Modern cyber threats increasingly target the application layer of web infrastructures, exploiting vulnerabilities in web applications and APIs while bypassing traditional security measures. A major limitation of current security solutions is their inability to correlate attack indicators across multiple layers, including system logs, application logs, and network activity.

The primary objective of this research is to develop a hierarchical, multi-stage intrusion detection framework that not only detects cyberattacks but also identifies the specific vulnerable component of the application during an attack.

Aim and Objectives

Aim

To design, implement, and evaluate a hierarchical, multistage detection system capable of identifying both known and unknown web application attacks as well as the application component which is vulnerable during the cyber attacks with high accuracy, scalability, and adaptability, thereby enhancing overall application-layer security.

Objectives

  1. To design and develop a hierarchical, multi-stage algorithmic framework
  2. To define measurable security metrics, including classification accuracy, detection precision, computational efficiency, and adaptability
  3. To explore several algorithmic approaches within the hierarchical framework, combining neural networks with ensemble-based machine learning techniques
  4. To design scalable algorithms capable of adapting to future application-layer attack innovations and network expansions
  5. To investigate practical techniques for integrating the proposed framework into real-world application-layer security systems

Key Research Areas

Methodology

Overview

Our hierarchical, multistage approach combines:

  1. Supervised Classification for known threats
  2. Anomaly Detection for suspicious, potentially unknown attacks
  3. Root Cause Analysis for identifying the specific vulnerable application component using log correlation

Data Collection

Data Collection Flow

  1. Setup Vulnerable Server Environment
    • Deploy intentionally vulnerable web applications (DVWA, OWASP Juice Shop, WebGoat)
    • Host on virtual machines or Docker containers
    • Install logging/monitoring tools
  2. Traffic Generation and Labelling
    • Normal traffic: Selenium, JMeter, or Locust for user behavior simulation
    • Attack traffic: OWASP ZAP, Burp Suite for known vulnerabilities
    • Custom scripts for additional malicious payloads
  3. Log Collection and Correlation
    • Web application logs using security tools
    • Database logs (MySQL, MongoDB, PostgreSQL)
    • Centralized logging with ELK Stack or Splunk

Model Development

  1. Supervised Classifier: Logistic Regression, Random Forest, Gradient Boosting, or Neural Networks
  2. Anomaly Detector: One-Class SVM, Isolation Forest, or Autoencoder-based approaches
  3. Vulnerability Identification Component: Correlation analysis to identify vulnerable components

Detection Pipeline

Hybrid Pipeline & Component Identifier

The hierarchical detection pipeline includes:

Experiment Setup and Implementation

Environment Setup

Evaluation Metrics

Experimental Scenarios

  1. Known attacks evaluation
  2. Unknown or mutated attacks testing
  3. Unknown normal cases assessment
  4. Adaptive attack resistance testing

Results and Analysis

[To be updated as the project progresses]

Conclusion

This research proposes a hierarchical, multistage intrusion detection framework focused on application-layer threats. By combining supervised classification for known malicious patterns with anomaly detection for novel exploits, the proposed system aims to improve:

The framework integrates seamlessly into existing WAFs and API gateways, minimizing overhead while maximizing security benefits for web applications and APIs.

Publications

Timeline

Research Timeline

Key milestones include:

Team

Supervisors