Ahmad Zaenal Awaludin LOG ANALYTICS SYSTEM FOR WEB ATTACK DETECTION
By
Ahmad Zaenal Awaludin
MASTER’S DEGREE in
MASTER OF INFORMATION TECHNOLOGY FACULTY OF ENGINEERING
SWISS GERMAN UNIVERSITY The Prominence Tower
Jalan Jalur Sutera Barat No. 15, Alam Sutera Tangerang, Banten 15143 - Indonesia
June 2021
Revision after Thesis Defense on 15 July 2021
STATEMENT BY THE AUTHOR
I hereby declare that this submission is my own work and to the best of my knowledge, it contains no material previously published or written by another person, nor material which to a substantial extent has been accepted for the award of any other degree or diploma at any educational institution, except where due acknowledgement is made in the thesis.
AHMAD ZAENAL AWALUDIN
_____________________________________________
Student Date
Approved by:
Dr. Charles Lim, BSc, M.Sc
_____________________________________________
Thesis Advisor Date
Kalpin Erlangga Silaen, S.Si, M.Kom
_____________________________________________
Thesis Co-Advisor Date
Dr. Maulahikmah Galinium, S.Kom., M.Sc
_____________________________________________
Dean Date
ABSTRACT
LOG ANALYTICS SYSTEM FOR WEB ATTACK DETECTION
By
Ahmad Zaenal Awaludin
Mr. Dr. Charles Lim, BSc, M.Sc, Advisor
Mr. Kalpin Erlangga Silaen, S.Si, M.Kom, Co-Advisor
SWISS GERMAN UNIVERSITY
In this era of digitalization, activities such as studying, shopping and communication are carried out online, and one of the main media for them is the website. Websites are highly exposed to attacks from various groups, whose motives range from revenge to politics to a simple show of skill. Behind the ease of access to information on the internet today lies a constant danger: attacks of many kinds that probe the system in use for weaknesses. Such attacks can result in data corruption, data loss and misuse of data. Many web application firewall (WAF) products exist to protect web applications from attacks, but some attacks still pass through the WAF, so damage to web applications still occurs frequently. For that reason, this study analyses several kinds of logs, namely WAF logs, web server logs, network logs and firewall logs, to detect threats or attacks on a web application.
Keywords: Web Attack Detection, Log Analysis, Web Attack Prevention, SQL Injection Detection, XSS Attack Detection, Web Application Firewall
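The log-based detection the abstract describes, as an added example that is not part of the thesis: a small Python signature matcher over constructed web server log lines (Apache combined format) that flags SQL injection, XSS and file-inclusion patterns in each request and counts hits per source address, the kind of "suspicious number of requests" view a dashboard would show. The sample log lines, the pattern sets and every function name here are my own assumptions, not the thesis's pattern libraries or code; the FLI label follows the thesis's figure list and is taken here to mean file inclusion.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not taken from the thesis).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2021:10:01:12 +0700] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2021:10:01:15 +0700] "GET /product.php?id=1%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 844 "-" "sqlmap/1.5"
198.51.100.23 - - [10/Jun/2021:10:01:20 +0700] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 611 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2021:10:01:22 +0700] "GET /product.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 500 0 "-" "sqlmap/1.5"
192.0.2.44 - - [10/Jun/2021:10:01:30 +0700] "GET /page.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "curl/7.68"
"""

# Combined log format: ip ident user [time] "method path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed signature library (hypothetical; the thesis has its own pattern libraries).
# Each entry is a label and a regular expression applied to the decoded request path.
SIGNATURES = {
    "SQLI": re.compile(
        r"(?i)(union\s+(all\s+)?select|\bor\s+\d+\s*=\s*\d+|sleep\s*\(|benchmark\s*\(|--\s*$|'\s*or\s*')"
    ),
    "XSS": re.compile(r"(?i)(<\s*script|javascript\s*:|\bon\w+\s*=)"),
    "FLI": re.compile(r"(\.\./){2,}|/etc/passwd|php://"),
}


def normalize(path, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing.

    A single decode misses double-encoded payloads (%2527 -> %27 -> '), which is
    one of the normalization gaps a signature engine has to close.
    """
    for _ in range(max_rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Return the labels of every signature that matches the normalized path."""
    decoded = normalize(path)
    return [label for label, rx in SIGNATURES.items() if rx.search(decoded)]


def analyze_log(text):
    """Run every parsable line through the signatures; keep only lines that hit."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # malformed line: skipped here, would be counted in production
        attacks = classify_request(fields["path"])
        if attacks:
            findings.append({
                "ip": fields["ip"],
                "time": fields["time"],
                "path": normalize(fields["path"]),
                "status": int(fields["status"]),
                "attacks": attacks,
            })
    return findings


def suspicious_sources(findings, threshold=2):
    """Source addresses with at least `threshold` flagged requests (a simple volume anomaly)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], ",".join(h["attacks"]), h["path"])
    print("repeat offenders:", suspicious_sources(hits))
```

The matcher decodes before matching because the thesis's figure list records WAF bypasses via normalization, parameter fragmentation and case changing; the `(?i)` flag and repeated decoding close two of those gaps, while fragmentation across several parameters would need the query string parsed and each value checked separately, which this block leaves out.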
© Copyright 2021 by Ahmad Zaenal Awaludin
All rights reserved
DEDICATION
I dedicate this work to my parents, my lovely wife, my son, my organization and my country, Indonesia.
ACKNOWLEDGEMENTS
Thanks to Allah SWT, for giving grace, guidance, permission and help so that I could finish this thesis.
Thanks to my parents, who always support me, and not forgetting thanks to my wife and my son for their support, patience and understanding throughout the writing of this thesis.
Thanks to my advisor, Mr. Dr. Charles Lim, BSc, M.Sc, and co-advisor, Mr. Kalpin Erlangga Silaen, S.Si, M.Kom, for all their advice, insights and ideas.
Thanks to Mr. Andrie Yuswanto, S.Kom, M.T for all his trust and support in me to be able to continue the master's degree at Swiss German University.
Thank you to Mr. Dr. Eka Budiarto, S.T, M.Sc as the Head of MIT SGU, who guided and motivated us while studying at SGU.
Thank you to Mr. Dr. Ir. Amin Soetomo, M.Sc, who gave a lot of insight into knowledge in terms of cybersecurity governance.
Thank you to all the lecturers and all staff of Swiss German University, who were very patient in guiding us and providing explanations during our study.
Thanks to my friends of MIT Swiss German University batch 26 for their solidarity.
TABLE OF CONTENTS
STATEMENT BY THE AUTHOR
ABSTRACT
DEDICATION
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
CHAPTER 1 - INTRODUCTION
1.1. Background
1.2. Research Problem
1.3. Research Objective
1.4. Research Question
1.5. Significance of The Study
1.6. Hypothesis
1.7. Scope and Limitation of Study
1.8. Thesis Structure
CHAPTER 2 – LITERATURE REVIEW
2.1. Protocol
2.1.1. HTTP
2.1.2. HTTPS
2.2. Log Files
2.2.1. Log Overview
2.2.2. Log Collection
2.2.3. Log Visualization
2.2.4. Log Analysis
2.3. Web Application
2.4. Web Application Vulnerability
2.5. Web Attack
2.5.1. Common Web Attack
2.5.2. WAF
2.6. Web Attack Detection
2.6.1. Signature-Based Attack Detection
2.6.2. Anomaly Attack Detection
2.7. Related Work
CHAPTER 3 – RESEARCH METHOD
3.1. Research and Methodology
3.2. System Architecture
3.3. Research Methodology Framework
3.3.1. Data Source
3.3.2. Data Preparation
3.3.3. Data Preparation
3.3.4. Data Analysis
3.3.5. Evaluation
3.3.6. Validation
3.3.7. Deployment
CHAPTER 4 – RESULTS AND DISCUSSION
4.1. Experiment Setup
4.1.1. Hardware Setup
4.1.2. Software Setup
4.2. Experiment Results
4.3. Evaluation
4.3.1. Pattern Matching
4.3.2. Anomaly
4.4. Validation
4.4.1. Pattern Matching
4.4.2. Anomaly
4.5. Deployment
CHAPTER 5 – CONCLUSIONS AND RECOMMENDATIONS
5.1. Conclusion
5.2. Recommendation
5.3. Future Work
GLOSSARY
REFERENCES
CURRICULUM VITAE
LIST OF FIGURES
Figure 1.1 Web Application Attack Statistic (ENISA Threat Landscape 2020 - Web application attacks)
Figure 1.2 Attack method used in 2018 (Cybersecurity threatscape 2018)
Figure 1.3 Web Defacement Statistic (LAPORAN HASIL MONITORING KEAMANAN SIBER TAHUN 2020.pdf)
Figure 2.2 Web Application Architecture Diagram (Iryna Deremuk, 2021)
Figure 2.3 Vulnerabilities Year by Year (Acunetix Web Application Vulnerability Report 2020)
Figure 2.4 Top 5 Attacks by Type (Web Attack Visualization | Akamai)
Figure 2.5 Taxonomy of the latest academic research on anomaly detection methods for web attacks and HTTP attacks (Dong et al., 2018)
Figure 3.1 Research Method Diagram
Figure 3.2 System Architecture
Figure 3.3 Web Attack Detection Research Framework
Table 4.3 Data Source
Figure 4.1 Log WAF
Figure 4.2 Log Web Server
Figure 4.3 Log Firewall
Figure 4.4 Log Visualization
Figure 4.6 SQLI Pattern Library
Figure 4.7 XSS Pattern Library
Figure 4.8 FLI Pattern Library
Figure 4.9 SQLI Match Pattern
Figure 4.10 Attack Detection Dashboard
Figure 4.11 SQL Injection Command 1
Figure 4.12 SQL Injection Command 2
Figure 4.13 IP Source
Figure 4.14 IP Source
Figure 4.15 Result From Crawling URL
Figure 4.16 Logstash Config
Figure 4.17 Sanitization
Figure 4.18 Training Model
Figure 4.18 Dashboard Correlation
Figure 4.19 Anomaly Request
Table 4.4 Type of SQL Injection Attack
Figure 4.20 UNION Query Based SQLIA
Figure 4.21 Time-Based Blind SQLI
Figure 4.22 Error Based SQLIA
Figure 4.23 Suspicious Number of Requests
Figure 4.24 Anomaly Analysis
Figure 4.25 Anomaly Analysis
Figure 4.26 Anomaly Analysis
Figure 4.27 Bypass WAF With Normalization Method
Figure 4.28 Bypass WAF With Parameter Pollution
Figure 4.29 Bypass WAF With Parameter Fragmentation
Figure 4.30 Bypass WAF With Logical Request
Figure 4.32 Bypass WAF With Command
Figure 4.33 Bypass WAF With String
Figure 4.34 Bypass WAF With Case Changing
Figure 4.35 Command SQLI From Attacker
Figure 4.36 Command SQLI From Attacker
LIST OF TABLES
Table 2.1 Related Works Summary
Table 4.1 Hardware Setup
Table 4.2 Software Setup
Table 4.3 Data Source
Table 4.4 Type of SQL Injection Attack