
Automatic Web-Log Filtering Mechanism for Web Attack Digital Forensics

Chinyang Henry Tseng, Chun-Wei Lai, Tong-Ying Juang

Abstract


The demands of digital forensics have increased significantly due to the rising number and seriousness of web attacks. Since most digital forensic tasks against web attacks are still manually controlled, the processes of digital forensic tasks are very inefficient and prone to error, especially in cases in which the size of the web server logs experiencing the web attacks is large. In order to acquire evidence of the web attack crime in the web logs efficiently, an automatic mechanism for processing these web logs is urgently needed. To achieve this, an automatic web-log filtering mechanism for web attack digital forensics is presented in this paper. This mechanism can filter out the most valuable web logs as evidence of the web attack and indicate those highly suspicious web events and users involved in the web attack. The proposed mechanism consists of four components: (1) web attack detection, (2) scanning behavior detection, (3) web-shell detection, and (4) user rating. These components can automatically identify web attack events and corresponding users from the web logs based on scores given by each component. To evaluate the effectiveness of this mechanism, an experiment is conducted regarding a web attack event at the Nokia Taiwan website. Based on the scores of the web logs, the experimental results successfully identify the web attack traces, which exactly match the manual security report from a security expert. The proposed mechanism is shown to automatically generate the most valuable evidence from web logs and assist criminal investigators in identifying web attack traces in an accurate and cost-effective manner.

Keywords


Web log; Web attack; Digital forensics

Citation Format:
Chinyang Henry Tseng, Chun-Wei Lai, Tong-Ying Juang, "Automatic Web-Log Filtering Mechanism for Web Attack Digital Forensics," Journal of Internet Technology, vol. 18, no. 6, pp. 1451-1459, Nov. 2017.






Published by Executive Committee, Taiwan Academic Network, Ministry of Education, Taipei, Taiwan, R.O.C
JIT Editorial Office, Office of Library and Information Services, National Dong Hwa University
No. 1, Sec. 2, Da Hsueh Rd., Shoufeng, Hualien 974301, Taiwan, R.O.C.
Tel: +886-3-931-7314  E-mail: jit.editorial@gmail.com