Flow-Based Web Application Brute-Force Attack and Compromise Detection

Rick Hofstede, Mattijs Jonker, Anna Sperotto, Aiko Pras (Corresponding Author)

    Research output: Contribution to journalArticleAcademicpeer-review

    17 Citations (Scopus)
    58 Downloads (Pure)


    In the early days of network and service management, researchers paid much attention to the design of management frameworks and protocols. Since then the focus of research has shifted from the development of management technologies towards the analysis of management data. From the five FCAPS areas, security of networks and services has become a key challenge. For example, brute-force attacks against Web applications, and compromises resulting thereof, are widespread. Talks with several Top-10 Web hosting companies in the Netherlands reflect that detection of these attacks is often done based on log file analysis on servers, or by deploying host-based intrusion detection systems (IDSs) and firewalls. However, such host-based solutions have several problems. In this paper we therefore investigate the feasibility of a network-based monitoring approach, which detects brute-force attacks against and compromises of Web applications, even in encrypted environments. Our approach is based on per-connection histograms of packet payload sizes in flow data that are exported using IPFIX. We validate our approach using datasets collected in the production network of a large Web hoster in the Netherlands.
    Original languageEnglish
    Pages (from-to)735-758
    Number of pages24
    JournalJournal of network and systems management
    Issue number4
    Publication statusPublished - 2017


    Dive into the research topics of 'Flow-Based Web Application Brute-Force Attack and Compromise Detection'. Together they form a unique fingerprint.

    Cite this