Multi-Dimensional Cyber Threat Profiling Using System and Web Logs for Regional, Behavioural, and Risk-Based Attack Analysis

8 Jul

Authors: Ms. Tejaswini Vikas Patil, Professor Dr. R. N. Patil

Abstract: Cybersecurity monitoring is essential for protecting digital systems from web-based attacks, unauthorized access, and suspicious user activity. Traditional log monitoring usually focuses on individual events and does not provide a complete view of attacker behaviour, geographical origin, risk severity, and response requirements. This paper presents a real-time multi-dimensional cyber threat profiling system that analyses system and web logs for regional, behavioural, and risk-based attack analysis. The developed system uses Logstash for real-time log ingestion and processing, OpenSearch for storing processed security events, and OpenSearch Dashboards for visualization. The system processes simulated JSON security events, Apache web server access logs, and SSH authentication logs. It detects attack categories such as brute-force login attempts, SQL injection, cross-site scripting, directory traversal, web scanning, restricted resource access, insider suspicious access, and normal user activity. GeoIP enrichment is used for regional analysis, while a rule-based threat scoring model classifies each event as Low Risk, Medium Risk, or High Risk. High-risk events are stored in a dedicated alert index, and severe events generate response recommendations such as temporary IP blocking with pending analyst review. The implementation demonstrates real-time log ingestion, attack classification, threat scoring, risk classification, alert generation, and dashboard-based threat visualization.