Discovering abnormal behaviors via HTTP header fields measurement. (2nd August 2016)
- Record Type:
- Journal Article
- Title:
- Discovering abnormal behaviors via HTTP header fields measurement. (2nd August 2016)
- Main Title:
- Discovering abnormal behaviors via HTTP header fields measurement
- Authors:
- Gou, Gaopeng
Bai, Quan
Xiong, Gang
Li, Zhenzhen - Other Names:
- Li Gang guestEditor.
Niu Wenjia guestEditor.
Batten Lynn guestEditor.
Liu Jiqiang guestEditor.
Li Kenli guestEditor.
Wang Lipo guestEditor.
Liu Yong guestEditor. - Abstract:
- Summary: In recent years, more and more intrusion detection systems and firewalls have been used to detect and block malicious applications or unknown protocols in order to enhance the security of systems. Therefore, some malicious applications begin to shape themselves as common ones to escape malicious protocol detection. Being an important protocol for many Internet services, hypertext transfer protocol (HTTP) is responsible for nearly 10% of the traffic volume on the Internet. Therefore, many malicious applications pretend their traffic to be HTTP protocol to go into hiding their malicious behaviors. In the paper, we study the problem of discovering these abnormal behaviors in HTTP protocol traffic. We find that the characteristics of many abnormal behaviors are performed in the header fields of their shaping HTTP such as Tor and malicious web crawlers, and the information of HTTP header fields of HTTP traffic generated by normal application is also discussed. And then, a method based on the measurement of HTTP header fields proposed three patterns that make them specific to detect abnormal behaviors of shaping HTTP protocol. The experimental results indicate that the proposed method is effective for abnormal behaviors by shaping to be HTTP on large‐scale traffic of one Internet service provider. The experimental results also show that the proposed method could be extended to large‐scale and high‐speed network environment for detecting abnormal behaviors of shaping HTTPSummary: In recent years, more and more intrusion detection systems and firewalls have been used to detect and block malicious applications or unknown protocols in order to enhance the security of systems. Therefore, some malicious applications begin to shape themselves as common ones to escape malicious protocol detection. Being an important protocol for many Internet services, hypertext transfer protocol (HTTP) is responsible for nearly 10% of the traffic volume on the Internet. Therefore, many malicious applications pretend their traffic to be HTTP protocol to go into hiding their malicious behaviors. In the paper, we study the problem of discovering these abnormal behaviors in HTTP protocol traffic. We find that the characteristics of many abnormal behaviors are performed in the header fields of their shaping HTTP such as Tor and malicious web crawlers, and the information of HTTP header fields of HTTP traffic generated by normal application is also discussed. And then, a method based on the measurement of HTTP header fields proposed three patterns that make them specific to detect abnormal behaviors of shaping HTTP protocol. The experimental results indicate that the proposed method is effective for abnormal behaviors by shaping to be HTTP on large‐scale traffic of one Internet service provider. The experimental results also show that the proposed method could be extended to large‐scale and high‐speed network environment for detecting abnormal behaviors of shaping HTTP protocol. Copyright © 2016 John Wiley & Sons, Ltd. … (more)
- Is Part Of:
- Concurrency and computation. Volume 29:Number 20(2017)
- Journal:
- Concurrency and computation
- Issue:
- Volume 29:Number 20(2017)
- Issue Display:
- Volume 29, Issue 20 (2017)
- Year:
- 2017
- Volume:
- 29
- Issue:
- 20
- Issue Sort Value:
- 2017-0029-0020-0000
- Page Start:
- n/a
- Page End:
- n/a
- Publication Date:
- 2016-08-02
- Subjects:
- HTTP header fields -- measurement -- abnormal behaviors -- protocol
Parallel processing (Electronic computers) -- Periodicals
Parallel computers -- Periodicals
004.35 - Journal URLs:
- http://onlinelibrary.wiley.com/ ↗
- DOI:
- 10.1002/cpe.3926 ↗
- Languages:
- English
- ISSNs:
- 1532-0626
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms) ↗
- Physical Locations:
- British Library DSC - 3405.622000
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store - Ingest File:
- 4715.xml