Application-layer attacks have posed a serious threat to network security for years, because they take place only after a technically legitimate connection has been established. In recent years, cyber criminals have turned to exploiting the web as a communication medium in which to hide a variety of forbidden or illicit activities by spreading malicious automated software (auto-ware) such as adware, spyware or bots. When such malicious auto-ware infects a user network, it acts like a robot and mimics normal web-access behaviour in order to bypass the network firewall or IDS. Moreover, in a large private network that generates huge volumes of HTTP traffic every day, identifying communication behaviour and classifying auto-ware is a great challenge. In this paper, building on a previous study and analysis of auto-ware communication behaviour and adding new features, a method for classifying HTTP auto-ware communication is proposed. In it, a NoSQL database is applied to handle the large volume of unstructured HTTP requests captured every day. The method is evaluated on real HTTP traffic data collected through the proxy server of a private network, on which good results are achieved in the classification and detection of suspicious auto-ware web access.
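The behaviour-based triage the abstract describes, as an added illustration that is not the paper's code: the abstract does not list its features, so this assumes one widely used behavioural feature (near-periodic request timing per client/host pair, scored by the coefficient of variation of inter-request gaps) over constructed proxy log lines in an assumed `<epoch> <client_ip> <host> <user_agent>` format.

```python
"""Behavioural triage of proxy HTTP logs for automated (auto-ware) access.
Assumed log format (constructed): "<epoch> <client_ip> <host> <user_agent>".
The feature (near-constant inter-request gaps) is an illustrative assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons every 60 s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.5 cdn.example.net Mozilla/5.0
1060 10.0.0.5 cdn.example.net Mozilla/5.0
1120 10.0.0.5 cdn.example.net Mozilla/5.0
1180 10.0.0.5 cdn.example.net Mozilla/5.0
1240 10.0.0.5 cdn.example.net Mozilla/5.0
1003 10.0.0.9 news.example.org Mozilla/5.0
1017 10.0.0.9 news.example.org Mozilla/5.0
1150 10.0.0.9 news.example.org Mozilla/5.0
1162 10.0.0.9 news.example.org Mozilla/5.0
1499 10.0.0.9 news.example.org Mozilla/5.0
"""

def parse_log(text):
    """Group request timestamps by (client, host) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _ua = line.split(maxsplit=3)
        flows[(client, host)].append(int(ts))
    return flows

def interval_cv(timestamps):
    """Coefficient of variation of inter-request gaps; 0.0 means perfectly periodic."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None  # too few requests to judge regularity
    m = mean(gaps)
    return pstdev(gaps) / m if m else None

def classify_flows(text, min_requests=5, cv_threshold=0.2):
    """Label each (client, host) flow 'automated' when it is frequent and regular."""
    result = {}
    for key, ts in parse_log(text).items():
        cv = interval_cv(ts)
        if len(ts) >= min_requests and cv is not None and cv <= cv_threshold:
            result[key] = "automated"
        else:
            result[key] = "likely-human"
    return result
```

Flows labelled "automated" are candidates for analyst review, not verdicts; the thresholds are constructed for the sample and would be tuned on the network's own traffic.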