Abnormal Web Traffic Detection Using Connection Graph

Internal network security threats are becoming increasingly dangerous and difficult to detect as cyber criminals take advantage of web technology as a medium for communication. Web traffic generated by non-human activity such as botnets or worms exhausts a network's resources, misleads people and affects network security. This paper proposes a new method to detect abnormal web traffic in a network. It introduces two features, malicious-server-degree and abnormal-traffic-score, which are based on characteristics of a connection graph model for web access data. These features filter out suspicious clients that generate abnormal traffic. The experiment specifically shows different levels of potentially anomalous traffic for each suspicious client. The detected abnormal web traffic is easy to visualize, and the method is simple to implement even in large networks.
