A Method for Clustering and Identifying HTTP Automated Software Communication

Application developers increasingly take advantage of the web as a communication medium to reach users, because the HTTP protocol is allowed in almost any network environment today. Unfortunately, cyber criminals also fully exploit the HTTP protocol to launch a variety of forbidden actions, such as application-level attacks or spreading malware. Consequently, normal and malicious HTTP automated-software (auto-ware) traffic are transparently merged with each other. Clustering and identifying HTTP communications has therefore become a serious challenge for the early investigation of internal threats. In this paper, an access graph and a set of key features are proposed, based on which the communication behavior of HTTP auto-ware is recognized. From there, a novel method for clustering and identifying HTTP auto-ware is presented. Experiments show promising results: not only are malicious communications detected, but grayware traffic is also clustered into groups and identified according to its purpose.
