A Supplementary Method for Malicious Detection Based on HTTP-Activity Similarity Features

Web-based services are increasingly used in a wide range of Internet applications such as social networking and cloud computing. In addition, because of growing cyber-security threats, system administrators protect their networks by closing inbound ports and permitting outgoing communication only over selected protocols such as HTTP. HTTP is therefore a potential communication medium for internal security threats. Distinguishing normal from malicious activity by monitoring HTTP traffic is becoming harder as sophisticated or new malware generates legitimate HTTP traffic and behaves similarly to normal software; nevertheless, analyzing HTTP activity is still a valuable process for malicious detection. In this paper, with a new approach, a supplementary method for malicious detection based on similarity features in the HTTP activity of clients is proposed. A new definition of client HTTP-activity similarity is introduced, and based on this feature, clients are clustered into groups with similar HTTP activity. Therefore, if a malicious client is detected, the administrator can quickly point out the suspect clients that are in the same group as the detected malicious client. Experimental results show that the proposed method is beneficial for anomaly/malicious detection, network management, traffic engineering and security.
