Network Monitoring Using MMT: An Application Based on the User-Agent Field in HTTP Headers

Despite recent advances in intrusion detection and network monitoring, malicious attacks and misbehavior remain a high-risk issue in network traffic. In this paper we present a proactive solution called MMT (Montimage Monitoring Tool) that facilitates network security and performance monitoring as well as operation troubleshooting. We demonstrate the improvements of MMT over similar tools. In particular, we assess MMT on a practical case study in which we analyze the User-Agent field of HTTP headers to detect abnormal activity. Recent observations show that the User-Agent field of HTTP requests is a good source for detecting abnormal activity within a large volume of traffic. Several studies have already pointed out the weaknesses of the User-Agent field and proposed manual approaches that combine several tools. However, existing countermeasures are rather passive and do not allow real-time detection. In our work, MMT provides automated detection of malicious traffic that abuses the User-Agent field. Analyzing abnormal User-Agent strings is also useful for rapidly detecting malicious entities already present in the network (e.g., bots). The experimental results confirm the improvements of our implementation over an intrusion detection system (Snort) and a packet analysis tool (tcpdump).
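The kind of User-Agent analysis the abstract describes, as an added Python example that is not MMT's own code: it extracts the User-Agent header from raw HTTP requests and flags values that are missing, empty, over-long, contain non-printable bytes, carry known tool signatures, or do not have the shape of a browser string, and it flags source hosts that rotate through many distinct User-Agent values. The thresholds, the token list, the browser-shape regex and the sample requests are constructed assumptions for illustration, not rules taken from the paper.

```python
"""Heuristic User-Agent anomaly detection over raw HTTP requests.

Added example (not MMT's code): thresholds, token list and regex below are
assumptions chosen for illustration, not detection rules from the paper.
"""
import re
from collections import defaultdict

MAX_UA_LENGTH = 512            # assumed threshold: longer values are suspicious
MAX_DISTINCT_UA_PER_HOST = 3   # assumed threshold: more looks like UA rotation

# Assumed list of tool/scanner signatures worth flagging on a managed network.
SUSPICIOUS_TOKENS = ("sqlmap", "nikto", "masscan", "python-requests", "curl/")

# Rough shape of a browser UA: "Mozilla/5.0 (...) ..."; anything else is "odd".
BROWSER_UA_RE = re.compile(r"^Mozilla/\d\.\d \(.+\)")


def parse_user_agent(raw_request):
    """Return the User-Agent value from a raw HTTP request, or None if absent.

    Only the header block (up to the blank line) is scanned, the request line
    is skipped, and header names are matched case-insensitively.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")  # byte-preserving decode
    return None


def classify_user_agent(ua):
    """Return a list of anomaly reasons for one User-Agent value (empty = normal)."""
    if ua is None:
        return ["missing"]
    if ua == "":
        return ["empty"]
    reasons = []
    if len(ua) > MAX_UA_LENGTH:
        reasons.append("too-long")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in ua):
        reasons.append("non-printable")
    low = ua.lower()
    for tok in SUSPICIOUS_TOKENS:
        if tok in low:
            reasons.append("tool:" + tok)
    # Only fall back to the shape check when nothing stronger has fired.
    if not reasons and not BROWSER_UA_RE.match(ua):
        reasons.append("non-browser-shape")
    return reasons


def analyze_requests(requests):
    """requests: iterable of (src_ip, raw_request_bytes).

    Returns {src_ip: {"alerts": [(ua, reasons), ...],
                      "distinct_ua": n, "rotation": bool}}.
    """
    per_host = defaultdict(lambda: {"alerts": [], "uas": set()})
    for src, raw in requests:
        ua = parse_user_agent(raw)
        entry = per_host[src]
        entry["uas"].add(ua)
        reasons = classify_user_agent(ua)
        if reasons:
            entry["alerts"].append((ua, reasons))
    report = {}
    for src, entry in per_host.items():
        n = len(entry["uas"])
        report[src] = {"alerts": entry["alerts"], "distinct_ua": n,
                       "rotation": n > MAX_DISTINCT_UA_PER_HOST}
    return report


def _req(ua_line):
    """Build a minimal raw HTTP/1.1 request (constructed, not captured)."""
    lines = [b"GET / HTTP/1.1", b"Host: example.test"]
    if ua_line is not None:
        lines.append(ua_line)
    return b"\r\n".join(lines) + b"\r\n\r\n"


# Constructed sample traffic: one clean browser, one scanner, one host that
# rotates agents, one agent with control bytes embedded in it.
SAMPLE_REQUESTS = [
    ("10.0.0.5", _req(b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0")),
    ("10.0.0.7", _req(b"user-agent: sqlmap/1.7 (https://sqlmap.org)")),
    ("10.0.0.9", _req(None)),
    ("10.0.0.9", _req(b"User-Agent: ")),
    ("10.0.0.9", _req(b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0")),
    ("10.0.0.9", _req(b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) Safari/605.1.15")),
    ("10.0.0.11", _req(b"User-Agent: Mozilla/5.0 (Windows NT 6.1) \x01\x02bot")),
]

if __name__ == "__main__":
    for src, info in analyze_requests(SAMPLE_REQUESTS).items():
        print(src, info)
```

The per-value checks are cheap enough to run inline on every request, which is the real-time property the abstract contrasts with manual, after-the-fact analysis; the per-host rotation count is the piece that needs state across packets and is where a stream-oriented monitor earns its keep over a single-packet signature.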
