Application layer attacks have for years posed a serious threat to network security, because they arrive only after a technically legitimate connection has been established. In recent years, cyber criminals have turned to fully exploiting the web as a communication medium for a variety of forbidden or illicit activities by spreading malicious automated software (autoware) such as adware, spyware, or bots. Once such autoware infects a network, it acts like a robot, mimics the normal behavior of web access, and bypasses the network firewall or intrusion detection system. Moreover, in a large private network that generates huge volumes of Hypertext Transfer Protocol (HTTP) traffic each day, identifying and classifying autoware communication behavior is a challenge. In this paper, building on a previous study and an analysis of autoware communication behavior, and adding new features, a method for classifying HTTP autoware communication is proposed. A Not Only Structured Query Language (NoSQL) database is used to handle the large volumes of unstructured HTTP requests captured every day. The method is tested on real HTTP traffic data collected through the proxy server of a private network, giving good results in the classification and detection of suspicious autoware web access.
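As an added illustration (not the paper's method or code), the following Python flags one behavior an automated client tends to exhibit in proxy logs: requests to the same host at near-constant intervals, which a person browsing rarely produces. The log format, hosts, thresholds and the interval-regularity feature are assumptions for this example, not features taken from the paper.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy-log sample (not from the paper): "<ISO time> <client> <host> <user-agent>".
# One flow polls a host every five minutes; the other is a person browsing irregularly.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 update.example.net Mozilla/5.0
2024-01-01T10:00:00 10.0.0.5 news.example.org Mozilla/5.0
2024-01-01T10:05:00 10.0.0.5 update.example.net Mozilla/5.0
2024-01-01T10:01:13 10.0.0.5 news.example.org Mozilla/5.0
2024-01-01T10:10:00 10.0.0.5 update.example.net Mozilla/5.0
2024-01-01T10:07:42 10.0.0.5 news.example.org Mozilla/5.0
2024-01-01T10:15:00 10.0.0.5 update.example.net Mozilla/5.0
2024-01-01T10:31:05 10.0.0.5 news.example.org Mozilla/5.0
2024-01-01T10:20:00 10.0.0.5 update.example.net Mozilla/5.0
2024-01-01T10:32:50 10.0.0.5 news.example.org Mozilla/5.0
"""

def parse_log(text):
    """Turn each log line into (timestamp, client, host, user_agent)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ua = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), client, host, ua))
    return records

def interval_cv(times):
    """Coefficient of variation of inter-request gaps (0.0 = perfectly periodic); None if too few."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None

def find_periodic_flows(text, min_requests=5, max_cv=0.2):
    """Group requests per (client, host); flag flows that are both frequent and clock-regular."""
    flows = defaultdict(list)
    for ts, client, host, _ua in parse_log(text):
        flows[(client, host)].append(ts)
    flagged = {}
    for key, times in flows.items():
        cv = interval_cv(times)
        if len(times) >= min_requests and cv is not None and cv <= max_cv:
            flagged[key] = cv
    return flagged
```

A flagged flow is a candidate for review, not a verdict: legitimate software updaters also poll on a schedule, so the paper's point about combining several behavioral features still applies.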