Behaviour similarity based to cluster automated HTTP communication

HTTP automated software (auto-ware) is flourishing for many purposes as the World Wide Web keeps growing. Beside benign HTTP applications that serve users, such as operating system or virus definition update software, cyber criminals have in recent years turned to the web as a communication medium in which to hide a variety of forbidden or illicit activities, spreading malicious automated software such as adware, spyware or bots. In addition, auto-ware traffic is almost invisible to users. Therefore, in a private network, clustering auto-ware communication helps network security management by enabling early detection of internal threats. In this paper, based on an analysis of auto-ware communication behaviour, a network-level approach to clustering HTTP auto-ware communication is proposed. Experiments on real outbound HTTP traffic collected through the proxy server of a private network give reasonable results in clustering HTTP auto-ware traffic. The results can serve as a good resource for further security purposes such as malicious domain/URL detection or investigation of HTTP-based malware.
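The abstract does not say which behavioural features or which clustering algorithm the paper uses. The following is an added, illustrative example (not the authors' code) of what behaviour-similarity clustering of outbound proxy traffic can look like in practice. It assumes two features per (client, host) flow: the regularity of inter-request intervals (auto-ware tends to beacon on a timer, browsing is bursty) and the diversity of request path shapes (auto-ware repeats one URL template, browsing touches many). The log format, the feature choice, the `MIN_REQUESTS` floor and the `DISTANCE_THRESHOLD` are assumptions made for the demo; the sample log lines are constructed. The User-Agent header is deliberately not used as a feature, since it is trivially spoofed.

```python
"""Behaviour-similarity clustering of outbound HTTP flows from a proxy log.

Illustrative example only; the features, thresholds and log format are
assumptions for this demo and are not the paper's method.
"""
import math
import re
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample of outbound proxy log lines (not real data):
# "<epoch seconds> <client ip> <method> <url>"
SAMPLE_LOG = """\
1000 10.0.0.5 GET http://updates.example.com/check?v=1.2.3
1300 10.0.0.5 GET http://updates.example.com/check?v=1.2.3
1600 10.0.0.5 GET http://updates.example.com/check?v=1.2.4
1900 10.0.0.5 GET http://updates.example.com/check?v=1.2.4
2200 10.0.0.5 GET http://updates.example.com/check?v=1.2.4
1000 10.0.0.7 POST http://telemetry.example.net/ping/ab12cd34
1299 10.0.0.7 POST http://telemetry.example.net/ping/9f0e1d2c
1601 10.0.0.7 POST http://telemetry.example.net/ping/77aa88bb
1900 10.0.0.7 POST http://telemetry.example.net/ping/c0ffee00
2199 10.0.0.7 POST http://telemetry.example.net/ping/deadbeef
1000 10.0.0.5 GET http://www.example.org/index.html
1002 10.0.0.5 GET http://www.example.org/css/main.css
1003 10.0.0.5 GET http://www.example.org/js/app.js
1040 10.0.0.5 GET http://www.example.org/news/2024/05/article-123
1041 10.0.0.5 GET http://www.example.org/img/logo.png
1042 10.0.0.5 GET http://www.example.org/news/2024/05/article-456
1043 10.0.0.5 GET http://www.example.org/search?q=foo
1500 10.0.0.5 GET http://www.example.org/about
1234 10.0.0.9 GET http://once.example.com/file.bin
"""

MIN_REQUESTS = 3          # assumption: fewer than 2 gaps cannot show a rhythm
DISTANCE_THRESHOLD = 0.3  # assumption: tuned by hand for this toy feature space

_HEX = re.compile(r"[0-9a-f]{8,}")   # long hex runs (ids, hashes) -> H
_NUM = re.compile(r"\d+")            # digit runs (versions, counters) -> N


def parse_log(text):
    """Parse the constructed log format into (ts, client, host, path_template)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        parts = urlsplit(url)
        tpl = parts.path + ("?" + parts.query if parts.query else "")
        tpl = _NUM.sub("N", _HEX.sub("H", tpl))  # collapse variable parts
        records.append((int(ts), client, parts.hostname, tpl))
    return records


def flow_features(records):
    """Per (client, host) flow return (interval_cv, template_ratio).

    interval_cv    : std/mean of inter-request gaps; ~0 means clockwork beaconing.
    template_ratio : distinct path templates / requests; low means one fixed shape.
    Flows with fewer than MIN_REQUESTS requests are reported as skipped instead
    of being forced into a cluster on an undefined rhythm.
    """
    flows = defaultdict(list)
    for ts, client, host, tpl in records:
        flows[(client, host)].append((ts, tpl))
    features, skipped = {}, []
    for key, items in flows.items():
        if len(items) < MIN_REQUESTS:
            skipped.append(key)
            continue
        items.sort()  # log order is not guaranteed to be time order
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        mean = sum(gaps) / len(gaps)
        std = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        cv = std / mean if mean > 0 else float("inf")
        ratio = len({tpl for _, tpl in items}) / len(items)
        features[key] = (cv, ratio)
    return features, skipped


def cluster_flows(features, threshold=DISTANCE_THRESHOLD):
    """Single-linkage clustering with union-find: flows whose feature distance
    is below the threshold are linked; connected components are the clusters."""
    parent = {k: k for k in features}

    def find(k):
        while parent[k] != k:
            parent[k] = parent[parent[k]]
            k = parent[k]
        return k

    for a, b in combinations(features, 2):
        if math.dist(features[a], features[b]) < threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for k in features:
        groups[find(k)].add(k)
    return sorted(groups.values(), key=lambda s: sorted(s))


def analyze(log_text):
    """Full pipeline: parse, featurize, cluster; returns a dict of results."""
    feats, skipped = flow_features(parse_log(log_text))
    return {"features": feats, "clusters": cluster_flows(feats), "skipped": skipped}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for i, grp in enumerate(result["clusters"], 1):
        print(f"cluster {i}:")
        for client, host in sorted(grp):
            cv, ratio = result["features"][(client, host)]
            print(f"  {client} -> {host}: interval_cv={cv:.3f} template_ratio={ratio:.2f}")
    print("skipped (too few requests):", result["skipped"])
```

On the constructed sample, the two timer-driven flows (the updater and the telemetry beacon, even though they go to different hosts from different clients) land in one cluster, the interactive browsing session forms its own, and the single-request flow is reported as skipped rather than clustered. In a real deployment the feature vector would be richer (response sizes, request-time-of-day distribution, referrer presence) and the threshold would be chosen from labelled traffic, but the shape of the pipeline is the same.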