Classification of HTTP Automated Software Communication Behavior Using a NoSQL Database

  • Received : 2016.02.20
  • Accepted : 2016.04.19
  • Published : 2016.04.30

Abstract

Application layer attacks have for years posed a serious threat to network security, because they arrive only after a technically legitimate connection has been established. In recent years, cyber criminals have fully exploited the web as a communication medium for a variety of forbidden or illicit activities by spreading malicious automated software (auto-ware) such as adware, spyware, or bots. Once such malicious auto-ware infects a network, it acts like a robot, mimics the normal behavior of web access, and bypasses the network firewall or intrusion detection system. Moreover, in a large private network that generates huge volumes of Hypertext Transfer Protocol (HTTP) traffic each day, identifying and classifying the communication behavior of auto-ware is a challenge. In this paper, building on a previous study of auto-ware communication behavior and adding new features, a method for classifying HTTP auto-ware communication is proposed. A Not Only Structured Query Language (NoSQL) database is applied to handle the large volumes of unstructured HTTP requests captured every day. The method is tested on real HTTP traffic collected through the proxy server of a private network and gives good results in classifying and detecting suspicious auto-ware web access.
