• Title/Summary/Keyword: HTTP traffic analysis


Anomaly Detection Scheme of Web-based attacks by applying HMM to HTTP Outbound Traffic (HTTP Outbound Traffic에 HMM을 적용한 웹 공격의 비정상 행위 탐지 기법)

  • Choi, Byung-Ha; Choi, Sung-Kyo; Cho, Kyung-San
    • Journal of the Korea Society of Computer and Information, v.17 no.5, pp.33-40, 2012
  • In this paper we propose an anomaly detection scheme that detects new attack paths or new attack methods without false positives by monitoring HTTP Outbound Traffic after efficient training. Our proposed scheme detects web-based attacks by comparing the tags or JavaScript in HTTP Outbound Traffic with normal behavioral models built with a Hidden Markov Model (HMM). Through verification analysis in a real-attack environment, we show that our scheme has superior detection capability, with a 0.0001% false positive rate and a 96% detection rate.

Pattern-based Signature Generation for Identification of HTTP Applications (HTTP 응용들의 식별을 위한 패턴 기반의 시그니쳐 생성)

  • Jin, Chang-Gyu; Choi, Mi-Jung
    • Journal of Information Technology and Architecture, v.10 no.1, pp.101-111, 2013
  • Internet traffic volume has been increasing rapidly due to the popularization of various smart devices and Internet development. In particular, HTTP-based traffic volume from smart devices is increasing rapidly in addition to desktop traffic volume. The increased mobile traffic can cause serious problems such as network overload, web security issues, and degraded QoS. In order to solve these problems of Internet overload and security, it is necessary to detect applications accurately. Traditionally, the well-known-port-based method has been used in traffic classification. However, this method shows low accuracy, since P2P applications exploit TCP port 80, which is used for the HTTP protocol, to avoid firewalls or IDSs. A signature-based method has been proposed to solve the low-accuracy problem. This method shows a higher analysis rate, but it has the overhead of signature generation. Also, previous signature-based studies only analyze applications at the HTTP protocol level, not the application level; that is, it is difficult to identify the application name, so previous studies only perform protocol-level analysis. In this paper, we propose a signature generation method to classify HTTP-based traffic at the application level using the characteristics of the typical semi-HTTP header. By applying our proposed method to campus network traffic, we validate the feasibility of our method.

A Design and Implementation of Anomaly Detection Model based the Web Traffic Trend Analysis (웹 트래픽 추이 분석 기반 비정상행위 탐지 모델의 설계 및 구현)

  • Jang, Sung-Min; Park, Soon-Dong
    • Journal of the Korea Computer Industry Society, v.6 no.5, pp.715-724, 2005
  • Recently, many important systems that used to be operated in a closed environment are now providing web services, and these kinds of web-based services are often an easy and common target of attacks. In addition, the great variety of web content and applications causes the development of various new intrusion technologies, while misuse-based intrusion detection technology cannot keep pace with the attacks and seems to lack the capability to deal with such various new security threats. As a result, it is necessary to research and develop new types of detection technologies that can detect newly developed attacks and intrusions as well as deal with previous types of exploits. In this paper, an HTTP traffic model is tested for anomalies by using HTTP request traffic pattern analysis and field information analysis of the HTTP packet. Consequently, HTTP traffic models applying anomaly tests are designed and established.

Analysis of Aggregated HTTP-based Video Traffic

  • Biernacki, Arkadiusz
    • Journal of Communications and Networks, v.18 no.5, pp.826-836, 2016
  • The increase in popularity of hypertext transfer protocol (HTTP)-based video means that broadband and Internet service providers' links transmit mainly multimedia content. Network planning, traffic engineering and congestion control require an understanding of the statistical properties of network traffic; therefore, it is desirable to investigate the characteristics of traffic traces generated, among others, by systems which employ adaptive bit-rate streaming. In our work, we investigate traffic originating from 120 client-server pairs, situated in an emulated laboratory environment, and multiplexed onto a single network link. We show that the structure of the traffic is distinct from the structure generated by the first and second generations of HTTP video systems, and furthermore, not similar to the structure of general Internet traffic. The obtained traffic exhibits negative correlations and anti-persistence, and its distribution function is skewed to the right. Furthermore, we show that the traffic generated by clients employing the same or similar play-out strategies is positively correlated and synchronised (clustered), whereas traffic originating from different play-out strategies shows negative or no correlations.

HTTP Traffic Modeling and Analysis with Statistical Process (통계적 분석을 이용한 HTTP 트래픽 모델링 및 분석)

  • Jun, Uie-Soo; Lee, Kwang-Hui
    • Journal of Internet Computing and Services, v.5 no.4, pp.63-76, 2004
  • For efficient design and operation of a communication network, precise simulation of network characteristics is essential. This issue has been the focus of research by several groups. In this study, we first modeled the HTTP traffic to be employed in application-level simulation using real collected traffic data. There are two different viewpoints on the characteristics of web traffic patterns: Poisson distribution and self-similar characteristics. In our study, the results show that web traffic characteristics do not depend on only one type of distribution; rather, the traffic can be modeled as a composition of these depending on the size of the web server's response. This implies that web traffic can be modeled as a combination of the two characteristics. We also found that the characteristics of web traffic rely on the properties of web servers. This result was deployed as a traffic generator in implementing the network simulator (NetDAS).

Classification of HTTP Automated Software Communication Behavior Using a NoSQL Database

  • Tran, Manh Cong; Nakamura, Yasuhiro
    • IEIE Transactions on Smart Processing and Computing, v.5 no.2, pp.94-99, 2016
  • Application layer attacks have for years posed an ever more serious threat to network security, since they always come after a technically legitimate connection has been established. In recent years, cyber criminals have turned to fully exploiting the web as a medium of communication to launch a variety of forbidden or illicit activities by spreading malicious automated software (auto-ware) such as adware, spyware, or bots. When this malicious auto-ware infects a network, it acts like a robot, mimics the normal behavior of web access, and bypasses the network firewall or intrusion detection system. Besides that, in a large private network with huge volumes of Hypertext Transfer Protocol (HTTP) traffic generated each day, identification and classification of auto-ware communication behavior is a challenge. In this paper, based on a previous study, an analysis of auto-ware communication behavior, and the addition of new features, a method for classification of HTTP auto-ware communication is proposed. For that, a Not Only Structured Query Language (NoSQL) database is applied to handle the large volumes of unstructured HTTP requests captured every day. The method is tested with real HTTP traffic data collected through a proxy server of a private network, providing good results in the classification and detection of suspicious auto-ware web access.

An Improved Detecting Scheme of Malicious Codes using HTTP Outbound Traffic (HTTP Outbound Traffic을 이용한 개선된 악성코드 탐지 기법)

  • Choi, Byung-Ha; Cho, Kyung-San
    • Journal of the Korea Society of Computer and Information, v.14 no.9, pp.47-54, 2009
  • Malicious codes, which are spread through the WWW, have now evolved with various hacking technologies. However, detection technologies for them are seemingly not able to keep up with the improvement of hacking and newly generated malicious codes. In this paper, we define the requirements of detection systems based on an analysis of malicious codes and their spreading characteristics, and propose an improved detection scheme which monitors HTTP Outbound traffic and detects spreading malicious codes in real time. Our proposed scheme sets up signatures in an IDS with confirmed HTML tags and JavaScript which spread malicious codes. Through verification analysis in a real-attack environment, we show that our scheme is superior to existing schemes in satisfying the defined requirements and has a higher detection rate for malicious codes.

Analysis of Defense Method for HTTP POST DDoS Attack base on Content-Length Control (Content-Length 통제기반 HTTP POST DDoS 공격 대응 방법 분석)

  • Lee, Dae-Seob; Won, Dong-Ho
    • Journal of the Korea Institute of Information Security & Cryptology, v.22 no.4, pp.809-817, 2012
  • One of the OSI layer 7 DDoS attacks, HTTP POST DDoS, can deny legitimate service by depleting web server resources. This attack can be executed with little network traffic and over legitimate TCP connections. Therefore, it is difficult to distinguish DDoS traffic from legitimate users. In this paper, I propose an anomalous HTTP POST traffic detection algorithm and a defense method for HTTP POST DDoS attacks that limits the Content-Length field size for each HTTP page. The proposed method detected and countered the attacks without false negatives or false positives when tested against the r-u-dead-yet HTTP POST DDoS attack tool and a self-developed attack tool.

Modeling and Performance Evaluation of the Web server supporting Persistent Connection (Persistent Connection을 지원하는 웹서버 모델링 및 성능분석)

  • Min, Byeong-Seok; Nam, Ui-Seok; Lee, Sang-Mun; Sim, Yeong-Seok; Kim, Hak-Bae
    • The KIPS Transactions: Part C, v.9C no.4, pp.605-614, 2002
  • The amount of web traffic that web servers handle is increasing explosively, which requires that the performance of web servers be improved for the various web services. Although analysis of HTTP traffic together with proper tuning of the web server is essential, research relevant to the subject is scant. In particular, although most applications are implemented over the HTTP 1.1 protocol, research mostly deals with performance evaluation of the HTTP 1.0 protocol. Consequently, the modeling approach and performance evaluation over the HTTP 1.1 protocol have not been well formed. Therefore, based on the HTTP 1.1 protocol supporting persistent connections, we present an analytical end-to-end tandem queueing model for a web server that considers the specific hardware configuration inside the web server, from accepting the user request until completing the service. We compare various performance measures between HTTP 1.0 and HTTP 1.1 under overload conditions, and then analyze the characteristics of HTTP traffic, which include the file sizes requested from the web server, the OFF time between file transfers, the frequency of requests, and the temporal locality of requests. The presented model is verified by comparing server throughput under varying request rates with that of a real web server. Thereafter, we analyze the performance of the web server according to the interrelation between the TCP listen queue size, the number of HTTP threads and the size of the network buffers.

Research on OS fingerprinting Method for Real-time Traffic Analysis System (실시간 트래픽 분석을 위한 운영체제 판별 방법에 관한 연구)

  • Lee, Hyun-Shin; Kim, Myung-Sup
    • The Journal of Korean Institute of Communications and Information Sciences, v.36 no.5B, pp.443-450, 2011
  • The Internet has become an essential part of our modern life by providing useful information. So, the volume of Internet traffic has been increasing rapidly, which emphasizes the importance of network traffic analysis for effective network operation and management. Signature-based analysis has been commonly used, but it has been shown that the growth in signatures due to the growth in applications causes performance degradation of real-time traffic analysis on high-speed network links. In this paper, we propose an OS fingerprinting method for real-time traffic analysis. The previous problems can be solved by utilizing the OS information. The OS fingerprinting method for real-time traffic analysis proposed in this paper operates in passive mode and improves on the limitations of a previous method, such as low completeness and accuracy. In this paper, we enlarged the input data to improve completeness, and used the User-Agent field in HTTP packets to extract various OS signatures. Also, we changed the input data from packets to flows to improve accuracy.