HTTP is recognized as the most widely used protocol on the Internet, as developers move more and more applications onto the web. Because computer systems are increasingly complex, a diverse range of HTTP automated software (autoware) thrives. Unfortunately, besides benign autoware, HTTP malware and greyware are also spreading rapidly in the web environment. Consequently, network communication is no longer strictly controlled by the user's intention. This raises the demand for analyzing the communication behaviour of HTTP autoware in order to detect and classify malicious and normal activities in HTTP traffic. Hence, in this paper, based on extensive study and analysis of autoware communication behaviour through an access graph, a new method to detect and classify HTTP autoware communication at the network level is presented. The proposed system combines Hadoop MapReduce and the MarkLogic NoSQL database, together with XQuery, to deal with the huge volume of HTTP traffic generated each day in a large network. The method is evaluated on real outbound HTTP traffic collected through the proxy server of a private network. Experimental results for the proposed method are promising: 95.1% of suspicious autoware is detected and classified. This finding may assist network and system administrators in early inspection of the internal threats caused by HTTP autoware.
As a consequence of growing cyber security threats, ordinary users as well as system administrators are advised to close inbound ports and to permit outgoing communication only over selected protocols. Over the past decades, the flexibility and interoperability of HTTP have led users to adopt it in an ever wider range of applications; therefore, HTTP is almost always allowed through the network perimeter. HTTP-based applications can be classified into two types of Internet access: passive and active. A passive application (e.g. a browser) generates requests only on the user's demand, so users can see and control what content they access. By contrast, active applications, called automatic software (auto-ware), access their servers completely or partly automatically, without the user's intention. Auto-ware can be a normal application, such as a virus-definition or operating-system updater, but can also be an abnormal process such as a botnet client, worm, virus, spyware, or advertising software (adware). Auto-ware therefore consumes network bandwidth and may become an internal security threat. Detecting suspicious auto-ware and its traffic is challenging because the malicious traffic blends in with legitimate HTTP traffic. In this paper, based on observation of the communication patterns of HTTP auto-ware, a detection method for HTTP-based auto-ware is proposed. The experimental results show that the method is useful for host-based detection applications.
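As an added illustration (not code from either paper), the following Python sketch builds a client-to-host access graph from constructed proxy-log lines and applies an assumed heuristic drawn from the passive/active distinction above: a host reached by several clients on a near-periodic schedule is labelled auto-ware-like, while irregular, user-driven access is not. The log format, the regularity threshold and the host names are assumptions, not taken from the papers.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log (epoch seconds, client, host); not real traffic.
PROXY_LOG = """\
1000 10.0.0.5 update.av.test
1600 10.0.0.5 update.av.test
2200 10.0.0.5 update.av.test
2800 10.0.0.5 update.av.test
1000 10.0.0.7 update.av.test
1600 10.0.0.7 update.av.test
2200 10.0.0.7 update.av.test
1010 10.0.0.5 news.test
1450 10.0.0.5 news.test
3100 10.0.0.5 news.test
1300 10.0.0.6 cdn.test
bad line
"""
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def build_access_graph(log_text):
    """Bipartite client->host graph; each edge keeps its sorted request times."""
    graph = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                      # malformed lines are skipped, not fatal
            ts, client, host = m.groups()
            graph[(client, host)].append(int(ts))
    return {edge: sorted(t) for edge, t in graph.items()}

def gap_cv(times):
    """Coefficient of variation of inter-request gaps (0.0 = perfectly periodic);
    None when fewer than two gaps exist, so a lone request is never flagged."""
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else 0.0

def classify_hosts(graph, max_cv=0.2, min_clients=2):
    """Assumed heuristic: a host polled near-periodically (cv <= max_cv) by at
    least min_clients clients is 'autoware'; everything else is 'user-driven'."""
    periodic, hosts = defaultdict(set), set()
    for (client, host), times in graph.items():
        hosts.add(host)
        cv = gap_cv(times)
        if cv is not None and cv <= max_cv:
            periodic[host].add(client)
    return {h: "autoware" if len(periodic[h]) >= min_clients else "user-driven"
            for h in hosts}
```

On the constructed log, update.av.test is polled every 600 s by two clients and is flagged, while the irregular browsing of news.test and the single cdn.test request are left as user-driven.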