Hviz: HTTP(S) traffic aggregation and visualization for network forensics

Gugelmann, David; Gasser, Fabian; Ager, Bernhard; Lenders, Vincent

doi:10.1016/j.diin.2015.01.005

Cited by 17 publications

(10 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Referring to Hviz [15], we construct a different web request graph according to different users' IP address. In a web request graph, a node which is represented by URL corresponds to an HTTP request and its response.…”

Section: Constructing Web Request Graphmentioning

confidence: 99%

“…(1) We have proposed an approach to detect HTTPbased APT malware infection based on graph reasoning and used Hviz [15] to construct a web request graph. (2) Due to a small percentage of normal requests that do not include a Referer field, we have proposed two methods, namely, redirection refactoring and URL similarity to add "missing" user-initiated requests into the web request graph and refine the web request graph.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

HTTP-Based APT Malware Infection Detection Using URL Correlation Analysis

Niu

Xie

Zhang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

APT malware exploits HTTP to establish communication with a C & C server to hide their malicious activities. Thus, HTTP-based APT malware infection can be discovered by analyzing HTTP traffic. Recent methods have been dependent on the extraction of statistical features from HTTP traffic, which is suitable for machine learning. However, the features they extract from the limited HTTP-based APT malware traffic dataset are too simple to detect APT malware with strong randomness insufficiently. In this paper, we propose an innovative approach which could uncover APT malware traffic related to data exfiltration and other suspect APT activities by analyzing the header fields of HTTP traffic. We use the Referer field in the HTTP header to construct a web request graph. Then, we optimize the web request graph by combining URL similarity and redirect reconstruction. We also use a normal uncorrelated request filter to filter the remaining unrelated legitimate requests. We have evaluated the proposed method using 1.48 GB normal HTTP flow from clickminer and 280 MB APT malware HTTP flow from Stratosphere Lab, Contagiodump, and pcapanalysis. The experimental results have shown that the URL-correlation-based APT malware traffic detection method can correctly detect 96.08% APT malware traffic, and its recall rate is 98.87%. We have also conducted experiments to compare our approach against Jiang’s method, MalHunter, and BotDet, and the experimental results have confirmed that our detection approach has a better performance, the accuracy of which reached 96.08% and the F1 value increased by more than 5%.

show abstract

Section: Constructing Web Request Graphmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

HTTP-Based APT Malware Infection Detection Using URL Correlation Analysis

Niu

Xie

Zhang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Another graph inspired visualization is Hviz [19], which was used successfully by InfoSec Institute to explore and summarize HTTP requests to find common malware like Zeus [20], and also as a tool for forensic analysis [21]. Hviz deserves mention for its versatile use cases and also for creating a heuristic to aggregate HTTP requests by using Frequent Item Mining.…”

Section: Related Workmentioning

confidence: 99%

Pattern-Based and Visual Analytics for Visitor Analysis on Websites

et al. 2019

View full text Add to dashboard Cite

In this paper, We present how we combined visualization and machine learning techniques to provide an analytic tool for web log data.We designed a visualization where advertisers can observe the visits to their different pages on a site, common web analytic measures and individual user navigation on the site. In this visualization, the users can get insights of the data by looking at key elements of the graph. Additionally, we applied pattern mining techniques to observe common trends in user segments of interest.

show abstract

“…Many of event reconstruction methods in the literature use extracted data from hard disk [2-4, 6, 9, 10, 12-25]. However, there are event reconstruction techniques which are based on the extracted pieces of evidence from memory image [26][27][28][29] or network traffic [30][31][32]. It should be noted that, because of the permanent nature of hard disk data, the pieces of evidence which are extracted from hard disk are more reliable.…”

Section: Literature Reviewmentioning

confidence: 99%