Security Monitoring of HTTP Traffic Using Extended Flows

Authors

HUSÁK Martin VELAN Petr VYKOPAL Jan

Year of publication 2015
Type Article in Proceedings
Conference 2015 10th International Conference on Availability, Reliability and Security
MU Faculty or unit

Institute of Computer Science

Citation
Doi http://dx.doi.org/10.1109/ARES.2015.42
Field Informatics
Keywords network monitoring;extended flow;HTTP;crawler;brute-force password attack
Attached files
Description In this paper, we present an analysis of HTTP traffic in a large-scale environment which uses network flow monitoring extended by parsing HTTP requests. In contrast to previously published analyses, we were the first to classify patterns of HTTP traffic which are relevant to network security. We described three classes of HTTP traffic which contain brute-force password attacks, connections to proxies, HTTP scanners, and web crawlers. Using the classification, we were able to detect up to 16 previously undetectable brute-force password attacks and 19 HTTP scans per day in our campus network. The activity of proxy servers and web crawlers was also observed. Symptoms of these attacks may be detected by other methods based on traditional flow monitoring, but detection using the analysis of HTTP requests is more straightforward. We, thus, confirm the added value of extended flow monitoring in comparison to the traditional method.

You are running an old browser version. We recommend updating your browser to its latest version.

More info