Security Monitoring of HTTP Traffic Using Extended Flows

Autoři

HUSÁK Martin VELAN Petr VYKOPAL Jan

Rok publikování 2015
Druh Článek ve sborníku
Konference 2015 10th International Conference on Availability, Reliability and Security
Fakulta / Pracoviště MU

Ústav výpočetní techniky

Citace
Doi http://dx.doi.org/10.1109/ARES.2015.42
Obor Informatika
Klíčová slova network monitoring;extended flow;HTTP;crawler;brute-force password attack
Přiložené soubory
Popis In this paper, we present an analysis of HTTP traffic in a large-scale environment which uses network flow monitoring extended by parsing HTTP requests. In contrast to previously published analyses, we were the first to classify patterns of HTTP traffic which are relevant to network security. We described three classes of HTTP traffic which contain brute-force password attacks, connections to proxies, HTTP scanners, and web crawlers. Using the classification, we were able to detect up to 16 previously undetectable brute-force password attacks and 19 HTTP scans per day in our campus network. The activity of proxy servers and web crawlers was also observed. Symptoms of these attacks may be detected by other methods based on traditional flow monitoring, but detection using the analysis of HTTP requests is more straightforward. We, thus, confirm the added value of extended flow monitoring in comparison to the traditional method.

Používáte starou verzi internetového prohlížeče. Doporučujeme aktualizovat Váš prohlížeč na nejnovější verzi.

Další info