Security Monitoring of HTTP Traffic Using Extended Flows
Result identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14610%2F15%3A00083044" target="_blank" >RIV/00216224:14610/15:00083044 - isvavai.cz</a>
Result on the web
<a href="http://dx.doi.org/10.1109/ARES.2015.42" target="_blank" >http://dx.doi.org/10.1109/ARES.2015.42</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1109/ARES.2015.42" target="_blank" >10.1109/ARES.2015.42</a>
Alternative languages
Result language
English
Title in original language
Security Monitoring of HTTP Traffic Using Extended Flows
Description in original language
In this paper, we present an analysis of HTTP traffic in a large-scale environment that uses network flow monitoring extended by parsing HTTP requests. In contrast to previously published analyses, we were the first to classify patterns of HTTP traffic which are relevant to network security. We described three classes of HTTP traffic which contain brute-force password attacks, connections to proxies, HTTP scanners, and web crawlers. Using the classification, we were able to detect up to 16 previously undetectable brute-force password attacks and 19 HTTP scans per day in our campus network. The activity of proxy servers and web crawlers was also observed. Symptoms of these attacks may be detected by other methods based on traditional flow monitoring, but detection using the analysis of HTTP requests is more straightforward. We thus confirm the added value of extended flow monitoring in comparison to the traditional method.
Title in English
Security Monitoring of HTTP Traffic Using Extended Flows
Description in English
In this paper, we present an analysis of HTTP traffic in a large-scale environment that uses network flow monitoring extended by parsing HTTP requests. In contrast to previously published analyses, we were the first to classify patterns of HTTP traffic which are relevant to network security. We described three classes of HTTP traffic which contain brute-force password attacks, connections to proxies, HTTP scanners, and web crawlers. Using the classification, we were able to detect up to 16 previously undetectable brute-force password attacks and 19 HTTP scans per day in our campus network. The activity of proxy servers and web crawlers was also observed. Symptoms of these attacks may be detected by other methods based on traditional flow monitoring, but detection using the analysis of HTTP requests is more straightforward. We thus confirm the added value of extended flow monitoring in comparison to the traditional method.
Classification
Type
D - Conference proceedings paper
CEP field
IN - Informatics
OECD FORD field
—
Result linkages
Project
—
Linkages
I - Institutional support for the long-term conceptual development of a research organisation
Other
Year of publication
2015
Data confidentiality code
S - Complete and accurate project data are not subject to protection under special legal regulations
Data specific to the result type
Proceedings title
2015 10th International Conference on Availability, Reliability and Security
ISBN
9781467365901
ISSN
—
e-ISSN
—
Number of pages
8
Pages from-to
258-265
Publisher name
IEEE
Place of publication
Toulouse
Event venue
Toulouse
Event date
1. 1. 2015
Event type by nationality
WRD - Worldwide event
Article UT WoS code
—