A Method for Discovering Malicious Network Behaviors Based on HTTP Content Consistency

A content-consistency and behavior-discovery technology, applied in the information field, that can solve problems such as misconfiguration, high false positive rate, and inability to detect in time, and that achieves good discovery ability and high universality.

Active Publication Date: 2019-12-10
INST OF INFORMATION ENG CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

On the one hand, this often requires extracting features of known malicious behavior and configuring a large number of feature rules, and it cannot detect in time unknown malicious network behaviors that use this phenomenon to spread.
In addition, about 35% of the packets in HTTP traffic have inconsistent content declarations, and most of them are caused by misconfigurations. These inconsistent packets are often harmless, so detecting only the inconsistency between HTTP payload content and declaration has a high false positive rate and is not a good aid in discovering malicious network behaviors.


Examples


[0050] Example 1: Using inconsistency between HTTP payload content and declaration to discover malicious Trojans

[0051] The detection system found an inconsistent sample whose Content-Type was declared as text/html but whose actual payload was of an executable file type. The sample was uploaded to VirusTotal for detection, and it was found to be a malicious Trojan.


[0052] Example 2: Using inconsistency between HTTP payload content and declaration to discover a format-check bypass attack

[0053] The detection system found a payload whose Content-Type was declared as image/png but whose actual content was a PHP script. After analysis, it was found that the script was a malicious attack that used an upload vulnerability to bypass format detection.

[0054] Table 1. Suspicious degree judgment table for HTTP inconsistent packets

[0055]

| HTTP Content-Type | Actual HTTP payload type | Suspicious degree |
|---|---|---|
| Any | application/octet-stream | low |
| text/html | application/x-dosexec | high |
| image/any | text/html | medium |
| … | … | … |

[0056] Table 2. Storage sample information table

[0057]

| Name | Value |
|---|---|
| Record Date | YYYY-MM-DD HH:MM:SS |
| Request Method | GET / POST |
| Host | www.example.com |
| URL | /15-8-24/30471674.jpg |
| Client IP | 123.123.123.123 |
| User-Agent | Mozilla/5.0 |
| Sample Path | /home/sample/XXXXXX |
| Sample MD5 | ff2caa1d0b45082d7a0b767e37fcef64 |

[0058] In addition to the a...


Abstract

The invention relates to a malicious network behavior discovery method based on HTTP content consistency. The method comprises the following steps: 1) parsing an HTTP message; 2) comparing the type declared in the HTTP message header with the actual payload type of the HTTP message for consistency; 3) if the comparison result of step 2) is inconsistent, judging the suspicious degree of the inconsistent behavior according to the specific message header and the actual payload type; 4) recording the inconsistent behaviors whose suspicious degree is greater than a set threshold; and 5) scanning and analyzing the recorded suspicious inconsistent behaviors to discover malicious behaviors. The method provides very good discovery ability for unknown malicious behaviors and compensates for the shortcomings of the traditional way of detecting unknown malicious behaviors with rule-based firewalls and intrusion detection systems.
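Steps 1 to 4 of the abstract, driven by a rule table shaped like Table 1, as an added Python example that is not code from the patent. The magic-byte signatures, the numeric degrees, the PHP rule (modelled on Example 2), the default for unlisted mismatches, and all function names are assumptions.

```python
import hashlib

LOW, MEDIUM, HIGH = 1, 2, 3
# Constructed magic-byte table; a deployment would use a full file-type library.
SIGNATURES = [(b"MZ", "application/x-dosexec"), (b"\x89PNG\r\n\x1a\n", "image/png"),
              (b"<?php", "text/x-php"), (b"<!doctype html", "text/html"),
              (b"<html", "text/html")]
# (declared pattern, actual type, degree). Rows 1, 3 and 4 follow Table 1; the
# PHP row is an assumption modelled on Example 2.
RULES = [("text/html", "application/x-dosexec", HIGH),
         ("image/*", "text/x-php", HIGH),
         ("image/*", "text/html", MEDIUM),
         ("*", "application/octet-stream", LOW)]

def parse(raw):
    """Step 1: split a raw HTTP message into lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def sniff(body):
    """Actual payload type from leading bytes; unknown data is octet-stream."""
    head = body[:64].lstrip()
    for magic, mime in SIGNATURES:
        if head.startswith(magic) or head.lower().startswith(magic):
            return mime
    return "application/octet-stream"

def degree_of(declared, actual):
    """Steps 2-3: 0 when consistent, otherwise the first matching rule."""
    if declared == actual:
        return 0
    for pattern, kind, degree in RULES:
        family = pattern.endswith("/*") and declared.startswith(pattern[:-1])
        if kind == actual and (pattern in ("*", declared) or family):
            return degree
    return LOW  # assumption: unlisted mismatches are treated as low

def inspect(raw, threshold=LOW):
    """Step 4: return a record only when the degree exceeds the threshold."""
    headers, body = parse(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    degree = degree_of(declared, actual)
    if degree <= threshold:
        return None
    return {"Declared": declared, "Actual": actual, "Degree": degree,
            "Sample MD5": hashlib.md5(body).hexdigest()}
```

Step 5, scanning the recorded samples, is left to an external scanner; the threshold decides how much of the misconfiguration-driven low-degree traffic is kept out of that queue.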

Description

Technical field

[0001] The invention belongs to the field of information technology, and specifically relates to a method for discovering malicious network behaviors based on HTTP content consistency.

Background technology

[0002] With the development of the Internet, more and more network application service providers use the HTTP protocol to provide websites and mobile application services to users, and HTTP traffic accounts for a large share of Internet traffic. Because HTTP traffic is huge, complex, and flexible, many attacks and malware have begun to use it to hide their propagation and control behavior. Some of these malicious behaviors forge a Content-Type that differs from the actual type of the HTTP payload in order to pass the type checks of firewalls and intrusion detection systems (IDS), which poses serious hidden dangers to the information security of enterprises and users.

[0003] Traditional rule-based fire...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L29/08, H04L29/06
CPC: H04L63/1416, H04L67/02, H04L69/22
Inventor: 熊刚, 曹自刚, 李镇, 郭莉
Owner: INST OF INFORMATION ENG CHINESE ACAD OF SCI