A method for detecting HTTP obfuscated traffic based on suspiciousness evaluation

A flow-detection and suspiciousness-evaluation technique, applied to transmission systems, electrical components, etc., that addresses the false alarms, obfuscation and lack of generality of existing approaches, overcoming high false-alarm rates and achieving good adaptability.

Active Publication Date: 2021-04-13
NANJING UNIV OF SCI & TECH
Problems solved by technology

[0003] A literature search shows that most existing detection techniques are based on machine-learning classification algorithms. Compared with traditional rule- and pattern-based methods this line of research has made great progress, but most of it targets obfuscated traffic generated by one specific obfuscation tool and assumes a designated monitoring environment, so it is not universal.
At the same time, the machine-learning training in this kind of detection scheme is mostly based on limited experimental data, and on relatively closed data sets the reported effect even approaches 100%. However, the traffic forms in a real network environment are far richer, and a classifier trained on such data produces a large number of false alarms in a real network environment.


Embodiment

[0053] In order to verify the effectiveness of the present invention, the following simulation experiment is performed on a certain university campus network.

[0054] First, network traffic is filtered and the data streams carried over the HTTP protocol are extracted. For each HTTP data stream three features are analysed: the integrity of the protocol header information, the content-type identifier, and the data type of the payload. A suspiciousness function is applied to each feature, the weighted sum of the feature suspiciousness values is used as the input of the judger, and the judger decides whether the data stream belongs to normal HTTP or obfuscated HTTP. The specific process is as follows:

[0055] Step 1: Set up the data capturer, use it to capture network traffic data and filter out the HTTP traffic; the screening rules apply the regular expressions "[A-Za-z]{3,7}.*HTTP\/1.[0,1]" and "HTTP\/1.[0,1] [0-9]{0,3}".

[0056] Step 2: Set up the data processor, extract the TCP payload of each packet in the HTTP stream, and reassemble the full p...
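The weighted decision these steps and the abstract describe, as an added Python example that is not the patent's own code: the step-1 regexes are transcribed from the page, while the three per-feature suspiciousness functions, the weights and the threshold are assumed stand-ins, since the page does not give them.

```python
import re
from collections import Counter
from math import log2
# Step 1 screening regexes, transcribed from the page (request line, response line).
REQ_RE = re.compile(rb"[A-Za-z]{3,7}.*HTTP\/1.[0,1]")
RSP_RE = re.compile(rb"HTTP\/1.[0,1] [0-9]{0,3}")
# Assumed: the page names three features but not their suspiciousness functions,
# weights or threshold, so these values are illustrative stand-ins.
WEIGHTS = (0.3, 0.3, 0.4)   # header integrity, content-type identifier, payload type
THRESHOLD = 0.5
REQ_HDRS = (b"host", b"user-agent", b"accept")
RSP_HDRS = (b"content-type", b"content-length")
TEXTUAL = (b"text/", b"application/json", b"application/x-www-form-urlencoded")
KNOWN_TYPES = TEXTUAL + (b"image/", b"application/octet-stream")

def parse(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    hdrs = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        hdrs[k.strip().lower()] = v.strip().lower()
    return lines[0], hdrs, body

def entropy(data):
    # Shannon entropy in bits per byte; encrypted or compressed payloads approach 8.0.
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) if n else 0.0

def feature_scores(raw):
    first, hdrs, body = parse(raw)
    is_rsp = first.startswith(b"HTTP/")
    if not (RSP_RE.search(first) if is_rsp else REQ_RE.search(first)):
        s_hdr = 1.0                      # start line fails the step-1 pattern
    else:
        need = RSP_HDRS if is_rsp else REQ_HDRS
        s_hdr = sum(h not in hdrs for h in need) / len(need)
    ctype = hdrs.get(b"content-type", b"")
    s_ct = 0.0 if ctype.startswith(KNOWN_TYPES) or not body else 0.5
    # Declared text carrying a near-random byte stream is the payload/type mismatch.
    s_body = 1.0 if ctype.startswith(TEXTUAL) and body and entropy(body) > 7.0 else 0.0
    return s_hdr, s_ct, s_body

def classify(raw):
    # Weighted suspiciousness of one message; 'obfuscated' when above threshold.
    score = sum(w * s for w, s in zip(WEIGHTS, feature_scores(raw)))
    return round(score, 3), "obfuscated" if score > THRESHOLD else "normal"
# Constructed sample messages (not captures from the patent's experiment).
NORMAL_RSP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\n\r\n"
              b"<html><body>hi</body></html>")
OBFUSCATED_RSP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + bytes(range(256)) * 4
```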


Abstract

The invention discloses an HTTP obfuscated traffic detection method based on suspiciousness evaluation. First, network traffic is filtered and the data streams carried over the HTTP protocol are extracted; for each HTTP data stream three features are analysed: the integrity of the protocol header information, the content-type identifier, and the data type of the payload. A suspiciousness function is used to calculate the suspiciousness of each feature, the weighted suspiciousness value is used as the input of the judger, and the judger decides whether the data stream belongs to normal HTTP or obfuscated HTTP: if the weighted suspiciousness exceeds the judgment threshold the stream is judged obfuscated, otherwise it is judged normal. The invention does not rely on the variable fingerprint features of the data stream, has good adaptability, and can cope with the complex situations of different network environments.

Description

Technical field

[0001] The present invention relates to network and information security techniques, and more particularly to an HTTP obfuscated traffic detection method based on suspiciousness evaluation.

Background technique

[0002] Traffic obfuscation techniques use specific means to convert the data of any protocol format into a specific protocol. They can serve as a privacy protection method during network traffic transmission, or be used to counter network security mechanisms, leak data or carry C&C channels, threatening public safety. HTTP obfuscation in particular is very widespread: because HTTP is used throughout the Internet and the corresponding port 80 carries many necessary applications, almost no firewall blocks that port. Therefore, detecting the presence of HTTP obfuscated traffic and preventing harm from occurring is a crucial link. HTTP obfuscated traffic detection technology, as a very important technology in the field of network security, has ...


Application Information

Patent Type & Authority: Patents (China)
IPC: H04L29/06, H04L29/08
CPC: H04L63/1408, H04L67/02
Inventors: 郑田宇怡暾刘光杰刘伟伟方俊华纯阳黄书华杨路辉
Owner: NANJING UNIV OF SCI & TECH