DocumentCode
3217681
Title
A method for HTTP-tunnel detection based on statistical features of traffic
Author
Ding, Yao-jun ; Cai, Wan-dong
Author_Institution
Dept. of Comput., Northwestern Polytech. Univ., Xi'an, China
fYear
2011
fDate
27-29 May 2011
Firstpage
247
Lastpage
250
Abstract
HTTP-tunnel is always used by Trojans and backdoors to avoid detection by firewalls, and it is a threat to network security. HTTP-tunnel traffic is now encrypted, and the only way to detect it is based on statistical features of the transport layer. There are a few methods for detecting HTTP-tunnels, and statistical fingerprinting is an effective one. The statistical fingerprinting method is unstable because the features it uses are the packet size and the inter-arrival time, and its accuracy is determined by the volume of the training set. We suggested a method based on the C4.5 algorithm which uses the features of packet and flow. Compared to the fingerprint algorithm, the C4.5 algorithm had some advantages in stability, accuracy and efficiency in our experiment.
Keywords
computer network security; cryptography; invasive software; statistical analysis; telecommunication traffic; transport protocols; C4.5 algorithm; HTTP-tunnel detection; HTTP-tunnel traffic; Trojans; backdoors; encrypted now; firewalls detection; inter-arrival time; network security threat; statistical features; statistical fingerprinting; transport layer; Algorithm design and analysis; Classification algorithms; Feature extraction; Fingerprint recognition; Protocols; Testing; Training; C4.5 algorithm; HTTP-Tunnel; Network Security; Statistical Fingerprinting;
fLanguage
English
Publisher
ieee
Conference_Titel
Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on
Conference_Location
Xi'an
Print_ISBN
978-1-61284-485-5
Type
conf
DOI
10.1109/ICCSN.2011.6013585
Filename
6013585