Security Monitoring of HTTP Traffic Using Extended Flows
| Authors | |
|---|---|
| Year of publication | 2015 |
| Type | Article in Proceedings |
| Conference | 2015 10th International Conference on Availability, Reliability and Security |
| MU Faculty or unit | |
| Citation | |
| Doi | http://dx.doi.org/10.1109/ARES.2015.42 |
| Field | Informatics |
| Keywords | network monitoring;extended flow;HTTP;crawler;brute-force password attack |
| Attached files | |
| Description | In this paper, we present an analysis of HTTP traffic in a large-scale environment which uses network flow monitoring extended by parsing HTTP requests. In contrast to previously published analyses, we were the first to classify patterns of HTTP traffic which are relevant to network security. We described three classes of HTTP traffic which contain brute-force password attacks, connections to proxies, HTTP scanners, and web crawlers. Using the classification, we were able to detect up to 16 previously undetectable brute-force password attacks and 19 HTTP scans per day in our campus network. The activity of proxy servers and web crawlers was also observed. Symptoms of these attacks may be detected by other methods based on traditional flow monitoring, but detection using the analysis of HTTP requests is more straightforward. We, thus, confirm the added value of extended flow monitoring in comparison to the traditional method. |