Security and Privacy in Communication Networks. 9th International ICST Conference, SecureComm 2013, Sydney, NSW, Australia, September 25-28, 2013, Revised Selected Papers

Research Article

A Novel Web Tunnel Detection Method Based on Protocol Behaviors

Download
487 downloads
  • @INPROCEEDINGS{10.1007/978-3-319-04283-1_15,
        author={Fei Wang and Liusheng Huang and Zhili Chen and Haibo Miao and Wei Yang},
        title={A Novel Web Tunnel Detection Method Based on Protocol Behaviors},
        proceedings={Security and Privacy in Communication Networks. 9th International ICST Conference, SecureComm 2013, Sydney, NSW, Australia, September 25-28, 2013, Revised Selected Papers},
        proceedings_a={SECURECOMM},
        year={2014},
        month={6},
        keywords={web tunnel detection protocol behaviors packet analysis feature vector support vector machine},
        doi={10.1007/978-3-319-04283-1_15}
    }
    
  • Fei Wang
    Liusheng Huang
    Zhili Chen
    Haibo Miao
    Wei Yang
    Year: 2014
    A Novel Web Tunnel Detection Method Based on Protocol Behaviors
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-04283-1_15
Fei Wang1,*, Liusheng Huang1, Zhili Chen1, Haibo Miao1, Wei Yang1
  • 1: University of Science and Technology of China
*Contact email: wf616528291@gmail.com

Abstract

The web tunnel is a common attack technique in the Internet and it is very easy to be implemented but extremely difficult to be detected. In this paper, we propose a novel web tunnel detection method which focuses on protocol behaviors. By analyzing the interaction processes in web communications, we give a scientific definition to web sessions that are our detection objects. Under the help of the definition, we extract four first-order statistical features which are widely used in previous research of web sessions. Utilizing the packet lengths and inter-arrival times in the transport layer, we divide TCP packets into different classes and discover some statistical correlations of them in order to extract another three second-order statistical features of web sessions. Further, the seven features are regarded as a 7-dimentional feature vector. Exploiting the vector, we adopt a support vector machine classifier to distinguish tunnel sessions from legitimate web sessions. In the experiment, our method performs very well and the detection accuracies of HTTP tunnels and HTTPS tunnels are 82.5% and 91.8% respectively when the communication traffic is above 500 TCP packets.