Research Article
A Novel Web Tunnel Detection Method Based on Protocol Behaviors
@INPROCEEDINGS{10.1007/978-3-319-04283-1_15,
  author={Fei Wang and Liusheng Huang and Zhili Chen and Haibo Miao and Wei Yang},
  title={A Novel Web Tunnel Detection Method Based on Protocol Behaviors},
  proceedings={Security and Privacy in Communication Networks. 9th International ICST Conference, SecureComm 2013, Sydney, NSW, Australia, September 25-28, 2013, Revised Selected Papers},
  proceedings_a={SECURECOMM},
  year={2014},
  month={6},
  keywords={web tunnel detection protocol behaviors packet analysis feature vector support vector machine},
  doi={10.1007/978-3-319-04283-1_15}
}
- Fei Wang
- Liusheng Huang
- Zhili Chen
- Haibo Miao
- Wei Yang
Year: 2014
SECURECOMM
Springer
DOI: 10.1007/978-3-319-04283-1_15
Abstract
The web tunnel is a common attack technique in the Internet and it is very easy to be implemented but extremely difficult to be detected. In this paper, we propose a novel web tunnel detection method which focuses on protocol behaviors. By analyzing the interaction processes in web communications, we give a scientific definition to web sessions that are our detection objects. Under the help of the definition, we extract four first-order statistical features which are widely used in previous research of web sessions. Utilizing the packet lengths and inter-arrival times in the transport layer, we divide TCP packets into different classes and discover some statistical correlations of them in order to extract another three second-order statistical features of web sessions. Further, the seven features are regarded as a 7-dimensional feature vector. Exploiting the vector, we adopt a support vector machine classifier to distinguish tunnel sessions from legitimate web sessions. In the experiment, our method performs very well and the detection accuracies of HTTP tunnels and HTTPS tunnels are 82.5% and 91.8% respectively when the communication traffic is above 500 TCP packets.