Modeling Web Session for Detecting Pseudo HTTP Traffic

More and more Internet services and applications are transferred by the HTTP protocol due to its openness. This brings new challenges to the security management of network boundary. In this paper, a new approach is proposed to detect the pseudo Web behavior which abuses the general HTTP protocol to pass through the network boundary. A new parameter is defined to extract the features of Web-session based on the inter-arrival time of HTTP requests. A nonlinear mapping function is introduced to protect the weak signals from the interference of the infrequent large values. An hidden Markov model with state duration is applied to describe the normal access behavior of Web sessions. The proposed model is dynamic, and does not rely on presupposed threshold and clientor server-side data which are widely used in traditional session detection approaches. An objective function is derived for predicting the near future behavior of a user’s Web-session. The deviation between the prediction result and the real observation is used for detecting the pseudo Web behavior. Experiments based on real HTTP traces from large-scale Web proxies are implemented to valid the proposal.