
Http Tunnel Detection Technology For Versatility

Posted on: 2007-08-08
Degree: Master
Type: Thesis
Country: China
Candidate: J L Li
GTID: 2208360212475498
Subject: Software engineering
Abstract/Summary:
HTTP-Tunnel is a data transmission technique that can pose a critical security threat. Hence, a detection strategy for HTTP-Tunnel is urgently needed to eliminate this threat. The strategy should be applicable to any unidentified HTTP-Tunnel; in other words, it should take generality as its basic characteristic.

Centering on HTTP-Tunnel detection, this paper gives a solution based on analysis of three aspects: packet features, protocol headers, and request-response behavior. The solution achieves generality by taking the web browser as the "rule": detection in all three aspects depends on abstracting the traits shared by most HTTP-Tunnel applications and on the differences between a web browser and an HTTP-Tunnel. Detection in each aspect relies on different shared traits and differences:

Decision on the objects to be detected: This is the initialization of the detection process, which decides which running processes should be included in the subsequent detection. The selected processes all resemble HTTP-Tunnel in their connection features.

Aggregate-Scatter analysis: Taking the packet set as the object of analysis, this step evaluates the macro-level differences between a web browser and the processes selected for detection. In general, high aggregatability characterizes the packet sets of a web browser, whereas HTTP-Tunnel does not have this characteristic.

Unevenness analysis of the packet set: This step assesses the differences in another attribute of the packet set, unevenness. Segmentability and boundedness are characteristic of the packet set of a web browser, but HTTP-Tunnel does not possess this trait at all.

Protocol header analysis: If an HTTP-Tunnel does not try to imitate the HTTP header structure of a web browser, there will be many distinguishable exceptions in header combinations and header values. Based on these exceptions, we study and suggest several detection methods.

Request-response behavior detection: An HTTP-Tunnel without an anti-detection strategy tends to follow a "once receiving, send soon" model, whereas a web browser is not restricted to this data transmission model.

After evaluating the differences in all of the aspects above, we produce suspiciousness points. As the experiments show, Aggregate-Scatter analysis and Unevenness analysis of the packet set play a key role in HTTP-Tunnel detection, so these two aspects are the focal points of this paper. Besides discussing HTTP-Tunnel detection techniques, this paper also provides relevant data taken directly from experiments.
Keywords/Search Tags: HTTP-Tunnel, HTTP protocol, firewall, detection technique, protocol security, tunnel, information security