Journal of Communications, Volume 9, No. 12, December 2014

A Supplementary Method for Malicious Detection Based on HTTP-Activity Similarity Features

Manh Cong Tran and Yasuhiro Nakamura
Department of Computer Science, National Defense Academy, Yokosuka 239-0811, Japan

Abstract— Web-based services are increasingly used across a wide range of Internet applications, such as social networking and cloud computing. In addition, because of growing cyber security threats, system administrators protect their networks by closing inbound ports and permitting outgoing communication only over selected protocols such as HTTP. HTTP is therefore a likely communication channel for internal security threats. Distinguishing normal from malicious activity by monitoring HTTP traffic becomes harder when sophisticated or new malware generates legitimate-looking HTTP traffic and behaves much like normal software; nevertheless, analysing HTTP activity remains a valuable process for malicious detection. In this paper, a new approach is taken: a supplementary method for malicious detection based on similarity features in the HTTP activity of clients is proposed. A new definition of client HTTP-activity similarity is introduced, and based on this feature, clients are clustered into groups with similar HTTP activity. Consequently, if a malicious client is detected, the administrator can quickly identify as suspicious the other clients in the same group as the detected malicious client. Experimental results show that the proposed method is beneficial for anomaly/malicious detection, network management, traffic engineering and security.
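The workflow the abstract describes (summarise each client's HTTP activity, compute a pairwise similarity, group similar clients, then treat the cluster-mates of a detected malicious client as suspects) can be sketched in a few dozen lines. The block below is an added illustration, not the authors' code or their similarity definition: the abstract does not specify the similarity feature or the clustering algorithm, so this example assumes a client's activity is the set of (host, path) pairs it requested, uses the Jaccard index as the similarity, and groups clients by single-linkage at a threshold of 0.5. The proxy-style log lines and the `c2-lookalike.test` host are constructed sample data.

```python
"""
Added example (not the paper's code): cluster clients by similarity of their
HTTP activity, then flag the cluster-mates of a known-malicious client.

Assumed, illustrative choices (the abstract does not define them):
  - a client's HTTP activity = the set of (host, path) pairs it requested,
    extracted from proxy-style log lines "<client_ip> <method> <url>";
  - similarity(a, b) = Jaccard index of the two sets;
  - grouping = single linkage: two clients share a group when a chain of
    pairwise similarities >= THRESHOLD connects them.
"""
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample log; hosts are placeholders, not real infrastructure.
SAMPLE_LOG = """\
10.0.0.11 GET http://news.example.com/index.html
10.0.0.11 GET http://cdn.example.net/lib.js
10.0.0.11 POST http://updates.example-vendor.test/check
10.0.0.12 GET http://news.example.com/index.html
10.0.0.12 GET http://cdn.example.net/lib.js
10.0.0.12 GET http://mail.example.org/inbox
10.0.0.21 POST http://c2-lookalike.test/gate.php
10.0.0.21 GET http://c2-lookalike.test/cfg.bin
10.0.0.22 POST http://c2-lookalike.test/gate.php
10.0.0.22 GET http://c2-lookalike.test/cfg.bin
10.0.0.22 GET http://news.example.com/index.html
10.0.0.31 GET http://wiki.example.edu/Main_Page
"""

THRESHOLD = 0.5  # assumed cut-off; tune on real traffic


def parse_activity(log_text):
    """Map client IP -> set of (host, path) pairs it requested.
    Lines that do not have exactly three fields or lack a host are skipped."""
    activity = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, _method, url = parts
        u = urlsplit(url)
        if not u.hostname:
            continue
        activity[client].add((u.hostname.lower(), u.path or "/"))
    return dict(activity)


def jaccard(a, b):
    """Jaccard index |a & b| / |a | b|; two empty sets count as dissimilar."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_clients(activity, threshold=THRESHOLD):
    """Single-linkage grouping: union-find over client pairs whose
    similarity reaches the threshold. Returns a list of frozensets."""
    parent = {c: c for c in activity}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(sorted(activity), 2):
        if jaccard(activity[a], activity[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for c in activity:
        groups[find(c)].add(c)
    return [frozenset(g) for g in groups.values()]


def suspects_for(malicious_client, groups):
    """Other clients in the same group as a detected malicious client.
    Unknown or isolated clients yield an empty set."""
    for g in groups:
        if malicious_client in g:
            return g - {malicious_client}
    return frozenset()


if __name__ == "__main__":
    act = parse_activity(SAMPLE_LOG)
    groups = cluster_clients(act)
    for g in sorted(groups, key=sorted):
        print("group:", sorted(g))
    # With the sample data: 10.0.0.21 and 10.0.0.22 share the same two
    # c2-lookalike.test requests, so flagging .21 also surfaces .22.
    print("suspects for 10.0.0.21:", sorted(suspects_for("10.0.0.21", groups)))
```

Note the caveat the sample data is built to show: 10.0.0.22 also fetched `news.example.com/index.html`, like the two benign clients, but its similarity to them (1 of 5 shared pairs, 0.2) stays under the threshold, so it is grouped with 10.0.0.21 rather than with them. On real traffic, widely shared hosts (CDNs, update servers, portals) inflate similarity between unrelated clients, so the choice of activity feature and threshold determines how many benign cluster-mates get swept in; that is why the abstract presents the method as supplementary to a detector rather than as a detector on its own.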

Index Terms—HTTP-based malware, malicious detection, network security management, similarity.

Cite: Manh Cong Tran and Yasuhiro Nakamura, "A Supplementary Method for Malicious Detection Based on HTTP-Activity Similarity Features," Journal of Communications, vol. 9, no. 12, pp. 923-929, 2014. DOI: 10.12720/jcm.9.12.923-929