Discover abnormal behaviors using HTTP header fields measurement

Abstract

In recent years, in order to be secure, more and more Intrusion Detection Systems (IDS) and firewalls have been used to detect and block malicious applications or even unknown protocols. As a result, some malicious applications begin to shape themselves as common application protocols to get rid of detection. Being an important protocol for many Internet services, HTTP is responsible more than half of the total traffic volume. As a result, many applications choose HTTP protocol as their shaping object, leading to many abnormal behaviors. In the paper, we study the problem of discovering these abnormal behaviors in HTTP protocol. A method based on HTTP header fields’ measurement is proposed. We measure HTTP header fields’ information from HTTP traffic from normal application such as IE-8, find some characteristics and we use them to find abnormal behaviors of shaping HTTP protocol.