DocumentCode
3259603
Title
Detecting HTTP Tunnels with Statistical Mechanisms
Author
Crotti, Matteo ; Dusi, Maurizio ; Gringoli, F. ; Salgarelli, L.
Author_Institution
Univ. degli Studi di Brescia, Brescia
fYear
2007
fDate
24-28 June 2007
Firstpage
6162
Lastpage
6168
Abstract
Application level gateways and firewalls are commonly used to enforce security policies at network boundaries, especially in large-sized business networks. However, several mechanisms can be used to circumvent these policies and bypass the whole security infrastructure: for example, tunneling an (otherwise blocked) application layer protocol into another one allowed by the policy, such as HTTP. In this paper we propose the application of a statistically-based traffic classification technique to solve this problem. By the analysis of inter-arrival time, size and order of the packets crossing a gateway, we show that it is possible to detect with high accuracy whether an observed flow is carrying a legitimate HTTP session, or the flow is being used to tunnel another protocol. This paper describes how this technique can be used effectively to enhance application level gateways and firewalls, helping to better apply network security policies.
Keywords
authorisation; internetworking; telecommunication security; telecommunication traffic; transport protocols; HTTP tunnel; application level gateways; firewalls; interarrival time; network security; statistically-based traffic classification technique; Communication system traffic control; Communications Society; Data security; IP networks; Information security; Network servers; Protocols; Telecommunication traffic; Tunneling; Web server;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications, 2007. ICC '07. IEEE International Conference on
Conference_Location
Glasgow
Print_ISBN
1-4244-0353-7
Type
conf
DOI
10.1109/ICC.2007.1020
Filename
4289691