• Journal of Information Technology and Architecture
• /
• v.10 no.1
• /
• pp.101-111
• /
• 2013

Internet traffic volume has been increasing rapidly due to popularization of various smart devices and Internet development. In particular, HTTP-based traffic volume of smart devices is increasing rapidly in addition to desktop traffic volume. The increased mobile traffic can cause serious problems such as network overload, web security, and QoS. In order to solve these problems of the Internet overload and security, it is necessary to accurately detect applications. Traditionally, well-known port based method is utilized in traffic classification. However, this method shows low accuracy since P2P applications exploit a TCP/80 port, which is used for the HTTP protocol; to avoid firewall or IDS. Signature-based method is proposed to solve the lower accuracy problem. This method shows higher analysis rate but it has overhead of signature generation. Also, previous signature-based study only analyzes applications in HTTP protocol-level not application-level. That is, it is difficult to identify application name. Therefore, previous study only performs protocol-level analysis. In this paper, we propose a signature generation method to classify HTTP-based traffics in application-level using the characteristics of typical semi HTTP header. By applying our proposed method to campus network traffic, we validate feasibility of our method.

• IEIE Transactions on Smart Processing and Computing
• /
• v.5 no.2
• /
• pp.94-99
• /
• 2016

Application layer attacks have for years posed an ever-serious threat to network security, since they always come after a technically legitimate connection has been established. In recent years, cyber criminals have turned to fully exploiting the web as a medium of communication to launch a variety of forbidden or illicit activities by spreading malicious automated software (auto-ware) such as adware, spyware, or bots. When this malicious auto-ware infects a network, it will act like a robot, mimic normal behavior of web access, and bypass the network firewall or intrusion detection system. Besides that, in a private and large network, with huge Hypertext Transfer Protocol (HTTP) traffic generated each day, communication behavior identification and classification of auto-ware is a challenge. In this paper, based on a previous study, analysis of auto-ware communication behavior, and with the addition of new features, a method for classification of HTTP auto-ware communication is proposed. For that, a Not Only Structured Query Language (NoSQL) database is applied to handle large volumes of unstructured HTTP requests captured every day. The method is tested with real HTTP traffic data collected through a proxy server of a private network, providing good results in the classification and detection of suspicious auto-ware web access.

• Journal of Internet Computing and Services
• /
• v.5 no.4
• /
• pp.63-76
• /
• 2004

For efficient design and operation of a communication network, precise simulation of network characteristics is essential. This issue has been the focus of research by several groups. In this study, we first modeled the HTTP traffic which would be employed on simulation on the level of application using the real collected traffic data. There are two different viewpoints on the characteristics of web traffic pattern, Poisson distribution and self-similar characteristics. In our study, the results show that web traffic characteristics do not depend on only one type of distribution, but the traffic can be modeled as composition of these depending on the size of response of Web server. This implicates that the web traffic can be modeled as the combination of two characteristics. We also found that the characteristics of Web traffic rely on the properties of web servers. This result was deployed as a traffic generator in implementing the network simulator (NetDAS).

• Journal of the Korea Society of Computer and Information
• /
• v.13 no.3
• /
• pp.139-146
• /
• 2008

Despite of information security installation, leakage of personal information in web services has not decreased. This is because traffics to web applications are still vulnerable by permitting external sources to access services in port HTTF 80 and HTTPS 443, even with firewall systems in place. This thesis analyzes various attack patterns resulted from web service environment and vulnerable traffic and categorizes the traffics into normal and abnormal traffics. Also this proposes ways to analyze web application attack patterns from those abnormal traffics based on weak points warned in OWASF(Open Web Application Security Project), design a system capable of detect and isolate attacks in real time, and increase efficiency of preventing attacks.

• Journal of KIISE
• /
• v.44 no.1
• /
• pp.1-12
• /
• 2017

The continuously growing internet service requirements has resulted in a multitier system structure consisting of web server and database (DB) server. In this multitier structure, the existing intrusion detection system (IDS) detects known attacks by matching misused traffic patterns or signatures. However, malicious change to the contents at DB server through hypertext transfer protocol (HTTP) requests at the DB server cannot be detected by the IDS at the DB server's end, since the DB server processes structured query language (SQL) without knowing the associated HTTP, while the web server cannot identify the response associated with the attacker's SQL query. To detect these types of attacks, the malicious user is tracked using knowledge on interaction between HTTP request and SQL query. However, this is a practical challenge because system's source code analysis and its application logic needs to be understood completely. In this study, we proposed a scheme to find the HTTP request associated with a given SQL query using only system log files. We first generated an HTTP request-SQL query map from system log files alone. Subsequently, the HTTP request associated with a given SQL query was identified among a set of HTTP requests using this map. Computer simulations indicated that the proposed scheme finds the HTTP request associated with a given SQL query with 94% accuracy.

• Journal of the Institute of Electronics Engineers of Korea CI
• /
• v.47 no.6
• /
• pp.103-112
• /
• 2010

A study on network traffic analysis and modeling has been exclusively done due to its importance. However, conventional studies on network traffic analysis and modeling only focus on transmitting simple packet stream or traffic features of specific application, such as HTTP. In this paper, we propose a network traffic generator, which reflects the characteristics of multimedia data. To analyze the traffics of online game, which is one of the most popular multimedia contents, we modeled the distribution according to the time between packets and packet size random variable and designed the traffic generator which has the model for input. We generated the traffics of L4D(Left4Dead), WoW(World of Warcraft) with proposed network traffic generator and we found that the generated traffics have similar distributions with real data.

• Journal of the Institute of Electronics Engineers of Korea TC
• /
• v.41 no.5
• /
• pp.37-45
• /
• 2004

As Internet technologies are mature, many new applications that are different characteristics are emerging. Recently we see wide use of P2P(Peer to Peer) applications of which traffic shows different statistical characteristics compared with traditional application such as web(HTTP) and FTP(File Transfer Protocol). In this paper, we measured subscriber network of KT(Korea Telecom) to analyze P2P traffic characteristics. We show flow characteristics of measured traffic. We also estimate Hurst parameter of P2P traffic and compare self-similarity with web traffic. Analysis results indicate that P2P traffic is much bustier than web traffic and makes both upstream traffic and downstream traffic be symmetric. To predict parameters related QoS such as packet loss and delays we model P2P traffic using two self-similar traffic models and predict both loss probability and mm delay then compare their accuracies. With simulation we show that the self-similar traffic models we derive predict the performance of P2P traffic accurately and thus when we design a network or evaluate its performance, we can use the P2P traffic model as reference input traffic.

• Journal of KIISE:Information Networking
• /
• v.29 no.5
• /
• pp.543-552
• /
• 2002

Wireless Session Protocol(WSP) which was updated and supplemented based on HyperText Transfer Protocol(HTTP) was designed by Wireless Application Protocol(WAP) forum regarding the characteristics of wireless environment. WSP improved the performance in wireless network, and introduced various facilities considering wireless environment. In this paper, we more improve the performance of WSP adding protocol message compression capability; we cail improved WSP protocol as WSP+. And, we analysis the performance of each protocol with WSP and WSP+ implementation. As a result of experiment, the capability which proposed in this paper reduced a response traffic about 45%. In $10^{-4}$ bit error rate, we also found the packet loss rate and time delay per transaction of WSP+ was improved over 40%. Finally, we found that the protocol message compression capability reduces message retransmission count in transaction layer and shorten the delay time per transaction by reducing a message size.

• The Transactions of the Korea Information Processing Society
• /
• v.5 no.1
• /
• pp.161-171
• /
• 1998

In this paper, we shows the implementation of Web based performance manager which analyze the traffic of a Web server to support the diagnostics of it. The manager monitors the HTIP traffic by polling and measures and presents is performance on demand. To enhance the adaptability of management interface Web based interfaces with JAVA is used. Recently, the need of traffic management on s Web has grown, because of increasing Web traffic. Therefore, the traffic management of Web service and the effective management of a Web server's performance are needed. We have designed interfaces with which is comprised of Collection-Request, Analysis-Request, Realtime-Monitoring, Comparison-Analysis on a client with Web Browser on a network, and implemented the server system that can analyze these requests. Also we have introduced some perfonnance indicator by referring a Web related MIB. Also, we have designed and developed a message format for communication between the Web client and the server system.

• KNOM Review
• /
• v.22 no.1
• /
• pp.42-51
• /
• 2019

Recently, the amount of internet traffic is increasing due to the increase in speed and capacity of the network environment, and protocol data is increasing due to mobile, IoT, application, and malicious behavior. Most of these private protocols are unknown in structure. For efficient network management and security, analysis of the structure of private protocols must be performed. Many protocol reverse engineering methodologies have been proposed for this purpose, but there are disadvantages to applying them. In this paper, we propose a methodology for inferring a detailed protocol structure based on network trace analysis by hierarchically combining CSP (Contiguous Sequential Pattern) and SP (Sequential Pattern) Algorithm. The proposed methodology is designed and implemented in a way that improves the preceeding study, A²PRE, We describe performance index for comparing methodologies and demonstrate the superiority of the proposed methodology through the example of HTTP, DNS protocol.