HTTP-session Model and Its Application in Anomaly HTTP Traffic Detection

Abstract

Different from most existing studies on Web session identification for commerce purposes, a novel dynamic real time HTTP-session processes description method is presented in this paper for detecting the anomaly HTTP traffic for network boundary. The proposed scheme doesn't rely on presupposed threshold and client/server-side data which are widely used in traditional session detection approaches. A new parameter is defined based on inter-arrival time of HTTP requests. A nonlinear algorithm is introduced for quantization. Trained by the quantized sequences, nonparametric hidden Markov model with explicit state duration is applied to cluster and scout the HTTP-session processes. A probability function is derived for predicting HTTP-session processes. The deviation between the prediction result and the real observation is used for sham Web behavior detection. Experiments based on real HTTP traces of large-scale Web proxies are implemented to valid the proposal.