
A network attack forensic platform against HTTP evasive behavior

The Journal of Supercomputing

Abstract

With the increasing volume of data streams and sophistication of attacks, there is a need for network forensic systems that store and examine very large amounts of network flow data. HTTP, the most popular protocol on the Internet, is commonly exploited to carry malware and evasive attacks alongside normal services. By analyzing HTTP evasive behaviors, a network forensic system can find malware attacks and trace them back to their origin. In this paper, we study how real-world malware and network attacks exploit HTTP to hide their malicious activities, and present an Evasive Network Attack Forensic System (ENAFS), which can effectively discover evasive network attacks on HTTP and extract the attack samples together with their metadata for further analysis. We ran ENAFS on seven days of traffic from the CSTNET ISP, where it detected and stored more than 110 million HTTP mismatch instances covering 1607 different mismatch types. After further scanning and analyzing these instances, two typical types of evasive attacks were found. ENAFS can also trace back the origin of an evasive attack, as demonstrated by a case study in this paper.
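The abstract counts "HTTP mismatch instances" and groups them into "mismatch types" but does not define them on this page. The script below is an added example, not ENAFS code or anything from the paper; it assumes one concrete mismatch kind, a response whose declared Content-Type contradicts the file type recoverable from the body's leading bytes (for instance a PE executable served as image/gif), and keys each mismatch type by the (declared, actual) pair. The magic-byte table, the GENERIC set of types treated as non-contradicting, and the sample responses are all constructed for the example.

```python
"""Flag HTTP responses whose declared Content-Type disagrees with the body.

Added example, not the paper's ENAFS implementation. Assumption: a
"mismatch instance" is a response whose Content-Type header contradicts
the type sniffed from the body's leading bytes, and a "mismatch type" is
the (declared, actual) pair. Signatures and samples are constructed.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Leading-byte signatures to MIME types (constructed, deliberately small).
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "application/x-dosexec"),
    (b"\x7fELF", "application/x-executable"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]

# Declared types too generic to contradict any sniffed type (assumption).
GENERIC = {"application/octet-stream", "*/*"}


def sniff_body(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the body's leading bytes, or None."""
    for sig, mime in MAGIC:
        if body.startswith(sig):
            return mime
    head = body[:512].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "text/html"
    return None


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status line, headers, body.

    Header names are lower-cased; values are stripped of surrounding space.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def declared_type(headers: Dict[str, str]) -> Optional[str]:
    """Media type from Content-Type, without parameters such as charset."""
    value = headers.get("content-type")
    if not value:
        return None
    return value.split(";", 1)[0].strip().lower()


def classify(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (declared, actual) when the body contradicts the header, else None."""
    _, headers, body = parse_response(raw)
    declared = declared_type(headers)
    actual = sniff_body(body)
    if declared is None or actual is None or declared in GENERIC:
        return None  # nothing definite to compare against
    return None if declared == actual else (declared, actual)


def mismatch_summary(responses: List[bytes]) -> Dict[str, int]:
    """Count mismatch instances per mismatch type, keyed 'declared->actual'."""
    counts: Counter = Counter()
    for raw in responses:
        hit = classify(raw)
        if hit:
            counts[f"{hit[0]}->{hit[1]}"] += 1
    return dict(counts)


def _resp(ctype: str, body: bytes) -> bytes:
    """Build a minimal constructed HTTP/1.1 response for the samples below."""
    return (b"HTTP/1.1 200 OK\r\nServer: x\r\nContent-Type: " + ctype.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample traffic (not taken from the CSTNET dataset).
SAMPLES: List[bytes] = [
    _resp("image/gif", b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00"),          # PE served as a GIF
    _resp("image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),           # consistent
    _resp("text/html; charset=utf-8", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),     # PDF served as HTML
    _resp("application/octet-stream", b"MZ\x90\x00"),                     # generic, not flagged
    _resp("text/plain", b"hello world\n"),                                 # body not recognisable
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(mismatch_summary(SAMPLES))
```

Two caveats a practitioner would add before running this over real captures: sniff only after undoing Transfer-Encoding: chunked and Content-Encoding (gzip, deflate, br), otherwise every compressed response looks like an unknown type; and treat a mismatch as a lead, not a verdict, since misconfigured servers produce them too, which is why the paper still scans the stored samples before calling anything an attack.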



Acknowledgements

Thanks to the collaboration of VirusTotal and its private API, which improved our performance and shortened the online detection time. This work is supported by the National Science and Technology Support Program (No. 2012BAH46B02) and the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06030200).

Corresponding author

Correspondence to Gang Xiong.

Cite this article

Li, Z., Pan, H., Liu, W. et al. A network attack forensic platform against HTTP evasive behavior. J Supercomput 73, 3053–3064 (2017). https://doi.org/10.1007/s11227-016-1924-3
