¹ School of Information Science and Technology, Sun Yat-Sen University, Guangzhou 510275, P.R. China.
² Department of Engineering Technology, Missouri Western State University St. Joseph, MO 64507, US
³ Network and Information Technology Center, Sun Yat-Sen University, Guangzhou 510275, P.R. China.
⁴ School of Computer Science and Eng., Guilin University of Electronic Tech.,Guilin 541004, China

---

Abstract—More and more Internet services and applications are transferred by the HTTP protocol due to its openness. This brings new challenges to the security management of network boundary. In this paper, a new approach is proposed to detect the pseudo Web behavior which abuses the general HTTP protocol to pass through the network boundary. A new parameter is defined to extract the features of Web-session based on the inter-arrival time of HTTP requests. A nonlinear mapping function is introduced to protect the weak signals from the interference of the infrequent large values. An hidden Markov model with state duration is applied to describe the normal access behavior of Web sessions. The proposed model is dynamic, and does not rely on presupposed threshold and client- or server-side data which are widely used in traditional session detection approaches. An objective function is derived for predicting the near future behavior of a user’s Web-session. The deviation between the prediction result and the real observation is used for detecting the pseudo Web behavior. Experiments based on real HTTP traces from large-scale Web proxies are implemented to valid the proposal.

Index Terms—Web session, modeling, detection

[PDF]

Cite: Yi Xie, Shengsheng Tang, Xiangnong Huang, and Chenghua Tang, " Modeling Web Session for Detecting Pseudo HTTP Traffic," Journal of Computers vol. 8, no. 2, pp. 341-348, 2013.