
A Novel Exploit Traffic Traceback Method Based on Session Relationship


Affiliations
1 State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
 

Vulnerability exploitation is the key to obtaining control of a system and poses a significant threat to network security, so it is necessary to discover exploitation from traffic. Current methods usually target only a single stage, capture an incomplete causal relationship, and depend on payload content, so an attacker can easily avoid detection by encrypting traffic or by other means. To solve these problems, we propose a traffic traceback method for vulnerability exploitation based on session relationships. First, we construct the session relationship model using the session correlation of different stages during the exploit. Second, we build a session diagram based on historical traffic. Finally, we traverse the session diagram to find the traffic conforming to the session relationship model. Compared with Blatta, a method that detects early exploit traffic with an RNN, our method increases the detection rate by 50% and is independent of traffic encryption methods.

Keywords

Exploit, Malicious Traffic Detection, Session Relationship, Traffic Analysis.
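
The three steps in the abstract (relationship model, session diagram, traversal) can be sketched over flow metadata alone. This is an added example, not the authors' implementation: the abstract does not define the relationship model, so the rule used here (a host that receives a session and then opens its own session within a short window) is an assumption, as are the `Session` fields, the 5-second window and the constructed sample records.

```python
from collections import defaultdict, namedtuple

# Session metadata only: no payload bytes are inspected, so encryption is irrelevant.
Session = namedtuple("Session", "sid start src dst dport")

# Constructed sample flow records (start times in seconds); all values are made up.
SAMPLE = [
    Session("s1", 100.0, "203.0.113.5", "10.0.0.8", 445),   # inbound to internal host
    Session("s2", 101.5, "10.0.0.8", "203.0.113.5", 4444),  # host connects back
    Session("s3", 103.0, "10.0.0.8", "198.51.100.7", 80),   # host contacts a third party
    Session("s4", 500.0, "10.0.0.9", "198.51.100.7", 443),  # unrelated traffic
    Session("s5", 900.0, "203.0.113.5", "10.0.0.9", 22),    # inbound, nothing follows
]

def build_session_graph(sessions, window=5.0):
    """Assumed model: edge a -> b when a's destination host opens b
    within `window` seconds after a started."""
    by_src = defaultdict(list)
    for s in sessions:
        by_src[s.src].append(s)
    graph = defaultdict(list)
    for a in sessions:
        for b in by_src[a.dst]:
            if 0 < b.start - a.start <= window:
                graph[a.sid].append(b.sid)
    return graph

def trace_chains(sessions, graph, min_len=2):
    """Depth-first traversal returning maximal chains of linked sessions.
    Edges always point forward in time, so the graph has no cycles."""
    has_parent = {child for kids in graph.values() for child in kids}
    chains = []

    def walk(path):
        kids = graph.get(path[-1], [])
        if not kids:
            if len(path) >= min_len:
                chains.append(path)
            return
        for kid in kids:
            walk(path + [kid])

    for s in sessions:
        if s.sid not in has_parent:  # start only from sessions nothing else caused
            walk([s.sid])
    return chains
```

On the sample records the traversal flags the chains starting at `s1` and ignores `s4` and `s5`, which have no follow-on session inside the window.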

Authors

Yajing Liu
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Ruijie Cai
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Xiaokang Yin
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Shengli Liu
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China

