Detection of suspicious internet traffic based on differential analysis and logical rules

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Internet services and web-based applications are used in important and sensitive areas such as e-commerce, e-learning, e-health care, and e-payment, so protecting those services and applications has become a major issue. This paper proposes a new method based on differential analysis. The main idea is to detect sudden changes in the statistical distribution of some characteristics of the traffic, including its origin and its destination (IP address, protocol and ports). First, the difference between the traffic distributions of neighboring time slices is measured using techniques such as Kullback–Leibler (KL) divergence or cosine similarity. Then clustering algorithms are applied to decide whether the traffic involves sudden changes. The approach is also endowed with a special kind of temporal logic that gives end users wide expressiveness when specifying malicious traffic.
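The pipeline the abstract describes (per-slice distributions, KL divergence or cosine similarity between neighboring slices, clustering of the divergence values, and a temporal rule over the result) as an added worked example. This is illustrative code written for this page, not the authors' implementation: the port counts in `SLICES` are constructed, the Laplace smoothing, the direction KL(current || previous), the 1-D two-means clustering and the tuple-based formula syntax of `ltl_holds` are all assumptions made here, not details taken from the paper.

```python
"""Differential analysis of traffic slices: measure how much the distribution
of a traffic feature changes between neighbouring time windows, cluster the
change scores into "normal" vs "sudden", then evaluate a temporal rule.
Added illustrative example; not the paper's code."""
import math
from collections import Counter

# Constructed sample (not real captures): each slice is the list of destination
# ports seen in one fixed-width time window. Slices 0-3 look alike, slice 4 is
# dominated by a single unusual port (a sudden change), slice 5 returns to normal.
SLICES = [
    [443] * 50 + [80] * 30 + [53] * 15 + [22] * 5,
    [443] * 48 + [80] * 32 + [53] * 14 + [22] * 6,
    [443] * 52 + [80] * 28 + [53] * 16 + [22] * 4,
    [443] * 49 + [80] * 31 + [53] * 15 + [22] * 5,
    [443] * 10 + [80] * 5 + [4444] * 85,
    [443] * 51 + [80] * 29 + [53] * 15 + [22] * 5,
]


def distribution(events, support, alpha=1.0):
    """Laplace-smoothed probability distribution over `support`, so that KL
    divergence stays finite when a value is absent from one of the slices."""
    counts = Counter(events)
    total = len(events) + alpha * len(support)
    return {v: (counts.get(v, 0) + alpha) / total for v in support}


def kl_divergence(p, q):
    """KL(p || q) in nats; both inputs share the same support and have no zeros."""
    return sum(p[v] * math.log(p[v] / q[v]) for v in p)


def cosine_similarity(p, q):
    """Cosine of the angle between the two distributions seen as vectors."""
    dot = sum(p[v] * q[v] for v in p)
    norm_p = math.sqrt(sum(x * x for x in p.values()))
    norm_q = math.sqrt(sum(x * x for x in q.values()))
    return dot / (norm_p * norm_q)


def differential_scores(slices):
    """For each pair of neighbouring slices return (KL(current || previous),
    cosine similarity). Score i describes the transition slice i -> i+1."""
    scores = []
    for prev, cur in zip(slices, slices[1:]):
        support = set(prev) | set(cur)
        p, q = distribution(prev, support), distribution(cur, support)
        scores.append((kl_divergence(q, p), cosine_similarity(p, q)))
    return scores


def two_means_1d(values, iters=20):
    """Minimal k-means with k=2 on scalars; label 1 = the high-divergence cluster."""
    lo, hi = min(values), max(values)
    if lo == hi:
        return [0] * len(values)
    c0, c1 = lo, hi
    labels = [0] * len(values)
    for _ in range(iters):
        labels = [0 if abs(v - c0) <= abs(v - c1) else 1 for v in values]
        g0 = [v for v, l in zip(values, labels) if l == 0]
        g1 = [v for v, l in zip(values, labels) if l == 1]
        if g0:
            c0 = sum(g0) / len(g0)
        if g1:
            c1 = sum(g1) / len(g1)
    return labels


def sudden_changes(slices):
    """Indices of slices whose transition from the previous slice was clustered
    as a sudden change. Note that a return to normal is also a change."""
    labels = two_means_1d([kl for kl, _ in differential_scores(slices)])
    return [i + 1 for i, label in enumerate(labels) if label == 1]


def ltl_holds(formula, trace, t=0):
    """Evaluate a small finite-trace temporal formula at position t of `trace`
    (a list of dicts of atomic propositions, one per transition). Hypothetical
    syntax: ('atom', name), ('not', f), ('and', f, g), ('next', f),
    ('always', f), ('eventually', f)."""
    op = formula[0]
    if op == "atom":
        return trace[t][formula[1]]
    if op == "not":
        return not ltl_holds(formula[1], trace, t)
    if op == "and":
        return ltl_holds(formula[1], trace, t) and ltl_holds(formula[2], trace, t)
    if op == "next":
        return t + 1 < len(trace) and ltl_holds(formula[1], trace, t + 1)
    if op == "always":
        return all(ltl_holds(formula[1], trace, k) for k in range(t, len(trace)))
    if op == "eventually":
        return any(ltl_holds(formula[1], trace, k) for k in range(t, len(trace)))
    raise ValueError(f"unknown operator {op!r}")


def spike_and_revert(slices):
    """Rule: eventually a sudden change immediately followed by another one,
    i.e. a one-slice spike that reverts. The temporal layer is where such
    patterns are expressed on top of the raw per-transition change flags."""
    changed = set(sudden_changes(slices))
    trace = [{"change": (i + 1) in changed} for i in range(len(slices) - 1)]
    rule = ("eventually", ("and", ("atom", "change"), ("next", ("atom", "change"))))
    return ltl_holds(rule, trace)


if __name__ == "__main__":
    for i, (kl, cos) in enumerate(differential_scores(SLICES)):
        print(f"slice {i} -> {i + 1}: KL={kl:.3f} cosine={cos:.3f}")
    print("sudden changes at slices:", sudden_changes(SLICES))
    print("spike-and-revert rule holds:", spike_and_revert(SLICES))
```

On the constructed sample the three normal transitions score a KL of a few thousandths with cosine similarity above 0.99, while the transitions into and out of slice 4 score well above 1 with cosine similarity below 0.5, so the two-means step separates them without a hand-tuned threshold. Both the onset and the reversal are flagged as changes; distinguishing a transient spike from a persistent shift is exactly the kind of distinction the temporal rule layer is for.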


Availability of data and materials

Available Dataset.


Funding

Not applicable.

Author information

Contributions

Both authors have equal contributions.

Corresponding author

Correspondence to Mohammed Ali Elsiddig.

Ethics declarations

Conflicts of interest

We have no conflicts of interest to disclose.

Code availability

Not applicable.

Ethics approval

Not applicable.

Consent to participate

Not applicable.

Consent for publication

Not applicable.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Ali Elsiddig, M., Mejri, M. Detection of suspicious internet traffic based on differential analysis and logical rules. J Comput Virol Hack Tech 18, 347–365 (2022). https://doi.org/10.1007/s11416-022-00421-6
