Entropy-based analyzing anomaly WEB traffic

2020 ◽  
Vol 26 (4) ◽  
pp. 255-266
Author(s):  
Mehrdad Nasseralfoghara ◽  
HamidReza Hamidi

The application nature of the HTTP protocol allows the creation of a covert timing channel based on different features of this protocol (or different levels), which has not been addressed in previous research. In this article, an entropy-based detection method was designed and implemented. The attacker can adjust the amount of channel entropy through measures such as changing the channel’s level or creating noise on the channel to evade the analyzer’s detection. As a result, the entropy threshold for detection is not always constant. By comparing the entropy from different levels of the channel and the analyzer, we concluded that the analyzer must investigate traffic at all possible levels. We also illustrated that making noise on a covert channel decreases its capacity, but as entropy increases, the channel becomes harder to detect.

2013 ◽  
Vol 32 (6) ◽  
pp. 1636-1639
Author(s):  
Xing-xing GUAN ◽  
Chang-da WANG ◽  
Zhi-guo LI ◽  
Zhao-jun BO

2021 ◽  
Vol 11 (10) ◽  
pp. 4589
Author(s):  
Ivan Duvnjak ◽  
Domagoj Damjanović ◽  
Marko Bartolac ◽  
Ana Skender

The main principle of vibration-based damage detection in structures is to interpret the changes in dynamic properties of the structure as indicators of damage. In this study, the mode shape damage index (MSDI) method was used to identify discrete damages in plate-like structures. This damage index is based on the difference between modified modal displacements in the undamaged and damaged state of the structure. In order to assess the advantages and limitations of the proposed algorithm, we performed experimental modal analysis on a reinforced concrete (RC) plate under 10 different damage cases. The MSDI values were calculated through considering single and/or multiple damage locations, different levels of damage, and boundary conditions. The experimental results confirmed that the MSDI method can be used to detect the existence of damage, identify single and/or multiple damage locations, and estimate damage severity in the case of single discrete damage.


2021 ◽  
Vol 104 ◽  
pp. 102095
Author(s):  
Shaojie Chen ◽  
Bo Lang ◽  
Hongyu Liu ◽  
Duokun Li ◽  
Chuan Gao

2021 ◽  
Vol 2021 (2) ◽  
pp. 48-69
Author(s):  
Jean-Pierre Smith ◽  
Prateek Mittal ◽  
Adrian Perrig

Abstract: With the meteoric rise of the QUIC protocol, the supremacy of TCP as the de facto transport protocol underlying web traffic will soon cease. HTTP/3, the next version of the HTTP protocol, will not support TCP. Current website-fingerprinting literature has ignored the introduction of this new protocol to all modern browsers. In this work, we investigate whether classifiers trained in the TCP setting generalise to QUIC traces, whether QUIC is inherently more difficult to fingerprint than TCP, how feature importance changes between these protocols, and how to jointly classify QUIC and TCP traces. Experiments using four state-of-the-art website-fingerprinting classifiers and our combined QUIC-TCP dataset of ~117,000 traces show that while QUIC is not inherently more difficult to fingerprint than TCP, TCP-trained classifiers may fail to detect up to 96% of QUIC visits to monitored URLs. Furthermore, classifiers that take advantage of the common information between QUIC and TCP traces for the same URL may outperform ensembles of protocol-specific classifiers in limited data settings.

