Detecting HTTP Tunneling Activities
2002
In this paper we present a novel intrusion detection system which makes use of behavior profiles to identify HyperText Transfer Protocol (HTTP) tunneling activities. Behavior profiles correspond to inherent attributes of application network sessions. Our system evaluates network behaviors at two different levels: a local multi-packet level and a session level. When suspicious behavior is detected, a verification module performs a detailed analysis of the corresponding session data. Currently, our system detects both malicious and unauthorized HTTP tunneling activities. Our experimental results show the effectiveness of our system and demonstrate the validity of using packet features for anomaly detection.