A network attack forensic platform against HTTP evasive behavior

Authors: Li, Zhen; Pan, Haiqing; Liu, Wenhao; Xu, Fei; Cao, Zigang; Xiong, Gang*
Source: Journal of Supercomputing, 2017, 73(7): 3053-3064.
DOI: 10.1007/s11227-016-1924-3

Abstract

With the increasing volume of data streams and the growing sophistication of attacks, there is a need for network forensic systems that store and examine very large amounts of network flow data. HTTP, the most popular protocol on the Internet, is routinely exploited to carry malware and evasive attacks alongside normal services. By analyzing HTTP evasive behaviors, a network forensic system can find malware attacks and trace them back to their origins. In this paper, we study how real-world malware and network attacks exploit HTTP to hide their malicious activities and present an Evasive Network Attack Forensic System (ENAFS), which can effectively discover evasive network attacks on HTTP and collect the attack samples together with their metadata in full for further analysis. We ran ENAFS on seven days of traffic from the ISP of CSTNET, where it detected and stored more than 110 million HTTP mismatch instances, covering 1607 distinct mismatch types. After further scanning and analyzing these instances, two typical types of evasive attacks were found. ENAFS can also trace an evasive attack back to its origin, as demonstrated by a case study in this paper.
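The abstract refers to "HTTP mismatch instances" without defining the term on this page. The following Python is an added illustration, not code from the paper or from ENAFS: it assumes a mismatch means that the payload format inferred from the body's leading bytes disagrees with the declared Content-Type header, and it treats the (declared, observed) pair as the mismatch type so that distinct types can be counted, in the spirit of the 1607 types the abstract reports. The magic-byte table, the minimal HTTP/1.x response parser and the sample responses are all constructed for this example.

```python
"""Flag HTTP responses whose declared Content-Type disagrees with the payload.

Added example; the notion of "mismatch" used here (declared type vs. type
sniffed from leading bytes) is an assumption, not a definition from the paper.
"""
from collections import Counter

# Constructed table of leading-byte signatures for a few common payload formats.
MAGIC = [
    (b"MZ", "application/x-dosexec"),          # Windows PE executable
    (b"\x7fELF", "application/x-elf"),          # ELF executable
    (b"%PDF", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF8", "image/gif"),
]


def sniff_type(body: bytes) -> str:
    """Return the MIME type implied by the body's leading bytes."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    if body.lstrip()[:1] == b"<":
        return "text/html"
    return "application/octet-stream"  # nothing recognisable


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def declared_type(headers) -> str:
    """Media type from Content-Type, without parameters such as charset."""
    ct = headers.get("content-type", "")
    return ct.split(";", 1)[0].strip().lower() or "(none)"


def find_mismatch(raw: bytes):
    """Return (declared, sniffed) when they disagree, otherwise None."""
    headers, body = parse_response(raw)
    declared = declared_type(headers)
    sniffed = sniff_type(body)
    if declared == sniffed:
        return None
    # Plain text has no signature; an unrecognised body under text/* is not a mismatch.
    if sniffed == "application/octet-stream" and declared.startswith("text/"):
        return None
    return (declared, sniffed)


def mismatch_summary(responses):
    """Count instances per distinct mismatch type over a set of responses."""
    counts = Counter()
    for raw in responses:
        pair = find_mismatch(raw)
        if pair is not None:
            counts[pair] += 1
    return counts


# Constructed sample responses: two benign, three carrying executables under a false type.
SAMPLES = [
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 6\r\n\r\nMZ\x90\x00\x03\x00",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html><body>ok</body></html>",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n\x7fELF\x02\x01\x01",
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\nGIF89a...",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nMZ\x90\x00",
]

if __name__ == "__main__":
    summary = mismatch_summary(SAMPLES)
    print(f"{sum(summary.values())} mismatch instances, {len(summary)} distinct types")
    for (declared, sniffed), n in summary.most_common():
        print(f"  declared={declared:<12} observed={sniffed:<24} count={n}")
```

Stored this way, each flagged response keeps the full body and its headers, so the sample can be pulled out later for scanning, and the (declared, observed) key gives a natural index for the kind of "mismatch type" census the abstract describes.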

  • Publication date: 2017-7
  • Affiliation: Institute of Information Engineering, Chinese Academy of Sciences