keyboard_arrow_up
A Novel Exploit Traffic Traceback Method based on Session Relationship

Authors

Yajing Liu, Ruijie Cai, Xiaokang Yin, and Shengli Liu, State Key Laboratory of Mathematical Engineering and Advanced Computing, China

Abstract

Vulnerability exploitation is the key to obtaining the control authority of the system, posing a significant threat to network security. Therefore, it is necessary to discover exploitation from traffic. The current methods usually only target a single stage with an incomplete causal relationship and depend on the payload content, causing attacker easily avoids detection by encrypting traffic and other means. To solve the above problems, we propose a traffic traceback method of vulnerability exploitation based on session relation. First, we construct the session relationship model using the session correlation of different stages during the exploit. Second, we build a session diagram based on historical traffic. Finally, we traverse the session diagram to find the traffic conforming to the session relationship model. Compared with Blatta, a method detecting early exploit traffic with RNN, the detection rate of our method is increased by 50%, independent of traffic encryption methods.

Keywords

Exploit, Malicious Traffic Detection, Session Relationship, Traffic Analysis

Full Text  Volume 13, Number 7