HTTP flows appointed by this method present behaviour similar to flows tagged by Snort as malicious (priority 1). If you have a host associated with such an alert, you should investigate. Probably, the host is infected by a Malware.
In the event’s note, you can find the domain name involved with the suspicious flow. Search in Google , VirusTotal , Malwr or any other Malware database to certify if the domain name is somehow associated with a malicious code.
Relevant applications to remove Malware
Below some steps of Hogzilla IDS HTTP k-means clustering algorithm are described.
- Select from HBase the features listed in table below for all HTTP flows containing at least two packets
- Normalize the data and cluster the points in 32 clusters using k-means
- Stratify the points by (cluster,flow classification from nDPI)
- Generate alerts for the strata with the proportions of Snort events larger than a threshold
Tests in lab
- Coming soon
- The number 32 was defined heuristically, based on some results in laboratory
- An Introduction to Statistical Learning with Applications in R, by Gareth James, Daniela Witten, Trevor Hastie and Robert Tibshirani. Available for free at http://www-bcf.usc.edu/~gareth/ISL/ , but you should by it!