Radware Ltd.
BASELINING TECHNIQUES FOR DETECTING ANOMALOUS HTTPS TRAFFIC BEHAVIOR

Abstract:

A system and method for detecting anomalous hypertext transfer protocol secure (HTTPS) traffic are provided. The method includes receiving samples of at least rate-base features, wherein the rate-base features demonstrate a normal behavior of at least HTTPS traffic directed to a protected entity; computing a short-term baseline and a long-term baseline based on the received samples, wherein the short-term baseline is adapted to relatively rapid changes in the HTTPS traffic and the long-term baseline is adapted to relatively slow changes in the HTTPS traffic; computing at least one short-term threshold respective of the short-term baseline and at least one long-term threshold respective of the long-term baseline; evaluating each of the at least one threshold against real-time samples of HTTPS traffic to determine whether behavior of the HTTPS traffic is anomalous; and generating alarm when anomaly is detected.