Below are the labeled traces for analysis:
benign trace
scenario (A)
scenario (B)
scenario (C)
Some basic understandings about the benign trace:
- The trace is very complex. Each raw traffic file contains more than 30 HTTP conversations. I manually identified that only the first 5 conversations are related to the SSO. So I have removed all other conversations from the raw traffic.