US2016337333A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016337333-A1 |
| Application number | US-201515111232-A |
| Country | US |
| Kind code | A1 |
| Filing date | Feb 26, 2015 |
| Priority date | Mar 7, 2014 |
| Publication date | Nov 17, 2016 |
| Grant date | — |
Official abstract text for this publication.
For classifying a TCP connection carrying HTTP traffic as trusted or untrusted, an analyser device performs: detecting an HTTP request message of an HTTP session carried by the TCP connection; obtaining, from headers of the detected HTTP request message, information to build a signature of the HTTP session; comparing the built signature with signatures stored beforehand in a signatures database; classifying the TCP connection as trusted, when the built signature matches a signature that is stored beforehand in the signatures database and that is representative of a trusted HTTP client application; performing an authentication procedure, when the built signature does not match any signature stored beforehand in the signatures database, the authentication procedure requesting a user to provide authentication data; adding the built signature in the signatures database, when valid authentication data are provided by the user, the signature of the HTTP session being representative in the signatures database of a trusted HTTP client application, and classifying the TCP connection as trusted; and otherwise, classifying the TCP connection as untrusted.
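An added sketch (not code from the patent or its applicant) of the classification flow the abstract describes, with the signature built from the fields claim 19 lists and keyed by source IP as in claim 20. The `MANDATORY` and `PINNED_VALUES` sets, the `Analyser` class, the `authenticate` callback standing in for the redirect-to-login/CAPTCHA page, and both sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumption: which headers count as "mandatory" and whose values are pinned is
# deployment policy; the page does not enumerate them.
MANDATORY = ("host", "user-agent", "accept", "accept-language")
PINNED_VALUES = ("user-agent",)

# Constructed sample requests: a browser, and a client reusing its User-Agent.
BROWSER = (b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n"
           b"User-Agent: ExampleBrowser/1.0\r\nAccept: text/html\r\n"
           b"Accept-Language: en\r\nDNT: 1\r\n\r\n")
SPOOFED = (b"GET /index.html HTTP/1.1\r\nUser-Agent: ExampleBrowser/1.0\r\n"
           b"Host: intranet.example\r\nAccept: */*\r\n\r\n")

def parse_headers(raw: bytes):
    """Return [(lowercased name, value)] in wire order from a raw HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def build_signature(raw: bytes):
    """Signature = (mandatory headers in order, optional header set, pinned values)."""
    pairs = parse_headers(raw)
    names = [n for n, _ in pairs]
    mandatory_seq = tuple(n for n in names if n in MANDATORY)  # presence and order
    optional = frozenset(n for n in names if n not in MANDATORY)
    pinned = tuple((n, v) for n, v in pairs if n in PINNED_VALUES)
    return (mandatory_seq, optional, pinned)

@dataclass
class Analyser:
    db: dict = field(default_factory=dict)         # (src_ip, signature) -> trusted?

    def classify(self, src_ip: str, raw: bytes, authenticate) -> str:
        """Match against stored signatures; on a miss, authenticate once and store."""
        key = (src_ip, build_signature(raw))
        if key not in self.db:                     # unknown signature for this source
            self.db[key] = bool(authenticate())    # stored with its safety indicator
        return "trusted" if self.db[key] else "untrusted"
```

Because header order and the set of headers present are part of the signature, the second sample request does not match the stored browser signature even though its User-Agent value is identical.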
Opening claim text (preview).
1-15. (canceled)

16. A method for classifying a TCP connection carrying HTTP traffic as a trusted or an untrusted TCP connection, the method being performed by an analyser device, the method comprising: detecting an HTTP request message of an HTTP session in the HTTP traffic carried by the TCP connection; obtaining, from headers of the detected HTTP request message, information to build a signature of the HTTP session; comparing the signature of the HTTP session with signatures stored beforehand by the analyser device in a signatures database; classifying the TCP connection as a trusted connection, when the signature of the HTTP session matches a signature that is stored beforehand by the analyser device in the signatures database and that is representative of a trusted HTTP client application; characterized in that the method further comprises: performing an authentication procedure, when the signature of the HTTP session does not match any signature stored beforehand by the analyser device in the signatures database, the authentication procedure requesting a user to provide authentication data; adding the signature of the HTTP session in the signatures database, when valid authentication data are provided by the user, the signature of the HTTP session being representative in the signatures database of a trusted HTTP client application, and classifying the TCP connection as a trusted connection; and otherwise, classifying the TCP connection as an untrusted connection in that the authentication procedure comprises: sending a response to a device having originated the detected HTTP request message, said response redirecting the device having originated the detected HTTP request message toward another URL; receiving from the device having originated the detected HTTP request message another HTTP request message referring to said another URL; sending in response to said another HTTP request message a web page via which the user is able to enter authentication information; and when valid authentication information is received, considering the TCP connection as trusted, otherwise considering the TCP connection as untrusted, in that the web page is adapted to enable the user to enter a login and a password as authentication information, and in that the analyser device compares the entered login and passwords with login and password stored beforehand, or in that the web page is adapted to display a CAPTCHA image and enable the user to enter a string, and in that the analyser device compares the entered string with a predefined string corresponding to the displayed CAPTCHA image, and in that the web page is further adapted to enable the user to select a profile from amongst a set of profiles determined by the analyser device as compatible with the detected HTTP request message, each profile including a list of HTTP mandatory headers expected to be present in each HTTP request message compliant with the signature, a list of HTTP optional headers expected to be present in each HTTP request message compliant with the signature, a list of HTTP mandatory headers having specific values to be present in each HTTP request message compliant with the signature, and information representative of a sequence in which the HTTP mandatory headers appear in the detected HTTP request message.

17. The method according to claim 16, characterised in that, when the TCP connection is classified as an untrusted connection following the authentication procedure, the method further comprises: adding the signature of the HTTP session in the signatures database, the signature of the HTTP session being representative in the signatures database of an untrusted HTTP client application.

18. The method according to claim 17, characterised in that each signature stored in the signatures database is associated with a first safety indicator representative of whether said signature corresponds to a trusted TCP connection or an untrusted TCP connection.

19. The method according to claim 16, characterised in that the signature of the HTTP session includes information representative of HTTP mandatory headers present in the detected HTTP request message, information representative of HTTP optional headers present in the detected HTTP request message, information representative of a sequence in which the HTTP mandatory headers appear in the detected HTTP request message; and information representative of values contained in predefined fields of the HTTP mandatory headers present in the detected HTTP request message.

20. The method according to claim 16, characterised in that the signatures stored in the signatures database are associated with a set of at least one IP address, said method comprises: associating the signature of the HTTP session with an IP source address from which is originated the detected HTTP request message, when adding the signature of the HTTP session in the signatures database; checking whether the IP source address is associated with any signature stored beforehand in the signatures database, when comparing the signature of the HTTP session with the signatures stored beforehand in the signatures database; and considering that the signature of the HTTP session does not match any signature in the signatures database, when no signature in the signatures database is associated with the IP source address.

21. The method according to claim 16, characterised in that, when valid authentication information is received, the analyser device determines the signature of the HTTP session from the selected profile and headers of the detected HTTP request message.

22. The method according to claim 16, characterised in that the method comprises: obtaining information representative of an IP destination address associated with the detected HTTP request message; and attempting classifying the TCP connection as a trusted or an untrusted TCP connection, on the basis of the IP destination address prior to attempting classifying the TCP connection on the basis of the signature.

23. The method according to claim 22, characterised in that the method comprises: comparing the IP destination address with IP addresses stored beforehand in an IP addresses database, each IP address stored in the IP addresses database being associated with a second safety indicator representative of whether said IP address corresponds to a trusted device or an untrusted device, each TCP connection implying a trusted destination device being considered as trusted and each TCP connection implying an untrusted destination device being considered as untrusted.

24. The method according to claim 23, characterised in that, for populating the IP addresses database, the method comprises: receiving UDP datagrams; detecting a DNS server response in the received UDP datagrams; obtaining, from the detected DNS server response, information of matching between an IP address and domain name information; checking whether said domain name information is present in a domain name database, said domain name database containing domain names associated with a third safety indicator representative of whether said domain name is trusted or untrusted; when said domain name information is present in the domain name database, adding to the IP addresses database the IP address matching said domain name information in association with the third safety indicator.

25. The method according to claim 16, characterised in that the method comprises: obtaining, from headers of the detected HTTP request message, information representative of an URL to which refers the HTTP request message; and attempting classifying the TCP connection as a trusted or an
Protocol analysers · CPC title
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title
for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title
above the transport layer · CPC title
Event detection, e.g. attack signature detection · CPC title