DeepHTTP: Anomalous HTTP Traffic Detection and Malicious Pattern Mining Based on Deep Learning

Author(s):  
Yuqi Yu ◽  
Hanbing Yan ◽  
Yuan Ma ◽  
Hao Zhou ◽  
Hongchao Guan

Abstract Hypertext Transfer Protocol (HTTP) accounts for a large portion of Internet application-layer traffic. Since the payload of HTTP traffic can record website status and user request information, many studies use HTTP protocol traffic for web application attack detection. In this work, we propose DeepHTTP, an HTTP traffic detection framework based on deep learning. Unlike previous studies, this framework not only performs malicious traffic detection but also uses the deep learning model to mine malicious fields of the traffic payload. The detection model is called AT-Bi-LSTM, which is based on Bidirectional Long Short-Term Memory (Bi-LSTM) with attention mechanism. The attention mechanism can improve the discriminative ability and make the result interpretable. To enhance the generalization ability of the model, this paper proposes a novel feature extraction method. Experiments show that DeepHTTP has an excellent performance in malicious traffic discrimination and pattern mining.

Sensors ◽  
2020 ◽  
Vol 20 (10) ◽  
pp. 2893 ◽  
Author(s):  
Sunoh Choi ◽  
Jangseong Bae ◽  
Changki Lee ◽  
Youngsoo Kim ◽  
Jonghyun Kim

Every day, hundreds of thousands of malicious files are created to exploit zero-day vulnerabilities. Existing pattern-based antivirus solutions face difficulties in coping with such a large number of new malicious files. To solve this problem, artificial intelligence (AI)-based malicious file detection methods have been proposed. However, even if we can detect malicious files with high accuracy using deep learning, it is difficult to identify why files are malicious. In this study, we propose a malicious file feature extraction method based on attention mechanism. First, by adapting the attention mechanism, we can identify application program interface (API) system calls that are more important than others for determining whether a file is malicious. Second, we confirm that this approach yields an accuracy that is approximately 12% and 5% higher than a conventional AI-based detection model using convolutional neural networks and skip-connected long short-term memory-based detection model, respectively.


2021 ◽  
Vol 11 (16) ◽  
pp. 7188
Author(s):  
Tieming Chen ◽  
Yunpeng Chen ◽  
Mingqi Lv ◽  
Gongxun He ◽  
Tiantian Zhu ◽  
...  

Malicious HTTP traffic detection plays an important role in web application security. Most existing work applies machine learning and deep learning techniques to build the malicious HTTP traffic detection model. However, they still suffer from the problems of huge training data collection cost and low cross-dataset generalization ability. Aiming at these problems, this paper proposes DeepPTSD, a deep learning method for payload-based malicious HTTP traffic detection. First, it treats the malicious HTTP traffic detection as a text classification problem and trains the initial detection model using TextCNN on a public dataset, and then adapts the initial detection model to the target dataset based on a transfer learning algorithm. Second, in the transfer learning procedure, it uses a semi-supervised learning algorithm to accomplish the model adaptation task. The semi-supervised learning algorithm enhances the target dataset based on an HTTP payload data augmentation mechanism to exploit both the labeled and unlabeled data. We evaluate DeepPTSD on two real HTTP traffic datasets. The results show that DeepPTSD has competitive performance under the small data condition.


Author(s):  
Victor Odumuyiwa ◽  
Analogbei Chibueze

HTTP injection attacks are well-known cyber security threats with fatal consequences. These attacks, initiated by malicious entities (either human or computer), send dangerous or unsafe malicious contents into the parameters of HTTP requests. Combatting injection attacks demands the development of Web Intrusion Detection Systems (WIDS). Common WIDS follow a rule-based approach or a signature-based approach, which have the common problem of a high false-positive rate (wrongly classifying malicious HTTP requests), hence making them restricted to only one type of web application. They are easily bypassed and unable to detect new kinds of malicious attacks as they lack a sufficient model of understanding the representations of HTTP request parameters. In this paper, deep learning techniques are used to develop models that would automatically detect injection attacks in HTTP requests. A special layer called the character embedding layer in the deep learning models is used to allow the learning of the representation of the request parameter of HTTP requests in higher abstract levels and also aid in learning the relationships between the characters of the request parameter. The experimentation results showed that with deep learning, better injection attack detection is possible and given the right dataset, a deep learning detection model would be able to correctly classify HTTP requests for any web application.


IEEE Access ◽  
2020 ◽  
Vol 8 ◽  
pp. 185938-185949
Author(s):  
T. Gopalakrishnan ◽  
D. Ruby ◽  
Fadi Al-Turjman ◽  
Deepak Gupta ◽  
Irina V. Pustokhina ◽  
...  

2020 ◽  
Vol 4 (6) ◽  
pp. 1-4
Author(s):  
Zadid Khan ◽  
Mashrur Chowdhury ◽  
Mhafuzul Islam ◽  
Chin-Ya Huang ◽  
Mizanur Rahman

2020 ◽  
Vol 17 (4A) ◽  
pp. 655-661
Author(s):  
Mohammad Shurman ◽  
Rami Khrais ◽  
Abdulrahman Yateem

In recent years, Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks have spread greatly, and attackers make online systems unavailable to legitimate users by sending a huge number of packets to the target system. In this paper, we proposed two methodologies to detect Distributed Reflection Denial of Service (DrDoS) attacks in IoT. The first methodology uses a hybrid Intrusion Detection System (IDS) to detect IoT-DoS attacks. The second methodology uses deep learning models, based on Long Short-Term Memory (LSTM) trained with the latest dataset for such kinds of DrDoS. Our experimental results demonstrate that using the proposed methodologies can detect bad behaviour, making the IoT network safe from DoS and DDoS attacks.


2021 ◽  
Vol 2 ◽  
Author(s):  
Yongliang Qiao ◽  
Cameron Clark ◽  
Sabrina Lomax ◽  
He Kong ◽  
Daobilige Su ◽  
...  

Individual cattle identification is a prerequisite and foundation for precision livestock farming. Existing methods for cattle identification require radio frequency or visual ear tags, all of which are prone to loss or damage. Here, we propose and implement a new unified deep learning approach to cattle identification using video analysis. The proposed deep learning framework is composed of a Convolutional Neural Network (CNN) and Bidirectional Long Short-Term Memory (BiLSTM) with a self-attention mechanism. More specifically, the Inception-V3 CNN was used to extract features from a cattle video dataset taken in a feedlot with rear-view. Extracted features were then fed to a BiLSTM layer to capture spatio-temporal information. Then, self-attention was employed to provide a different focus on the features captured by BiLSTM for the final step of cattle identification. We used a total of 363 rear-view videos from 50 cattle at three different times with an interval of 1 month between data collection periods. The proposed method achieved 93.3% identification accuracy using a 30-frame video length, which outperformed current state-of-the-art methods (Inception-V3, MLP, SimpleRNN, LSTM, and BiLSTM). Furthermore, two different attention schemes, namely, additive and multiplicative attention mechanisms were compared. Our results show that the additive attention mechanism achieved 93.3% accuracy and 91.0% recall, greater than multiplicative attention mechanism with 90.7% accuracy and 87.0% recall. Video length also impacted accuracy, with video sequence length up to 30-frames enhancing identification performance. Overall, our approach can capture key spatio-temporal features to improve cattle identification accuracy, enabling automated cattle identification for precision livestock farming.


2021 ◽  
Vol 2021 ◽  
pp. 1-15
Author(s):  
Ming Li ◽  
Dezhi Han ◽  
Xinming Yin ◽  
Han Liu ◽  
Dun Li

With the rapid development and widespread application of cloud computing, cloud computing open networks and service sharing scenarios have become more complex and changeable, causing security challenges to become more severe. As an effective means of network protection, anomaly network traffic detection can detect various known attacks. However, there are also some shortcomings. Deep learning brings a new opportunity for the further development of anomaly network traffic detection. So far, the existing deep learning models cannot fully learn the temporal and spatial features of network traffic and their classification accuracy needs to be improved. To fill this gap, this paper proposes an anomaly network traffic detection model integrating temporal and spatial features (ITSN) using a three-layer parallel network structure. ITSN learns the temporal and spatial features of the traffic and fully fuses these two features through feature fusion technology to improve the accuracy of network traffic classification. On this basis, an improved method of raw traffic feature extraction is proposed, which can reduce redundant features, speed up the convergence of the network, and ease the imbalance of the datasets. The experimental results on the ISCX-IDS 2012 and CICIDS 2017 datasets show that the ITSN can improve the accuracy of anomaly network traffic detection while enhancing the robustness of the detection system and has a higher recognition rate for positive samples.


2020 ◽  
Vol 7 (1) ◽  
Author(s):  
Derwin Suhartono ◽  
Aryo Pradipta Gema ◽  
Suhendro Winton ◽  
Theodorus David ◽  
Mohamad Ivan Fanany ◽  
...  

Abstract Argumentation mining is a research field which focuses on sentences in type of argumentation. Argumentative sentences are often used in daily communication and have an important role in each decision or conclusion making process. The research objective is to do observation in deep learning utilization combined with attention mechanism for argument annotation and analysis. Argument annotation is argument component classification from certain discourse to several classes. Classes include major claim, claim, premise and non-argumentative. Argument analysis points to argumentation characteristics and validity which are arranged into one topic. One of the analyses is about how to assess whether an established argument is categorized as sufficient or not. The dataset used for argument annotation and analysis is 402 persuasive essays. This data is translated into Bahasa Indonesia (the mother tongue of Indonesia) to give an overview of how it works with a specific language other than English. Several deep learning models such as CNN (Convolutional Neural Network), LSTM (Long Short-Term Memory), and GRU (Gated Recurrent Unit) are utilized for argument annotation and analysis while HAN (Hierarchical Attention Network) is utilized only for argument analysis. The attention mechanism is combined with the model as a weighted access setter for better performance. From the whole experiments, the combination of deep learning and attention mechanism for argument annotation and analysis arrives at a better result compared with previous research.


2021 ◽  
Vol 21 (3) ◽  
pp. 175-188
Author(s):  
Sumaiya Thaseen Ikram ◽  
Aswani Kumar Cherukuri ◽  
Babu Poorva ◽  
Pamidi Sai Ushasree ◽  
Yishuo Zhang ◽  
...  

Abstract Intrusion Detection Systems (IDSs) utilise deep learning techniques to identify intrusions with maximum accuracy and reduce false alarm rates. The feature extraction is also automated in these techniques. In this paper, an ensemble of different Deep Neural Network (DNN) models like MultiLayer Perceptron (MLP), BackPropagation Network (BPN) and Long Short Term Memory (LSTM) are stacked to build a robust anomaly detection model. The performance of the ensemble model is analysed on different datasets, namely UNSW-NB15 and a campus generated dataset named VIT_SPARC20. Other types of traffic, namely unencrypted normal traffic, normal encrypted traffic, encrypted and unencrypted malicious traffic, are captured in the VIT_SPARC20 dataset. Encrypted normal and malicious traffic of VIT_SPARC20 is categorised by the deep learning models without decrypting its contents, thus preserving the confidentiality and integrity of the data transmitted. XGBoost integrates the results of each deep learning model to achieve higher accuracy. From experimental analysis, it is inferred that UNSW_NB results in a maximal accuracy of 99.5%. The performance of VIT_SPARC20 in terms of accuracy, precision and recall are 99.4%, 98% and 97%, respectively.

