Detecting Malicious HTTP Traffic that Hides Under the Real Traffic


Malware generates malicious network behavior and often hides it inside HTTP traffic to avoid detection, so detecting malicious traffic is one of the critical issues in cyber security.

However, current detection methods primarily rely on artificial features and outdated data, so they lack generalization.

The following cybersecurity researchers from their respective universities and organizations have recently unveiled how they detected malicious HTTP traffic that hides within the real traffic:-

  • Xiaochun Yun (National Computer Network Emergency Response Technical Team/Coordination Center of China)
  • Jiang Xie (Institute of Information Engineering, Chinese Academy of Sciences, and School of Cyber Security, University of Chinese Academy of Sciences)
  • Shuhao Li (Institute of Information Engineering, Chinese Academy of Sciences, Key Laboratory of Network Assessment Technology, University of Chinese Academy of Sciences, and School of Cyber Security, University of Chinese Academy of Sciences)
  • Yongzheng Zhang (Institute of Information Engineering, Chinese Academy of Sciences, Key Laboratory of Network Assessment Technology, University of Chinese Academy of Sciences, and School of Cyber Security, University of Chinese Academy of Sciences)
  • Peishuai Sun (Institute of Information Engineering, Chinese Academy of Sciences, and School of Cyber Security, University of Chinese Academy of Sciences)





HTTP-based Malicious Communication Behavior

HTTP traffic carries much of this behavior, with adversaries mimicking innocent user behavior and hiding malicious data within standard fields.

The similarity to harmless traffic makes the detection challenging, and this scenario also drives the need for advanced techniques.

It is crucial to enhance detection methods’ ability to generalize and identify unknown HTTP-based malicious communication behavior, but it faces two main challenges.

Below, we have mentioned the two challenges:-

  • Feature extraction
  • Experimental dataset

Challenges in detecting unknown HTTP-based malicious behavior include the difficulty of feature extraction under adversarial conditions and limited testing on small-scale datasets, which hampers generalization ability.

Below, we have mentioned the four phases into which an HTTP-based malware attack can be divided:-

  • Implantation phase
  • Incubation phase
  • Communication phase
  • Execution phase

HTTP-based malware attack (Source – Arxiv)

Effective detection of HTTP-based malicious behavior occurs in the communication phase by analyzing malware-generated traffic to identify malicious interactions and locate adversaries.

Full-duplex application layer flows consist of the request and response packets that share the same quintuple:-

  • src_ip
  • src_port
  • dst_ip
  • dst_port
  • transport protocol (TCP)

Besides this, the cybersecurity researchers divide flows into packet-level and flow-level to extract hierarchical features.
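As an added illustration (not code from the paper or the HMCD-Model), the snippet below groups request and response packets into one full-duplex flow by a canonical quintuple and then summarizes each flow at packet level and flow level. The packet data is constructed, and the particular features (direction, payload length, byte counts) are simple choices of my own, not the features the researchers extract.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # transport protocol, "TCP" for HTTP
    payload_len: int  # application-layer bytes carried

FlowKey = Tuple[str, int, str, int, str]

def flow_key(p: Packet) -> FlowKey:
    """Canonical quintuple: sort the two endpoints so that a request
    (client->server) and its response (server->client) map to the same
    full-duplex flow instead of two one-directional ones."""
    lo, hi = sorted([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)])
    return (lo[0], lo[1], hi[0], hi[1], p.proto)

def group_flows(packets: List[Packet]) -> Dict[FlowKey, List[Packet]]:
    """Bucket packets by quintuple, preserving capture order within a flow."""
    flows: Dict[FlowKey, List[Packet]] = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    return dict(flows)

def hierarchical_features(flow: List[Packet]) -> dict:
    """Packet-level: one (direction, length) pair per packet, +1 for the
    initiator's direction. Flow-level: aggregate counts over the flow."""
    initiator = (flow[0].src_ip, flow[0].src_port)  # first packet = requester
    packet_level = [(1 if (p.src_ip, p.src_port) == initiator else -1,
                     p.payload_len) for p in flow]
    up = sum(n for d, n in packet_level if d == 1)
    down = sum(n for d, n in packet_level if d == -1)
    flow_level = {"packets": len(flow), "bytes_up": up, "bytes_down": down}
    return {"packet_level": packet_level, "flow_level": flow_level}

# Constructed sample: two HTTP exchanges from one client to two servers.
SAMPLE = [
    Packet("10.0.0.5", 51234, "203.0.113.10", 80, "TCP", 120),   # request
    Packet("203.0.113.10", 80, "10.0.0.5", 51234, "TCP", 1400),  # response
    Packet("203.0.113.10", 80, "10.0.0.5", 51234, "TCP", 600),   # response
    Packet("10.0.0.5", 51235, "198.51.100.7", 80, "TCP", 800),   # request
    Packet("198.51.100.7", 80, "10.0.0.5", 51235, "TCP", 40),    # response
]

if __name__ == "__main__":
    for key, flow in group_flows(SAMPLE).items():
        print(key, hierarchical_features(flow)["flow_level"])
```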

The HMCD model demonstrates excellent detection performance with F1 at 99.46% in the HMCT-2020 dataset. It also outperforms other models in generalization and real-world traffic experiments, achieving an F1 of 83.66%.

HMCD-Model Methodology (Source – Arxiv)

Experts propose the HMCD-Model for detecting unknown malicious HTTP traffic, using a hybrid neural network with GAN to enhance accurate traffic representation, achieving F1 ≈ 83.66%. 

HMCD improves defense against complex attacks, with plans to expand datasets and refine GAN-based traffic generation.
