
Research On Malware Detection Based On HTTP Network Traffic

Posted on: 2020-04-03
Degree: Master
Type: Thesis
Country: China
Candidate: Z H Liu
Full Text: PDF
GTID: 2428330596475087
Subject: Information security
Abstract/Summary:
Hypertext Transfer Protocol (HTTP) is one of the most widely used network protocols on the Internet. As the Internet has grown, network traffic has come to contain a large number of HTTP packets. Network security devices such as firewalls generally do not filter HTTP traffic, so much malware chooses HTTP for its network activity: its communication can hide within the large volume of background HTTP traffic and more easily pass through the firewall. Detecting malware in HTTP network traffic is therefore an important problem in network security today. Existing research methods can be roughly divided into traffic statistics, content features and behavioral features. Although these methods can identify malware HTTP traffic, each has its shortcomings; most detection methods focus on only one type of feature, and their recall rate is not high. How to combine the three types of features effectively and improve the detection of malware HTTP traffic is therefore a problem still to be solved.

In view of these problems, this thesis studies the relevant background of malware, including its definition, operating mechanism and network architecture, as well as the causes and characteristics of the various kinds of HTTP traffic that malware generates. After examining the main existing methods for detecting malware HTTP traffic, a new detection method is proposed: a structure2vec graph-embedding detection method based on an HTTP behavior tree. The method transforms HTTP traffic into an HTTP behavior tree, extracts the traffic-statistics, content and behavioral features of each node of that tree, thereby turning the behavior tree into a feature tree, and finally embeds and classifies the feature tree with the structure2vec algorithm. This detection method effectively combines the three types of features, broadens the feature dimension of malware HTTP traffic, and innovatively applies the structure2vec algorithm to network data classification, which improves detection performance.

Finally, the thesis implements a prototype system of the structure2vec graph-embedding detection method based on the behavior tree and compares it with other detection methods on a public malware traffic dataset, verifying the validity of the method on accuracy, recall and other indicators. Experiments comparing the modified structure2vec algorithm with the original algorithm show that the modified algorithm has higher accuracy and higher recall, so it is better suited to the scenario of this thesis. Experiments comparing the importance of the feature types show that, of the three types of features extracted in this thesis, statistical features are the most effective. The prototype system was also tested in a real network environment, showing that it can perform malware HTTP traffic detection in practice.
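As an added illustration, not code from the thesis, the following Python sketch walks through the pipeline the abstract describes in simplified form: constructed HTTP flows are grouped into a per-host behavior tree, each path node receives statistical, content and behavioral features (turning the behavior tree into a feature tree), and an untrained structure2vec-style message-passing step turns the feature tree into one vector per host. The tree shape, the feature set and the fixed update rule are assumptions; the thesis learns its embedding parameters and then classifies the resulting vectors.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample flows: (timestamp_s, method, url, request_bytes, response_bytes)
FLOWS = [
    (0.0, "GET", "http://cdn.example.test/index.html", 300, 12000),
    (1.5, "GET", "http://cdn.example.test/img/logo.png", 280, 4000),
    (5.0, "POST", "http://cdn.example.test/upload", 9000, 200),
    (0.0, "GET", "http://beacon.example.test/a.php?id=a9f3", 120, 40),
    (60.0, "GET", "http://beacon.example.test/a.php?id=b2c1", 120, 40),
    (120.0, "GET", "http://beacon.example.test/a.php?id=77de", 120, 40),
]

def build_behavior_tree(flows):
    """Group flows into a host -> path tree (this tree shape is an assumption)."""
    tree = defaultdict(lambda: defaultdict(list))
    for ts, method, url, req_b, resp_b in flows:
        u = urlsplit(url)
        tree[u.netloc][u.path].append((ts, method, u.query, req_b, resp_b))
    return tree

def node_features(recs):
    """Statistical, content and behavioral features of one path node."""
    n = len(recs)
    ts = sorted(r[0] for r in recs)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
    jitter = (max(gaps) - min(gaps)) / mean_gap if mean_gap else 0.0  # 0 = periodic
    return [n,                                          # stat: request count
            sum(r[3] for r in recs) / n,                # stat: mean request bytes
            sum(r[4] for r in recs) / n,                # stat: mean response bytes
            sum(r[1] == "POST" for r in recs) / n,      # content: POST ratio
            sum(bool(r[2]) for r in recs) / n,          # content: query-string ratio
            mean_gap, jitter]                           # behavior: request timing

def embed_host(path_nodes, rounds=2):
    """Untrained structure2vec-style message passing over the feature tree:
    mu_v = x_v + mean(mu_u over neighbours u), iterated; host vector = sum of mu_v.
    The thesis learns this update; the fixed rule here is a stand-in."""
    x = {p: node_features(r) for p, r in path_nodes.items()}
    dim = len(next(iter(x.values())))
    x["<host>"] = [0.0] * dim                 # root node carries no features of its own
    nbrs = {p: ["<host>"] for p in path_nodes}
    nbrs["<host>"] = list(path_nodes)
    mu = {v: [0.0] * dim for v in x}
    for _ in range(rounds):                   # synchronous update: right side is old mu
        mu = {v: [xi + sum(mu[u][i] for u in nbrs[v]) / len(nbrs[v])
                  for i, xi in enumerate(x[v])] for v in x}
    return [sum(mu[v][i] for v in mu) for i in range(dim)]
```

The periodic, fixed-size requests to the second host yield a node with zero timing jitter and a query string on every request, which is the kind of per-node signal the feature tree carries into the embedding.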
Keywords/Search Tags: Malware, Graph embedding, Machine Learning, Traffic detection