
Research On Malware Detection Method Combining HTTP Correlation And Multi-dimensional Features

Posted on: 2021-01-02
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Wang
Full Text: PDF
GTID: 2428330620464182
Subject: Engineering

Abstract/Summary:
As communication technology and network applications spring up, the Internet has become an indispensable part of people's lives. At the same time, network attacks that use malicious software as their carrier, including DoS (denial of service), ransomware, espionage and the like, are increasingly rampant. Identifying malware quickly and accurately therefore plays an important role in building a secure and reliable network system. Nowadays numerous malware families use the HTTP protocol to communicate, hiding their traffic in the great volume of normal HTTP traffic, which not only increases their concealment but also lets them pass through firewalls. Although current detection of such malware, which mainly focuses on partial characteristics of the traffic, still works, it suffers from high false positive and false negative rates.

Against this background, this thesis analyses the relevance between the HTTP requests generated by a user's access and explores the features of HTTP traffic generated by malware. On this basis it further studies the relevant academic results on existing malware detection and proposes a malware detection method combining request correlation and multi-dimensional features of HTTP traffic. The method consists of two parts: reconstructing the user's HTTP request association graph to filter suspicious traffic, and multi-dimensional feature detection of the suspicious HTTP traffic.

Reconstructing the user's HTTP request association graph is mainly aimed at filtering out suspicious HTTP traffic. Using multiple fields of the HTTP packets together with machine learning algorithms, it connects the HTTP requests generated by the user's direct or indirect access during a period of time according to their hierarchical relationship, so that the unrelated, suspicious traffic can be filtered out. This sharply reduces the amount of data the system has to process and the interference of normal traffic with the subsequent detection, improving its efficiency and accuracy.

Whereas existing detection methods mostly pay attention to local features, the multi-dimensional feature detection method extracts association features, cycle features and content features of each suspicious flow based on the HTTP request association graph, which broadens the feature dimension of malware HTTP traffic. Finally, it determines the maliciousness of the suspicious traffic with the LightGBM classification algorithm and thereby identifies malware in the monitored host network environment.

In the end, this thesis examines and evaluates the proposed method on malicious HTTP traffic datasets such as CTU-13 and compares it with an HTTP payload detection method. The experimental results show that the proposed method has a better detection effect: the prediction reaches 93.7% and the recall reaches 94.2%. Furthermore, a prototype malware detection system is designed and implemented according to the proposed method and tested under real network conditions, which verifies the practicability of the system.
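As an added illustration of the two-stage pipeline described above (this is not code from the thesis or its prototype system), the following Python sketch builds a request association graph from a constructed HTTP log by linking each request to the most recent earlier request whose URL matches its Referer (an assumed linking rule; the abstract only says that multiple HTTP fields are used), keeps the requests that no browsing chain explains as suspicious, and extracts simple association, cycle and content features per host. The LightGBM classification step that would consume these features is not shown.

```python
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample HTTP log of one monitored host: (time_s, url, referer).
# Rows 1-4 are a normal page load; rows 5-8 are a periodic beacon without a Referer.
REQUESTS = [
    (0.0,   "http://news.example/",            ""),
    (0.4,   "http://cdn.example/app.js",       "http://news.example/"),
    (0.6,   "http://img.example/logo.png",     "http://news.example/"),
    (1.2,   "http://news.example/story/1",     "http://news.example/"),
    (10.0,  "http://c2.invalid/gate.php?id=7", ""),
    (70.0,  "http://c2.invalid/gate.php?id=7", ""),
    (130.0, "http://c2.invalid/gate.php?id=7", ""),
    (190.0, "http://c2.invalid/gate.php?id=7", ""),
]

def build_association_graph(requests):
    """Parent index per request: the most recent earlier request whose URL equals
    this request's Referer (assumed linking rule), or None if nothing matches."""
    parent = []
    for i, (_, _, referer) in enumerate(requests):
        # Walk backwards so the most recent matching URL wins.
        match = next((j for j in range(i - 1, -1, -1)
                      if requests[j][1] == referer), None) if referer else None
        parent.append(match)
    return parent

def filter_suspicious(parent):
    """Indices of requests with no parent and no children: nothing in the user's
    browsing chains explains them, so they go on to feature extraction."""
    linked = {p for p in parent if p is not None}
    return [i for i, p in enumerate(parent) if p is None and i not in linked]

def extract_features(requests, indices):
    """Per-host features of suspicious requests: association (unlinked count),
    cycle (mean gap and gap coefficient of variation, ~0 for a fixed beacon
    interval) and content (longest query string)."""
    by_host = defaultdict(list)
    for i in indices:
        by_host[urlsplit(requests[i][1]).hostname].append(requests[i])
    feats = {}
    for host, rows in by_host.items():
        times = sorted(t for t, _, _ in rows)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = mean(gaps) if gaps else 0.0
        gap_cv = pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap else None
        feats[host] = {"count": len(rows), "mean_gap": mean_gap, "gap_cv": gap_cv,
                       "query_len": max(len(urlsplit(u).query) for _, u, _ in rows)}
    return feats
```

On the sample log the page-load requests are linked into one chain and dropped, while the four beacon requests remain and yield a gap coefficient of variation of 0, the kind of cycle feature a classifier can weigh.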
Keywords/Search Tags: Malware, Correlation, Traffic detection, Machine learning