
Research On HTTP Tunnel Detection Technology Based On Flow Characteristics

Posted on: 2021-12-03
Degree: Master
Type: Thesis
Country: China
Candidate: H L Zhang
GTID: 2518306107453304
Subject: Computer technology
Abstract/Summary:
The Internet has permeated all aspects of people's production and life, bringing great convenience, while cyberspace security also faces huge challenges. Among them, HTTP tunnel technology is simple and efficient, and it has become a powerful tool for traversing firewalls, greatly damaging national and personal interests. HTTP tunnels pose a great threat and are highly concealed, and existing detection technology has many problems. Research on HTTP tunnel detection technology is therefore urgent. To solve the problem of HTTP tunnel detection, this paper combines the Spark computing framework, feature engineering and machine learning algorithms to implement an HTTP hidden tunnel detection system based on flow characteristics. The HTTP tunnel detection system has two parts: an offline module and a real-time detection module. The offline module is mainly composed of five parts: data collection, data processing, feature engineering, machine learning, and result display. The data collection module mainly uses multiple tunneling tools to send packets and captures the HTTP tunnel data flow. The data processing module uses a pcap analysis tool to analyze and distribute the data packets. The feature engineering module constructs and calculates flow features based on expert feature engineering. The machine learning module uses four algorithms (decision tree, SVM, logistic regression, and GBDT) for data training and testing. The result display module writes the offline detection results to a CSV file in the format the user requires. The real-time module is based on the offline module: the optimal model is selected by evaluating the indicators of the offline module's four classification algorithms; network data flows captured in real time then pass through the data processing and feature engineering modules to generate feature vectors; Spark Streaming performs real-time stream processing and writes the results of calling the optimal classification model to the database. Web users can finally observe whether HTTP tunnel data is mixed into the network data stream by visiting the website. At present, the HTTP tunnel detection system has undergone functional and performance testing. The test results show that the detection model improves to a certain degree on previous HTTP tunnel detection models in accuracy, speed, and stability.
Keywords/Search Tags:HTTP tunnel, Machine learning, Spark, Flow features, Detection