
Detection Of Malicious HTTP Outbound Traffic Based On Random Forest

Posted on: 2021-06-12 | Degree: Master | Type: Thesis
Country: China | Candidate: C Chen | Full Text: PDF
GTID: 2518306107960759 | Subject: Network security
Abstract/Summary:
As the Internet has gradually penetrated people's lives, cybersecurity issues have come to affect all aspects of social life, and among them trojans and botnets cause the most damage. To evade detection at the network boundary, this kind of malware usually uses HTTP as its application-layer protocol in order to hide its own traffic in the large volume of HTTP background traffic. Traditional detection methods based on traffic pattern matching are often helpless against such disguised malicious traffic, so researchers have begun to apply machine learning to malicious traffic detection. However, these methods are usually applied to the classification of a single HTTP request stream, with poor recognition performance and high rates of false positives and misses. Through in-depth study of current malicious outbound traffic detection methods and analysis of the flow and payload characteristics of malicious HTTP outbound traffic, this paper proposes a client-oriented HTTP malicious traffic detection method and carries out its model implementation and experimental verification. First, following the principle of browser fingerprinting, the content of HTTP header fields is extracted from the flow to distinguish different clients on the same host, and each client is assigned a separate ID. Then, for each identified client, basic information is gathered from two aspects, the IP data flow and the HTTP payload, and client features are extracted from each aspect according to that information. Finally, the random forest algorithm is used to train and test on the extracted feature data. The client-oriented HTTP malicious traffic detection model has the advantages of not depending on the malware's organizational structure, requiring fewer features, and needing a shorter training time. In the experimental stage, cross-validation on known data gave the model an accuracy and recall rate of more than 99%. When tested on unknown botnet traffic, the model's detection capability was also high. The experimental results show that the client-oriented malicious HTTP outbound traffic detection method has a better detection effect than detection methods using traffic features or payload features alone.
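The client-identification and per-client feature-extraction steps described in the abstract, as an added illustration that is not the thesis's own code: the header fields chosen for the fingerprint, the specific flow and payload statistics, and the sample traffic are all assumptions, and the final random forest training step is left to a library such as scikit-learn.

```python
import hashlib
import statistics
from collections import defaultdict

# Header fields assumed to distinguish clients on one host (browser-fingerprint idea);
# the abstract does not list the fields, so this choice is an assumption.
FINGERPRINT_FIELDS = ("User-Agent", "Accept-Language", "Accept-Encoding")

def client_id(src_ip, headers):
    """Stable ID for one client on one host, hashed from its header fingerprint."""
    parts = [src_ip] + [headers.get(f, "") for f in FINGERPRINT_FIELDS]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]

def group_by_client(requests):
    """Split a host's HTTP requests into per-client groups keyed by client ID."""
    groups = defaultdict(list)
    for r in requests:
        groups[client_id(r["src_ip"], r["headers"])].append(r)
    return dict(groups)

def client_features(reqs):
    """Flow-side (timing, destinations) and payload-side (method, size, Referer) statistics."""
    reqs = sorted(reqs, key=lambda r: r["ts"])
    gaps = [b["ts"] - a["ts"] for a, b in zip(reqs, reqs[1:])]
    return {
        "n_requests": len(reqs),
        "n_dst_hosts": len({r["headers"].get("Host", "") for r in reqs}),
        "mean_gap": statistics.mean(gaps) if gaps else 0.0,
        "gap_stdev": statistics.pstdev(gaps) if gaps else 0.0,  # near 0: fixed-interval requests
        "post_ratio": sum(r["method"] == "POST" for r in reqs) / len(reqs),
        "mean_body_len": statistics.mean(r["body_len"] for r in reqs),
        "referer_ratio": sum("Referer" in r["headers"] for r in reqs) / len(reqs),
    }

def _req(ts, method, host, ua, body_len, extra=None):
    headers = {"Host": host, "User-Agent": ua, "Accept-Encoding": "gzip", **(extra or {})}
    return {"src_ip": "10.0.0.5", "ts": ts, "method": method, "body_len": body_len, "headers": headers}

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
ODD_UA = "Mozilla/4.0 (compatible; MSIE 6.0)"
SAMPLE_REQUESTS = [  # constructed: one host, a browser plus a second client posting every 60 s
    _req(0.0, "GET", "news.example", BROWSER_UA, 0, {"Accept-Language": "en-US"}),
    _req(2.5, "GET", "cdn.example", BROWSER_UA, 0, {"Accept-Language": "en-US", "Referer": "https://news.example/"}),
    _req(9.0, "GET", "news.example", BROWSER_UA, 0, {"Accept-Language": "en-US", "Referer": "https://news.example/"}),
    _req(10.0, "POST", "beacon.invalid", ODD_UA, 48),
    _req(70.0, "POST", "beacon.invalid", ODD_UA, 48),
    _req(130.0, "POST", "beacon.invalid", ODD_UA, 48),
]

def feature_table(requests=SAMPLE_REQUESTS):
    """One feature vector per client; these rows are what the random forest would be trained on."""
    return {cid: client_features(reqs) for cid, reqs in group_by_client(requests).items()}

if __name__ == "__main__":
    for cid, feats in feature_table().items():
        print(cid, feats)
```

Run on the constructed sample, the two clients sharing 10.0.0.5 separate cleanly: the browser row shows several destinations, irregular gaps and Referer headers, while the second row shows one destination, zero gap variance and only POSTs.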
Keywords/Search Tags: Botnet, Trojan, Malicious HTTP traffic, Client fingerprint, Random forest