
HTTP Tunnel Detection Based On Deep Learning

Posted on: 2022-08-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y D Wei
Full Text: PDF
GTID: 2518306605489284
Subject: Master of Engineering
Abstract/Summary:
An HTTP tunnel is a common type of covert tunnel. Because of the business needs of some organizations and enterprises, firewalls have limited ability to intercept communication data based on the HTTP protocol. By establishing an HTTP tunnel, an attacking host can therefore successfully send malicious information to the target host and eventually cause various kinds of harm to it. Traditional detection methods, however, have poor identification ability and place high requirements on the data, which makes them poorly suited to practical use. This paper therefore proposes a new method to detect and identify HTTP tunnel data in detail, divided into three main parts:

1. Find HTTP tunnel traffic by analyzing and identifying HTTP-layer data.
2. Further classify the HTTP tunnel traffic and identify common known attacks.
3. Identify and discover unknown attack traffic.

For discovering HTTP tunnels, this paper proposes building a recognition model from a convolutional neural network combined with HTTP-layer traffic data. This method makes full use of the convolutional neural network's ability to extract features from HTTP tunnel data, which gives the model strong classification ability. Experiments show that the convolutional neural network method has stronger classification ability than the existing recognition methods based on LSTM and C4.5.

To recognize specific attack types in HTTP tunnel data, a convolutional neural network multi-class model is first constructed, taking advantage of the network's feature extraction ability. Because attack traffic also has temporal characteristics, a convolutional neural network combined with a recurrent neural network is used for feature extraction and classification, which can identify the common attack traffic in HTTP tunnels. Compared with the existing work based on RF and LS-SVM, this method has higher recognition accuracy.

The detection and identification methods above target only common known attacks and cannot detect or discover unknown attacks. A classification algorithm based on combined SVM is therefore adopted. This method discovers unknown attack traffic in HTTP tunnels by combining multiple SVM binary classification models, and it can identify and discover both known and unknown attacks. However, the feature extraction method used by the SVM algorithm cannot effectively learn the characteristics of attack data in HTTP tunnels, which leads to poor ability to identify known and unknown attacks. A convolutional neural network combined with a recurrent neural network is therefore used to extract features from HTTP tunnel traffic data, fully learning its traffic features and time-series features, and the combined SVM algorithm is then used to identify and classify the extracted features, which achieves more efficient identification of unknown attacks. Experimental results show that this method has higher recognition accuracy and a lower error rate than the existing methods based on single classification and CNN softmax.

By combining machine learning with deep learning algorithms, we can effectively solve the problem of traditional detection methods performing poorly on HTTP tunnel attacks, and achieve efficient detection and identification of HTTP tunnel attack data.
Keywords/Search Tags: HTTP tunnel, convolutional neural network, recurrent neural network, unknown attack, feature extraction