Abstract
This paper introduces AutoHTTP, a novel end-to-end trainable framework for detecting malicious HTTP traffic. It automatically analyzes plain-text network traffic data without any manual labor and presents an interpretable detection report for better human understanding. The framework detects malicious HTTP traffic by mining implicit semantic characteristics of, and correlations among, multiple fields. To address the problems encountered in practice, we first divide the multi-field plain text (e.g., user-agent, URL, method) into two types: R-field and S-field. Then, an elementary feature extraction module is proposed to turn these fields into a compact field representation. Finally, the field interactions and the significant parts of different fields are extracted simultaneously by feeding the compact feature vector into a newly proposed attention and cross network, which couples two important components: the attention part and the cross part. We show that the network offers strong interpretability and reliable results for further analysis. Extensive experiments on the CTU-13, CICAndMal, and ISCX-URL datasets demonstrate that our approach outperforms existing methods based on manually designed features and other automatically designed features.