Chi-Kuan Chiu, Te-En Wei, Hsiao-Hsien Chang, Ching-Hao Mao
2019 21st International Conference on Advanced Communication Technology (ICACT), published 2019-02-01. DOI: https://doi.org/10.23919/ICACT.2019.8701951
Counterfeit Fingerprint Detection of Outbound HTTP Traffic with Recurrent Neural Network
Most malware hides its malicious activity inside the HTTP protocol, for example when communicating with a C&C server or accessing malicious webpages. Previous detection systems are mainly based on blacklists. As technology has advanced, many readily available techniques can evade such detection systems, e.g., spoofing the HTTP headers. However, even the stealthiest malware still needs to communicate with its destination. This paper aims to provide a detection system for these stealthy malicious activities. Considering that machine-learning classifiers with manually crafted features have been widely used in malicious URL detection, we propose an end-to-end deep learning framework that learns a URL embedding for an application classifier from the URL string. We apply a Recurrent Neural Network (RNN) to effectively preserve the semantic meaning and sequential patterns in URL strings. The proposed approach is evaluated with real-world data from a technology enterprise's network, and its performance is compared with the state-of-the-art approach. The results show that our approach achieves an accuracy rate of 99%, and its detection of counterfeit fingerprints reaches up to 100%, while the comparison approach failed in the same scenario.