Sec2vec: HTTP流量和恶意url的异常检测

IF 0.4 Q4 COMPUTER SCIENCE, INFORMATION SYSTEMS
Mateusz Gniewkowski, H. Maciejewski, T. Surmacz, Wiktor Walentynowicz
{"title":"Sec2vec: HTTP流量和恶意url的异常检测","authors":"Mateusz Gniewkowski, H. Maciejewski, T. Surmacz, Wiktor Walentynowicz","doi":"10.1145/3555776.3577663","DOIUrl":null,"url":null,"abstract":"In this paper, we show how methods known from Natural Language Processing (NLP) can be used to detect anomalies in HTTP requests and malicious URLs. Most of the current solutions focusing on a similar problem are either rule-based or trained using manually selected features. Modern NLP methods, however, have great potential in capturing a deep understanding of samples and therefore improving the classification results. Other methods, which rely on a similar idea, often ignore the interpretability of the results, which is so important in machine learning. We are trying to fill this gap. In addition, we show to what extent the proposed solutions are resistant to concept drift. In our work, we compare three different vectorization methods: simple BoW, fastText, and the current state-of-the-art language model RoBERTa. The obtained vectors are later used in the classification task. In order to explain our results, we utilize the SHAP method. We evaluate the feasibility of our methods on four different datasets: CSIC2010, UNSW-NB15, MALICIOUSURL, and ISCX-URL2016. The first two are related to HTTP traffic, the other two contain malicious URLs. The results we show are comparable to others or better, and most importantly - interpretable.","PeriodicalId":42971,"journal":{"name":"Applied Computing Review","volume":null,"pages":null},"PeriodicalIF":0.4000,"publicationDate":"2023-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Sec2vec: Anomaly Detection in HTTP Traffic and Malicious URLs\",\"authors\":\"Mateusz Gniewkowski, H. Maciejewski, T. Surmacz, Wiktor Walentynowicz\",\"doi\":\"10.1145/3555776.3577663\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In this paper, we show how methods known from Natural Language Processing (NLP) can be used to detect anomalies in HTTP requests and malicious URLs. Most of the current solutions focusing on a similar problem are either rule-based or trained using manually selected features. Modern NLP methods, however, have great potential in capturing a deep understanding of samples and therefore improving the classification results. Other methods, which rely on a similar idea, often ignore the interpretability of the results, which is so important in machine learning. We are trying to fill this gap. In addition, we show to what extent the proposed solutions are resistant to concept drift. In our work, we compare three different vectorization methods: simple BoW, fastText, and the current state-of-the-art language model RoBERTa. The obtained vectors are later used in the classification task. In order to explain our results, we utilize the SHAP method. We evaluate the feasibility of our methods on four different datasets: CSIC2010, UNSW-NB15, MALICIOUSURL, and ISCX-URL2016. The first two are related to HTTP traffic, the other two contain malicious URLs. The results we show are comparable to others or better, and most importantly - interpretable.\",\"PeriodicalId\":42971,\"journal\":{\"name\":\"Applied Computing Review\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.4000,\"publicationDate\":\"2023-03-27\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Applied Computing Review\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3555776.3577663\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q4\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Applied Computing Review","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3555776.3577663","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 1

摘要

在本文中,我们展示了如何使用自然语言处理(NLP)中已知的方法来检测HTTP请求和恶意url中的异常情况。目前针对类似问题的大多数解决方案要么是基于规则的,要么是使用手动选择的特征进行训练的。然而,现代NLP方法在获取对样本的深入理解从而改进分类结果方面具有很大的潜力。其他依赖于类似想法的方法往往忽略了结果的可解释性,而这在机器学习中非常重要。我们正在努力填补这一空白。此外,我们还展示了所提出的解决方案在多大程度上能够抵抗概念漂移。在我们的工作中,我们比较了三种不同的矢量化方法:简单的BoW、fastText和当前最先进的语言模型RoBERTa。得到的向量稍后用于分类任务。为了解释我们的结果,我们使用了SHAP方法。我们评估了我们的方法在四个不同数据集上的可行性:CSIC2010、UNSW-NB15、MALICIOUSURL和ISCX-URL2016。前两个与HTTP流量有关,另外两个包含恶意url。我们展示的结果与他人相当或更好,最重要的是-可解释。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Sec2vec: Anomaly Detection in HTTP Traffic and Malicious URLs
In this paper, we show how methods known from Natural Language Processing (NLP) can be used to detect anomalies in HTTP requests and malicious URLs. Most of the current solutions focusing on a similar problem are either rule-based or trained using manually selected features. Modern NLP methods, however, have great potential in capturing a deep understanding of samples and therefore improving the classification results. Other methods, which rely on a similar idea, often ignore the interpretability of the results, which is so important in machine learning. We are trying to fill this gap. In addition, we show to what extent the proposed solutions are resistant to concept drift. In our work, we compare three different vectorization methods: simple BoW, fastText, and the current state-of-the-art language model RoBERTa. The obtained vectors are later used in the classification task. In order to explain our results, we utilize the SHAP method. We evaluate the feasibility of our methods on four different datasets: CSIC2010, UNSW-NB15, MALICIOUSURL, and ISCX-URL2016. The first two are related to HTTP traffic, the other two contain malicious URLs. The results we show are comparable to others or better, and most importantly - interpretable.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Applied Computing Review
Applied Computing Review COMPUTER SCIENCE, INFORMATION SYSTEMS-
自引率
40.00%
发文量
8
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信