With the vigorous development of mobile Internet, cloud computing, and other network communication technologies, many kinds of network communication services bring us convenience but have also become a breeding ground for malicious network behavior. As an important entry point for users to access the network, web services have been the main carriers of various types of malicious network behavior. The use of malicious web pages for web Trojan planting ("horse hanging"), the spread of false information, and the dissemination of pornographic and violent content poses a great threat to the security and order of our country's cyberspace. It is therefore urgent to identify malicious web traffic at multi-level network gateways from the massive flow passing through them, so that blocking strategies can be applied in a timely manner.

For malicious web traffic detection, existing works have proposed various detection methods using host information, protocol fingerprinting, length and time statistical features, and so on, and these have achieved a certain level of detection performance. Nevertheless, in recent years, with the improvement in the service capability of cloud platforms and the decrease in tariffs, malicious web pages have shown a trend of large-scale migration to cloud platforms. Malicious pages deployed on cloud platforms are characterized by dynamic domain names, shared resources, standardized encryption, and multiple services carried by the same IP, which significantly weakens the characterization ability of existing typical traffic features. Thus, there is an urgent need for an efficient detection method for malicious page traffic on cloud platforms.

In this dissertation, we focus on feature mining, feature utilization, and feature detection. The detection of malicious web traffic on cloud platforms is studied from three aspects: feature mining, feature utilization, and correlation analysis. The main work can be summarized as follows:

(1) The multi-type and multi-scale spatio-temporal characteristics of malicious web traffic on the cloud platform are analyzed. The differences in the characteristics of web traffic under the two deployment approaches, cloud platform deployment and standalone server deployment, are analyzed by comparing the client side, the server side, and the transmission process. The temporal characteristics of malicious web traffic on the cloud platform are explored by analyzing arrival interval and duration characteristics, and the spatial characteristics are explored by analyzing the length sequence distribution of the load and the statistics of resource transmission. Analyzing and summarizing the effectiveness of these spatio-temporal features lays the foundation for feature extraction and characterization and for the design of the detection models.

(2) A malicious web traffic detection method based on split self-attentive transformation learning of spatio-temporal features is proposed. Based on the selected multidimensional spatio-temporal features, a unified representation of web traffic on the cloud platform is designed with a split temporal window structure. A self-attentive transformation learning model incorporating Time2Vec and short-term attention mechanisms is designed for this representation; it has a strong learning capability for the temporal information and the correlation between adjacent data inherent in the input traffic representation. The proposed detection method is tested on actually collected malicious and normal web traffic from the cloud platform, and the experimental results show that its accuracy in detecting malicious web traffic on the cloud platform can reach 95.12%.

(3) A method for detecting related pages on cloud platforms that incorporates jumping knowledge is proposed. By mining the usual transition relationships among malicious web pages on the cloud platform, the multi-level page transition features of malicious web traffic are summarized. By modeling and analyzing the page transition behavior of visits to malicious web pages, the feasibility of introducing multi-level page transition features to improve detection performance is theoretically verified. On this basis, we design a malicious web traffic detection method based on the Hidden Markov Model (HMM), which incorporates the multi-level page transition features into the detection. The experimental results show that the proposed method can effectively improve the detection accuracy for malicious web traffic.

(4) A malicious web traffic detection system for cloud platforms is designed. Based on the independent malicious web traffic detection method and the fusion detection method for related malicious web traffic proposed in this dissertation, the system is designed with four functional modules: traffic collection, traffic management, feature extraction, and traffic detection. The design process of the detection system is described in terms of functional requirements, overall framework, module design, and operation mode. The effectiveness of the system is verified in a small-scale real network traffic environment. This design can provide a prototype reference for the design of malicious web traffic detection systems in large-scale network environments.

Finally, a summary of the work done in the dissertation is presented, and an outlook on future issues worthy of further research is given.