Abstract
Command and Control (C&C) malware is particularly difficult to detect with traditional technologies because it relies on multi-stage attacks and encryption. Although Artificial Intelligence (AI) methods have shown great potential for detecting malicious attacks, it is difficult to collect C&C malware network traffic that covers the whole set of attack commands, so an AI model trained on partial attack traffic needs excellent generalizability to detect the uncovered traffic. This paper first analyzes the attack process of C&C malware and identifies a suitable way to learn the representation of C&C malicious traffic. We then propose a hybrid Deep Learning (DL) model named HALNet with better generalizability. HALNet adopts a multi-head attention mechanism and a skip-LSTM structure to learn a two-level representation consisting of byte features and multi-temporal features. Experiments show that HALNet achieves performance comparable to previous work on the public traffic dataset CICIDS2017. To better evaluate the generalizability of different models, we collected real traffic generated by C&C malware and constructed a new malicious traffic dataset named CCE2021. In further experiments on CCE2021, HALNet achieves the highest detection accuracy on CCE-II among all the models, \(97.95\%\). The overall results prove that, at comparable detection performance, HALNet has better generalizability than the other models.
R. Li and Z. Song contributed equally to this work. This work was supported by the National Key Research and Development Program of China (No. 2018YFB0805004).
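As an added illustration (not code from the paper or the HALNet project), the Python below sketches how a captured flow can be turned into the two representation levels the abstract names: a byte-level view of the payload and a multi-temporal view built from packet timing at several skip distances. It also shows a held-out-command split, one way to measure the generalizability to uncovered commands that the abstract emphasises. The feature definitions, the skip distances, the `Flow` and `Packet` types and the sample flows are all assumptions constructed for this example; the paper's own featurisation and model are not on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass
class Packet:
    ts: float       # capture timestamp in seconds
    payload: bytes  # transport payload; with TLS this is opaque record data


@dataclass
class Flow:
    command: str          # attack-command family the capture was labelled with (constructed label)
    packets: List[Packet]


def byte_features(flow: Flow, n_bytes: int = 32) -> List[float]:
    """Byte-level view: concatenate payloads in capture order, keep the first
    n_bytes, scale each byte to [0, 1] and zero-pad short flows.  Even when the
    payload is encrypted, record headers and lengths at the start of a flow
    keep enough structure for a byte-level model to learn from."""
    raw = b"".join(p.payload for p in flow.packets)[:n_bytes]
    feats = [b / 255.0 for b in raw]
    return feats + [0.0] * (n_bytes - len(feats))


def multi_temporal_features(flow: Flow, skips: Sequence[int] = (1, 2, 4),
                            n_steps: int = 8) -> Dict[int, List[float]]:
    """Multi-temporal view: for each skip distance k, the gap between packet i
    and packet i+k.  k=1 is the plain inter-arrival time; larger k expose
    slower rhythms, such as periodic beaconing, that a single time scale hides.
    The skip distances here are an assumption, not HALNet's configuration."""
    ts = [p.ts for p in flow.packets]
    out: Dict[int, List[float]] = {}
    for k in skips:
        gaps = [round(ts[i + k] - ts[i], 6) for i in range(max(0, len(ts) - k))]
        gaps = gaps[:n_steps]
        out[k] = gaps + [0.0] * (n_steps - len(gaps))
    return out


def featurize(flow: Flow) -> Tuple[List[float], Dict[int, List[float]]]:
    """Two-level representation: (byte features, multi-temporal features)."""
    return byte_features(flow), multi_temporal_features(flow)


def unseen_command_split(flows: Sequence[Flow],
                         held_out: Sequence[str]) -> Tuple[List[Flow], List[Flow]]:
    """Hold out whole command families so the test set contains commands the
    model never saw: this measures generalizability to uncovered traffic
    rather than memorisation of seen commands."""
    train = [f for f in flows if f.command not in held_out]
    test = [f for f in flows if f.command in held_out]
    return train, test


# Constructed sample flows (not real captures).  TLS application-data records
# start with 0x17 0x03 0x03 and a two-byte length, which is the only structure
# an encrypted payload still shows.
TLS_HDR = b"\x17\x03\x03"
BEACON = Flow("beacon", [Packet(5.0 * i, TLS_HDR + b"\x00\x20" + b"\xab" * 4) for i in range(6)])
EXFIL = Flow("exfil", [Packet(0.01 * i, TLS_HDR + b"\x40\x00" + b"\xcd" * 8) for i in range(3)])
DOWNLOAD = Flow("download", [Packet(0.0, TLS_HDR + b"\x00\x10"), Packet(0.2, TLS_HDR + b"\x3f\xff")])
SAMPLE_FLOWS = [BEACON, EXFIL, DOWNLOAD]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        b, t = featurize(flow)
        print(flow.command, [round(x, 3) for x in b[:6]], t[1][:4], t[4][:2])
    train, test = unseen_command_split(SAMPLE_FLOWS, ["exfil"])
    print("train:", [f.command for f in train], "test:", [f.command for f in test])
```

The point of the multi-scale timing view is visible on the constructed beacon flow: at skip 1 it is a flat 5-second rhythm, and at skip 4 the same rhythm appears as a 20-second period, so a model can pick up the periodicity at whichever scale its receptive field covers. The held-out split is what makes a generalizability number meaningful: if the "exfil" family never appears in training, accuracy on it reflects transfer to uncovered commands, which is the situation the abstract says C&C detection must cope with.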
© 2021 Springer Nature Switzerland AG
Cite this paper
Li, R., Song, Z., Xie, W., Zhang, C., Zhong, G., Pei, X. (2021). HALNet: A Hybrid Deep Learning Model for Encrypted C&C Malware Traffic Detection. In: Yang, M., Chen, C., Liu, Y. (eds) Network and System Security. NSS 2021. Lecture Notes in Computer Science(), vol 13041. Springer, Cham. https://doi.org/10.1007/978-3-030-92708-0_21
DOI: https://doi.org/10.1007/978-3-030-92708-0_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-92707-3
Online ISBN: 978-3-030-92708-0
eBook Packages: Computer Science (R0)