
HNOP: Attack Traffic Detection Based on Hierarchical Node Hopping Features of Packets

  • Conference paper
Computational Science – ICCS 2022 (ICCS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13350)


Abstract

Single packet attacks, which are launched by embedding attack content in individual traffic packets, pose a serious threat to cybersecurity. Existing detection methods for single packet attacks learn features directly from the single packet and ignore the hierarchical relationship between the packet's resources, which tends to produce a high false positive rate and poor generalization. In this paper, we conduct an extensive measurement study of realistic traffic and find that the hierarchical relationship between resources is well suited to identifying single packet attacks. We therefore propose HNOP, a deep neural network model equipped with this hierarchical relationship, to detect single packet attacks from raw HTTP packets. First, we construct a resource node hopping structure from the “Referer” field and the “URL” field of HTTP packets. Second, hopping features are extracted from the hopping structure of the resource nodes by G_BERT; these are combined with lexical features extracted by a convolution operation from each node of the structure to form feature vectors. Finally, the extracted features are fed to a classifier, a fully connected network that maps them into the classification space, to detect attack traffic. Experiments on the publicly available dataset CICIDS-2017 demonstrate the effectiveness of HNOP, with an accuracy of 99.92% and a false positive rate of 0.12%. Furthermore, we perform extensive experiments on the dataset IIE_HTTP, collected from important service targets at different times. These experiments verify that HNOP shows the least performance degradation and better generalization than the other models.
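The Referer-to-URL hopping structure described above, as an added example that is not the paper's code: raw HTTP requests are parsed into resource nodes, each node is linked to the node it was reached from, and simple per-request hopping features (hop depth, whether a parent exists, whether that parent was itself observed) are derived. The sample requests and the feature definitions are this example's own constructions, not HNOP's G_BERT features.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of raw HTTP requests (not captured traffic).
RAW_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "GET /catalog HTTP/1.1\r\nHost: shop.example\r\nReferer: http://shop.example/\r\n\r\n",
    "GET /item?id=7 HTTP/1.1\r\nHost: shop.example\r\nReferer: http://shop.example/catalog\r\n\r\n",
    "GET /item?id=8 HTTP/1.1\r\nHost: shop.example\r\nReferer: http://other.example/search\r\n\r\n",
    "GET /admin/config HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]

def to_node(netloc, parts):
    """Resource node identifier: host + path (+ query), scheme dropped."""
    node = netloc + (parts.path or "/")
    return node + "?" + parts.query if parts.query else node

def parse_request(raw):
    """Return (requested node, referer node or None) from one raw HTTP request."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    node = to_node(headers.get("host", ""), urlsplit(target))
    ref = headers.get("referer")
    ref_node = to_node(urlsplit(ref).netloc, urlsplit(ref)) if ref else None
    return node, ref_node

def build_hops(raw_requests):
    """Map each requested node to the node it hopped from (None = entry point)."""
    return dict(parse_request(raw) for raw in raw_requests)

def hop_chain(hops, node):
    """Follow Referer links back to an entry point; stop at unknown or cyclic nodes."""
    chain, seen = [node], {node}
    while hops.get(chain[-1]) is not None and hops[chain[-1]] not in seen:
        chain.append(hops[chain[-1]])
        seen.add(chain[-1])
    return chain

def hop_features(hops, node):
    """Hopping features plus lexical tokens for every node on the chain."""
    chain = hop_chain(hops, node)
    parent = hops.get(node)
    return {
        "depth": len(chain) - 1,                     # hops back to the entry point
        "has_parent": parent is not None,            # a Referer was present
        "parent_observed": parent is not None and parent in hops,  # parent was itself requested
        "tokens": [re.findall(r"[A-Za-z0-9]+", n) for n in chain],
    }
```

A request to a deep path with no parent, or with a parent that was never requested, has a degenerate hopping structure; that is the signal the abstract's hopping features are built to capture.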



Acknowledgement

This work is supported by the National Key Research and Development Program of China (Grant No. 2018YFB0804704) and the National Natural Science Foundation of China (Grant No. U1736218).

Corresponding author

Correspondence to Zhenyu Cheng.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Geng, J., Cheng, Z., Liu, Z., Li, S., Qin, R. (2022). HNOP: Attack Traffic Detection Based on Hierarchical Node Hopping Features of Packets. In: Groen, D., de Mulatier, C., Paszynski, M., Krzhizhanovskaya, V.V., Dongarra, J.J., Sloot, P.M.A. (eds) Computational Science – ICCS 2022. ICCS 2022. Lecture Notes in Computer Science, vol 13350. Springer, Cham. https://doi.org/10.1007/978-3-031-08751-6_31


  • DOI: https://doi.org/10.1007/978-3-031-08751-6_31


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-08750-9

  • Online ISBN: 978-3-031-08751-6

  • eBook Packages: Computer Science (R0)
