Forecasting Anomalous Behavior from HTTP Logs by Deep Learning

• Main Authors: CHANG, HAO-WEI, 張皓惟
• Other Authors: LIN, PO-CHING
• Format: Others
• Language: en_US
• Published: 2018
• Online Access: http://ndltd.ncl.edu.tw/handle/49w5yw

碩士 === 國立中正大學 === 資訊工程研究所 === 106 === Given the increasing bandwidth and a large number of hosts in a practical network, deploying sufficient detection resources becomes increasingly costly. Thus, it is important to predict in advance where the attacks may happen, and prioritize the detection resources. In this work, we focus on predicting web attacks because they are quite common. We present a deep learning model, namely ParrotNET, to predict anomalous behavior from HTTP logs. Deep learning can automatically learn anomalous features from historical data instead of manually defining features. In this model, we use a long short-term memory (LSTM) layer to summarize context information and convolutional layer to identify complex patterns in URLs. Moreover, we apply natural language processing (NLP) techniques to summarize network behavior by LSTM because sequential network flows can characterize network behavior, where each network flow can be defined as a symbol, and the behavior can be defined as a phrase. In the evaluation from real network traffic in the cybersecurity competition, ParrotNET achieves high accuracy of 98.63% with a low miss rate of 0.99% for short-term prediction time, while still keeping high performance for long-term prediction time. Therefore, ParrotNET is effective to find out risky hosts in advance and helpful for administrators to determine the allocation of defensive resources.