HTTP2vec: Embedding of HTTP Requests for Detection of Anomalous Traffic

TL;DR

This paper introduces HTTP2vec, an unsupervised embedding approach using RoBERTa to detect anomalous HTTP traffic, improving interpretability and performance over existing methods.

Contribution

The paper applies a novel NLP-based embedding technique with RoBERTa for HTTP anomaly detection, emphasizing interpretability and real-world applicability.

Findings

Comparable or better detection accuracy than existing methods

Effective clustering of HTTP requests in embedding space

Model trained solely on legitimate traffic for anomaly detection

Abstract

Hypertext transfer protocol (HTTP) is one of the most widely used protocols on the Internet. As a consequence, most attacks (i.e., SQL injection, XSS) use HTTP as the transport mechanism. Therefore, it is crucial to develop an intelligent solution that would allow to effectively detect and filter out anomalies in HTTP traffic. Currently, most of the anomaly detection systems are either rule-based or trained using manually selected features. We propose utilizing modern unsupervised language representation model for embedding HTTP requests and then using it to classify anomalies in the traffic. The solution is motivated by methods used in Natural Language Processing (NLP) such as Doc2Vec which could potentially capture the true understanding of HTTP messages, and therefore improve the efficiency of Intrusion Detection System. In our work, we not only aim at generating a suitable embedding space, but also at the interpretability of the proposed model. We decided to use the current state-of-the-art RoBERTa, which, as far as we know, has never been used in a similar problem. To verify how the solution would work in real word conditions, we train the model using only legitimate traffic. We also try to explain the results based on clusters that occur in the vectorized requests space and a simple logistic regression classifier. We compared our approach with the similar, previously proposed methods. We evaluate the feasibility of our method on three different datasets: CSIC2010, CSE-CIC-IDS2018 and one that we prepared ourselves. The results we show are comparable to others or better, and most importantly - interpretable.