OMRDetector: A Method for Detecting Obfuscated Malicious Requests Based on Deep Learning

Web malicious request detection aims to identify attacks in the network quickly and accurately. At present, malicious Web requests are complex, heterogeneous, and obfuscated. Conventional detection methods suffer from multiple weaknesses, e.g., depending on experience and rules, easy to be bypassed, high false-positive rates, fail to capture the semantic characteristics of malicious requests. Therefore, they cannot detect unknown network attacks in the first place and deal with obfuscated malicious requests. To this end, this paper designs and applies the three-layer CNN-BiLSTM fusion attention mechanism model to the field of obfuscated malicious request detection for the first time. Also, given the characteristics of obfuscated malicious requests, we optimize and propose an anti-obfuscation malicious request detection model named OMRDetector based on deep learning. This model adopts an anti-obfuscation preprocessing method for the characteristics of malicious requests. It uses a three-layer Convolutional Neural Network(CNN) to obtain the local characteristics of network requests. Then, a Bidirectional Long and Short-Term Memory(BiLSTM) network is designed to capture the long-distance dependence and contextual semantic features of the obfuscated malicious requests. Further, the attention mechanism extracts the key features. Finally, the softmax classifier calculates the detection results of malicious requests to combat obfuscation and detect unknown malicious request attacks. Experimental results show that our model can effectively detect highly stealthy and obfuscated malicious network requests. Compared with the conventional methods, the Precision, Recall, F1-score, and Accuracy are improved, and the corresponding values are 97.734%, 97.737%, 97.735%, and 97.754%. In addition, the OMRDetector model has the lowest number of false negatives(1226) and false positives(1244). The performance is better than conventional machine learning models(including logistic regression, decision tree, naive Bayes, support vector machine, random forest, and AdaBoost) and existing deep learning models(including CNN, TextCNN, LSTM, BiLSTM, and BiLSTM+Attention) in recognition of obfuscated malicious requests. Moreover, this paper combines the characteristics of obfuscated malicious requests and summarizes twelve significant obfuscation types commonly used in malicious request attacks. Such types include case obfuscation, keyword copy obfuscation, comment bypass obfuscation, unique character truncation obfuscation, path bypass obfuscation, URL encoding, particular key word obfuscation, combination rules to bypass logic obfuscation, equivalent function substitution obfuscation, Base64 encoding, DES encryption, and traffic magic change obfuscation. Also, the last two obfuscation types will be used to evaluate the OMRDetector model's ability to detect and confront malicious Web requests of unknown types(no training and learning process). Meanwhile, this paper conducts comparative experiments to verify that the proposed OMRDetector model can detect obfuscated malicious requests better. Finally, the experimental results show that OMRDetector can effectively handle various obfuscation of malicious requests and better perceive unknown network attacks. Therefore, it has promising academic value and applications. © 2022, Science Press. All right reserved.