Concepedia

Publication | Closed Access

Efficient Malware Originated Traffic Classification by Using Generative Adversarial Networks

Citations: 17

References: 14

Year: 2020

Abstract

With the booming of malware-based cyber-security incidents and the sophistication of attacks, previous detections based on malware sample analysis appear powerless due to the time-consuming and labor-intensive analysis process. The existing detection methods based on traffic analysis rely heavily on the available traffic patterns, which hinders the detection of zero-day attacks caused by malware variants. In this paper, we propose an approach based on deep learning, referred to as TrafficGAN, which analyzes (HTTP) traffic sessions to distinguish between malware-related and normal traffic. We first try to explore traffic patterns of malware variants by adding noise and a category condition to the Generative Adversarial Networks (GAN), thus generating various similar but slightly different traffic. Then, we use a discriminative model to seek the deviation between abnormal traffic and normal traffic by extracting the essential difference. Notably, we increase the diversity of data by generating samples adversarially, which enhances the robustness of the system to detect zero-day attacks and highlights the lack of sensitive data in the security community. We conduct extensive experiments on the public dataset and our data collected for specific targets. The results demonstrate that our method achieves superior performance to other methods and protects specific targets from the susceptibility of malware.
