Vulnerability exploitation is the key to obtaining the control authority of the system, posing a significant threat to network security. Therefore, it is necessary to discover exploitation from traffic. The current methods usually only target a single stage with an incomplete causal relationship and depend on the payload content, causing attacker easily avoids detection by encrypting traffic and other means. We propose a traffic traceback method of vulnerability exploitation to solve the above problems based on session relation. First, we construct the session relationship model using the session correlation of different stages during the exploit. Second, we build a session diagram based on historical traffic. Finally, we traverse the session diagram to find the traffic conforming to the session relationship model. Compared with Blatta, a method detecting early exploit traffic with RNN, the detection rate of our method is increased by 50%, independent of traffic encryption methods.
Exploit, Malicious Traffic Detection, Session Relationship, Traffic Analysis.