Research Article

BLATTA: Early Exploit Detection on Network Traffic with Recurrent Neural Networks

Figure 2

Architecture overview of the proposed method. Application layer messages are extracted from captured traffic using tcpflow [39]. n-grams are obtained from those messages. These are then used to build a dictionary of the most common n-grams and to train the RNN-based model (i.e., LSTM and GRU). The trained model outputs a prediction of whether the traffic is malicious or benign.
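
The preprocessing half of this pipeline (messages to n-grams to dictionary to integer sequence for the RNN) can be sketched as follows. This is an added example, not the paper's code. The n-gram length, stride, dictionary size, the id reserved for out-of-dictionary n-grams, the `max_len` truncation and the sample HTTP messages are all assumptions constructed for illustration.

```python
from collections import Counter

N = 3            # assumed n-gram length; the caption does not state n
DICT_SIZE = 32   # assumed dictionary size, kept small for the demo
UNK = 0          # assumed id for n-grams that are not in the dictionary

# Constructed stand-ins for application layer messages (e.g. tcpflow output).
TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: a.example\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: a.example\r\n\r\n",
    b"GET /img/logo.png HTTP/1.1\r\nHost: a.example\r\n\r\n",
]

def ngrams(msg: bytes, n: int = N) -> list:
    """Overlapping byte n-grams with stride 1; empty if msg is shorter than n."""
    return [msg[i:i + n] for i in range(len(msg) - n + 1)]

def build_dictionary(messages, n: int = N, size: int = DICT_SIZE) -> dict:
    """Map the `size` most common n-grams to ids 1..size (0 is kept for UNK)."""
    counts = Counter(g for m in messages for g in ngrams(m, n))
    # Sort by descending count, then by bytes, so ties break deterministically.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {gram: idx + 1 for idx, (gram, _) in enumerate(ranked[:size])}

def encode(msg: bytes, vocab: dict, n: int = N, max_len=None) -> list:
    """Turn a message into the integer sequence an LSTM/GRU would consume."""
    ids = [vocab.get(g, UNK) for g in ngrams(msg, n)]
    return ids[:max_len] if max_len else ids

if __name__ == "__main__":
    vocab = build_dictionary(TRAIN)
    benign = b"GET /index.html HTTP/1.1\r\nHost: a.example\r\n\r\n"
    odd = b"\x90\x90\x90\x90\x90\x90\x90\x90"   # constructed, unseen bytes
    print("benign prefix:", encode(benign, vocab, max_len=10))
    print("unseen bytes :", encode(odd, vocab, max_len=10))
```

Byte sequences never seen when the dictionary was built collapse to the unknown id, so the model sees them as a run of out-of-dictionary tokens rather than as raw bytes.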