
CN115314268B - Malicious encryption traffic detection method and system based on traffic fingerprint and behavior - Google Patents


Info

Publication number
CN115314268B
CN115314268B (application CN202210896050.7A)
Authority
CN
China
Prior art keywords
word
data stream
word component
recognition model
component matrix
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210896050.7A
Other languages
Chinese (zh)
Other versions
CN115314268A (en)
Inventor
李新
齐帅
翟宏伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Guorui Digital Safety System Co ltd
Original Assignee
Tianjin Guorui Digital Safety System Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin Guorui Digital Safety System Co ltd
Priority to CN202210896050.7A
Publication of CN115314268A
Application granted
Publication of CN115314268B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/279 Recognition of textual entities
    • G06F40/289 Phrasal analysis, e.g. finite state techniques or chunking
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/30 Semantic analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Artificial Intelligence (AREA)
  • Audiology, Speech & Language Pathology (AREA)
  • Computational Linguistics (AREA)
  • Computing Systems (AREA)
  • Bioethics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a malicious encrypted traffic detection method and system based on traffic fingerprints and behavior. The cipher suite and the digital certificate are extracted from the message payload to generate a traffic fingerprint vector, and the fingerprint vector is classified together with word components to judge whether the traffic is an attack, which improves the recognition success rate; the data stream is sampled with dimension reduction to obtain a discretized data stream, which reduces the subsequent computational load; a syntactic model and a semantic analysis model are called to perform sentence breaking and redundancy filtering on the data stream, which automates feature extraction; convolutional neural network and random forest classification further highlight the required feature vectors and integrate different classification capabilities, addressing the difficulty the prior art has in detecting attacks that change over time.

Description

Malicious encryption traffic detection method and system based on traffic fingerprint and behavior
Technical Field
The application relates to the technical field of network security, in particular to a malicious encryption traffic detection method and system based on traffic fingerprints and behaviors.
Background
Networks have developed rapidly and users attach great importance to their security. Although most traffic is encrypted nowadays, malicious code can be introduced during the encryption process and transmitted inside encrypted channels, so being able to identify malicious encrypted traffic is very important.
At the same time, latent malicious code can be hugely destructive, its means and attack forms change constantly, and it is difficult to detect. An improvement is needed to strengthen the detection capability of machine learning.
Therefore, a targeted malicious encrypted traffic detection method and system based on traffic fingerprint and behavior is urgently needed.
Disclosure of Invention
The application aims to provide a malicious encrypted traffic detection method and system based on traffic fingerprints and behavior, addressing the problems that the prior art cannot reliably identify malicious encrypted traffic and has difficulty detecting attacks whose means and form change constantly.
In a first aspect, the present application provides a malicious encrypted traffic detection method based on traffic fingerprint and behavior, the method comprising:
receiving a data stream sent by an acquisition terminal, extracting the contents of the message header fields from the data stream, identifying the different clients, and generating a unique identifier for each client;
extracting the cipher suite and the digital certificate from the message payload portion, and generating a traffic fingerprint vector from the identifier together with the cipher suite and the digital certificate;
decrypting the data stream according to the cipher suite, sampling the data stream according to its time-domain continuity, and obtaining a discrete, dimension-reduced data stream;
acquiring the discrete data stream, calling a syntactic model on the server, and performing sentence breaking to obtain first word components;
inputting the first word components one by one into a semantic analysis model on the server, and receiving the returned word meaning corresponding to each first word component;
filtering redundant information out of the word meanings according to a first rule to obtain the corresponding filtered second word components, and inputting the traffic fingerprint vector and the second word components together into a matrix template to obtain a first word component matrix;
inputting the first word component matrix into the input layer of a recognition model, and calculating the standard deviations of the different word classes, the standard deviations being used to determine the sliding-window width of the subsequent convolution layer; the recognition model is a model architecture based on a random forest and a convolutional neural network;
sending the output of the input layer to the convolution layer of the recognition model, selecting local word components in the text with sliding windows of different sizes, splicing the local word components to obtain a second word component matrix, and sending the second word component matrix to the pooling layer of the recognition model;
the pooling layer selecting, by means of a chosen pooling function, the feature values that carry effective word meaning and splicing them again to obtain a third word component matrix;
transmitting the processed third word component matrix to the random forest of the recognition model for classification, wherein the random forest performs n rounds of sampling on the third word component matrix to obtain n training sets, each of the n training sets is used to train a decision tree on a specified number of randomly column-sampled feature values so as to obtain n decision trees, and the n decision trees produce the classification result by voting;
judging, according to the classification result, whether the data stream sent by the acquisition terminal contains an attack vector; if so, blocking the data stream, otherwise allowing it.
In a second aspect, the present application provides a malicious encrypted traffic detection system based on traffic fingerprint and behavior, the system comprising:
the preprocessing module, configured to receive a data stream sent by the acquisition terminal, extract the contents of the message header fields from the data stream, identify the different clients and generate a unique identifier for each client; and to extract the cipher suite and the digital certificate from the message payload portion and generate a traffic fingerprint vector from the identifier together with the cipher suite and the digital certificate;
the decryption module, configured to decrypt the data stream according to the cipher suite, sample the data stream according to its time-domain continuity, and obtain a discrete, dimension-reduced data stream;
the AI module, configured to acquire the discrete data stream, call the syntactic model of the server, and perform sentence breaking to obtain first word components; to input the first word components one by one into the semantic analysis model of the server and receive the returned word meaning corresponding to each first word component; and to filter redundant information out of the word meanings according to a first rule to obtain the corresponding filtered second word components, and input the traffic fingerprint vector and the second word components together into a matrix template to obtain a first word component matrix;
the recognition module, comprising a recognition model that is a model architecture based on a random forest and a convolutional neural network and is configured to receive the first word component matrix output by the AI module, input it into the input layer of the recognition model, calculate the standard deviations of the different word classes, and determine the sliding-window width of the subsequent convolution layer from those standard deviations; the output of the input layer is sent to the convolution layer of the recognition model, local word components in the text are selected with sliding windows of different sizes and spliced to obtain a second word component matrix, and the second word component matrix is sent to the pooling layer of the recognition model; the pooling layer selects, by means of a chosen pooling function, the feature values that carry effective word meaning and splices them again to obtain a third word component matrix;
the processed third word component matrix is transmitted to the random forest of the recognition model for classification, wherein the random forest performs n rounds of sampling on the third word component matrix to obtain n training sets, each of the n training sets is used to train a decision tree on a specified number of randomly column-sampled feature values so as to obtain n decision trees, and the n decision trees produce the classification result by voting;
and the execution module, configured to judge, according to the classification result, whether the data stream sent by the acquisition terminal contains an attack vector, and if so to block the data stream, otherwise to allow it.
In a third aspect, the present application provides a malicious encrypted traffic detection system based on traffic fingerprint and behavior, the system comprising a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the method according to any one of the embodiments of the first aspect according to the instructions in the program code.
In a fourth aspect, the present application provides a computer-readable storage medium for storing program code for performing the method according to any one of the embodiments of the first aspect.
Advantageous effects
The application provides a malicious encrypted traffic detection method and system based on traffic fingerprints and behavior. The cipher suite and the digital certificate are extracted from the message payload to generate a traffic fingerprint vector, and the fingerprint vector is classified together with word components to judge whether the traffic is an attack, which improves the recognition success rate; the data stream is sampled with dimension reduction to obtain a discretized data stream, which reduces the subsequent computational load; by calling the syntactic model and the semantic analysis model, sentence breaking and redundancy filtering of the data stream are completed automatically, which automates feature extraction; convolutional neural network and random forest classification further highlight the required feature vectors and integrate different classification capabilities, addressing the difficulty the prior art has in detecting attacks that change over time.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a flow chart of a malicious encrypted traffic detection method based on traffic fingerprint and behavior according to the present application;
FIG. 2 is a block diagram of a malicious encrypted traffic detection system based on traffic fingerprinting and behavior in accordance with the present application.
Detailed Description
The preferred embodiments of the present application will be described in detail below with reference to the accompanying drawings so that the advantages and features of the present application can be more easily understood by those skilled in the art, thereby making clear and defining the scope of the present application.
Fig. 1 is a general flowchart of a malicious encrypted traffic detection method based on traffic fingerprint and behavior, where the method includes:
receiving a data stream sent by an acquisition terminal, extracting the contents of the message header fields from the data stream, identifying the different clients, and generating a unique identifier for each client;
extracting the cipher suite and the digital certificate from the message payload portion, and generating a traffic fingerprint vector from the identifier together with the cipher suite and the digital certificate;
decrypting the data stream according to the cipher suite, sampling the data stream according to its time-domain continuity, and obtaining a discrete, dimension-reduced data stream;
acquiring the discrete data stream, calling a syntactic model on the server, and performing sentence breaking to obtain first word components;
inputting the first word components one by one into a semantic analysis model on the server, and receiving the returned word meaning corresponding to each first word component;
filtering redundant information out of the word meanings according to a first rule to obtain the corresponding filtered second word components, and inputting the traffic fingerprint vector and the second word components together into a matrix template to obtain a first word component matrix;
inputting the first word component matrix into the input layer of a recognition model, and calculating the standard deviations of the different word classes, the standard deviations being used to determine the sliding-window width of the subsequent convolution layer; the recognition model is a model architecture based on a random forest and a convolutional neural network;
sending the output of the input layer to the convolution layer of the recognition model, selecting local word components in the text with sliding windows of different sizes, splicing the local word components to obtain a second word component matrix, and sending the second word component matrix to the pooling layer of the recognition model;
the pooling layer selecting, by means of a chosen pooling function, the feature values that carry effective word meaning and splicing them again to obtain a third word component matrix;
transmitting the processed third word component matrix to the random forest of the recognition model for classification, wherein the random forest performs n rounds of sampling on the third word component matrix to obtain n training sets, each of the n training sets is used to train a decision tree on a specified number of randomly column-sampled feature values so as to obtain n decision trees, and the n decision trees produce the classification result by voting;
judging, according to the classification result, whether the data stream sent by the acquisition terminal contains an attack vector; if so, blocking the data stream, otherwise allowing it.
In some preferred embodiments, during training the recognition model minimizes the cross-entropy loss function by back-propagation and avoids saturation; training is considered complete when the accuracy of the recognition model meets a threshold requirement, after which the model can be used for data verification.
In some preferred embodiments, each decision tree has a targeted classification capability: the specified number of feature values is chosen according to the different classifications, and the same feature vector matrix is classified from different angles by the different trees, which realizes the integration of different classification capabilities. The classification performance is higher than that of a single classifier.
The average generalization error of a decision tree in the random forest is related to the regression function.
In some preferred embodiments, the voting mode comprises weighted accumulation of the output results of each decision tree.
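The random-forest stage described above (n rounds of sampling to form n training sets, a fixed number of randomly column-sampled features per tree, and weighted voting) in pure Python, as an added example that is not the patent's implementation. Sampling is done with replacement, as in a standard random forest. The page only states that the votes are weighted, so the weight used here (each tree's out-of-bag accuracy) is an assumed choice; the four-column rows standing in for the third word component matrix are constructed for the example and not derived from real traffic. The decide function mirrors the execution module's block/allow step.

```python
"""Random forest with bootstrap rounds, column sampling and weighted voting (added example)."""
import random
from collections import Counter


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values()) if n else 0.0


def best_split(rows, labels, cols):
    """Exhaustive threshold search restricted to the sampled columns."""
    best = (None, None, float("inf"))
    for c in cols:
        for t in sorted({r[c] for r in rows}):
            left = [y for r, y in zip(rows, labels) if r[c] < t]
            right = [y for r, y in zip(rows, labels) if r[c] >= t]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if score < best[2]:
                best = (c, t, score)
    return best


def grow_tree(rows, labels, cols, depth=0, max_depth=3):
    majority = Counter(labels).most_common(1)[0][0]
    if depth >= max_depth or gini(labels) == 0.0:
        return ("leaf", majority)
    c, t, _ = best_split(rows, labels, cols)
    if c is None:
        return ("leaf", majority)
    lrows, llab = zip(*[(r, y) for r, y in zip(rows, labels) if r[c] < t])
    rrows, rlab = zip(*[(r, y) for r, y in zip(rows, labels) if r[c] >= t])
    return ("node", c, t,
            grow_tree(list(lrows), list(llab), cols, depth + 1, max_depth),
            grow_tree(list(rrows), list(rlab), cols, depth + 1, max_depth))


def predict_tree(tree, row):
    while tree[0] == "node":
        _, c, t, left, right = tree
        tree = left if row[c] < t else right
    return tree[1]


class RandomForest:
    def __init__(self, n_trees=15, n_features=2, max_depth=3, seed=7):
        self.n_trees, self.n_features, self.max_depth = n_trees, n_features, max_depth
        self.rng = random.Random(seed)
        self.trees = []  # list of (tree, vote weight)

    def fit(self, X, y):
        m = len(X)
        for _ in range(self.n_trees):
            idx = [self.rng.randrange(m) for _ in range(m)]          # one sampling round, with replacement
            oob = [i for i in range(m) if i not in set(idx)]         # rows not drawn in this round
            cols = self.rng.sample(range(len(X[0])), self.n_features)  # column sampling
            tree = grow_tree([X[i] for i in idx], [y[i] for i in idx], cols, 0, self.max_depth)
            # assumed weighting scheme: out-of-bag accuracy of the tree (page only says "weighted")
            acc = (sum(predict_tree(tree, X[i]) == y[i] for i in oob) / len(oob)) if oob else 0.5
            self.trees.append((tree, max(acc, 1e-3)))
        return self

    def predict(self, row):
        votes = Counter()
        for tree, weight in self.trees:
            votes[predict_tree(tree, row)] += weight                 # weighted accumulation of votes
        return votes.most_common(1)[0][0]


def make_dataset(n=40, seed=1):
    """Constructed rows: [handshake_rate, mean_payload, suspicious_token_ratio, cert_anomalies]."""
    rng = random.Random(seed)
    X, y = [], []
    for i in range(n):
        if i % 2:   # attack-like flow
            X.append([rng.uniform(5, 9), rng.uniform(5, 60), rng.uniform(0.6, 1.0), rng.randint(3, 8)])
            y.append(1)
        else:       # benign-like flow
            X.append([rng.uniform(0, 3), rng.uniform(100, 400), rng.uniform(0.0, 0.3), rng.randint(0, 2)])
            y.append(0)
    return X, y


def decide(forest, row):
    """Execution-module step: block when the weighted vote says attack, otherwise allow."""
    return "block" if forest.predict(row) == 1 else "allow"


if __name__ == "__main__":
    X, y = make_dataset()
    forest = RandomForest().fit(X, y)
    print(decide(forest, [7.5, 20.0, 0.9, 6]), decide(forest, [1.0, 420.0, 0.1, 0]))
```

Because each tree sees only two of the four columns, the trees split on different features and the forest classifies the same matrix from different angles, which is the integration of classification capabilities the description refers to; the out-of-bag rows give each tree a weight without holding out a separate validation set.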
Fig. 2 is a schematic diagram of a malicious encrypted traffic detection system based on traffic fingerprint and behavior according to the present application, where the system includes:
the preprocessing module, configured to receive a data stream sent by the acquisition terminal, extract the contents of the message header fields from the data stream, identify the different clients and generate a unique identifier for each client; and to extract the cipher suite and the digital certificate from the message payload portion and generate a traffic fingerprint vector from the identifier together with the cipher suite and the digital certificate;
the decryption module, configured to decrypt the data stream according to the cipher suite, sample the data stream according to its time-domain continuity, and obtain a discrete, dimension-reduced data stream;
the AI module, configured to acquire the discrete data stream, call the syntactic model of the server, and perform sentence breaking to obtain first word components; to input the first word components one by one into the semantic analysis model of the server and receive the returned word meaning corresponding to each first word component; and to filter redundant information out of the word meanings according to a first rule to obtain the corresponding filtered second word components, and input the traffic fingerprint vector and the second word components together into a matrix template to obtain a first word component matrix;
the recognition module, comprising a recognition model that is a model architecture based on a random forest and a convolutional neural network and is configured to receive the first word component matrix output by the AI module, input it into the input layer of the recognition model, calculate the standard deviations of the different word classes, and determine the sliding-window width of the subsequent convolution layer from those standard deviations; the output of the input layer is sent to the convolution layer of the recognition model, local word components in the text are selected with sliding windows of different sizes and spliced to obtain a second word component matrix, and the second word component matrix is sent to the pooling layer of the recognition model; the pooling layer selects, by means of a chosen pooling function, the feature values that carry effective word meaning and splices them again to obtain a third word component matrix;
the processed third word component matrix is transmitted to the random forest of the recognition model for classification, wherein the random forest performs n rounds of sampling on the third word component matrix to obtain n training sets, each of the n training sets is used to train a decision tree on a specified number of randomly column-sampled feature values so as to obtain n decision trees, and the n decision trees produce the classification result by voting;
and the execution module, configured to judge, according to the classification result, whether the data stream sent by the acquisition terminal contains an attack vector, and if so to block the data stream, otherwise to allow it.
The application provides a malicious encrypted traffic detection system based on traffic fingerprint and behavior, the system comprising a processor and a memory:
the memory is used for storing program codes and transmitting the program codes to the processor;
the processor is configured to perform the method according to any of the embodiments of the first aspect according to instructions in the program code.
The present application provides a computer readable storage medium for storing program code for performing the method of any one of the embodiments of the first aspect.
In a specific implementation, the present application also provides a computer storage medium, where the computer storage medium may store a program, where the program may include some or all of the steps in the various embodiments of the present application when executed. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a Random Access Memory (RAM).
It will be apparent to those skilled in the art that the techniques of the embodiments of the present application may be implemented in software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solutions of the embodiments, in essence or in the part contributing to the prior art, may be embodied in the form of a software product stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disk, including several instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the embodiments, or in some parts of the embodiments, of the present application.
The same or similar parts of the various embodiments of this description may be referred to each other. In particular, since the system embodiments are substantially similar to the method embodiments, they are described relatively briefly, and reference may be made to the description of the method embodiments for the relevant details.
The embodiments of the present application described above do not limit the scope of the present application.

Claims (7)

1. A malicious encrypted traffic detection method based on traffic fingerprint and behavior, the method comprising:
receiving a data stream sent by an acquisition terminal, extracting the contents of the message header fields from the data stream, identifying the different clients, and generating a unique identifier for each client;
extracting the cipher suite and the digital certificate from the message payload portion, and generating a traffic fingerprint vector from the identifier together with the cipher suite and the digital certificate;
decrypting the data stream according to the cipher suite, sampling the data stream according to its time-domain continuity, and obtaining a discrete, dimension-reduced data stream;
acquiring the discrete data stream, calling a syntactic model on the server, and performing sentence breaking to obtain first word components;
inputting the first word components one by one into a semantic analysis model on the server, and receiving the returned word meaning corresponding to each first word component;
filtering redundant information out of the word meanings according to a first rule to obtain the corresponding filtered second word components, and inputting the traffic fingerprint vector and the second word components together into a matrix template to obtain a first word component matrix;
inputting the first word component matrix into the input layer of a recognition model, and calculating the standard deviations of the different word classes, the standard deviations being used to determine the sliding-window width of the subsequent convolution layer; the recognition model is a model architecture based on a random forest and a convolutional neural network;
sending the output of the input layer to the convolution layer of the recognition model, selecting local word components in the text with sliding windows of different sizes, splicing the local word components to obtain a second word component matrix, and sending the second word component matrix to the pooling layer of the recognition model;
the pooling layer selecting, by means of a chosen pooling function, the feature values that carry effective word meaning and splicing them again to obtain a third word component matrix;
transmitting the processed third word component matrix to the random forest of the recognition model for classification, wherein the random forest performs n rounds of sampling on the third word component matrix to obtain n training sets, each of the n training sets is used to train a decision tree on a specified number of randomly column-sampled feature values so as to obtain n decision trees, and the n decision trees produce the classification result by voting;
judging, according to the classification result, whether the data stream sent by the acquisition terminal contains an attack vector; if so, blocking the data stream, otherwise allowing it.
2. The method according to claim 1, characterized in that: when the accuracy of the recognition model meets a threshold requirement, the recognition model is considered trained.
3. The method according to claim 1, characterized in that: each decision tree has a targeted classification capability, the specified number of feature values is obtained according to the different classifications, and the same feature vector matrix is classified from different angles by the decision trees, thereby realizing the integration of different classification capabilities.
4. The method according to claim 2 or 3, wherein: the voting mode comprises weighted accumulation of the output result of each decision tree.
5. A malicious encrypted traffic detection system based on traffic fingerprint and behavior, the system comprising:
a preprocessing module for receiving a data stream sent by the acquisition terminal, extracting the contents of message header fields from the data stream, identifying different clients and generating a single identifier for each client, extracting the cipher suite and digital certificate from the message payload, and generating a traffic fingerprint vector from the identifier together with the cipher suite and the digital certificate;
a decryption module for decrypting the data stream according to the cipher suite, sampling the data stream by its continuity in the time domain, and obtaining a dimension-reduced discrete data stream;
an AI module for receiving the discrete data stream, invoking a syntax model of the server to segment it into sentences and obtain first word components, inputting the first word components one by one into a semantic analysis model of the server and receiving the word meaning returned for each first word component, filtering redundant information from the word meanings according to a first rule to obtain the corresponding second word components, and inputting the traffic fingerprint vector together with the second word components into a matrix template to obtain a first word component matrix;
a recognition module comprising a recognition model, the recognition model being a model framework based on a random forest and a convolutional neural network, for receiving the first word component matrix output by the AI module, inputting it into an input layer of the recognition model, calculating the standard deviation of each word class, and using the standard deviations to determine the width of the sliding window of the subsequent convolutional layer; the output of the input layer is passed to a convolutional layer of the recognition model, which selects local word components from the text using sliding windows of different sizes and concatenates them to obtain a second word component matrix, and the second word component matrix is passed to a pooling layer of the recognition model; the pooling layer applies a selected pooling function to pick out and distinguish the feature values that carry effective word meaning, and concatenates them again to obtain a third word component matrix;
the processed third word component matrix is passed to a random forest of the recognition model for classification, wherein the random forest draws n rounds of samples from the third word component matrix to obtain n training sets, each of the n training sets is trained on a specified number of feature values selected at random by column sampling to obtain n decision trees, and the n decision trees produce a classification result by voting;
and an execution module for determining from the classification result whether the data stream sent by the acquisition terminal contains an attack vector, and if so, blocking the data stream, otherwise allowing the data stream.
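The fingerprint construction of the preprocessing module and the random-forest stage shared by claims 1 and 5, together with the weighted vote of claim 2's dependent claim 4 and the accuracy threshold of claim 2, as an added Python example that is not the patent's own code. The patent discloses no feature definitions, tree depth, weighting scheme or fingerprint layout, so everything below (the five flow features, depth-2 trees, out-of-bag accuracy as the vote weight, the 0.95 threshold, the SHA-256 fingerprint layout and the generated flow rows) is a constructed assumption. The convolutional and pooling layers are omitted, as is the decryption module: decrypting a TLS stream "according to the cipher suite" presupposes that the detector holds the session keys, for example as an in-path intercepting proxy or through key escrow, which the claims take as given. Standard library only.

```python
"""Flow fingerprint plus bagged decision trees (constructed example, std lib only)."""
import hashlib
import random
from collections import Counter

ACCURACY_THRESHOLD = 0.95  # claim 2: model counts as trained once met (assumed value)


def flow_fingerprint(client_id, cipher_suites, cert_der):
    """Combine the per-client identifier, the offered cipher suites (in offer order)
    and the SHA-256 of the server certificate into one fingerprint string.
    The field layout is an assumption; the claims only say the three are combined."""
    suites = ",".join(f"{s:04x}" for s in cipher_suites)
    cert_fp = hashlib.sha256(cert_der).hexdigest()
    return hashlib.sha256(f"{client_id}|{suites}|{cert_fp}".encode()).hexdigest()[:32]


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values()) if n else 0.0


def best_split(rows, labels, cols):
    """Greedy Gini split restricted to the sampled columns; returns (col, thr, gain)."""
    parent, best = gini(labels), (None, None, 0.0)
    for c in cols:
        vals = sorted({r[c] for r in rows})
        for lo, hi in zip(vals, vals[1:]):  # midpoints between neighbouring values
            thr = (lo + hi) / 2
            left = [l for r, l in zip(rows, labels) if r[c] <= thr]
            right = [l for r, l in zip(rows, labels) if r[c] > thr]
            w = len(left) / len(labels)
            gain = parent - (w * gini(left) + (1 - w) * gini(right))
            if gain > best[2]:
                best = (c, thr, gain)
    return best


def build_tree(rows, labels, cols, depth=2):
    """Small CART-style tree that may only split on the sampled columns."""
    majority = Counter(labels).most_common(1)[0][0]
    if depth == 0 or len(set(labels)) == 1:
        return ("leaf", majority)
    c, thr, _ = best_split(rows, labels, cols)
    if c is None:
        return ("leaf", majority)
    li = [i for i, r in enumerate(rows) if r[c] <= thr]
    ri = [i for i, r in enumerate(rows) if r[c] > thr]
    left = build_tree([rows[i] for i in li], [labels[i] for i in li], cols, depth - 1)
    right = build_tree([rows[i] for i in ri], [labels[i] for i in ri], cols, depth - 1)
    return ("node", c, thr, left, right)


def predict_tree(tree, x):
    while tree[0] == "node":
        _, c, thr, left, right = tree
        tree = left if x[c] <= thr else right
    return tree[1]


def train_forest(rows, labels, n_trees=15, n_cols=2, seed=1):
    """n bootstrap rounds (row sampling with replacement); each tree is trained on
    n_cols randomly chosen feature columns. Its vote weight is its accuracy on its
    own out-of-bag rows (assumed: claim 4 only says the votes are weighted)."""
    rng, forest, n = random.Random(seed), [], len(rows)
    for _ in range(n_trees):
        bag = [rng.randrange(n) for _ in range(n)]
        bagset = set(bag)
        oob = [i for i in range(n) if i not in bagset]
        cols = rng.sample(range(len(rows[0])), n_cols)
        tree = build_tree([rows[i] for i in bag], [labels[i] for i in bag], cols)
        hits = sum(predict_tree(tree, rows[i]) == labels[i] for i in oob)
        forest.append((tree, hits / len(oob) if oob else 0.5))
    return forest


def predict_forest(forest, x):
    """Weighted accumulation of the tree outputs (claim 4); 1 = attack vector present."""
    total = sum(w for _, w in forest)
    score = sum(w * predict_tree(t, x) for t, w in forest)
    return 1 if total and score / total > 0.5 else 0


def make_flows(count, seed):
    """Constructed flow feature rows, not real captures. Columns:
    [cert validity days, cert self-signed, bytes out/in ratio,
     inter-arrival jitter (s), cipher-suite index (deliberate noise column)]."""
    rng, rows, labels = random.Random(seed), [], []
    for i in range(count):
        malicious = i % 2
        if malicious:
            rows.append([rng.uniform(1, 90), 1, rng.uniform(2.0, 6.0),
                         rng.uniform(0.0, 1.0), rng.randrange(10)])
        else:
            rows.append([rng.uniform(200, 800), 0, rng.uniform(0.2, 1.0),
                         rng.uniform(5.0, 60.0), rng.randrange(10)])
        labels.append(malicious)
    return rows, labels


def accuracy(forest, rows, labels):
    return sum(predict_forest(forest, r) == l for r, l in zip(rows, labels)) / len(rows)


def demo():
    """Train, evaluate on held-out flows, and apply the claim 2 threshold."""
    forest = train_forest(*make_flows(120, seed=7))
    acc = accuracy(forest, *make_flows(40, seed=8))
    return forest, acc, acc >= ACCURACY_THRESHOLD


if __name__ == "__main__":
    forest, acc, trained = demo()
    print(f"held-out accuracy={acc:.2f} trained={trained}")
    print("block" if predict_forest(forest, [12.0, 1, 3.5, 0.3, 4]) else "allow")
```

The column sampling is done once per tree rather than at every split, which is the simpler of the two common random-forest variants; the noise column shows why the ensemble matters, since any single tree that happens to draw it alongside a weak feature would be unreliable while the weighted vote is not.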
6. A malicious encrypted traffic detection system based on traffic fingerprint and behavior, the system comprising a processor and a memory, wherein:
the memory is configured to store program code and to pass the program code to the processor;
the processor is configured to perform the method according to any one of claims 1-4 in accordance with instructions in the program code.
7. A computer-readable storage medium, characterized in that the computer-readable storage medium stores program code for performing the method according to any one of claims 1-4.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status | Granted Publication
CN202210896050.7A | 2022-07-27 | 2022-07-27 | Malicious encryption traffic detection method and system based on traffic fingerprint and behavior | Active | CN115314268B (en)

Publications (2)

Publication Number | Publication Date
CN115314268A (en) | 2022-11-08
CN115314268B (en) | 2023-12-12

Family ID: 83858890

Country Status (1)

Country | Link
CN (1) | CN115314268B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN115333802B (en) * | 2022-07-27 | 2024-08-13 | 北京国瑞数智技术有限公司 | Malicious program detection method and system based on neural network
CN115941361B (en) * | 2023-02-16 | 2023-05-09 | 科来网络技术股份有限公司 | Malicious traffic identification method, device and equipment

Citations (9)

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US7712134B1 (en) * | 2006-01-06 | 2010-05-04 | Narus, Inc. | Method and apparatus for worm detection and containment in the internet core
EP2343864A2 (en) * | 2010-01-08 | 2011-07-13 | Juniper Networks, Inc. | High availability for network security devices
CN107483488A (en) * | 2017-09-18 | 2017-12-15 | 济南互信软件有限公司 | A malicious HTTP detection method and system
CN110784429A (en) * | 2018-07-11 | 2020-02-11 | 北京京东尚科信息技术有限公司 | Malicious traffic detection method and device and computer readable storage medium
CN112738039A (en) * | 2020-12-18 | 2021-04-30 | 北京中科研究院 | Malicious encrypted flow detection method, system and equipment based on flow behavior
CN113949531A (en) * | 2021-09-14 | 2022-01-18 | 北京邮电大学 | Malicious encrypted flow detection method and device
CN114172748A (en) * | 2022-02-10 | 2022-03-11 | 中国矿业大学(北京) | Encrypted malicious traffic detection method
CN115086060A (en) * | 2022-06-30 | 2022-09-20 | 深信服科技股份有限公司 | Flow detection method, device and equipment and readable storage medium
CN115238799A (en) * | 2022-07-27 | 2022-10-25 | 天津市国瑞数码安全系统股份有限公司 | AI-based random forest malicious traffic detection method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on detection methods for malicious web page traffic on cloud platforms; 沈昊 (Shen Hao); China Master's Theses Full-text Database, Information Science and Technology series, Issue 9; full text *

Also Published As

Publication number | Publication date
CN115314268A (en) | 2022-11-08

Similar Documents

Publication | Title
CN112003870B (en) | Network encryption traffic identification method and device based on deep learning
US11483340B2 (en) | System for malicious HTTP traffic detection with multi-field relation
CN111614599B (en) | Webshell detection method and device based on artificial intelligence
CN115314268B (en) | Malicious encryption traffic detection method and system based on traffic fingerprint and behavior
CN113032001B (en) | Intelligent contract classification method and device
CN115238799A (en) | AI-based random forest malicious traffic detection method and system
CN116346397A (en) | Network request abnormality detection method and device, equipment, medium and product thereof
CN115314291A (en) | Model training method and assembly, safety detection method and assembly
CN113067792A (en) | XSS attack identification method, device, equipment and medium
CN111414621B (en) | Malicious webpage file identification method and device
CN116055067B (en) | Weak password detection method, device, electronic equipment and medium
CN115051874B (en) | Multi-feature CS malicious encrypted traffic detection method and system
CN115333802B (en) | Malicious program detection method and system based on neural network
US11907658B2 (en) | User-agent anomaly detection using sentence embedding
CN115169293A (en) | Text steganalysis method, system, device and storage medium
CN115392238A (en) | Equipment identification method, device, equipment and readable storage medium
CN115563296A (en) | Fusion detection method and system based on content semantics
CN116414976A (en) | Document detection method and device and electronic equipment
CN112597498A (en) | Webshell detection method, system and device and readable storage medium
CN114528908A (en) | Network request data classification model training method, classification method and storage medium
CN113645222A (en) | Message flow detection method, system, device and computer readable storage medium
CN111861379A (en) | Chat data detection method and device
Zhao et al. | Malware algorithm classification method based on big data analysis
Patil et al. | Impact of PCA Feature Extraction Method used in Malware Detection for Security Enhancement
CN113065348B (en) | Internet negative information monitoring method based on Bert model

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant