Online encrypted traffic classification method based on CNN and LSTM

Abstract

The invention discloses an online encrypted traffic classification method based on CNN and LSTM, and the method comprises the steps: segmenting an original encrypted data stream through a dynamic window, and obtaining n sub-streams with a time sequence relation; respectively extracting statistical characteristics of the n sub-streams, converting the n sub-streams, and extracting corresponding payload characteristics by using a CNN; fusing the load feature and the statistical feature of each substream, performing related processing on the fused comprehensive features from the perspective of time by adopting LSTM, and obtaining an identification result through a classifier. According to the method, online identification to a certain extent can be realized, and a more accurate encrypted traffic identification effect can be obtained.

Description

technical field [0001] The invention relates to the technical field of computer networks, in particular to an online encrypted traffic classification method based on CNN and LSTM. Background technique [0002] With the rapid development of Internet technology, the Internet has increasingly penetrated into public life. With the emergence of various new network applications, application traffic continues to grow, and due to people's increasing emphasis on network information security and the continuous development of encryption technology, network encrypted traffic is also on the rise. In order to better improve network traffic management level and improve network service quality, it is particularly important to correctly identify the application type of network encrypted traffic. [0003] Traditional network traffic classification methods can be divided into the following four categories: [0004] Port number-based method: This method is based on the port number in the head...

AI Technical Summary

Problems solved by technology

However, with the development of network technology, this method faces many problems: some application ports may not be registered; some application software uses dynamic ports, which may change during data transmission; In order to evade the system to restrict the use of ports of other commonly used protocols for data transmission, so as to achieve port concealment

However, this method faces many problems as follows: With the emergence of new network traffic, the content in the expression library needs to be continuously expanded, which consumes a lot of storage space, and the complexity of feature matching will also increase; it is very difficult for encrypted traffic If it is difficult to obtain the expression of its payload, then it cannot be parsed and matched; this method will parse the payload of the data packet, so it may violate the privacy of the user

Although these classic algorithms can be used to identify traffic to a certain extent, using this method requires a large number of labeled data sets, and with the increasing number of application protocols, it is difficult to obtain ideal data sets; this method also needs to consider data when training. imbalance problem

[0008] Therefore, although the above methods can classify and identify traffic to a certain extent, due to the dynamics and concealment of ports, the difficulty of extracting payload expressions of traffic, the high matching complexity, and the analysis of behavioral characteristics, it takes a lot of time and space resources and acquisition The emergence of problems such as the difficulty of a large number of labeled data sets makes the traffic identification method need to be further improved, and these solutions are also difficult to achieve online identification.

Images