Encrypted traffic analysis feature extraction method and system, storage medium and safety equipment

A feature extraction and traffic analysis technology, applied in the fields of transmission systems, instruments, and character and pattern recognition. It addresses problems such as the unrecorded extraction process, slow development and difficult traceability, with the effects of improved data richness, savings in time and cost, and a large selection of features.

Active Publication Date: 2020-06-12
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

[0005] To sum up, the problems in the existing technology are: in existing malicious encrypted traffic identification technology, the feature extraction process for the relevant traffic is not recorded, feature extraction is complicated, the number of selected features is small, data aggregation is difficult, and traceability analysis is difficult.
However, there are many problems in applying machine learning to encrypted traffic identification, and development has been very slow. The main reason is that the identification performance of machine learning depends strongly on the traffic features extracted during feature engineering.
For the identification of malicious encrypted traffic, using the general features of ordinary traffic increases the coupling between features, resulting in mediocre identification results; in addition, features are extracted directly from data streams and the extraction process is not recorded, which makes subsequent traceability difficult.


Embodiment Construction

[0053] In order to make the object, technical solution and advantages of the present invention more clear, the present invention will be further described in detail below in conjunction with the examples. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

[0054] Aiming at the problems existing in the prior art, the present invention provides an encrypted traffic analysis feature extraction method, system, storage medium, and security device. The present invention will be described in detail below in conjunction with the accompanying drawings.

[0055] As shown in Figure 1, the encrypted traffic analysis feature extraction method provided by the embodiment of the present invention includes the following steps:

[0056] S101: collecting raw traffic data;

[0057] S102: Preprocessing the collected original data packets to filter out traffic data of encrypted communicatio...

Abstract

The invention belongs to the technical field of network security and communication, and discloses an encrypted traffic analysis feature extraction method and system, a storage medium and security equipment. The method comprises the steps of: collecting original traffic data; preprocessing the collected original data packets and filtering out the traffic data of SSL/TLS encrypted communication; performing deep packet analysis on the streaming data to generate traffic analysis logs; aggregating the logs according to the connection quadruple information and the index information in each log to form a flow feature call chain, and performing feature extraction according to the call chain to obtain an initial data set; and determining the optimal supervised learning classification algorithm in the current environment, determining the optimal parameters by using a grid parameter optimization method, and evaluating the feature extraction accuracy by using a ten-fold cross validation method. According to the method, the classification effect is optimal when the random forest algorithm is adopted, and the obtained accuracy is as high as 99.96%. The result shows that the SSL/TLS encryption features used by all malicious families are different, and the classification effect is remarkable.
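The log aggregation step described above can be sketched as follows. This is an added example, not code from the patent: the three log types (`conn`, `ssl`, `x509`), their field names and the sample records are assumptions constructed for illustration. Each feature is stored together with the id of the log record it came from, so the extraction can be traced back.

```python
from collections import defaultdict

# Constructed sample logs; log types and field names are assumptions, not the patent's schema.
LOGS = [
    {"log": "conn", "id": "c1", "tuple": ("10.0.0.5", 49152, "203.0.113.7", 443),
     "duration": 2.5, "orig_bytes": 900, "resp_bytes": 4100},
    {"log": "ssl", "id": "s1", "tuple": ("10.0.0.5", 49152, "203.0.113.7", 443),
     "version": "TLSv12", "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "cert_ids": ["x1"]},
    {"log": "x509", "id": "x1", "self_signed": True, "validity_days": 3650},
    {"log": "conn", "id": "c2", "tuple": ("10.0.0.8", 50000, "198.51.100.2", 443),
     "duration": 0.4, "orig_bytes": 300, "resp_bytes": 1200},
    {"log": "ssl", "id": "s2", "tuple": ("10.0.0.8", 50000, "198.51.100.2", 443),
     "version": "TLSv13", "cipher": "TLS_AES_128_GCM_SHA256", "cert_ids": []},
]

def build_chains(logs):
    """Group conn/ssl records by 4-tuple, then follow cert_ids (the index) to x509 records."""
    certs = {r["id"]: r for r in logs if r["log"] == "x509"}
    chains = defaultdict(lambda: {"conn": None, "ssl": None, "x509": []})
    for r in logs:
        if r["log"] in ("conn", "ssl"):
            chains[r["tuple"]][r["log"]] = r
    for chain in chains.values():
        ssl = chain["ssl"]
        if ssl:
            chain["x509"] = [certs[c] for c in ssl["cert_ids"] if c in certs]
    return dict(chains)

def extract_features(chain):
    """Return (features, provenance); provenance maps feature name -> source log id."""
    feats, prov = {}, {}
    def put(name, value, rec):
        feats[name], prov[name] = value, rec["id"]
    conn, ssl = chain["conn"], chain["ssl"]
    if conn:
        put("duration", conn["duration"], conn)
        put("byte_ratio", conn["orig_bytes"] / max(conn["resp_bytes"], 1), conn)
    if ssl:
        put("tls_version", ssl["version"], ssl)
        put("cipher", ssl["cipher"], ssl)
        put("has_cert", bool(chain["x509"]), ssl)
    for cert in chain["x509"][:1]:  # first (leaf) certificate only
        put("self_signed", cert["self_signed"], cert)
        put("validity_days", cert["validity_days"], cert)
    return feats, prov

def dataset(logs):
    # One (features, provenance) row per connection 4-tuple.
    return {t: extract_features(c) for t, c in build_chains(logs).items()}
```

The second constructed flow has no certificate record, so its row carries `has_cert` as false and no certificate features, which keeps a missing log from being mistaken for a benign value.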

Description

Technical field

[0001] The invention belongs to the technical field of network security and communication, and in particular relates to an encrypted traffic analysis feature extraction method, system, storage medium and security equipment.

Background technique

[0002] At present, the closest existing technology: With the widespread use of encrypted traffic in the network and the frequent emergence of new malware, network attacks based on encryption technology are becoming more and more rampant, causing huge hidden dangers to cyberspace security. Currently, methods for identifying malicious encrypted traffic mainly include methods based on deep packet inspection, methods based on statistical characteristics of data packets, methods based on timing characteristics, methods based on machine learning, and methods based on multi-policy fusion. Among them, it is difficult to match the payload of encrypted traffic using keywords, and the timing characteristics of data collected fo...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06K9/62, G06N20/00
CPC: H04L63/1416, H04L63/1425, G06N20/00, H04L2463/146, G06F18/24323, G06F18/214
Inventor: 赵兴文, 丁潇, 李晖, 朱辉, 戴睿, 萧明炽
Owner: XIDIAN UNIV