Encrypted traffic identification method and device and equipment

A traffic and algorithm technology, applied in the field of malicious traffic analysis, can solve the problems of high false alarm rate, poor interpretability, complex traffic, etc., to achieve the effect of improving prediction accuracy, reducing computing pressure, and improving efficiency

Pending Publication Date: 2021-10-01
北京观成科技有限公司
View PDF0 Cites 6 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0003] On the one hand, there are also behavioral characteristics between malicious traffic and network flows. These characteristics have not been extracted due to the design structure of the detection device. Traditional rule-based detection methods cannot detect encrypted traffic. encrypted malicious traffic;
[0004] On the other hand, the traffic in the live network is very complex, and the detection by a single AI model has a high false alarm rate and poor explainability
[0005] Because AI can greatly improve the recognition accuracy and efficiency, the identification of malicious network traffic using AI methods has become a popular research topic in recent years. However, the traffic in the network is complex and diverse, and different data formats Network traffic often has different characteristics, and building an AI model requires a lot of training

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Encrypted traffic identification method and device and equipment
  • Encrypted traffic identification method and device and equipment
  • Encrypted traffic identification method and device and equipment

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0044] Please refer to the attached figure 1 , figure 1 A method for identifying encrypted traffic provided in an embodiment of the present application uses an AI model to identify encrypted traffic, and the training process of the AI ​​model includes the following steps:

[0045] S100. Establish a plurality of primary AI training models related to different characteristics of the data stream, and train the primary AI training models through the data stream;

[0046] S200. Fuse the primary AI training model by using an ensemble algorithm of multi-model fusion;

[0047] S300. Based on the fusion result of S200, use a supervised learning algorithm to perform secondary AI training, and obtain a secondary AI training model;

[0048] S400. When the output result after the target data flows through the secondary AI training model is outside the normal output result threshold range of the secondary AI training model, determine that the target data flow is malicious traffic.

[004...

Embodiment 2

[0068] Such as Figure 5 As shown, in this embodiment, the detection process for encrypted traffic is divided into four dimensions:

[0069] 1. One-dimensional detection: extract the destination IP and associated DNS from the traffic, and match with the IP blacklist, and / or DNS blacklist, and / or IP whitelist, and / or DNS whitelist respectively, and the IP or DNS hits black The traffic on the list is malicious encrypted traffic, and the traffic whose IP and DNS both hit the white list is normal encrypted traffic;

[0070] 2. Two-dimensional detection: The SSL / TLS protocol will generate a ClientHello message during the handshake negotiation process, which includes such as: the maximum supported TLS version, acceptable ciphers, extended list, elliptic curve cipher and elliptic curve cipher format Wait. Concatenate these values ​​together to get a specific value through the Hash function, which is the TLS fingerprint (note: different from JA3, the information granularity is finer...

Embodiment 3

[0080] This embodiment discloses an identification device for encrypted traffic such as Figure 7 As shown, the identification device of the encrypted traffic includes:

[0081] The primary AI training module 100: includes a plurality of primary AI training models related to different characteristics of the data stream, and trains the AI ​​training primary model through the data stream;

[0082] Fusion module 200: use an ensemble algorithm to fuse the AI ​​training primary model;

[0083] Secondary AI training module 300: based on the fusion result of the fusion module, use a supervised learning algorithm to perform secondary AI training, and obtain a secondary AI training model;

[0084] Judgment module 400: when the output result of the target data flowing through the secondary AI training model is outside the normal output result threshold range of the secondary AI training model, determine that the target data flow is malicious traffic.

[0085] The processes and methods...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention discloses an encrypted traffic identification method and device and equipment, an AI model is used to identify encrypted traffic, and the training process of the AI model comprises the following steps: S100, establishing a plurality of primary AI training models related to different features of a data stream, and training the primary AI training models through the data stream; S200, fusing the primary AI training models by using a multi-model fusion set algorithm; S300, performing secondary AI training by using a supervised learning algorithm based on a fusion result of S200, and obtaining a secondary AI training model; and S400, when an output result obtained after target data flow flows through the secondary AI training model is out of a threshold range of a normal output result of the secondary AI training model, determining that the target data flow is malicious flow. The encrypted traffic is detected by using a multi-dimensional and multi-model method, and the problems of high false alarm rate and poor interpretability caused by dependence on a single AI model are well solved.

Description

technical field [0001] The present application relates to the technical field of malicious traffic analysis, and more specifically, relates to a method, device and equipment for identifying encrypted traffic. Background technique [0002] With the rapid development of the Internet and the wide application of encryption technology, the proportion of encrypted traffic continues to increase. Relevant agencies predict that more than 80% of enterprise network traffic will be encrypted, but the vast majority of network devices are helpless against encrypted traffic such as network attacks and malware. When attackers use SSL encrypted channels to complete the delivery and distribution of malware payloads and exploits, as well as the communication between infected hosts and command and control (C&C) servers, existing detection methods cannot identify them. Detection technology is still scarce, mainly for the following reasons: [0003] On the one hand, there are also behavioral ch...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Applications(China)
IPC IPC(8): G06N20/00G06N20/10H04L29/06
CPCG06N20/00G06N20/10H04L63/1408
Inventor 于海东刘军
Owner 北京观成科技有限公司
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap