Encrypted malicious traffic detection method, detection system and computer equipment

A malicious traffic detection method and technology, applied to transmission systems, neural learning methods, biological neural network models, etc. It addresses problems such as detection models that do not recognize the difference between upstream and downstream traffic, the difficulty of manual feature design, and poor traffic monitoring effect, and achieves good generalization performance and good classification performance.

Active Publication Date: 2021-10-01
HUAZHONG UNIV OF SCI & TECH

AI Technical Summary

Problems solved by technology

[0005] ① Training a deep learning model requires a large amount of effective data; too little data leads to overfitting. ② The generalization ability of deep learning models is poor: the deployment environment must match the data distribution of the training environment.
[0010] (1) As the proportion of encrypted traffic grows, manual feature extraction in traditional detection methods faces great challenges. At the same time, with the emergence of multi-stage attack methods, most traditional detection methods can only match data within a single packet; their inability to capture the continuously changing characteristics across a packet sequence is exposed and amplified, and their effectiveness gradually declines.
[0011] (2) High false-positive and high false-negative rates are obstacles that traditional detection methods cannot overcome, and manual feature design based on expert knowledge also makes traditional methods lag behind in defending against new attack software.
[0012] (3) Training existing deep learning models requires a large amount of effective data; too little data leads to overfitting. At the same time, the generalization ability of deep learning models is poor, and the deployment environment must match the data distribution of the training environment.
[0013] (4) For traffic detection, an attack tool has a limited set of attack instructions, so the amount of effective data is small. Because traffic data is hard to interpret, there is also a lack of reasonable and effective data augmentation methods. The lack of model generalization ability further reduces detection of new attack commands: the model detects the attack commands contained in the training set but fails on unfamiliar ones, yet in practice it is difficult to obtain traffic for every attack command of a given attack tool.
[0014] (5) Existing models do not analyze the characteristics of the traffic itself and treat traffic detection only as a generic classification problem. Existing deep learning methods do not recognize the difference between upstream and downstream traffic, which makes them less effective at monitoring multi-stage attack traffic.
[0016] (1) Traditional detection methods are based on expert knowledge, so their pace of development is limited by the progress of researchers; for some malware, an effective detection method cannot be obtained within a given period, and it is extremely difficult for traditional detection methods to keep pace with the rate at which new malware appears.
[0017] (2) Deep learning methods often rely on fitting the feature distribution of a large amount of data, and their adaptability to open data outside the training set deteriorates sharply. In this setting the effective diversity of traffic data is insufficient and obtaining data covering all types is very difficult, so a model that is trained on a small amount of data covering only some types yet still detects all types of traffic well requires extremely high generalization and classification capability and is extremely difficult to design.
[0018] (3) Traffic itself is extremely hard to interpret. At present, most deep learning research does not attend to the characteristics of the traffic itself but treats it as a generic classification problem; how to analyze the traffic and process it in a targeted way according to the analysis results is a difficult problem.
[0023] (4) For traffic collection and labelling, a model with good generalization ability also greatly reduces the intensity and difficulty of the work.

Examples

Embodiment 2

[0152] 1. Public dataset CICIDS2017

[0153] The CICIDS2017 dataset captures five days of traffic in a real environment, including benign traffic and common attack traffic. It provides raw traffic data (pcap files) and CICFlowMeter flow analysis results (csv files) containing timestamp, source and destination IP, source and destination port, protocol, attack type, etc. The present invention first uses the SplitCap traffic splitting tool to split the whole pcap by five-tuple, then traverses the split files using the timestamps in the CICFlowMeter results to further segment them at session granularity. Attack subcategories are merged into their parent categories. For data balance, only the fifth day's data is selected as normal-traffic samples (see Table 1).

[0154] Table 1

[0157] For data processing, it is stratified into training set and test set according...

Abstract

The invention belongs to the technical field of malicious traffic detection and discloses an encrypted malicious traffic detection method, detection system and computer equipment. The method comprises: monitoring network card traffic and capturing traffic data packets; performing data preprocessing; extracting byte-dimension features; extracting packet-dimension features; constructing a classification network; and generating and transmitting an alarm log. The invention provides a C&C encrypted malicious traffic detection method, and in particular a deep learning detection model for C&C encrypted malicious traffic, where C&C traffic is traffic that uses both encryption and a multi-stage attack pattern. The model has good generalization performance: attack instructions outside the training set can be detected. The model has good classification performance: malicious traffic types with high similarity can be distinguished.
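A worked illustration of the preprocessing and feature stages named in the abstract, combined with the segmentation procedure of Embodiment 2 (split the capture by five-tuple, then cut each flow into sessions by timestamp, then derive byte-dimension and packet-dimension features that keep the upstream/downstream distinction the patent says existing models ignore). This is an added example written for this page, not the patent's or the inventors' code. The packet records and TLS-like payloads are constructed inline so it runs without a pcap, the 60-second idle gap used as the session boundary stands in for the CICFlowMeter timestamps (an assumption), and the 64-byte and 8-packet feature lengths are arbitrary choices. The classification network is not shown because the page does not specify its architecture.

```python
"""Session segmentation and two-level feature extraction for encrypted traffic.

Added example, not the patent's code. Packets are constructed records rather
than parsed pcap so the script runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "TCP" or "UDP"
    payload: bytes   # transport payload only


def flow_key(p):
    """Bidirectional five-tuple key: both directions map to the same flow."""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto, lo, hi)


def split_flows(packets):
    """Group packets by five-tuple (the SplitCap step), preserving time order."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(p)].append(p)
    return dict(flows)


def split_sessions(flow, gap=60.0):
    """Cut one flow into sessions wherever the idle time exceeds `gap` seconds.

    Assumption: an idle gap replaces the CICFlowMeter timestamp boundaries the
    patent uses, since those are not reproduced on the page.
    """
    sessions, cur = [], []
    for p in flow:
        if cur and p.ts - cur[-1].ts > gap:
            sessions.append(cur)
            cur = []
        cur.append(p)
    if cur:
        sessions.append(cur)
    return sessions


def byte_features(session, n_bytes=64):
    """Byte-dimension features: the first n_bytes of concatenated payload,
    zero-padded or truncated, scaled to [0, 1]. Works on ciphertext because it
    never interprets the bytes; TLS record headers remain visible."""
    data = b"".join(p.payload for p in session)[:n_bytes]
    data = data + b"\x00" * (n_bytes - len(data))
    return [b / 255.0 for b in data]


def packet_features(session, n_pkts=8):
    """Packet-dimension features: signed payload length per packet.

    Positive = same direction as the session's first packet (upstream),
    negative = the reverse direction (downstream). The sign is what lets a
    model tell a beacon from its reply in a multi-stage C&C exchange.
    """
    first = session[0]
    seq = []
    for p in session[:n_pkts]:
        sign = 1 if (p.src, p.sport) == (first.src, first.sport) else -1
        seq.append(sign * len(p.payload))
    return seq + [0] * (n_pkts - len(seq))


def build_samples(packets, gap=60.0):
    """Full preprocessing pipeline: packets -> flows -> sessions -> features."""
    samples = []
    for key, flow in split_flows(packets).items():
        for sess in split_sessions(flow, gap):
            samples.append({"key": key,
                            "bytes": byte_features(sess),
                            "pkts": packet_features(sess)})
    return samples


# Constructed sample capture: one TLS-like exchange that beacons again after a
# long idle period, plus an unrelated second connection. Not real traffic.
SAMPLE = [
    Packet(0.0, "10.0.0.5", 51000, "203.0.113.7", 443, "TCP", b"\x16\x03\x01\x00\xc8\x01"),
    Packet(0.1, "203.0.113.7", 443, "10.0.0.5", 51000, "TCP", b"\x16\x03\x03\x00\x5a\x02"),
    Packet(0.2, "10.0.0.5", 51000, "203.0.113.7", 443, "TCP", b"\x17\x03\x03\x00\x20" + b"\xaa" * 32),
    Packet(120.0, "10.0.0.5", 51000, "203.0.113.7", 443, "TCP", b"\x17\x03\x03\x00\x10" + b"\xbb" * 16),
    Packet(0.3, "10.0.0.5", 51001, "198.51.100.9", 443, "TCP", b"\x16\x03\x01\x00\x10"),
]

if __name__ == "__main__":
    for s in build_samples(SAMPLE):
        print(s["key"], s["pkts"])
```

With the constructed capture, the first five-tuple yields two sessions (the idle 120-second beacon starts a new one) and the second yields one; the signed length sequence of the first session is `[6, -6, 37, 0, 0, 0, 0, 0]`, where the negative entry marks the server's reply. Feeding these two vectors to a classifier is the "classification network" stage the abstract names.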

Description

Technical field [0001] The invention belongs to the technical field of malicious traffic detection, and in particular relates to an encrypted malicious traffic detection method, detection system and computer equipment. Background [0002] At present, malicious traffic detection methods can be divided into two categories according to the technology used: traditional detection methods based on expert knowledge, and detection methods based on artificial intelligence algorithms. [0003] Traditional detection methods made great contributions to network security in the early days of the Internet, and current intrusion detection systems still include modules based on traditional detection methods. However, the increasing proportion of encrypted traffic has brought great challenges to the manual feature extraction of traditional detection methods; at the same time, with the emergence of multi-stage attack methods, most of the traditional d...

Application Information

IPC(8): H04L29/06, G06N3/04, G06N3/08
CPC: H04L63/1408, H04L63/1416, H04L63/1425, G06N3/08, G06N3/045
Inventors: 张成伟, 李瑞源, 宋泽慧, 卢玮, 严宇, 钟国辉, 高雅玙
Owner HUAZHONG UNIV OF SCI & TECH