Encrypted malicious traffic detection method, detection system and computer equipment

Abstract

The invention belongs to the technical field of malicious traffic detection, and discloses an encrypted malicious traffic detection method, a detection system and computer equipment, wherein the method comprises the steps of: supervising and controlling network card traffic and capturing traffic data packets; performing data preprocessing; carrying out byte dimension feature extraction; carrying out data packet dimension feature extraction; constructing a classification network; and generating and transmitting an alarm log. The invention provides a C&C encrypted malicious traffic detection method, and particularly relates to a deep learning detection model for C&C encrypted malicious traffic. The C&C traffic is traffic which utilizes an encryption technology and a multi-stage attack mode at the same time. The model has good generalization performance, and attack instructions outside a training set can be detected. The model has good classification performance, and malicious traffic types with high similarity can be distinguished.

Description

technical field [0001] The invention belongs to the technical field of malicious flow detection, and in particular relates to an encrypted malicious flow detection method, detection system and computer equipment. Background technique [0002] At present, the methods of malicious traffic detection can be divided into two categories according to the different technologies used, one is the traditional detection method based on expert knowledge, and the other is the detection method based on artificial intelligence algorithm. [0003] Traditional detection methods have made great contributions to network security in the early days of Internet development. The current intrusion detection system still includes the modules of traditional detection methods, but due to the increasing proportion of encrypted traffic, artificial feature extraction of traditional detection methods has brought At the same time, due to the emergence of multi-stage attack methods, most of the traditional d...

AI Technical Summary

Problems solved by technology

[0005] ①The training of the deep learning model requires a large amount of effective data for learning, and the amount of data is too small will lead to overfitting; ②The generalization ability of the deep learning model is poor, and the applicable environment must be consistent with the data distribution of the training environment

[0010] (1) Due to the increasing proportion of encrypted traffic, the artificial feature extraction of traditional detection methods has brought great challenges. At the same time, due to the emergence of multi-stage attack methods, most traditional detection methods can only match the data in a single data packet. The limitations of the continuous change characteristics between the data packet sequences are exposed and enlarged, and the effect of traditional detection methods gradually declines.

[0011] (2) High false detection rate and high missed detection rate are obstacles that traditional detection methods cannot overcome, and manual feature design based on expert knowledge also makes traditional detection methods lag behind in defense against new attack software

[0012] (3) The training of the existing deep learning model requires a large amount of effective data for learning, and the amount of data is too small will lead to overfitting; at the same time, the generalization ability of the deep learning model is poor, and the applicable environment must be consistent with the data distribution of the training environment

[0013] (4) For traffic detection, an attack tool has limited attack instructions, that is, the amount of effective data is small; at the same time, due to the low intelligibility of traffic data, there is a lack of reasonable and effective data enhancement methods; at the same time, the lack of model generalization ability leads to The detection effect of the model on new attack commands decreases, that is, it can detect the attack commands included in the training set but has no effect on unfamiliar attack commands. However, it is difficult to obtain all the attack command traffic of an attack software in reality.

[0014] (5) The existing model does not analyze the characteristics of the traffic itself, and only considers traffic detection as a general classification problem. The existing deep learning methods do not realize the differences between upstream and downstream traffic, which leads to deep learning. The method is less effective for multi-stage attack traffic monitoring

[0016] (1) Traditional detection methods are based on expert knowledge, and their development speed is limited by the research progress of researchers, and the analysis of some malicious software cannot obtain effective detection methods within a certain period of time, so the traditional detection methods The speed up is extremely difficult to match with the speed of malware spawning

[0017] (2) The method based on deep learning often relies on fitting the feature distribution of a large amount of data, and its adaptability to open data other than training data will deteriorate sharply. In this case, the effective data diversity of traffic itself is insufficient. , and it is very difficult to obtain complete types of data, so a model that uses a small amount of data including some types of data for training but has a good detection effect on complete types of traffic data requires extremely high generalization and classification capabilities. Extremely difficult to design

[0018] (3) The intelligibility of the traffic itself is extremely poor. At present, most researches based on deep learning methods do not pay attention to the characteristics of the traffic itself, but only deal with it as a general classification problem. How to analyze the traffic, and according to the analysis Targeted processing of the results is a difficult problem

[0023] (4) For the collection and marking of traffic, a model with good generalization ability also greatly reduces the intensity and difficulty of the work

Images