Encrypted malicious traffic detection method

A detection method for malicious traffic, applied in digital transmission systems, electrical components, transmission systems, etc. It addresses the problems that a single machine learning model is not suited to processing multiple heterogeneous features and that TLS encrypted malicious traffic detection has a high false positive rate and a low recall rate, achieving a low false alarm rate, reduced overall complexity, and prevention of training overfitting.

Active Publication Date: 2022-03-11
CHINA UNIV OF MINING & TECH (BEIJING)

AI Technical Summary

Problems solved by technology

Nowadays, malicious traffic detection based on machine learning has become the mainstream research approach. However, TLS encrypted traffic detection has the following problems: (1) TLS encrypted traffic features are diverse, and a single machine learning model is not suited to handling multiple heterogeneous features; (2) TLS encrypted malicious traffic detection has a low recall rate and a high false positive rate.




Embodiment Construction

[0039] The technical solutions in the embodiments of the present invention will be described more fully and completely below in conjunction with the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention. The explanations are provided to enable those skilled in the art to understand the present invention clearly and thoroughly, and are not intended to limit the present invention.

[0040] As shown in Figures 1-4, the design process of the encrypted malicious traffic detection method provided by the embodiment of the present invention is as follows: divide the original traffic packets into benign traffic packets and malicious traffic packets, then perform feature extraction, feature subset construction, feature encoding, and dimensionality reduction. Create a classifier model for each feature subset after...


Abstract

The invention discloses an encrypted malicious traffic detection method. According to the method, the Wireshark tool is used to process traffic packets; packets with invalid IP checksums are filtered out, the sample set is preprocessed and labelled malicious / benign; preliminary feature extraction is performed on the preprocessed traffic packets; three feature subsets are constructed from the preliminarily extracted features, and the three feature subsets are standardized and encoded; feature dimensionality reduction is carried out on each type of feature subset using a machine learning or principal component analysis method; a random forest, an XGBoost classifier model and a Gaussian naive Bayes classifier model are established for the three feature subsets respectively; the three classifier models are combined according to a Stacking strategy to form a DMMFC detection model; stream fingerprint fusion is performed on the three feature subsets to form a sample set, which is divided into a training set and a test set to train the model; the model is tested, and the test effect of the DMMFC model is evaluated using the accuracy rate, the F1 score and the false alarm rate as evaluation indexes. Encrypted malicious traffic detection is performed by combining multi-feature fusion with a Stacking strategy, and the method has relatively high detection capability.
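The following is an added, dependency-free sketch of the two-layer pipeline the abstract describes (three feature subsets, one base model per subset, a Stacking meta-model over their outputs, and evaluation by accuracy, F1 and false alarm rate). It is not the patent's own code: the flow records are constructed, the field and subset names are assumptions, Gaussian naive Bayes stands in for all three base models (the patent also uses random forest and XGBoost), dimensionality reduction is omitted, and the meta-model is fitted on out-of-fold base predictions to avoid the leakage that would otherwise inflate training accuracy.

```python
import math
from typing import Dict, List, Tuple

# Constructed TLS flow records (1 = malicious, 0 = benign); not real captures.
FLOWS = [
    ({"dur": 0.8, "pkts": 12, "bytes": 3400, "cipher": "TLS_AES_128_GCM_SHA256", "sni": 1, "cert_days": 365, "self_signed": 0}, 0),
    ({"dur": 1.2, "pkts": 20, "bytes": 9100, "cipher": "TLS_AES_256_GCM_SHA384", "sni": 1, "cert_days": 398, "self_signed": 0}, 0),
    ({"dur": 0.5, "pkts": 9, "bytes": 2100, "cipher": "TLS_AES_128_GCM_SHA256", "sni": 1, "cert_days": 90, "self_signed": 0}, 0),
    ({"dur": 2.0, "pkts": 30, "bytes": 15000, "cipher": "TLS_AES_256_GCM_SHA384", "sni": 1, "cert_days": 365, "self_signed": 0}, 0),
    ({"dur": 40.0, "pkts": 6, "bytes": 900, "cipher": "TLS_RSA_WITH_RC4_128_SHA", "sni": 0, "cert_days": 3650, "self_signed": 1}, 1),
    ({"dur": 60.0, "pkts": 4, "bytes": 700, "cipher": "TLS_RSA_WITH_RC4_128_SHA", "sni": 0, "cert_days": 7300, "self_signed": 1}, 1),
    ({"dur": 35.0, "pkts": 8, "bytes": 1200, "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA", "sni": 0, "cert_days": 3650, "self_signed": 1}, 1),
    ({"dur": 55.0, "pkts": 5, "bytes": 800, "cipher": "TLS_RSA_WITH_RC4_128_SHA", "sni": 1, "cert_days": 7300, "self_signed": 1}, 1),
]
# Three heterogeneous feature subsets, each handled by its own base model (names assumed).
SUBSETS = {"flow_stats": ["dur", "pkts", "bytes"], "handshake": ["cipher", "sni"],
           "certificate": ["cert_days", "self_signed"]}

def fit_encoder(train: List[Dict], cols: List[str]) -> Dict:
    """Standardise numeric columns (z-score) and learn a one-hot vocabulary for string columns."""
    enc = {}
    for c in cols:
        vals = [f[c] for f in train]
        if isinstance(vals[0], str):
            enc[c] = ("onehot", sorted(set(vals)))
        else:
            mean = sum(vals) / len(vals)
            std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals)) or 1.0
            enc[c] = ("zscore", (mean, std))
    return enc

def encode(flow: Dict, enc: Dict) -> List[float]:
    out: List[float] = []
    for c, (kind, param) in enc.items():
        if kind == "onehot":  # a category unseen in training encodes as all zeros
            out.extend(1.0 if flow[c] == cat else 0.0 for cat in param)
        else:
            out.append((flow[c] - param[0]) / param[1])
    return out

class GaussianNB:
    """Minimal Gaussian naive Bayes (the page's third base model), scored in log space."""
    def fit(self, X: List[List[float]], y: List[int]) -> "GaussianNB":
        self.stats = {}
        for c in (0, 1):
            rows = [x for x, t in zip(X, y) if t == c]
            mu = [sum(col) / len(rows) for col in zip(*rows)]
            var = [sum((v - m) ** 2 for v in col) / len(rows) + 1e-6 for col, m in zip(zip(*rows), mu)]
            self.stats[c] = (len(rows) / len(X), mu, var)
        return self

    def predict_proba(self, x: List[float]) -> float:
        """Return P(malicious | x)."""
        logp = {}
        for c, (prior, mu, var) in self.stats.items():
            logp[c] = math.log(prior) + sum(-0.5 * math.log(2 * math.pi * s2) - (v - m) ** 2 / (2 * s2)
                                            for v, m, s2 in zip(x, mu, var))
        mx = max(logp.values())
        return math.exp(logp[1] - mx) / sum(math.exp(v - mx) for v in logp.values())

def train_dmmfc(train: List[Tuple[Dict, int]]) -> Dict:
    """Layer 1: one base model per subset. Layer 2: a meta-model over the base models'
    probabilities, fitted on out-of-fold predictions so it never sees leaked training scores."""
    y = [lbl for _, lbl in train]
    folds = [train[0::2], train[1::2]]  # interleaved folds keep both classes in each half
    encs = {s: fit_encoder([f for f, _ in train], cols) for s, cols in SUBSETS.items()}
    oof: List[List[float]] = [[] for _ in train]
    for s, enc in encs.items():
        for a, b in ((0, 1), (1, 0)):
            m = GaussianNB().fit([encode(f, enc) for f, _ in folds[a]], [l for _, l in folds[a]])
            for idx in range(b, len(train), 2):  # indices that belong to fold b
                oof[idx].append(m.predict_proba(encode(train[idx][0], enc)))
    base = {s: GaussianNB().fit([encode(f, enc) for f, _ in train], y) for s, enc in encs.items()}
    return {"encs": encs, "base": base, "meta": GaussianNB().fit(oof, y)}

def predict(model: Dict, flow: Dict, threshold: float = 0.5) -> int:
    z = [model["base"][s].predict_proba(encode(flow, model["encs"][s])) for s in SUBSETS]
    return int(model["meta"].predict_proba(z) >= threshold)

def evaluate(y_true: List[int], y_pred: List[int]) -> Dict[str, float]:
    """Accuracy, F1 and false alarm rate (FP / (FP + TN)), the page's three evaluation indexes."""
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    tn = sum(t == 0 and p == 0 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return {"accuracy": (tp + tn) / len(y_true),
            "f1": 2 * prec * rec / (prec + rec) if prec + rec else 0.0,
            "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0}

def run_pipeline() -> Dict[str, float]:
    model = train_dmmfc(FLOWS)
    return evaluate([l for _, l in FLOWS], [predict(model, f) for f, _ in FLOWS])

if __name__ == "__main__":
    print(run_pipeline())
```

Note that the false alarm rate is computed over benign flows only (FP / (FP + TN)); on real traffic, where benign flows vastly outnumber malicious ones, even a small value here translates into a large absolute number of alerts, which is why the abstract reports it alongside accuracy and F1 rather than relying on accuracy alone.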

Description

Technical field

[0001] The invention belongs to the field of encrypted malicious traffic detection in data identification, and in particular relates to a double-layer multi-model fusion (DMMFC) encrypted malicious traffic detection method based on a stacking strategy.

Background technique

[0002] In recent years, all walks of life have accelerated their digital transformation, and cyber-attack methods have become diverse, with frequent security incidents such as data leakage and ransomware. In order to protect the security of users surfing the Internet, many websites have adopted transmission encryption protocols. According to a Sophos News report, the percentage of Chrome-loaded web pages with encryption enabled went from 40% in 2014 to 98% in 2021. Unfortunately, while legitimate traffic is encrypted, malicious traffic also uses the TLS encryption protocol to mask its attacks. In 2020, 23% of detected malware communicating with remote systems over the Internet used TransportL...


Application Information

Patent Timeline
Patent Type & Authority Applications(China)
IPC(8): H04L9/40, H04L41/142, H04L41/16
CPC: H04L63/1416, H04L63/20, H04L41/142, H04L41/16
Inventor 霍跃华赵法起李晓宇裴超曹洪治
Owner CHINA UNIV OF MINING & TECH (BEIJING)