Method and device for detecting encrypted malicious traffic

A malicious encrypted traffic detection technology, applied in the computer field, solves problems such as a small proportion of usable data, limited flow information and decreased analysis accuracy, so as to ensure accuracy, reduce dependence on basic data, and improve the flexibility and accuracy of analysis.

Pending Publication Date: 2022-03-18
极客信安(北京)科技有限公司

AI Technical Summary

Problems solved by technology

[0003] In an asymmetric routing environment, there are two methods for discovering malicious encrypted traffic. The first is non-data-flow analysis, that is, using discrete data packets to directly analyze and discover possible malicious encrypted traffic. The second is the data flow analysis method: in an asymmetric routing environment, restore as much of the data flow as possible, analyze the data flows that can be restored, and discard the rest of the data; but the flow information that can be obtained



Examples


Embodiment 1

[0075] As shown in Figure 1, according to a specific embodiment of the present invention, in a first aspect, the present invention provides a detection method for encrypted malicious traffic, including:

[0076] Step S101: collect network data flows in real time at the network boundary, where the network data flows comprise network layer data packets and transport layer data packets, and group the data flows based on the features of the network layer data packets and transport layer data packets;

[0077] Here, the network boundary refers to the interface at which a system's internal network and the external network exchange information; it is the security concept underlying boundary protection. For example, a government's internal and external networks need to serve the public; a bank's data network and the Internet need to support online transactions; and an enterprise's office and production networks need to support real-time information queries.

[0078] ...

Embodiment 2

[0122] As shown in Figure 3, according to a specific embodiment of the present invention, in a second aspect, the present invention provides a detection device for encrypted malicious traffic, including:

[0123] a dividing unit 301, a filtering unit 302, a prediction unit 303, a detection unit 304 and a detection unit 305;

[0124] The dividing unit 301 is configured to collect network data streams in real time at network boundaries, where the network data streams include network layer data packets and transport layer data packets, and to group the data streams based on the characteristics of the network layer data packets and transport layer data packets;

[0125] The filtering unit 302 is configured to perform data filtering on the grouped data streams through a whitelist to obtain remaining data streams;

[0126] The prediction unit 303 is configured to perform a calculation on the remaining data flows, predict suspicious flow information based on the calculation result, and s...

Embodiment 3

[0153] As shown in Figure 4, this embodiment provides an electronic device for use with the method for detecting encrypted malicious traffic, the electronic device including: at least one processor; and a memory communicatively connected to the at least one processor; wherein

[0154] the memory stores instructions executable by the at least one processor, the instructions being executed by the at least one processor to enable the at least one processor to perform detection of encrypted malicious traffic.

[0155] Figure 4 shows a schematic structural diagram of an electronic device suitable for implementing the embodiments of the present disclosure. The terminal equipment in the embodiments of the present disclosure may include, but is not limited to, mobile phones, notebook computers, digital broadcast receivers, PDAs (personal digital assistants), PADs (tablet computers), PMPs (portable multimedia players), vehicle terminals (such as mobile terminals such...


Abstract

The invention provides a method and a device for detecting encrypted malicious traffic. After whitelist filtering of the collected data streams, first information is supplemented based on the calculation result for suspicious data streams, second information is supplemented based on an active network probe, and then malicious traffic detection is performed on the suspicious traffic, after the second information has been supplemented, using a machine learning algorithm. In this method, for certain key information, server prediction is performed in an active reproduction mode to supplement the information, so that the defect of genuinely missing data caused by asymmetric routing is overcome; most of the information required for data stream analysis is effectively supplemented, dependence on basic data is reduced, and the flexibility and accuracy of analysis are improved.

Description

Technical field

[0001] The present invention relates to the field of computer technology, in particular to a method and device for detecting encrypted malicious traffic.

Background technique

[0002] In real network applications, detection of malicious encrypted traffic is often performed in an asymmetric routing environment. That is, at some large-scale network borders, such as inter-provincial and international network egress, for technical reasons such as routing configuration, the uplink and downlink data of the same data flow may not be transmitted over the same line, so that some detection nodes are unable to obtain all the traffic of a flow. It is therefore necessary to detect malicious behaviour of data flows in an asymmetric routing environment.

[0003] In an asymmetric routing environment, there are two methods for discovering malicious encrypted traffic: the first is non-data-flow analysis, that is, using discrete data packets to directly analyze and di...


Application Information

IPC(8): H04L9/40
CPC: H04L63/1408, H04L63/1416, H04L63/1425, Y02D30/50
Inventor: not disclosed
Owner 极客信安(北京)科技有限公司