Malicious traffic detection method and apparatus, storage medium, and electronic device

By monitoring network traffic, extracting and identifying network traffic characteristics, and using the LightGBM model to identify malicious traffic, the problem of low timeliness and small coverage of malicious traffic detection in existing technologies is solved, and efficient and accurate malicious traffic detection is achieved.

CN115396128BActive Publication Date: 2026-07-10WUHAN ANTIY MOBILE SECURITY

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
WUHAN ANTIY MOBILE SECURITY
Filing Date
2021-05-19
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing technologies for detecting malicious traffic have low timeliness and limited coverage, making it difficult to accurately detect malicious traffic from complex attack methods such as botnets.

Method used

By monitoring network traffic, extracting network traffic summaries, determining network traffic characteristics, and inputting them into a traffic identification model for identification, including a comprehensive evaluation of network connection characteristics, protocol characteristics, and word characteristics, the LightGBM model is used for identification.

Benefits of technology

It improves the accuracy, timeliness, and coverage of malicious traffic detection, simplifies the preprocessing process, and enhances feature extraction efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115396128B_ABST
    Figure CN115396128B_ABST
Patent Text Reader

Abstract

Embodiments of the present application disclose a malicious traffic detection method and device, a storage medium and an electronic device. The method comprises: monitoring network traffic in a current network environment, extracting a network traffic summary to be detected from the network traffic, determining a network traffic feature of at least one network dimension of the network traffic based on the network traffic summary, inputting the network traffic feature into a traffic identification model, and obtaining a traffic identification result corresponding to the network traffic. The embodiments of the present application can improve the accuracy, timeliness and coverage of malicious traffic detection.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer technology, and in particular to a method, apparatus, storage medium and electronic device for detecting malicious traffic. Background Technology

[0002] With societal development and advancements in internet technology, cybersecurity issues are receiving increasing attention. The detection of malicious traffic attacks is becoming increasingly prominent in cybersecurity operations.

[0003] Currently, malicious traffic typically intrudes into, attacks, and interferes with networks (especially home networks) in an unauthorized manner. Specifically, malicious traffic evolves and merges with traditional malicious code forms such as network worms, Trojans, and backdoors, creating a composite attack method known as botnets. Botnets can send spam, steal user privacy information, and launch distributed denial-of-service (DDoS) attacks, among other malicious network behaviors. Therefore, detecting malicious traffic is crucial for effectively intercepting malicious network activities. Summary of the Invention

[0004] This application provides a method, apparatus, storage medium, and electronic device for detecting malicious traffic, which can improve the accuracy, timeliness, and coverage of malicious traffic detection. The technical solution is as follows:

[0005] In a first aspect, embodiments of this application provide a method for detecting malicious traffic, the method comprising:

[0006] Monitor network traffic in the current network environment and extract a summary of the network traffic to be detected from the network traffic.

[0007] Based on the network traffic summary, network traffic features for at least one network dimension of the network traffic are determined;

[0008] The network traffic characteristics are input into the traffic identification model to obtain the traffic identification result corresponding to the network traffic.

[0009] Secondly, embodiments of this application provide a malicious traffic detection device, the device comprising:

[0010] The summary extraction module is used to monitor network traffic in the current network environment and extract a summary of the network traffic to be detected from the network traffic.

[0011] A feature determination module is used to determine network traffic features for at least one network dimension of the network traffic based on the network traffic summary;

[0012] The identification result module is used to input the network traffic features into the traffic identification model to obtain the traffic identification result corresponding to the network traffic.

[0013] Thirdly, embodiments of this application provide a computer storage medium storing a plurality of instructions adapted for loading by a processor and executing the above-described method steps.

[0014] Fourthly, embodiments of this application provide an electronic device that may include: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to execute the above-described method steps.

[0015] The beneficial effects of the technical solutions provided in some embodiments of this application include at least the following:

[0016] In one or more embodiments of this application, network traffic in the current network environment is monitored, a network traffic summary to be detected is extracted from the network traffic, network traffic features of at least one network dimension for the network traffic are determined based on the network traffic summary, and the network traffic features are input into a traffic identification model to obtain the traffic identification result corresponding to the network traffic. By extracting the network traffic summary to be detected from the network traffic, the preprocessing of network traffic can be simplified without losing discriminative network traffic features, while improving the efficiency of network traffic feature extraction. Furthermore, identifying network traffic through a traffic identification model can improve the accuracy, timeliness, and coverage of malicious traffic detection. Attached Figure Description

[0017] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0018] Figure 1 This is a flowchart illustrating a malicious traffic detection method provided in an embodiment of this application;

[0019] Figure 2 This is a flowchart illustrating another malicious traffic detection method provided in an embodiment of this application;

[0020] Figure 3 This is a flowchart illustrating another malicious traffic detection method provided in an embodiment of this application;

[0021] Figure 4 This is an example diagram illustrating another malicious traffic detection method provided in the embodiments of this application;

[0022] Figure 5 This is a schematic diagram of the structure of a malicious traffic detection device provided in an embodiment of this application;

[0023] Figure 6 This is a schematic diagram of the structure of a feature determination module provided in an embodiment of this application;

[0024] Figure 7 This is a schematic diagram of a connection feature extraction unit provided in an embodiment of this application;

[0025] Figure 8 This is a schematic diagram of the structure of a protocol feature extraction unit provided in an embodiment of this application;

[0026] Figure 9 This is a schematic diagram of the structure of a word feature extraction unit provided in an embodiment of this application;

[0027] Figure 10 This is a schematic diagram of another malicious traffic detection device provided in the embodiments of this application;

[0028] Figure 11 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application;

[0029] Figure 12 This is a schematic diagram of the structure of the operating system and user space provided in the embodiments of this application.

[0030] Figure 13 This is an architecture diagram of an Android system operating system provided in an embodiment of this application;

[0031] Figure 14 This is an architecture diagram of an iOS operating system provided in an embodiment of this application. Detailed Implementation

[0032] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0033] In the description of this application, it should be understood that the terms "first," "second," etc., are used for descriptive purposes only and should not be construed as indicating or implying relative importance. In the description of this application, it should be noted that, unless otherwise expressly specified and limited, "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units not listed, or may optionally include other steps or units inherent to these processes, methods, products, or devices. Those skilled in the art can understand the specific meaning of the above terms in this application based on the specific circumstances. Furthermore, in the description of this application, unless otherwise stated, "multiple" means two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist; for example, A and / or B can represent: A alone, A and B simultaneously, and B alone. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship.

[0034] In related technologies, malicious traffic detection methods typically extract discriminative traffic features from existing malicious traffic samples and record these features in a rule base. When detecting current network traffic, the current network traffic features are compared with those in the rule base to determine whether the current network traffic is malicious. However, using the identified malicious traffic features as the basis for traffic detection not only results in low timeliness and limited coverage but is also limited by the capacity of the rule base's traffic feature set. This makes it difficult to completely record the discriminative traffic features of malicious traffic samples, leading to inaccurate detection of malicious traffic.

[0035] According to some embodiments, the malicious traffic detection method provided in this application can solve one or more of the above-mentioned problems.

[0036] The present application will now be described in detail with reference to specific embodiments.

[0037] In one embodiment, such as Figure 1As shown, a malicious traffic detection method is proposed. This method can be implemented using a computer program and can run on a malicious traffic detection device based on the von Neumann architecture. This computer program can be integrated into an application or run as a standalone utility application. The malicious traffic detection device can be a terminal device, including but not limited to: personal computers, tablets, handheld devices, vehicle-mounted devices, wearable devices, computing devices, or other processing devices connected to a wireless modem. In different networks, the terminal device can be called by different names, such as: user equipment, access terminal, user unit, user station, mobile station, mobile station, remote station, remote terminal, mobile device, user terminal, terminal, wireless communication device, user agent or user equipment, cellular phone, cordless phone, terminal device in 5G networks or future evolved networks, etc.

[0038] Specifically, the malicious traffic detection method includes:

[0039] S101: Monitor network traffic in the current network environment and extract a summary of the network traffic to be detected from the network traffic.

[0040] According to some embodiments, a network environment refers to a broadband, high-speed, integrated, and wide-area digital telecommunications network built on the basis of the combination of electronic computers and modern communication technologies. In the embodiments of this application, the current network environment can be a network environment under different usage scenarios, including but not limited to: home network environment, public network environment, and enterprise network environment. Among them, with the popularization of the Internet of Things, home network devices are extremely vulnerable to malicious traffic attacks. Using home network devices (such as personal computers, smart TVs, smart cameras, routers, etc.) as the execution subject in the embodiments of this application can effectively detect malicious traffic in the home network environment, thereby creating a good home network environment.

[0041] Specifically, monitoring network traffic in the current network environment can be done by collecting network traffic in the current network environment at a preset period, or by collecting network traffic in the current network environment in real time.

[0042] The data collection period can be set based on network environment standards. These standards can include network environment quality level, network environment importance, and the network environment's ability to resist malicious traffic. For example, if the current network environment has poor quality and is frequently attacked by malicious traffic, a shorter preset period can be set to increase the frequency of traffic collection, thereby enhancing network traffic detection.

[0043] Optionally, a collection period can be set based on considerations of resource consumption and device performance in traffic detection. For example, in a home network environment, home network devices can collect network traffic at a time of 1 minute. This ensures that processing the network traffic within this collection period does not excessively consume resources or limit device performance, while achieving a balance between computational load, memory consumption, and the timeliness and effectiveness of detection during network traffic preprocessing.

[0044] In this embodiment of the application, extracting the network traffic summary to be detected from the network traffic means extracting basic information of the network traffic from various dimensions. It can be understood that the basic information includes data on network traffic characteristics, such as network quadruples and protocol types.

[0045] S102: Determine network traffic features for at least one network dimension of the network traffic based on the network traffic summary.

[0046] Specifically, the data information in the network traffic summary is read, and traffic features with black-and-white traffic differentiation are extracted. Based on the current network traffic environment, appropriate network traffic features for each network dimension are selected. These network traffic features for each network dimension include, but are not limited to: network connection features, network protocol features, and network word features.

[0047] S103: Input the network traffic characteristics into the traffic identification model to obtain the traffic identification result corresponding to the network traffic.

[0048] Specifically, the traffic identification model can determine the traffic identification result by comprehensively evaluating the characteristics of network traffic. The traffic identification result can be the traffic type of the network traffic or a score for the network traffic.

[0049] It is easy to understand that traffic types include black traffic (i.e., malicious traffic) and white traffic (i.e., normal traffic). Among them, the type of traffic can be used to determine whether network traffic is malicious.

[0050] Optionally, the score refers to the numerical value obtained by the traffic identification model through a comprehensive evaluation of network traffic characteristics. The score can be used to determine whether the network traffic is malicious. For example, if the score for network traffic falls within the range corresponding to malicious traffic, then the network traffic can be identified as malicious.

[0051] In this embodiment, network traffic under the current network environment is monitored, a network traffic summary to be detected is extracted from the network traffic, and network traffic features of at least one network dimension for the network traffic are determined based on the network traffic summary. These network traffic features are then input into a traffic identification model to obtain the traffic identification result corresponding to the network traffic. By extracting the network traffic summary to be detected from the network traffic, the preprocessing of network traffic can be simplified without losing discriminative network traffic features, while simultaneously improving the efficiency of network traffic feature extraction. Furthermore, identifying network traffic through a traffic identification model can improve the accuracy, timeliness, and coverage of malicious traffic detection.

[0052] Please see Figure 2 , Figure 2 This is a flowchart illustrating another embodiment of the malicious traffic detection method proposed in this application. Specifically:

[0053] S201: Monitor network traffic in the current network environment and extract a summary of the network traffic to be detected from the network traffic.

[0054] For details, please refer to S101, which will not be repeated here.

[0055] It should be noted that the process of extracting network traffic features may include at least one of S202, S203, and S204, as described below:

[0056] S202: Extract connection dimension features from the network traffic summary based on at least one network tuple data to obtain network connection features.

[0057] In this embodiment, the network traffic characteristics of each network dimension include network connection characteristics. Specifically, network connection characteristics refer to the information connection-related characteristics involved in the transmission of network traffic. The information data involved in the transmission of network traffic can be understood as network tuple data. It should be noted that network tuple data includes at least one of network quadruples, network quintuples, and network heptaples.

[0058] Furthermore, the connection elements of a network quadruple include: source IP address (srcIP), source port (srcPort), destination IP address (destIP), and destination port (destPort); the connection elements of a network quintuple include source IP address, source port, destination IP address, destination port, and transport layer protocol; the connection elements of a network septum include interface index, source IP address, destination IP address, source port, destination port, transport layer protocol, and ToS.

[0059] According to some embodiments, taking network quadruples as an example, the process of obtaining network connectivity features can be as follows:

[0060] Clustering is performed on each connection element corresponding to the network tuple data to obtain the number of categories corresponding to each connection element combination; the connection element combination is composed of at least one connection element corresponding to the network quadruple.

[0061] The classification feature value is calculated for the number of categories corresponding to each of the connection elements in the network traffic summary, and a network connection feature composed of the classification feature value is generated.

[0062] Specifically, the connection elements of the network quadruple are hierarchically combined. First, each connection element in the network quadruple (including srcIP, srcPort, destIP, and destPort) is grouped into a single group according to the first-level combination, and this group is clustered to obtain the total number of categories. Then, a preset number of elements are selected from each connection element to form a group. The preset number can be 1, in which case the group can be "srcIP", "srcPort", "destIP", or "destPort"; the preset number can be 2, in which case the group can be "srcIP, srcPort", "destIP, destIP", or "srcIP, destPort", etc.; the preset number can also be 3, in which case the group can be "srcIP, srcPort, destIP", "srcIP, destPort", etc. Based on the total number of categories, each selected group is clustered to obtain the number of categories corresponding to that group. For example, the following table shows a feasible first-level combination of connection elements of the network quadruple:

[0063]

[0064] Specifically, the number of classifications for each combination can be used as the feature value corresponding to the network connectivity feature. Furthermore, the number of classifications for the combination "srcIP, srcPor, destIP, destPort" is N, which is the maximum number of classifications for all combinations. Therefore, the ratio of the number of classifications for combinations other than "srcIP, srcPor, destIP, destPort" to the number of classifications N can be used as the feature value corresponding to the network connectivity feature. Alternatively, the maximum number of clusters corresponding to each group among the classifications of other combinations can be used as the feature value corresponding to the network connectivity feature; and the ratio of the maximum number of clusters corresponding to each group among the classifications of other combinations to the number of classifications N can also be used as the feature value corresponding to the network connectivity feature.

[0065] Next, according to the second-level combination, a preset number of elements are selected from each connection element as the first level of a combination, and a preset number of elements are selected as the second level of the combination. The preset number can be 1, where the preset elements are srcIP, srcIP, srcPort, or destPort, resulting in combinations such as "srcIP-srcPort", "srcIP-destIP", or "srcIP-destPort". The preset number can be 2, resulting in combinations such as "srcIP, srcPort", "srcIP, destIP-srcPort", or "srcIP, destPort-srcPort", etc. The preset number can also be 3 or 4. Clustering is then performed on each selected combination to obtain the number of categories corresponding to that combination. For example, the following table shows a feasible second-level combination of connection elements for a network quadruple:

[0066]

[0067] In this process, clustering is performed on each first-level combination, and then clustering is performed on each second-level combination under the first-level combination. The maximum number of classifications corresponding to each second-level combination under the first-level combination can be used as the feature value corresponding to the network connection feature.

[0068] S203: Extract protocol dimension features from the network traffic digest based on at least one network transmission protocol to obtain network protocol features.

[0069] In this embodiment of the application, the network traffic characteristics of each network dimension include network connection characteristics. Specifically, network protocol characteristics refer to the characteristics of protocol information involved in the transmission of network traffic. The network protocol characteristics include at least one of the existence characteristics, attribute value characteristics, and abnormal value characteristics. Therefore, the process of determining network protocol characteristics may include at least one of S2031, S2032, and S2033, as described below:

[0070] S2031: Based on at least one network transmission protocol, perform transmission protocol type determination processing on the network traffic digest, and determine the existence feature corresponding to each network transmission protocol in the network traffic digest. It is easy to understand that the existence feature refers to whether the network traffic contains data of that network protocol.

[0071] As an illustration, network transport protocols may include: Hypertext Transfer Protocol (HTTP), User Datagram Protocol (UDP), Transmission Control Protocol (TCP), Internet Control Message Protocol (ICMP), and Telnet protocol.

[0072] The following table shows the existence characteristics of each network protocol in network traffic:

[0073]

[0074]

[0075] S2032: In the network traffic summary, determine the traffic attribute parameters of the protocol data corresponding to each network transmission protocol, and generate the attribute numerical features based on the traffic attribute parameters.

[0076] Among them, the numerical characteristics of the corresponding attributes of different types of network transmission protocols are different.

[0077] For illustration, the numerical values ​​of Telnet protocol attributes can be the number of packets corresponding to network traffic, the time interval between incorrect passwords, and the number of incorrect passwords. Furthermore, the numerical characteristics of Telnet protocol attributes can be calculated values ​​corresponding to each attribute, such as the maximum, minimum, average, and sum of packet counts.

[0078] The table below shows the numerical characteristics of the Telnet protocol attributes in network traffic:

[0079]

[0080] Schematic representation: Determining the numerical values ​​of User Datagram Protocol (UDP) attributes can be the number of uplink data bytes, downlink data bytes, average uplink bytes, average downlink bytes, average uplink interval within a flow, average downlink interval within a flow, and the number of erroneous ciphers corresponding to network traffic. Furthermore, the numerical characteristics of UDP attributes can be calculated values ​​corresponding to each attribute, such as the maximum, minimum, average, and sum of the uplink data bytes.

[0081] The following table shows the attribute values ​​corresponding to the User Datagram Protocol (UDP) in network traffic:

[0082]

[0083] Indicatively, the attribute values ​​of a control message protocol can be the number of request packets and response packets corresponding to network traffic. Furthermore, the attribute value characteristics of a control message protocol can be calculated values ​​corresponding to each attribute value, such as the sum of the number of request packets.

[0084] The following table shows the attribute values ​​of control message protocols in network traffic:

[0085]

[0086] Illustratively, the numerical values ​​of transmission control protocol attributes can be the number of uplink TCP packets with push and ack flags, the number of downlink TCP packets with push and ack flags, the number of TCP packets with SYN flag, the number of TCP packets with SYN and ACK flags, the number of uplink data bytes, the number of downlink data bytes, the maximum uplink data byte length, the maximum downlink data byte length, the average uplink byte count, the average downlink byte count, the average uplink interval within the stream, and the average downlink interval within the stream. Furthermore, the numerical characteristics of transmission control protocol attributes can be calculated values ​​corresponding to each attribute value, for example, the sum of the number of uplink TCP packets with push and ack flags.

[0087] The table below shows the numerical characteristics of the attribute corresponding to the transmission control protocol in network traffic:

[0088]

[0089]

[0090] S2033: In the network traffic summary, abnormal data packet identification processing is performed on the protocol data of the preset network transmission protocol to generate the abnormal numerical feature.

[0091] The following table illustrates how to identify anomalous numerical characteristics of the Transmission Control Protocol (TCP) in network traffic, as shown in the illustration.

[0092]

[0093] It is understandable that S2031, S2032, and S2033 can be executed in any order; they can be executed in parallel or sequentially.

[0094] S204: Based on a preset vocabulary and an inverse text frequency table, extract word-dimensional features from the network traffic summary to obtain network word features.

[0095] Specifically, network word feature data is determined based on the network traffic summary, and the network word feature data includes destination port feature data and network address feature data;

[0096] Based on the vocabulary and the inverse text frequency table, the network word feature data is subjected to word frequency statistical processing to obtain high-dimensional word frequency features; the high-dimensional word frequency features are composed of the first word frequency features corresponding to the destination port feature data and the second word frequency features corresponding to the network address feature data;

[0097] The high-dimensional word frequency features are reduced in dimensionality to generate a low-dimensional word frequency matrix, and the network word features are determined based on the low-dimensional word frequency matrix.

[0098] One approach is to use the term frequency–inverse document frequency (TF-IDF) algorithm to calculate the high-dimensional term frequency features corresponding to the network word feature data.

[0099] According to some embodiments, network word features include a first word frequency feature corresponding to destination port feature data and a second word frequency feature corresponding to network address feature data. The network address feature data may be Hypertext Transfer Protocol data from a Uniform Resource Locator (URL) in network traffic. The vocabulary includes a port vocabulary and an address vocabulary, and the inverse text frequency table includes an inverse port frequency table and an inverse address frequency table.

[0100] The method for extracting the first word frequency feature (the word frequency feature corresponding to the destination port) includes: based on the number of port clusters corresponding to the destination port feature data, the port vocabulary, and the inverse port frequency table, calculating the first word text frequency value corresponding to the destination port feature data using a preset word frequency algorithm, and using the first word text frequency value as the first word frequency feature.

[0101] It is understandable that the preset word frequency algorithm can be the TF-IDF algorithm, and the first word text frequency value can be the TF-IDF value corresponding to the target port feature data.

[0102] Specifically, to determine the number of port clusters (N) corresponding to the target port feature data, the TF value can be calculated as 1 plus the logarithm of the number of port clusters (1+logN). Based on the first index information in the port vocabulary, the IDF value corresponding to the target port feature data is found in the inverse port frequency table. The TF-IDF value is then the product of the TF value and the IDF value. Furthermore, the target port feature data includes at least one word. When calculating the first word text frequency value corresponding to the target port feature data, the ratio of this TF-IDF value to the value corresponding to each target port feature data can be calculated. This ratio is the first word text frequency value corresponding to the target port feature data. The calculation process for the value corresponding to each target port feature data is as follows: calculate the sum of squares of the TF-IDF values ​​corresponding to each target port feature data, and then take the square root of this sum. The resulting value is the value corresponding to each target port feature data.

[0103] It should be noted that the number of port clusters can be obtained by clustering based on the total number of categories in the network quadruple, resulting in the number of clusters corresponding to the destination port (destPort).

[0104] The method for extracting the second word frequency feature (the word frequency feature corresponding to the URL) includes: based on the number of word clusters corresponding to the network address feature data, the address word list, and the inverse address frequency table, calculating the second word text frequency value corresponding to the network address feature data using a preset word frequency algorithm, and using the second word text frequency value as the second word frequency feature.

[0105] It is understandable that the first word text frequency value can be the TF-IDF value corresponding to the network address feature data.

[0106] Specifically, the Hypertext Transfer Protocol (HTTP) data is segmented to obtain the corresponding protocol words. The number of word clusters (M) corresponding to each protocol word is determined. The TF value can be calculated as 1 plus the logarithm of the number of port clusters (1+logM). Based on the second index information in the address word table, the IDF value corresponding to the protocol word in the inverse protocol frequency table is searched. The TF-IDF value is the product of the TF value and the IDF value. Furthermore, since each protocol word includes at least one, when calculating the first word text frequency value corresponding to the target protocol word, the ratio of the TF-IDF value to the value corresponding to each protocol word can be calculated. This ratio is the first word text frequency value corresponding to the protocol word. The calculation process for the value corresponding to each protocol word is as follows: calculate the sum of squares of the TF-IDF values ​​corresponding to each protocol word, and then take the square root of the sum of squares. The resulting value is the value corresponding to each protocol word.

[0107] It should be noted that, due to the large number of protocol words, using a certain retrieval resource to look up the IDF value corresponding to the protocol word in the inverse protocol frequency table based on the index information in the address word table can increase computational efficiency and consume less space resources compared to directly generating an array. This retrieval resource can be a double-array trie (DAT). It can be understood that a double-array trie is a double-array trie used for protocol word retrieval.

[0108] Optionally, to reduce resource consumption and increase computational speed, dimensionality reduction algorithms are used to transform high-dimensional word frequency features into low-dimensional word frequency matrices. These dimensionality reduction algorithms include, but are not limited to: truncated singular value decomposition (TSVD), principal component analysis (PCA), factor analysis (FA), and independent component analysis (ICA).

[0109] To illustrate, the TF-IDF matrix is ​​reduced in dimensionality using the TSVD algorithm to obtain a 30-dimensional low-dimensional term frequency matrix, which is the weight value of each word data (the protocol word corresponding to the destination port feature data or network address feature data) in the 30 dimensions of the low-dimensional term frequency matrix.

[0110] It is understandable that S202, S203, and S204 can be executed in any order; they can be executed in parallel or sequentially.

[0111] S205: Input the network traffic characteristics into the traffic identification model to obtain the traffic identification result corresponding to the network traffic.

[0112] For details, please refer to S103, which will not be repeated here.

[0113] In this embodiment, network traffic under the current network environment is monitored, a network traffic summary to be detected is extracted from the network traffic, and network traffic features of at least one network dimension for the network traffic are determined based on the network traffic summary. These network traffic features are then input into a traffic identification model to obtain the traffic identification result corresponding to the network traffic. By extracting the network traffic summary to be detected from the network traffic, the preprocessing of network traffic can be simplified without losing discriminative network traffic features, while simultaneously improving the efficiency of network traffic feature extraction. Furthermore, identifying network traffic through a traffic identification model can improve the accuracy, timeliness, and coverage of malicious traffic detection. Moreover, by extracting network connection features, network protocol features, and network word features from the network traffic as traffic features for identification, the traffic features have strong discriminative power, thereby improving the accuracy of malicious traffic detection.

[0114] Please see Figure 3 , Figure 3 This is a flowchart illustrating another embodiment of the malicious traffic detection method proposed in this application. Specifically:

[0115] S301: Obtain traffic samples from a preset traffic sample set, wherein the traffic samples include malicious sample traffic marked as malicious and normal sample traffic marked as normal.

[0116] In this embodiment of the application, the preset traffic sample set includes a large number of traffic samples, which include malicious sample traffic marked as malicious type and normal sample traffic marked as normal type. The types of malicious traffic include, but are not limited to: Gafgyt, Mirai, Dofloo, BillGates, etc.

[0117] After obtaining traffic samples from a preset traffic sample set, in order to facilitate the training of the traffic identification model and the detection of malicious traffic, a vocabulary corresponding to the sample traffic is determined. The vocabulary includes a port vocabulary and an address vocabulary. In addition, an inverse text frequency table corresponding to the sample traffic is determined. The inverse text frequency table includes an inverse port frequency table and an inverse address frequency table.

[0118] The method for determining the port vocabulary corresponding to the sample traffic is as follows:

[0119] Extract the destination port feature data of each sample traffic summary in the sample traffic, determine the first index information corresponding to each destination port feature data and the inverse port frequency table, and generate a port vocabulary containing each destination port feature data and the first index information.

[0120] Optionally, destination port feature data with a small number of port clusters can be treated as noise and excluded from the port vocabulary. For example, the destination port feature data can be sorted according to the number of port clusters, and the last 10% of destination port feature data in the sort can be removed.

[0121] The method for determining the address vocabulary corresponding to the sample traffic is as follows:

[0122] Extract network address feature data from the network address feature data of each sample traffic summary in the sample traffic, perform word segmentation on each network address feature data, determine at least one address word corresponding to each network address feature data, determine the second index information corresponding to each address word and the inverse address frequency table, and generate an address word table containing each network address feature data and the second index information.

[0123] Optionally, address words with fewer clusters can be treated as noise and excluded from the address word list. For example, address words can be sorted by the number of clusters, and the last 10% of address words in the sort can be removed.

[0124] The method for determining the inverse port frequency table corresponding to the sample traffic is as follows:

[0125] The number of first samples of each destination port feature data in each traffic sample is counted, the first quotient of the total number of traffic samples and the number of first samples is calculated, and the first logarithmic value of the first quotient is determined; the inverse port frequency table is generated, which includes each destination port feature data and the first logarithmic value corresponding to each destination port feature data.

[0126] It is easy to understand that the number of first samples corresponding to destination port feature data refers to the number of traffic samples with that destination port feature data.

[0127] The method for determining the inverse address frequency table corresponding to the sample traffic is as follows:

[0128] The number of second samples of each address word in each traffic sample is counted, the second quotient of the total number of samples and the number of second samples is calculated, and the second logarithm of the second quotient is determined; the inverse address frequency table is generated, which includes each address word and the second logarithm of each address word.

[0129] It is easy to understand that the number of first samples corresponding to address words refers to the number of traffic samples with address words.

[0130] S302: Extract a sample traffic summary of the traffic sample, and determine sample traffic features for at least one network dimension of the traffic sample based on the sample traffic summary.

[0131] Specifically, the process of extracting sample traffic features of at least one network dimension from the sample traffic summary may include at least one of S3021, S3022, and S3023, as described below:

[0132] S3021: Extract connection dimension features from the sample traffic summary based on at least one network tuple data to obtain sample connection features; wherein, the network tuple data includes at least one of network quadruples, network quintuples, and network heptatuples.

[0133] S3022: Extract protocol dimension features from the sample traffic summary based on at least one network transmission protocol to obtain sample protocol features;

[0134] S3023: Based on a preset vocabulary and an inverse text frequency table, extract word-dimensional features from the sample traffic summary to obtain sample word features.

[0135] The extraction of sample traffic features described above is based on the same concept as the extraction of network traffic features in some embodiments. The implementation process is detailed in the method embodiments and will not be repeated here.

[0136] It is understandable that S3021, S3022, and S3023 are executed in any order; they can be executed in parallel or sequentially.

[0137] It should be noted that the period for extracting the sample traffic summary of the traffic sample is the same as the detection period of the network traffic to be detected, so as to ensure that the training and detection standards are consistent.

[0138] S303: Train the initial traffic identification model based on the sample traffic characteristics to generate a trained traffic identification model.

[0139] In this application embodiment, the initial traffic identification model includes, but is not limited to, the LightGBM model, Random Forest, and Xgboost model. Among them, the LightGBM model is a decision tree algorithm based on histograms. During the training process, gradient boosting is used to further learn from samples that are misclassified by a single tree, which can achieve higher accuracy. Therefore, the LightGBM model is the optimal choice as the initial traffic identification model.

[0140] Specifically, the process of training the initial traffic identification model based on the sample traffic features can be as follows: train the LightGBM model using training samples, and adjust the model parameters according to the results of the validation set: the number of trees, the training step size, the depth of the trees, the number of leaves, and the minimum number of samples on the leaves.

[0141] Furthermore, the files corresponding to the traffic identification model and the traffic preprocessing file are solidified. The traffic preprocessing file includes a vocabulary corresponding to the sample traffic, an inverse text frequency table corresponding to the sample traffic, and retrieval resources corresponding to the address vocabulary. The retrieval resources corresponding to the address vocabulary can be a static double-array search tree.

[0142] It is easy to understand that solidifying the files corresponding to the traffic identification model and the traffic preprocessing files can effectively reduce computing and storage resources, allowing for direct loading and use, while also facilitating large-scale distribution and rapid updates.

[0143] As an example, a feasible list of firmware files is as follows:

[0144]

[0145]

[0146] like Figure 4 The diagram shows an example of a feasible memory layout for a traffic identification model. The traffic identification model can be laid out according to the layout shown in the diagram, and the 300 decision trees generated by the traffic identification model can be stored in the front and back areas of the file according to tree attributes and tree nodes.

[0147] S304: Monitor network traffic in the current network environment and extract a summary of the network traffic to be detected from the network traffic.

[0148] For details, please refer to S101, which will not be repeated here.

[0149] S305: Determine network traffic characteristics for at least one network dimension of the network traffic based on the network traffic summary.

[0150] For details, please refer to S102; it will not be repeated here.

[0151] S306: Input the network traffic characteristics into the traffic identification model to obtain the traffic identification result corresponding to the network traffic.

[0152] According to some embodiments, based on the traffic identification model, a target score corresponding to the traffic to be detected is output. If the target score is greater than a score threshold, the traffic to be detected is determined to be malicious traffic.

[0153] Specifically, the extracted network traffic features are transformed into a one-dimensional feature vector. This one-dimensional feature vector is then used for a single decision tree, starting from the root node. Based on the feature index identified in the non-leaf nodes of the decision tree, feature values ​​are obtained from the feature list of the current data. These values ​​are compared with the threshold in the tree node to determine the direction of the next node. Finally, the leaf node is reached to obtain the score of the current decision tree, thus obtaining the target score.

[0154] The score threshold can be selected based on the validation set results of the traffic sample set in the traffic identification model. The score threshold and traffic identification model with a false alarm rate below the preset standard and a detection rate above the preset standard are selected as the final score threshold and traffic monitoring model.

[0155] In this embodiment, network traffic under the current network environment is monitored, a network traffic summary to be detected is extracted from the network traffic, and network traffic features of at least one network dimension for the network traffic are determined based on the network traffic summary. These network traffic features are then input into a traffic identification model to obtain the traffic identification result corresponding to the network traffic. By extracting the network traffic summary to be detected from the network traffic, the preprocessing of network traffic can be simplified without losing discriminative network traffic features, while simultaneously improving the efficiency of network traffic feature extraction. Furthermore, identifying network traffic through a traffic identification model can improve the accuracy, timeliness, and coverage of malicious traffic detection.

[0156] The following will combine Figure 5 This application provides a detailed description of the malicious traffic detection device provided in its embodiments. It should be noted that... Figure 5 The malicious traffic detection device shown is used to execute this application. Figures 1-4 The methods shown in the embodiments are for illustrative purposes only, illustrating the parts relevant to the embodiments of this application. For specific technical details not disclosed, please refer to this application. Figures 1-4 The example shown.

[0157] Please see Figure 5 This diagram illustrates the structure of a malicious traffic detection device according to an embodiment of this application. The malicious traffic detection device 1 can be implemented as all or part of a device through software, hardware, or a combination of both. According to some embodiments, the malicious traffic detection device 1 includes a digest extraction module 11, a feature determination module 12, and an identification result module 13, specifically used for:

[0158] Summary extraction module 11 is used to monitor network traffic in the current network environment and extract a summary of the network traffic to be detected from the network traffic.

[0159] Feature determination module 12 is used to determine network traffic features for at least one network dimension of the network traffic based on the network traffic summary;

[0160] The identification result module 13 is used to input the network traffic features into the traffic identification model to obtain the traffic identification result corresponding to the network traffic.

[0161] Optional, such as Figure 6 As shown, the feature determination module 12 includes:

[0162] The connection feature extraction unit 121 is used to extract connection dimension features from the network traffic digest based on at least one network tuple data to obtain network connection features; wherein, the network tuple data includes at least one of network quadruples, network quintuples and network heptruples.

[0163] Protocol feature extraction unit 122 is used to extract protocol dimension features from the network traffic digest based on at least one network transmission protocol to obtain network protocol features;

[0164] The word feature extraction unit 123 is used to extract word-dimensional features from the network traffic summary based on a preset vocabulary and an inverse text frequency table to obtain network word features.

[0165] Optional, such as Figure 7 As shown, the connection feature extraction unit 121 includes:

[0166] Clustering subunit 1211 is used to perform combined clustering processing according to each connection element corresponding to the network tuple data to obtain the number of categories corresponding to each connection element combination; the connection element combination is composed of at least one connection element corresponding to the network quadtuple.

[0167] The calculation subunit 1212 is used to calculate the classification feature value of the number of classifications corresponding to each of the connection element combinations in the network traffic summary, and generate network connection features composed of the classification feature values.

[0168] The network tuple data is a network quadruple, and the connection elements of the network quadruple include the source IP address, source port, destination IP address, and destination port.

[0169] Optional, such as Figure 8 As shown, the protocol feature extraction unit 122 includes:

[0170] The network protocol features include the existence feature, attribute numerical feature, and abnormal numerical feature;

[0171] The decision subunit 1221 is used to perform a transmission protocol type decision on the network traffic digest based on at least one network transmission protocol, and to determine the existence feature corresponding to each of the network transmission protocols in the network traffic digest.

[0172] The attribute subunit 1222 is used to determine the traffic attribute parameters of the protocol data corresponding to each of the network transmission protocols in the network traffic summary, and generate the attribute numerical features based on the traffic attribute parameters.

[0173] The identification subunit 1223 is used to perform abnormal data packet identification processing on the protocol data of the preset network transmission protocol in the network traffic summary, and generate the abnormal numerical features.

[0174] Optional, such as Figure 9 As shown, the word feature extraction unit 123 includes:

[0175] Data subunit 1231 is used to determine network word feature data based on the network traffic summary, wherein the network word feature data includes destination port feature data and network address feature data;

[0176] The word frequency subunit 1232 is used to perform word frequency statistical processing on the network word feature data based on the vocabulary and the inverse text frequency table to obtain high-dimensional word frequency features; the high-dimensional word frequency features are composed of a first word frequency feature corresponding to the destination port feature data and a second word frequency feature corresponding to the network address feature data.

[0177] Matrix subunit 1233 is used to reduce the dimensionality of the high-dimensional word frequency features to generate a low-dimensional word frequency matrix, and to determine network word features based on the low-dimensional word frequency matrix.

[0178] Optionally, the term frequency subunit 1232 is specifically used for:

[0179] The vocabulary includes a port vocabulary and an address vocabulary, and the inverse text frequency table includes an inverse port frequency table and an inverse address frequency table.

[0180] Based on the destination port feature data corresponding The number of port clusters, the port vocabulary, and the inverse port frequency table are used to calculate the first word text frequency value corresponding to the target port feature data using a preset word frequency algorithm; the first word text frequency value is then used as the first word frequency feature.

[0181] Based on the network address feature data corresponding The word cluster count, the address word list, and the inverse address frequency table are used to calculate the second word text frequency value corresponding to the network address feature data using a preset word frequency algorithm, and the second word text frequency value is used as the second word frequency feature.

[0182] Optional, such as Figure 10 As shown, the device 1 further includes:

[0183] Sample acquisition module 14 is used to acquire traffic samples from a preset traffic sample set, wherein the traffic samples include malicious sample traffic marked as malicious and normal sample traffic marked as normal.

[0184] The sample feature module 15 is used to extract a sample traffic summary of the traffic sample and determine sample traffic features for at least one network dimension of the traffic sample based on the sample traffic summary.

[0185] The sample training module 16 is used to train the initial traffic identification model based on the sample traffic characteristics to generate a trained traffic identification model.

[0186] Optionally, the sample feature module 15 further includes:

[0187] The sample connection unit 151 is used to extract connection dimension features from the sample traffic summary based on at least one network tuple data to obtain sample connection features; wherein, the network tuple data includes at least one of network quadruples, network quintuples and network heptruples.

[0188] The sample protocol unit 152 is used to extract protocol dimension features from the sample traffic digest based on at least one network transmission protocol to obtain sample protocol features.

[0189] Sample word unit 153 is used to extract word dimension features from the sample traffic summary based on a preset vocabulary and an inverse text frequency table to obtain sample word features.

[0190] Optionally, the device 1 further includes:

[0191] The vocabulary determination module 17 is used to determine the vocabulary corresponding to the sample traffic, the vocabulary including a port vocabulary and an address vocabulary;

[0192] The frequency table determination module 18 is used to determine the inverse text frequency table corresponding to the sample traffic. The inverse text frequency table includes an inverse port frequency table and an inverse address frequency table.

[0193] Optionally, the vocabulary determination module 17 includes:

[0194] Port vocabulary unit 171 is used to extract the destination port feature data of each sample traffic summary in the sample traffic, determine the first index information corresponding to each destination port feature data and the inverse port frequency table, and generate a port vocabulary containing each destination port feature data and the first index information.

[0195] Address word table unit 172 is used to extract network address feature data of each sample traffic summary in the sample traffic, perform word segmentation on each network address feature data, determine at least one address word corresponding to each network address feature data, determine the second index information corresponding to each address word and the inverse address frequency table, and generate an address word table containing each network address feature data and the second index information.

[0196] Optionally, the frequency table determination module 18 includes:

[0197] Port logarithm unit 181 is used to count the number of first samples of each destination port feature data in each traffic sample, calculate the first quotient of the total number of samples of each traffic sample and the number of first samples, and determine the first logarithm of the first quotient.

[0198] The reverse port frequency table unit 182 is used to generate the reverse port frequency table, which includes each of the destination port feature data and a first logarithmic value corresponding to each of the destination port feature data.

[0199] Address logarithmic unit 183 is used to count the number of second samples in each of the address words in each of the traffic samples, calculate the second quotient of the total number of samples and the number of second samples, and determine the second logarithmic value of the second quotient.

[0200] The inverse address frequency table unit 184 is used to generate the inverse address frequency table, which includes each address word and a second pair of values ​​corresponding to each address word.

[0201] Optionally, the device 1 further includes:

[0202] The solidification processing module 19 is used to solidify the file corresponding to the traffic identification model and the traffic preprocessing file; the traffic preprocessing file includes a vocabulary corresponding to the sample traffic, an inverse text frequency table corresponding to the sample traffic, and retrieval resources corresponding to the address vocabulary.

[0203] Optionally, the recognition result module 13 further includes:

[0204] The score output unit 131 is used to output the target score corresponding to the traffic to be detected based on the traffic identification model.

[0205] The type determination unit 132 is used to determine that the traffic to be detected is malicious traffic if the target score is greater than the score threshold.

[0206] It should be noted that the malicious traffic detection device provided in the above embodiments is only illustrated by the division of the above functional modules when executing the malicious traffic detection method. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above. In addition, the malicious traffic detection device and the malicious traffic detection method embodiments provided in the above embodiments belong to the same concept, and the implementation process is detailed in the method embodiments, which will not be repeated here.

[0207] The sequence numbers of the embodiments in this application are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments.

[0208] In this embodiment, network traffic under the current network environment is monitored, a network traffic summary to be detected is extracted from the network traffic, and network traffic features of at least one network dimension for the network traffic are determined based on the network traffic summary. These network traffic features are then input into a traffic identification model to obtain the traffic identification result corresponding to the network traffic. By extracting the network traffic summary to be detected from the network traffic, the preprocessing of network traffic can be simplified without losing discriminative network traffic features, while simultaneously improving the efficiency of network traffic feature extraction. Furthermore, identifying network traffic through a traffic identification model can improve the accuracy, timeliness, and coverage of malicious traffic detection.

[0209] This application also provides a computer storage medium that can store multiple instructions, which are adapted to be loaded and executed by a processor as described above. Figures 1-4 The malicious traffic detection method described in the illustrated embodiment can be found in the following documentation for its specific execution process. Figures 1-4 The specific details of the illustrated embodiments will not be elaborated here.

[0210] This application also provides a computer program product storing at least one instruction, which is loaded and executed by the processor as described above. Figures 1-4 The malicious traffic detection method described in the illustrated embodiment can be found in the following documentation for its specific execution process. Figures 1-4 The specific details of the illustrated embodiments will not be elaborated here.

[0211] Please refer to Figure 11 This diagram illustrates a structural block diagram of an electronic device provided in an exemplary embodiment of this application. The electronic device in this application may include one or more components such as a processor 110, a memory 120, an input device 130, an output device 140, and a bus 150. The processor 110, memory 120, input device 130, and output device 140 may be connected via the bus 150.

[0212] Processor 110 may include one or more processing cores. Processor 110 connects to various parts of the electronic device via various interfaces and lines, and performs various functions and processes data of electronic device 100 by running or executing instructions, programs, code sets, or instruction sets stored in memory 120, and by calling data stored in memory 120. Optionally, processor 110 may be implemented using at least one hardware form of digital signal processing (DSP), field-programmable gate array (FPGA), or programmable logic array (PLA). Processor 110 may integrate one or more of the following: central processing unit (CPU), graphics processing unit (GPU), and modem. The CPU primarily handles the operating system, user interface, and applications; the GPU is responsible for rendering and drawing the displayed content; and the modem handles wireless communication. It is understood that the modem may also not be integrated into processor 110 and may be implemented separately using a communication chip.

[0213] The memory 120 may include random access memory (RAM) or read-only memory (ROM). Optionally, the memory 120 may include a non-transitory computer-readable storage medium. The memory 120 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 120 may include a program storage area and a data storage area. The program storage area may store instructions for implementing an operating system, instructions for implementing at least one function (such as touch functionality, sound playback functionality, image playback functionality, etc.), instructions for implementing the various method embodiments described below, etc. The operating system may be the Android system, including systems deeply developed based on the Android system, the iOS system developed by Apple Inc., including systems deeply developed based on the iOS system, or other systems. The data storage area may also store data created by the electronic device during use, such as phonebook data, audio and video data, chat log data, etc.

[0214] See Figure 12As shown, the memory 120 can be divided into operating system space and user space. The operating system runs in the operating system space, while native and third-party applications run in the user space. To ensure that different third-party applications can achieve good running performance, the operating system allocates corresponding system resources for each application. However, different application scenarios within the same third-party application have different requirements for system resources. For example, in local resource loading scenarios, third-party applications have high requirements for disk read speed; in animation rendering scenarios, third-party applications have high requirements for GPU performance. Since the operating system and third-party applications are independent of each other, the operating system often cannot promptly perceive the current application scenario of a third-party application, resulting in the operating system's inability to adapt system resources accordingly to the specific application scenario of the third-party application.

[0215] In order for the operating system to distinguish the specific application scenarios of third-party applications, it is necessary to establish data communication between the third-party applications and the operating system. This would allow the operating system to obtain the current scenario information of the third-party applications at any time, and then perform targeted system resource adaptation based on the current scenario.

[0216] Taking the Android operating system as an example, the programs and data stored in memory 120 are as follows: Figure 13As shown, the memory 120 can store the Linux kernel layer 320, the system runtime library layer 340, the application framework layer 360, and the application layer 380. The Linux kernel layer 320, system runtime library layer 340, and application framework layer 360 belong to the operating system space, while the application layer 380 belongs to the user space. The Linux kernel layer 320 provides low-level drivers for various hardware components of the electronic device, such as display drivers, audio drivers, camera drivers, Bluetooth drivers, Wi-Fi drivers, and power management. The system runtime library layer 340 provides support for key features of the Android system through several C / C++ libraries. For example, the SQLite library provides database support, the OpenGL / ES library provides 3D graphics support, and the Webkit library provides browser kernel support. The system runtime library layer 340 also provides the Android runtime library, which mainly provides core libraries that allow developers to write Android applications using the Java language. The Application Framework Layer 360 provides various APIs that may be used when building applications. Developers can also use these APIs to build their own applications, such as activity management, window management, view management, notification management, content provider, package management, call management, resource management, and location management. At least one application runs in the Application Layer 380. These applications can be native applications that come with the operating system, such as contacts, SMS, clock, and camera apps; or third-party applications developed by third-party developers, such as games, instant messaging, photo editing, and notification display applications.

[0217] Taking the operating system as an example (iOS), the programs and data stored in memory 120 are as follows: Figure 14As shown, the iOS system includes: Core OS layer 420, Core Services layer 440, Media layer 460, and Cocoa Touch layer 480. Core OS layer 420 includes the operating system kernel, drivers, and low-level program frameworks. These low-level program frameworks provide hardware-level functionality for use by the program frameworks located in Core Services layer 440. Core Services layer 440 provides system services and / or program frameworks required by applications, such as Foundation framework, account framework, advertising framework, data storage framework, network connectivity framework, geolocation framework, motion framework, etc. Media layer 460 provides applications with audiovisual interfaces, such as interfaces related to graphics and images, audio technology, video technology, and AirPlay (wireless playback of audio and video transmission technologies). Cocoa Touch layer 480 provides various commonly used interface-related frameworks for application development and is responsible for user touch interaction on electronic devices. Examples include local notification services, remote push services, advertising frameworks, game tool frameworks, message user interface (UI) frameworks, UIKit frameworks, map frameworks, and so on.

[0218] exist Figure 14 The framework shown includes, but is not limited to, the base framework in the core service layer 440 and the UIKit framework in the touchable layer 480. The base framework provides many basic object classes and data types, offering the most basic system services to all applications, and is independent of the UI. The UIKit framework, on the other hand, provides a basic UI class library for creating touch-based user interfaces. iOS applications can use the UIKit framework to provide their UI, thus providing the application's infrastructure for building user interfaces, drawing, handling user interaction events, responding to gestures, and so on.

[0219] The methods and principles for implementing data communication between third-party applications and the operating system in the iOS system can be referenced from the Android system, and will not be elaborated here.

[0220] The input device 130 is used to receive input instructions or data, and includes, but is not limited to, a keyboard, mouse, camera, microphone, or touch device. The output device 140 is used to output instructions or data, and includes, but is not limited to, a display device and a speaker. In one example, the input device 130 and the output device 140 can be combined into a touch screen, which is used to receive touch operations from the user using a finger, stylus, or any suitable object on or near it, and to display the user interface of various applications. The touch screen is usually located on the front panel of the electronic device. The touch screen can be designed as a full-screen, curved screen, or irregularly shaped screen. The touch screen can also be designed as a combination of a full-screen and a curved screen, or a combination of an irregularly shaped screen and a curved screen; this embodiment of the application does not limit this.

[0221] In addition, those skilled in the art will understand that the structure of the electronic device shown in the above figures does not constitute a limitation on the electronic device. The electronic device may include more or fewer components than shown, or combine certain components, or have different component arrangements. For example, the electronic device may also include radio frequency circuits, input units, sensors, audio circuits, wireless fidelity (WiFi) modules, power supplies, Bluetooth modules, etc., which will not be described in detail here.

[0222] In the embodiments of this application, the executing entity for each step can be the electronic device described above. Optionally, the executing entity for each step is the operating system of the electronic device. The operating system can be Android, iOS, or other operating systems; this embodiment of the application does not limit this.

[0223] The electronic device in this embodiment may also be equipped with a display device, which can be various devices capable of display functions, such as: cathode ray tube display (CR), light-emitting diode display (LED), electronic ink screen, liquid crystal display (LCD), plasma display panel (PDP), etc. Users can use the display device on the electronic device 101 to view displayed text, images, videos, and other information. The electronic device may be a smartphone, tablet computer, gaming device, AR (Augmented Reality) device, automobile, data storage device, audio playback device, video playback device, laptop, desktop computing device, wearable device such as electronic watch, electronic glasses, electronic helmet, electronic bracelet, electronic necklace, electronic clothing, etc.

[0224] In this embodiment, network traffic under the current network environment is monitored, a network traffic summary to be detected is extracted from the network traffic, and network traffic features of at least one network dimension for the network traffic are determined based on the network traffic summary. These network traffic features are then input into a traffic identification model to obtain the traffic identification result corresponding to the network traffic. By extracting the network traffic summary to be detected from the network traffic, the preprocessing of network traffic can be simplified without losing discriminative network traffic features, while simultaneously improving the efficiency of network traffic feature extraction. Furthermore, identifying network traffic through a traffic identification model can improve the accuracy, timeliness, and coverage of malicious traffic detection.

[0225] It should be noted that those skilled in the art will clearly understand that the technical solutions of this application can be implemented using software and / or hardware. In this specification, "unit" and "module" refer to software and / or hardware capable of independently performing or cooperating with other components to perform specific functions. Hardware may include, for example, a Field-Programmable Gate Array (FPGA), an Integrated Circuit (IC), etc.

[0226] For the foregoing method embodiments, in order to simplify the description, they are all described as a series of actions. However, those skilled in the art should understand that this application is not limited to the described order of actions, because according to this application, some steps can be performed in other orders or simultaneously. Furthermore, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily essential to this application.

[0227] In the above embodiments, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions in other embodiments.

[0228] In the several embodiments provided in this application, it should be understood that the disclosed apparatus can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some service interface; the indirect coupling or communication connection between devices or units may be electrical or other forms.

[0229] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0230] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0231] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage device (CMD). Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a memory and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned memory includes various media capable of storing program code, such as USB flash drives, read-only memory (ROM), random access memory (RAM), portable hard drives, magnetic disks, or optical disks.

[0232] Those skilled in the art will understand that all or part of the steps in the various methods of the above embodiments can be implemented by a program instructing related hardware. The program can be stored in a computer-readable storage medium, which may include: a flash drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, etc.

[0233] The foregoing description is merely an exemplary embodiment of this disclosure and should not be construed as limiting the scope of this disclosure. Any equivalent changes and modifications made in accordance with the teachings of this disclosure shall still fall within the scope of this disclosure. Other embodiments of this disclosure will be readily apparent to those skilled in the art upon consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of this disclosure that follow the general principles of this disclosure and include common knowledge or customary techniques in the art not described herein. The specification and embodiments are to be considered exemplary only, and the scope and spirit of this disclosure are defined by the claims.

Claims

1. A method for detecting malicious traffic, characterized in that, The method includes: Monitor network traffic in the current network environment and extract a summary of the network traffic to be detected from the network traffic. Based on the network traffic summary, network traffic features for at least one network dimension of the network traffic are determined; The network traffic characteristics are input into the traffic identification model to obtain the traffic identification result corresponding to the network traffic; The step of determining at least one network dimension feature for the network traffic based on the network traffic summary includes at least one of the following: extracting connection dimension features from the network traffic summary based on at least one network tuple data to obtain network connection features; wherein the network tuple data includes at least one of network quadruples, network quintuples, and network heptaples; extracting protocol dimension features from the network traffic summary based on at least one network transmission protocol to obtain network protocol features; and extracting word dimension features from the network traffic summary based on a preset vocabulary and an inverse text frequency table to obtain network word features. The step of extracting connection dimension features from the network traffic digest based on at least one network tuple data to obtain network connection features includes: performing combination clustering processing according to each connection element corresponding to the network tuple data to obtain the number of categories corresponding to each combination of connection elements; the combination of connection elements is composed of at least one connection element corresponding to the network quadruple; calculating the classification feature value of the number of categories corresponding to each combination of connection elements in the network traffic digest to generate network connection features composed of the classification feature value; wherein, the network tuple data is a network quadruple, and the connection elements of the network quadruple include source IP address, source port, destination IP address, and destination port; when the combination of connection elements is a first-level combination, the method of obtaining the network connection features includes: using the number of categories corresponding to each combination of connection elements as the feature value of the network connection features; or, using the The ratio of the number of categories for combinations other than the combination of IP address, source port, destination IP address, and destination port to the number of categories for the combination of IP address, source port, destination IP address, and destination port is used as the feature value of the network connection feature; or, the maximum value of the largest number of clusters corresponding to each group among the number of categories for combinations other than the combination of IP address, source port, destination IP address, and destination port is used as the feature value corresponding to the network connection feature; or, the ratio of the maximum value of the largest number of clusters corresponding to each group among the number of categories for combinations other than the combination of IP address, source port, destination IP address, and destination port to the number of categories for the combination of IP address, source port, destination IP address, and destination port is used as the feature value corresponding to the network connection feature.

2. The method according to claim 1, characterized in that, The step of extracting protocol-dimensional features from the network traffic digest based on at least one network transmission protocol to obtain network protocol features includes at least one of S2031, S2032, and S2033: The network protocol features include at least one of existence features, attribute numerical features, and abnormal numerical features; S2031, based on at least one network transmission protocol, perform transmission protocol type determination processing on the network traffic digest, and determine the existence feature corresponding to each network transmission protocol in the network traffic digest; S2032, in the network traffic summary, determine the traffic attribute parameters of the protocol data corresponding to each network transmission protocol, and generate the attribute numerical features based on the traffic attribute parameters; S2033, in the network traffic summary, abnormal data packet identification processing is performed on the protocol data of the preset network transmission protocol to generate the abnormal numerical feature.

3. The method according to claim 1, characterized in that, The word-dimensional features of the network traffic summary are extracted based on a preset vocabulary and an inverse text frequency table to obtain network word features, including: Based on the network traffic summary, network word feature data is determined, which includes destination port feature data and network address feature data. Based on the vocabulary and the inverse text frequency table, the network word feature data is subjected to word frequency statistical processing to obtain high-dimensional word frequency features; the high-dimensional word frequency features are composed of the first word frequency features corresponding to the destination port feature data and the second word frequency features corresponding to the network address feature data; The high-dimensional word frequency features are reduced in dimensionality to generate a low-dimensional word frequency matrix, and the network word features are determined based on the low-dimensional word frequency matrix.

4. The method according to claim 3, characterized in that, Based on the vocabulary and the inverse text frequency table, the network word feature data is subjected to word frequency statistical processing to obtain high-dimensional word frequency features; the high-dimensional word frequency features are composed of a first word frequency feature corresponding to the destination port feature data and a second word frequency feature corresponding to the network address feature data, including: The vocabulary includes a port vocabulary and an address vocabulary, and the inverse text frequency table includes an inverse port frequency table and an inverse address frequency table. Based on the number of port clusters corresponding to the destination port feature data, the port vocabulary, and the inverse port frequency table, a preset term frequency algorithm is used to calculate the first word text frequency value corresponding to the destination port feature data, and the first word text frequency value is used as the first term frequency feature; and Based on the number of word clusters corresponding to the network address feature data, the address vocabulary, and the inverse address frequency table, a preset word frequency algorithm is used to calculate the second word text frequency value corresponding to the network address feature data, and the second word text frequency value is used as the second word frequency feature.

5. The method according to claim 1, characterized in that, The method further includes: Obtain traffic samples from a preset traffic sample set, wherein the traffic samples include malicious sample traffic marked as malicious and normal sample traffic marked as normal; Extract a sample traffic summary of the traffic sample, and determine sample traffic features for at least one network dimension of the traffic sample based on the sample traffic summary; The initial traffic identification model is trained based on the sample traffic characteristics to generate a trained traffic identification model.

6. The method according to claim 5, characterized in that, The step of determining sample traffic features for at least one network dimension of the traffic sample based on the sample traffic summary includes at least one of S3021, S3022, and S3023: S3021, Based on at least one network tuple data, perform connection dimension feature extraction on the sample traffic summary to obtain sample connection features; wherein, the network tuple data includes at least one of network quadruples, network quintuples, and network heptaples. S3022, Extract protocol dimension features from the sample traffic summary based on at least one network transmission protocol to obtain sample protocol features; S3023, Based on a preset vocabulary and an inverse text frequency table, word-dimensional features are extracted from the sample traffic summary to obtain sample word features.

7. The method according to claim 5, characterized in that, Before training the initial traffic identification model based on the sample traffic features, the method further includes: Determine the vocabulary corresponding to the sample traffic, the vocabulary including a port vocabulary and an address vocabulary; Determine the inverse text frequency table corresponding to the sample traffic, wherein the inverse text frequency table includes an inverse port frequency table and an inverse address frequency table.

8. The method according to claim 7, characterized in that, The step of determining the vocabulary corresponding to the sample traffic, the vocabulary including a port vocabulary and an address vocabulary, includes: Extract the destination port feature data of each sample traffic summary in the sample traffic, determine the first index information corresponding to each destination port feature data and the inverse port frequency table, and generate a port vocabulary containing each destination port feature data and the first index information. Extract network address feature data from the network address feature data of each sample traffic summary in the sample traffic, perform word segmentation on each network address feature data, determine at least one address word corresponding to each network address feature data, determine the second index information corresponding to each address word and the inverse address frequency table, and generate an address word table containing each network address feature data and the second index information.

9. The method according to claim 8, characterized in that, The step of determining the inverse text frequency table corresponding to the sample traffic, wherein the inverse text frequency table includes an inverse port frequency table and an inverse address frequency table, includes: The number of first samples of each destination port feature data in each traffic sample is counted, the first quotient of the total number of samples in each traffic sample and the number of first samples is calculated, and the first logarithmic value of the first quotient is determined. Generate the reverse port frequency table, which includes the characteristic data of each destination port and the first logarithmic value corresponding to each characteristic data of the destination port; The number of second samples of each address word in each traffic sample is counted, the second quotient of the total number of samples and the number of second samples is calculated, and the second logarithm of the second quotient is determined. Generate the inverse address frequency table, which includes each address word and a second pair of values ​​corresponding to each address word.

10. The method according to claim 7, characterized in that, After training the initial traffic identification model based on the sample traffic features to generate a trained traffic identification model, the process further includes: The files corresponding to the traffic identification model and the traffic preprocessing files are solidified; the traffic preprocessing files include a vocabulary list corresponding to the sample traffic, an inverse text frequency table corresponding to the sample traffic, and retrieval resources corresponding to the address vocabulary list.

11. The method according to claim 1, characterized in that, The process of obtaining the traffic identification result corresponding to the network traffic includes: Based on the traffic identification model, the target score corresponding to the traffic to be detected is output; If the target score is greater than the score threshold, then the traffic to be detected is determined to be malicious traffic.

12. A computer storage medium, characterized in that, The computer storage medium stores a plurality of instructions, which are adapted to be loaded by a processor and executed as method steps as claimed in any one of claims 1 to 11.

13. An electronic device, characterized in that, include: A processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and executed the method steps as claimed in any one of claims 1 to 11.