Method and device for identifying encrypted malicious traffic, storage medium and electronic device

By preprocessing encrypted traffic and selecting an identification model, the problem of difficult identification of malicious traffic in encrypted communication is solved, achieving accurate identification of encrypted traffic and improving network security.

CN117675298BActive Publication Date: 2026-06-05STATE GRID BEIJING ELECTRIC POWER CO +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
STATE GRID BEIJING ELECTRIC POWER CO
Filing Date
2023-11-24
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing traffic detection methods struggle to identify malicious traffic when handling encrypted communications, resulting in poor network security.

Method used

By acquiring the raw dataset of encrypted traffic, preprocessing and training are performed using machine learning algorithms and multiple traffic identification models. The most suitable target traffic identification model is selected to identify the traffic to be identified, generate identification results, and mark or block malicious traffic.

Benefits of technology

It enables accurate identification of encrypted malicious traffic, improves network security, prevents encrypted traffic from escaping supervision, and enhances network protection capabilities.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN117675298B_ABST
    Figure CN117675298B_ABST
Patent Text Reader

Abstract

The application discloses a kind of identification method and device of encrypted malicious flow, storage medium and electronic equipment. Among them, the method comprises: obtaining the original data set corresponding to the to-be-identified flow, wherein the to-be-identified flow is encrypted flow data;Based on the original data set, determine the target flow identification model from multiple flow identification models;The to-be-identified flow is identified using the target flow identification model, and the identification result is obtained, wherein the identification result is used to represent whether the to-be-identified flow is encrypted malicious flow.The present application solves the technical problem that the security of network is poor.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of data processing, and more specifically, to a method and apparatus for identifying encrypted malicious traffic, a storage medium, and an electronic device. Background Technology

[0002] With the increasing importance of information security, encrypted communication is widely used in network communication. Encrypted communication ensures the privacy and confidentiality of data, making it difficult for sensitive information to be stolen or tampered with during transmission. However, it also raises a series of challenges related to network security and monitoring, especially in the field of network traffic detection and identification.

[0003] Traditional traffic inspection methods are generally effective when dealing with unencrypted traffic, but when communication data is encrypted, it becomes difficult to detect and identify malicious activities or security threats, resulting in poor network security.

[0004] There is currently no effective solution to the above problems. Summary of the Invention

[0005] This invention provides a method and apparatus for identifying encrypted malicious traffic, a storage medium, and an electronic device, to at least address the technical problem of poor network security.

[0006] According to one aspect of the present invention, a method for identifying encrypted malicious traffic is provided, comprising: acquiring an original dataset corresponding to traffic to be identified, wherein the traffic to be identified is encrypted traffic data; determining a target traffic identification model from multiple traffic identification models based on the original dataset; identifying the traffic to be identified using the target traffic identification model to obtain an identification result, wherein the identification result is used to characterize whether the traffic to be identified is encrypted malicious traffic.

[0007] Optionally, based on the original dataset, a target traffic identification model is determined from multiple traffic identification models, including: preprocessing the original dataset to obtain a target dataset, wherein the target dataset is a dataset that a machine learning algorithm can identify and process; and determining the target traffic identification model from multiple traffic identification models based on the target dataset.

[0008] Optionally, the original dataset is preprocessed to obtain the target dataset, including: determining the traffic data format of the original dataset; converting the traffic data format of the original dataset into a preset format using one-hot encoding to obtain the target traffic dataset, wherein the target traffic dataset is an attack dataset suitable for the numerical format of machine learning algorithms; and standardizing the data of continuous numerical attributes in the target traffic dataset to obtain the target dataset.

[0009] Optionally, the method further includes: acquiring a training dataset; training multiple classifier models using the training dataset to obtain multiple target classifier models; and evaluating the performance of the multiple target classifier models to determine multiple traffic identification models.

[0010] Optionally, multiple classifier models are trained using a training dataset to obtain multiple target classifier models, including: determining network protocol types and attack type frequencies based on the training dataset; determining attack feature data based on network protocol types and attack type frequencies, wherein the attack feature data are data with attack protocol features and high attack type frequencies; performing augmentation processing on the attack feature data to obtain a balanced dataset; and training multiple classifier models using the balanced dataset based on the model features corresponding to multiple classifier models to obtain multiple target classifier models.

[0011] Optionally, the attack feature data is augmented to obtain a balanced dataset, including: determining any one minority class data in the attack feature data as the benchmark sample data; determining the distance values ​​between other minority class data in the attack feature data and the benchmark sample data; determining the nearest neighbor minority class data based on the distance values ​​according to a preset threshold, wherein the nearest neighbor minority class data are multiple data that are closest to the benchmark sample data among all minority class data; generating synthetic sample data based on the nearest neighbor minority class data; and merging the synthetic sample data with the attack feature data to obtain a balanced dataset.

[0012] Optionally, performance evaluation is performed on multiple target classifier models to determine multiple traffic identification models, including: obtaining the accuracy and weighted scores of multiple target classifier models; and based on the accuracy and weighted scores, performance evaluation is performed on multiple target classifier models to determine multiple traffic identification models.

[0013] According to another aspect of the present invention, an apparatus for identifying encrypted malicious traffic is also provided, comprising: an acquisition module, configured to acquire an original dataset corresponding to traffic to be identified, wherein the traffic to be identified is encrypted traffic data; a determination module, configured to determine a target traffic identification model from multiple traffic identification models based on the original dataset; and an identification module, configured to identify the traffic to be identified using the target traffic identification model to obtain an identification result, wherein the identification result is used to characterize whether the traffic to be identified is encrypted malicious traffic.

[0014] According to another aspect of the present invention, a computer-readable storage medium is also provided, the computer-readable storage medium including a stored program, wherein, when the program is executed, it controls the execution of any of the encrypted malicious traffic identification methods in the processor of the device described above.

[0015] According to another aspect of the present invention, an electronic device is also provided, comprising: one or more processors; a storage device for storing one or more programs; and, when the one or more programs are executed by the one or more processors, causing the one or more processors to perform the encrypted malicious traffic identification method of any of the above embodiments.

[0016] In this embodiment of the invention, the method involves obtaining the original dataset corresponding to the traffic to be identified, wherein the traffic to be identified is encrypted traffic data; based on the original dataset, a target traffic identification model is determined from multiple traffic identification models; the target traffic identification model is used to identify the traffic to be identified, and an identification result is obtained, wherein the identification result is used to characterize whether the traffic to be identified is encrypted malicious traffic. It should be noted that selecting a target traffic identification model from multiple traffic identification models based on the original dataset can quickly obtain a target traffic identification model with a high degree of matching with the traffic to be identified, and then using the target traffic identification model to accurately identify the traffic to be identified, thereby efficiently identifying whether the traffic to be identified is encrypted malicious traffic, preventing encrypted malicious traffic from escaping network monitoring, achieving the goal of improving network security, realizing the technical effect of detecting whether encrypted traffic data is malicious traffic, and thus solving the technical problem of poor network security. Attached Figure Description

[0017] The accompanying drawings, which are included to provide a further understanding of the invention and form part of this application, illustrate exemplary embodiments of the invention and, together with their description, serve to explain the invention and do not constitute an undue limitation thereof. In the drawings:

[0018] Figure 1 This is a flowchart of a method for identifying encrypted malicious traffic according to an embodiment of the present invention;

[0019] Figure 2 This is a flowchart of an optional data preprocessing method according to an embodiment of the present invention;

[0020] Figure 3 This is a flowchart of an optional method for identifying encrypted malicious traffic according to an embodiment of the present invention;

[0021] Figure 4 This is a schematic diagram of an encrypted malicious traffic identification device according to an embodiment of the present invention. Detailed Implementation

[0022] To enable those skilled in the art to better understand the present invention, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of the present invention.

[0023] It should be noted that the terms "first," "second," etc., in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0024] Example 1

[0025] According to an embodiment of the present invention, an embodiment of a method for identifying encrypted malicious traffic is provided. It should be noted that the steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions. Furthermore, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be executed in a different order than that shown here.

[0026] Figure 1 This is a flowchart of a method for identifying encrypted malicious traffic according to an embodiment of the present invention, such as... Figure 1 As shown, the method includes the following steps:

[0027] Step S102: Obtain the original dataset corresponding to the traffic to be identified, wherein the traffic to be identified is encrypted traffic data.

[0028] The traffic to be identified mentioned above can be traffic data that needs to be identified as malicious traffic.

[0029] The aforementioned raw dataset can be the unprocessed raw traffic file of the traffic to be identified, which contains information such as traffic characteristics related to the traffic to be identified, original observation results, and records.

[0030] In one optional embodiment, since all data transmitted over the network is encrypted, the encrypted traffic data ensures data privacy and confidentiality, making it difficult to view or tamper with during transmission. Therefore, network security and oversight struggle to accurately identify and process malicious traffic. When encrypted traffic data is detected on the network, it is identified as traffic to be identified, and extraction processing is performed to obtain the original dataset of the traffic to be identified.

[0031] Step S104: Based on the original dataset, determine the target traffic identification model from multiple traffic identification models.

[0032] The aforementioned traffic identification models can be multiple models that can be used to identify the traffic to be identified.

[0033] The target traffic identification model mentioned above is the most suitable identification model among multiple traffic identification models for identifying the traffic to be identified, and it can identify the traffic to be identified more accurately.

[0034] In one optional embodiment, relevant information such as the data protocol type of the traffic to be identified is obtained from the original dataset, and the relevant information of the traffic to be identified is matched with multiple traffic identification models to determine the traffic identification model with a high degree of matching with the traffic to be identified as the target traffic identification model.

[0035] Step S106: Use the target traffic identification model to identify the traffic to be identified and obtain the identification result, wherein the identification result is used to characterize whether the traffic to be identified is encrypted malicious traffic.

[0036] The above identification results can be used to identify whether the traffic to be identified is malicious traffic, including but not limited to: malicious traffic and non-malicious traffic.

[0037] The aforementioned encrypted malicious traffic can be malicious traffic that has been encrypted.

[0038] In one optional embodiment, a target traffic identification model is used to extract features from the traffic to be identified, and the extracted features are identified to generate an identification result. If the identification result is malicious traffic, the traffic to be identified is immediately marked as a priority and a prompt message is sent to the administrator or network security supervision department, or the malicious traffic is automatically blocked; if the identification result is non-malicious traffic, the traffic to be identified is marked as safe traffic.

[0039] Through the above steps, the original dataset corresponding to the traffic to be identified can be obtained, where the traffic to be identified is encrypted traffic data. Based on the original dataset, a target traffic identification model is determined from multiple traffic identification models. The target traffic identification model is then used to identify the traffic to be identified, and the identification result is used to characterize whether the traffic to be identified is encrypted malicious traffic. It should be noted that selecting a target traffic identification model from multiple traffic identification models based on the original dataset can quickly obtain a target traffic identification model with a high degree of matching with the traffic to be identified. Then, the target traffic identification model is used to accurately identify the traffic to be identified, thereby efficiently identifying whether the traffic to be identified is encrypted malicious traffic, preventing encrypted malicious traffic from escaping network monitoring, achieving the goal of improving network security, realizing the technical effect of detecting whether encrypted traffic data is malicious traffic, and thus solving the technical problem of poor network security.

[0040] Optionally, based on the original dataset, a target traffic identification model is determined from multiple traffic identification models, including: preprocessing the original dataset to obtain a target dataset, wherein the target dataset is a dataset that a machine learning algorithm can identify and process; and determining the target traffic identification model from multiple traffic identification models based on the target dataset.

[0041] The aforementioned machine learning algorithm can be an algorithm that uses statistical and mathematical models to analyze data.

[0042] In one optional embodiment, since the original dataset lacks an inherent ordered relationship and the numerical format is not uniform, a unified standard is needed to preprocess the original dataset to obtain the target dataset in order to facilitate the subsequent selection of a target traffic identification model from multiple traffic identification models to determine whether the traffic to be identified is malicious. Then, a machine learning algorithm is used to select a model capable of identifying the traffic to be identified from multiple traffic identification models based on the target dataset.

[0043] Optionally, the original dataset is preprocessed to obtain the target dataset, including: determining the traffic data format of the original dataset; converting the traffic data format of the original dataset into a preset format using one-hot encoding to obtain the target traffic dataset, wherein the target traffic dataset is an attack dataset suitable for the numerical format of machine learning algorithms; and standardizing the data of continuous numerical attributes in the target traffic dataset to obtain the target dataset.

[0044] The traffic data format mentioned above can be the data storage format of the original dataset.

[0045] The one-hot encoding described above can be a coding method used to convert categorical variables into numerical variables.

[0046] The aforementioned preset format can be a format set in advance to unify the original dataset according to specific circumstances, or it can be a numerical format set in advance according to specific circumstances to suit machine learning algorithms.

[0047] The aforementioned continuous numerical attributes can be numerical attributes with an infinite number of possible values.

[0048] In one optional embodiment, the traffic data format of the original dataset is read, and one-hot encoding is used to convert the traffic data format of the original dataset into a preset format to obtain the target traffic dataset. This improves the interpretability of the target traffic dataset, making it easier for machine learning algorithms to easily identify the target traffic recognition model that matches the original dataset. Since the target traffic dataset contains data with continuous numerical attributes, to ensure that the features in the target traffic dataset have a consistent scale, the continuous numerical attribute data in the target traffic dataset undergoes standardization processing such as min-max scaling to obtain the target dataset. This standardization of the features in the target traffic dataset enhances the performance of machine learning algorithms that rely on distance metrics or gradient optimization. This allows machine learning algorithms to quickly determine the target traffic recognition model from multiple traffic recognition models based on the target dataset, resulting in more accurate recognition results.

[0049] Optionally, the method further includes: acquiring a training dataset; training multiple classifier models using the training dataset to obtain multiple target classifier models; and evaluating the performance of the multiple target classifier models to determine multiple traffic identification models.

[0050] The training dataset mentioned above can be a dataset used to train multiple traffic identification models.

[0051] The aforementioned multiple classifier models can be multiple untrained classifier models, or multiple models capable of identifying and classifying data, including but not limited to: random forest classifier, extreme random tree classifier, XGBoost (extreme gradient boosting tree) classifier, and decision tree classifier.

[0052] The aforementioned target classifier models can be classifier models capable of recognizing encrypted traffic data.

[0053] In one optional embodiment, an encrypted dataset can be arbitrarily selected from a database or network as the training dataset. Alternatively, to accurately train the classifier model, a training dataset can be set or created according to specific circumstances. This training dataset can then be used to train multiple classifier models, enabling them to identify whether the traffic to be identified is encrypted malicious traffic. This identification can be performed without decryption and without causing data leakage. After obtaining multiple target classifier models, their performance needs to be evaluated. Classifier models that do not meet the requirements or have poor performance are eliminated, and the qualified target classifier models are determined as multiple traffic identification models.

[0054] Optionally, multiple classifier models are trained using a training dataset to obtain multiple target classifier models, including: determining network protocol types and attack type frequencies based on the training dataset; determining attack feature data based on network protocol types and attack type frequencies, wherein the attack feature data are data with attack protocol features and high attack type frequencies; performing augmentation processing on the attack feature data to obtain a balanced dataset; and training multiple classifier models using the balanced dataset based on the model features corresponding to multiple classifier models to obtain multiple target classifier models.

[0055] The aforementioned network protocol types can be a classification used to define the rules and standards for data transmission and communication. They specify the transmission method of data in the network, the format of data packets, the transmission process, etc., to ensure that different devices can communicate with each other and process data correctly.

[0056] The attack type frequency mentioned above can be the frequency of attack type labels contained in the training dataset.

[0057] The attack signature data mentioned above can be data with attack characteristics or data containing malicious traffic.

[0058] The balanced dataset mentioned above can be a dataset in which the number of samples in different categories is approximately equal.

[0059] In one optional embodiment, during training, the UNSW-NB15 dataset (a public dataset for network intrusion detection) can be selected as the training dataset. The UNSW-NB15 dataset contains nine different types of network attack types, such as: Fuzzers, Analysis, Backdoors, DoS (Denial of Service), Exploits, Generis, Reconnaissance, Shellcode, and Worms. Based on the training dataset, the network protocol type and attack type frequency are determined, and data showing a preference for attacks based on the network protocol type, as well as data with a high attack type frequency, are selected as attack feature data. The attack type frequency can be compared with a preset frequency, which can be a minimum attack frequency set in advance, such as, but not limited to, 50% or 70%. If the attack type frequency is higher than the preset frequency, the corresponding data is determined as attack feature data; if the attack type frequency is lower than or equal to the preset frequency, the corresponding data is determined as other data and does not participate in training. Since attack feature data may exhibit an imbalance in the number of data points corresponding to each attack category, the Synthetic Minority Over-sampling Technique (SMOTE) can be used to enhance the minority class samples in the attack feature data, resulting in a balanced dataset. This balanced dataset can then be used to train multiple classifier models, yielding multiple target classifier models.

[0060] Specifically, the random forest classifier constructs 150 decision trees, each trained on a different subset of the balanced dataset to improve the model's generalization ability. Random forest employs an ensemble learning approach for decision trees, using either voting or averaging the outputs of the decision trees to make the final classification decision, thus effectively reducing the risk of overfitting.

[0061] Extremely Random Tree Classifier: This model constructs 200 extremely random trees. This model is more random in its feature partitioning, emphasizing feature diversity compared to traditional random forests, which helps improve the model's robustness and accuracy. Extremely random trees also employ the ensemble method of decision trees.

[0062] XGBoost classifier: The XGBoost model constructs 150 gradient boosting trees. XGBoost is a gradient boosting algorithm that iteratively trains multiple weak learners to continuously optimize the model's performance and improve classification accuracy.

[0063] Decision tree classifier: A single decision tree is constructed using default parameters in the decision tree model. The decision tree splits based on feature values ​​to maximize information gain or reduce Gini impurity for classification. The extracted features are fed as input to the model, which finally returns the identification result, determining the traffic type.

[0064] Furthermore, if the training dataset is obtained directly from the database, the dataset may lack standardization, which is detrimental to subsequent processing. Therefore, data preprocessing is recommended. Figure 2 This is a flowchart of an optional data preprocessing method according to an embodiment of the present invention, such as... Figure 2 As shown, the steps of this method are as follows:

[0065] Step S201: Obtain the training dataset;

[0066] Step S202: Use one-hot encoding to convert the data format of the training dataset into a numerical format that can be recognized by machine learning algorithms.

[0067] Step S203: Remove data with low attack performance from the training dataset and retain data with high attack performance as attack feature data;

[0068] Step S204: Standardize the attack feature data to ensure consistent feature scale;

[0069] Step S205: Enhance the attack feature data to obtain a balanced dataset.

[0070] Optionally, the attack feature data is augmented to obtain a balanced dataset, including: determining any one minority class data in the attack feature data as the benchmark sample data; determining the distance values ​​between other minority class data in the attack feature data and the benchmark sample data; determining the nearest neighbor minority class data based on the distance values ​​according to a preset threshold, wherein the nearest neighbor minority class data are multiple data that are closest to the benchmark sample data among all minority class data; generating synthetic sample data based on the nearest neighbor minority class data; and merging the synthetic sample data with the attack feature data to obtain a balanced dataset.

[0071] The aforementioned minority category data may be a data category with a small number of data points in the attack feature data.

[0072] The aforementioned benchmark sample data can be a standard dataset used for comparison and reference in determining a few categories of data.

[0073] The distance values ​​mentioned above can be the distance between other minority category data and the benchmark sample data.

[0074] The aforementioned preset threshold can be a threshold set in advance according to specific circumstances to determine a small number of closely spaced categories of data.

[0075] The aforementioned nearest neighbor minority category data can be sample data in the attack feature data that are similar to or close to the benchmark sample data.

[0076] The aforementioned synthetic sample data can be sample data that combines nearest neighbor minority class data and benchmark sample data.

[0077] In one optional embodiment, a minority class data point is randomly selected from the attack feature data as the baseline sample data. The distance between the baseline sample data and all other minority class data points in the feature space is calculated to determine the distance value. It is then determined whether the distance value is less than or equal to a preset threshold. If the distance value is greater than the preset threshold, the corresponding minority class data point is discarded; if the distance value is less than or equal to the preset threshold, the corresponding minority class data point is determined as the nearest neighbor minority sample data point. The nearest neighbor minority sample data point can be one or more. The difference between the baseline sample data point and a nearest neighbor sample data point is multiplied by a random number, where the random number is typically between [0,1]. The result is then added to the baseline sample data point to obtain a synthetic sample data point, as shown in the following formula:

[0078] C = A + r*(BA),

[0079] Where C represents synthetic sample data, A represents baseline sample data, B represents nearest neighbor sample data, and r represents a random number. This process is repeated until the number of synthetic sample data reaches the user's requirement. The synthetic sample data is then merged with the attack feature data to obtain a balanced dataset.

[0080] It is important to note that the synthetic sample data is located at the linear interpolation position between the baseline sample data and the nearest neighbor sample data, which can cover the sample space to better represent the distribution of the minority classes.

[0081] Optionally, performance evaluation is performed on multiple target classifier models to determine multiple traffic identification models, including: obtaining the accuracy and weighted scores of multiple target classifier models; and based on the accuracy and weighted scores, performance evaluation is performed on multiple target classifier models to determine multiple traffic identification models.

[0082] The accuracy rate mentioned above can be the accuracy rate of multiple target classifier models in recognition.

[0083] The weighted score mentioned above can be the harmonic mean of the precision and recall of multiple target classifier models.

[0084] In one optional embodiment, the accuracy and weighted scores of multiple target classifier models are obtained. Specifically, the number of correctly classified samples and the total number of classified samples of each target classifier model are obtained, and the ratio of the number of correctly classified samples to the total number of classified samples is obtained to obtain the accuracy. The specific formula is as follows:

[0085]

[0086] Wherein, TP represents true positives (the number of samples that are correctly classified as positive), TN represents true negatives (the number of samples that are correctly classified as negative), FP represents false positives (the number of samples that are incorrectly classified as positive), and FN represents false negatives (the number of samples that are incorrectly classified as negative).

[0087] And obtain the weighted score corresponding to the target classifier model, the specific formula is as follows:

[0088]

[0089] Where F1 represents the target classifier model, F1_1, F1_2, ..., F2_n correspond to the scores of each category in the target classifier model, and weight1, weight2, ..., weightn are the weights of each category. The accuracy and weighted scores of multiple target classifier models are compared, and the target classifier models with high accuracy and high weighted scores are identified as multiple traffic identification models.

[0090] Figure 3 This is a flowchart of an optional method for identifying encrypted malicious traffic according to an embodiment of the present invention, such as... Figure 3 As shown, the steps of this method are as follows:

[0091] Step S301: Obtain the training dataset;

[0092] Step S302: Preprocess the training dataset to obtain the preprocessed dataset;

[0093] Step S303: Perform augmentation processing on the preprocessed dataset to obtain the augmented dataset;

[0094] Step S304: Train multiple classifier models using the enhanced dataset to obtain multiple target classifier models;

[0095] Step S305: Obtain the accuracy and weighted scores of multiple target classifier models;

[0096] Step S306: Determine multiple traffic identification models based on the accuracy and weighted scores of multiple target classifier models;

[0097] Step S307: Obtain the traffic to be identified;

[0098] Step S308: Determine the target traffic identification model from multiple traffic identification models based on the traffic to be identified;

[0099] Step S309: Use the target traffic identification model to identify the traffic to be identified and determine whether the traffic to be identified is encrypted malicious traffic; if yes, proceed to step S310; if no, proceed to step S311.

[0100] Step S310: Intercept the traffic to be identified;

[0101] Step S311, ignore.

[0102] Example 2

[0103] According to an embodiment of the present invention, an encrypted malicious traffic identification device is also provided. This device can execute the encrypted malicious traffic identification method in the above embodiments. The specific implementation method and preferred application scenarios are the same as those in the above embodiments, and will not be described in detail here.

[0104] Figure 4 This is a schematic diagram of an encrypted malicious traffic identification device according to an embodiment of the present invention, such as... Figure 4 As shown, the device includes the following components: an acquisition module 40, a determination module 42, and an identification module 44.

[0105] The acquisition module 40 is used to acquire the original dataset corresponding to the traffic to be identified, wherein the traffic to be identified is encrypted traffic data;

[0106] The determination module 42 is used to determine the target traffic identification model from multiple traffic identification models based on the original dataset;

[0107] The identification module 44 is used to identify the traffic to be identified using the target traffic identification model and obtain the identification result, wherein the identification result is used to characterize whether the traffic to be identified is encrypted malicious traffic.

[0108] Optionally, the determining module includes: a preprocessing unit for preprocessing the original dataset to obtain a target dataset, wherein the target dataset is a dataset that a machine learning algorithm can identify and process; and a first determining unit for determining a target traffic identification model from multiple traffic identification models based on the target dataset.

[0109] Optionally, the preprocessing unit includes: a first determining subunit for determining the traffic data format of the original dataset; a conversion subunit for converting the traffic data format of the original dataset into a preset format using one-hot encoding to obtain a target traffic dataset, wherein the target traffic dataset is an attack dataset with a numerical format suitable for machine learning algorithms; and a standardization processing subunit for standardizing the data of continuous numerical attributes in the target traffic dataset to obtain the target dataset.

[0110] Optionally, the device further includes: a data acquisition module for acquiring a training dataset; a training module for training multiple classifier models using the training dataset to obtain multiple target classifier models; and an evaluation module for evaluating the performance of the multiple target classifier models to determine multiple traffic identification models.

[0111] Optionally, the training module includes: a second determining unit for determining network protocol types and attack type frequencies based on the training dataset; a third determining unit for determining attack feature data based on network protocol types and attack type frequencies, wherein the attack feature data is data with attack protocol characteristics and a high attack type frequency; an enhancement processing unit for enhancing the attack feature data to obtain a balanced dataset; and a training unit for training multiple classifier models using the balanced dataset based on the model features corresponding to multiple classifier models to obtain multiple target classifier models.

[0112] Optionally, the enhancement processing unit includes: a second determining subunit, used to determine any one minority class data in the attack feature data as the benchmark sample data; a third determining subunit, used to determine the distance values ​​between other minority class data in the attack feature data and the benchmark sample data; a fourth determining subunit, used to determine the nearest neighbor minority class data based on the distance values ​​and according to a preset threshold, wherein the nearest neighbor minority class data are multiple data that are closest to the benchmark sample data among all minority class data; a generation subunit, used to generate synthetic sample data based on the nearest neighbor minority class data; and a merging processing subunit, used to merge the synthetic sample data with the attack feature data to obtain a balanced dataset.

[0113] Optionally, the evaluation module includes: an acquisition unit for acquiring the accuracy and weighted scores of multiple target classifier models; and an evaluation unit for evaluating the performance of the multiple target classifier models based on the accuracy and weighted scores to determine multiple traffic identification models.

[0114] Example 3

[0115] According to another aspect of the present invention, a computer-readable storage medium is also provided, the computer-readable storage medium including a stored program, wherein, when the program is executed, it controls the execution of any of the encrypted malicious traffic identification methods in the processor of the device described above.

[0116] Example 4

[0117] According to another aspect of the present invention, an electronic device is also provided, comprising: one or more processors; a storage device for storing one or more programs; and, when the one or more programs are executed by the one or more processors, causing the one or more processors to perform the encrypted malicious traffic identification method of any of the above embodiments.

[0118] The sequence numbers of the above embodiments of the present invention are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments.

[0119] In the above embodiments of the present invention, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.

[0120] In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of units can be a logical functional division, and in actual implementation, there may be other division methods. For instance, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the displayed or discussed mutual coupling, direct coupling, or communication connection may be through some interfaces; the indirect coupling or communication connection between units or modules may be electrical or other forms.

[0121] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0122] Furthermore, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0123] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, read-only memory (ROM), random access memory (RAM), portable hard drives, magnetic disks, or optical disks.

[0124] The above description is only a preferred embodiment of the present invention. It should be noted that for those skilled in the art, several improvements and modifications can be made without departing from the principle of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.

Claims

1. A method for identifying encrypted malicious traffic, characterized in that, include: Obtain the original dataset corresponding to the traffic to be identified, wherein the traffic to be identified is encrypted traffic data; Based on the original dataset, the target traffic identification model is determined from multiple traffic identification models; The target traffic identification model is used to identify the traffic to be identified, and an identification result is obtained, wherein the identification result is used to characterize whether the traffic to be identified is encrypted malicious traffic; The process of determining a target traffic identification model from multiple traffic identification models based on the original dataset includes: determining the traffic data format of the original dataset, wherein the traffic data format is the data storage format of the original dataset; converting the traffic data format of the original dataset into a preset format using one-hot encoding to obtain a target traffic dataset, wherein the target traffic dataset is an attack dataset suitable for numerical formats of machine learning algorithms, and the one-hot encoding is used to convert categorical variables into numerical variables; The continuous numerical attribute data in the target traffic dataset are standardized to obtain the target dataset, wherein the target dataset is a dataset that the machine learning algorithm can identify and process; based on the target dataset, the target traffic identification model is determined from the plurality of traffic identification models; The method further includes: obtaining the accuracy and weighted scores of multiple target classifier models, wherein the multiple target classifier models are classifier models capable of identifying encrypted traffic data; and evaluating the performance of the multiple target classifier models based on the accuracy and the weighted scores to determine the multiple traffic identification models, wherein the weighted scores are calculated based on the scores of each category of the target classifier models and the weights of each category.

2. The method for identifying encrypted malicious traffic according to claim 1, characterized in that, The method further includes: Obtain the training dataset; Multiple classifier models are trained using the training dataset to obtain multiple target classifier models.

3. The method for identifying encrypted malicious traffic according to claim 2, characterized in that, Multiple classifier models are trained using the aforementioned training dataset to obtain multiple target classifier models, including: Based on the training dataset, determine the network protocol type and attack type frequency; Based on the network protocol type and the frequency of the attack type, attack feature data is determined, wherein the attack feature data is data that has attack protocol characteristics and a high frequency of attack types; The attack feature data is augmented to obtain a balanced dataset; Based on the model features corresponding to the multiple classifier models, the multiple classifier models are trained using the balanced dataset to obtain multiple target classifier models.

4. The method for identifying encrypted malicious traffic according to claim 3, characterized in that, The attack feature data is augmented to obtain a balanced dataset, including: Select any one of the minority categories in the attack feature data as the baseline sample data; Determine the distance values ​​between the other minority categories of data in the attack feature data and the benchmark sample data; Based on the distance value, the nearest neighbor minority category data is determined according to a preset threshold, wherein the nearest neighbor minority category data are multiple data that are closest to the benchmark sample data among all the minority category data; Based on the nearest neighbor minority class data, synthetic sample data is generated; The synthetic sample data and the attack feature data are merged to obtain the balanced dataset.

5. A device for identifying encrypted malicious traffic, characterized in that, include: The acquisition module is used to acquire the original dataset corresponding to the traffic to be identified, wherein the traffic to be identified is encrypted traffic data; The determination module is used to determine the target traffic identification model from multiple traffic identification models based on the original dataset; The identification module is used to identify the traffic to be identified using the target traffic identification model and obtain an identification result, wherein the identification result is used to characterize whether the traffic to be identified is encrypted malicious traffic; The identification device is further configured to determine the traffic data format of the original dataset, wherein the traffic data format is the data storage format of the original dataset; convert the traffic data format of the original dataset into a preset format using one-hot encoding to obtain a target traffic dataset, wherein the target traffic dataset is an attack dataset suitable for the numerical format of the machine learning algorithm, and the one-hot encoding is used to convert categorical variables into numerical variables; standardize the data of continuous numerical attributes in the target traffic dataset to obtain a target dataset, wherein the target dataset is a dataset that the machine learning algorithm can identify and process; and determine the target traffic identification model from the plurality of traffic identification models based on the target dataset. The identification device is also used to obtain the accuracy and weighted scores of multiple target classifier models, wherein the multiple target classifier models are classifier models capable of identifying encrypted traffic data; based on the accuracy and the weighted scores, the performance of the multiple target classifier models is evaluated to determine the multiple traffic identification models, wherein the weighted scores are calculated based on the scores of each category of the target classifier models and the weights of each category.

6. A computer-readable storage medium, characterized in that, The computer-readable storage medium includes a stored program, wherein, when the program is executed, it controls the execution of the encrypted malicious traffic identification method according to any one of claims 1 to 4 in the processor of the device.

7. An electronic device, characterized in that, include: One or more processors; Storage device for storing one or more programs; When the one or more programs are executed by the one or more processors, the one or more processors perform the method for identifying encrypted malicious traffic as described in any one of claims 1 to 4.