An intelligent monitoring method and system for malicious encrypted-traffic behavior based on multi-dimensional traffic profiling
By building multi-dimensional profiles of encrypted traffic, scoring them with several cooperating detection models, and dynamically adjusting an adaptive response threshold, the method addresses the low accuracy and high false-alarm rate of existing approaches to identifying malicious behavior in encrypted traffic, enabling accurate monitoring and continuous adaptive management of encrypted traffic.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Application (China)
- Current Assignee / Owner
- BEIJING WEIZHIXINYE TECH CO LTD
- Filing Date
- 2026-04-21
- Publication Date
- 2026-06-19
Figure CN122247735A_ABST (abstract drawing)
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to an intelligent monitoring method and system for malicious encrypted-traffic behavior based on multi-dimensional traffic profiling.
Background Technology
[0002] Encryption is increasingly prevalent in network communications: TLS and VPN tunnels are used across all kinds of business scenarios. While encryption protects communication privacy, it is also exploited by attackers as a covert channel for unauthorized cross-border data transfer, sensitive-data leakage and advanced persistent threats (APTs). Traditional security monitoring based on deep packet inspection (DPI) loses effectiveness because it cannot inspect encrypted payloads.
[0003] In existing multi-agent systems each agent performs similar functions, focused on state perception and policy execution. They do not achieve a deep division of labor among heterogeneous functions such as traffic filtering, special-risk detection (for example, illegal cross-border traffic and data leakage) and collaborative scheduling in encrypted-traffic monitoring scenarios.
[0004] Existing solutions mostly rely on generic network characteristics (such as the 5-tuple and traffic volume) and do not make full use of the features specific to encrypted traffic, such as TLS/SSL handshake features (SNI, cipher suites), geographic information and communication structure. The result is low accuracy and a high false-positive rate in identifying malicious encrypted behavior.
Summary of the Invention
[0005] This application proposes an intelligent monitoring method and system for malicious encryption behavior based on multi-dimensional traffic profiling, which solves the problems of low accuracy, poor dynamic adaptability, and lack of closed-loop linkage in existing encrypted traffic monitoring technologies.
[0006] To achieve the above objectives, this application provides the following technical solution. Firstly, this application proposes an intelligent monitoring method for malicious encrypted-traffic behavior based on multi-dimensional traffic profiling, including: obtaining a copy of the encrypted traffic in the network and determining the target traffic in that copy, wherein the target traffic is distributed according to its risk type; receiving the distributed target traffic, determining its multi-dimensional features and generating a multi-dimensional traffic profile from them; scoring the multi-dimensional profile according to one or more scoring rules to obtain one or more scores and determining whether a traffic anomaly score exists; and, when a traffic anomaly score exists and exceeds the adaptive response threshold, reporting the risk event corresponding to the multi-dimensional profile.
[0007] In conjunction with the first aspect, the encrypted traffic copy is obtained out of band (bypass mode) by port mirroring or a network tap (splitter) deployed at the core switching node of the IDC data center. Cross-border traffic monitoring is applied to the copy to identify unauthorized cross-border target traffic that accesses sensitive assets; this monitoring comprises cross-border IP segment monitoring and sensitive-asset access monitoring.
[0008] In conjunction with the first aspect, the multidimensional features include at least one of the following: protocol type, source and destination IP addresses, port, packet size, connection frequency, time interval, geographical information, and TLS / SSL handshake features.
[0009] In conjunction with the first aspect, generating the multi-dimensional traffic profile from the multi-dimensional features includes: modeling normal network traffic with an unsupervised learning algorithm to construct a normal-behavior baseline covering traffic volume, session frequency, accessed IP range, access time and packet size; and extracting the transmission characteristics of real-time traffic and combining them with TLS handshake features and geographic information to construct the multi-dimensional traffic profile. The transmission characteristics include the number of session connections, the uplink/downlink traffic ratio, the access path and transmission-scale characteristics.
[0010] In conjunction with the first aspect, the traffic anomaly scoring includes: The deviation between the real-time traffic multidimensional profile and the normal behavior baseline is calculated, and correlation analysis is performed in conjunction with network threat intelligence to generate the traffic anomaly score.
[0011] In conjunction with the first aspect, traffic anomaly scoring further includes: extracting the meta-features of the target traffic, namely the 5-tuple, protocol version, cipher suites, server name indication (SNI), certificate chain and connection-level statistical features; constructing a high-dimensional feature vector from these meta-features; and subjecting the vector to multi-dimensional detection that fuses deep packet inspection, rule detection and machine-learning model detection to produce multiple detection results, which are then weighted and fused by a five-dimensional feature fusion model into the traffic anomaly score.
[0012] In conjunction with the first aspect, the multiple scoring rules score the multidimensional profile. When there is a scoring conflict, arbitration is carried out based on a preset global optimization goal, which includes risk level priority or detection accuracy weight.
[0013] In conjunction with the first aspect, reporting the risk events corresponding to the multi-dimensional profile includes: Based on the multi-dimensional profile, risk information is determined, including event type, risk level, affected assets, and disposal recommendations. The risk information is pushed to an external information security system in real time to generate a coordinated response instruction.
[0014] In conjunction with the first aspect, generating the coordinated response instruction further includes: determining handling feedback on the coordinated response instruction; determining an optimization vector by iterative optimization with an incremental learning mechanism based on that feedback and historical detection data; and dynamically adjusting the adaptive response threshold and the extraction weights of the multi-dimensional features according to the optimization vector.
[0015] Secondly, this application proposes an intelligent monitoring system for malicious encrypted-traffic behavior based on multi-dimensional traffic profiling, the system comprising:
- a traffic filtering module, used to obtain encrypted traffic copies in the network and determine the target traffic in them, wherein the target traffic is distributed according to risk type;
- at least one detection module, used to receive the distributed target traffic, determine its multi-dimensional features and generate a multi-dimensional traffic profile from them;
- an intelligent collaborative scheduling module, used to score the multi-dimensional profile according to one or more scoring rules, determine one or more scores and determine whether a traffic anomaly score exists; and
- a risk event reporting module, used to report the risk event corresponding to the multi-dimensional profile when a traffic anomaly score exists and exceeds the adaptive response threshold.
[0016] The beneficial effects of this application are as follows. By integrating TLS handshake features, geographic information and other multi-dimensional traffic profile data, and combining them with multi-model collaborative detection, the application improves the accuracy of identifying malicious encrypted behaviors, namely illegal cross-border traffic and data leakage, and reduces the false-positive rate. Through the adaptive optimization engine and incremental learning mechanism embedded in the intelligent collaborative scheduling module, the system continuously refines the detection models and dynamic thresholds from feedback gathered in the live network, counteracting the decay of static models and providing continuous adaptability against unknown threats.
[0017] Other features and advantages of the invention will be set forth in the following description, and will be apparent in part from the description, or may be learned by practicing the invention. The objects and other advantages of the invention may be realized and obtained by means of the structures particularly pointed out in the written description and the accompanying drawings.
[0018] The technical solution of the present invention will be further described in detail below with reference to the accompanying drawings and embodiments.
Description of the Drawings
[0019] The accompanying drawings are provided to further illustrate the invention and form part of the specification. They are used together with the embodiments of the invention to explain the invention and do not constitute a limitation thereof.
[0020] In the accompanying drawings:
- Figure 1 is a flowchart of the intelligent monitoring method for malicious encrypted-traffic behavior based on multi-dimensional traffic profiling in an embodiment of the present invention;
- Figure 2 is a flowchart of the generation of the multi-dimensional profile in an embodiment of the present invention;
- Figure 3 is a flowchart of the traffic anomaly detection process in an embodiment of the present invention;
- Figure 4 is a flowchart of risk reporting in an embodiment of the present invention;
- Figure 5 is a flowchart of the coordinated handling in an embodiment of the present invention;
- Figure 6 is a schematic diagram of the structure of the intelligent monitoring system for malicious encrypted-traffic behavior based on multi-dimensional traffic profiling in an embodiment of the present invention;
- Figure 7 is a schematic diagram of the structure of a computing device according to an embodiment of the present invention.
Detailed Implementation
[0021] The preferred embodiments of the present invention will be described below with reference to the accompanying drawings. It should be understood that the preferred embodiments described herein are for illustration and explanation only and are not intended to limit the present invention.
[0022] The terms "first," "second," etc., in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. The terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion.
[0023] For ease of understanding, the technical terms involved in the embodiments of this invention are explained as follows: Multi-dimensional traffic profiling: Based on IDC data center traffic flow logs, extract multi-dimensional data features such as protocol type, source and destination IP, port, packet size, connection frequency, time interval, geographical information, and TLS / SSL handshake characteristics (SNI, cipher suites) to construct a comprehensive data model that depicts network communication behavior.
[0024] Encrypted Traffic Anomaly Score (ETAS): A numerical indicator used to quantify the risk of malicious behavior in encrypted traffic.
[0025] Adaptive Response Threshold (ART): A scoring threshold value dynamically adjusted by the intelligent collaborative scheduling module to determine whether a risk event reporting is triggered.
[0026] Non-intrusive traffic collection: A collection method that obtains traffic copies through switch port mirroring (SPAN) or network splitters, with zero changes to the existing network topology and zero impact on service traffic.
[0027] Incremental learning mechanism: an adaptive learning technique that continuously iterates and trains the detection model by periodically extracting the latest business traffic data, enabling the model to dynamically learn new traffic features and new attack patterns.
[0028] Figure 1 is a flowchart of the intelligent monitoring method for malicious encrypted-traffic behavior based on multi-dimensional traffic profiling provided by an embodiment of the present invention. The method includes: 101. The traffic filtering module obtains a copy of the encrypted traffic in the network and determines the target traffic in that copy, wherein the target traffic is distributed according to its risk type.
[0029] 102. The detection module receives the distributed target traffic, determines the multi-dimensional characteristics of the target traffic, and generates a multi-dimensional traffic profile based on the multi-dimensional characteristics.
[0030] 103. The intelligent collaborative scheduling module scores the multi-dimensional profile according to one or more scoring rules, determines one or more scores, and judges whether there is an abnormal traffic score.
[0031] 104. When the traffic anomaly score exists and the traffic anomaly score exceeds the adaptive response threshold, the risk event reporting module will report the risk event corresponding to the multi-dimensional profile.
[0032] In one embodiment, the encrypted traffic copy is obtained out of band by port mirroring or a network tap deployed at the core switching node of the IDC data center. The traffic filtering module identifies target traffic that violates cross-border rules through cross-border traffic monitoring; such target traffic is traffic that accesses sensitive assets. Cross-border traffic monitoring includes cross-border IP segment monitoring and sensitive-asset access monitoring. The risk type indicates the protocol or scenario characteristics of the target traffic while it accesses sensitive assets; for example, if the IP address associated with the target traffic is not a domestic address, there is a risk of cross-border transmission.
[0033] Optionally, the traffic filtering module monitors the traffic distribution status in real time and reports load information to the intelligent collaborative scheduling module to ensure distribution efficiency.
[0034] In one embodiment, the multidimensional features include at least one of the following: protocol type, source and destination IP addresses, port, packet size, connection frequency, time interval, geographic information, and TLS / SSL handshake features.
[0035] In one embodiment, as shown in Figure 2, generating the multi-dimensional traffic profile from the multi-dimensional features specifically includes: 201. The data risk identification module models normal network traffic with an unsupervised learning algorithm to construct a normal-behavior baseline covering traffic volume, session frequency, accessed IP range, access time and packet size.
[0036] Optionally, the unsupervised learning algorithm uses an autoencoder to model the normal network traffic of the IDC asset.
[0037] 202. The data risk identification module extracts the transmission characteristics of real-time traffic and combines them with TLS handshake characteristics and geographical information to construct the multi-dimensional traffic profile. The transmission characteristics include: number of session connections, uplink / downlink traffic ratio, access path, and transmission scale characteristics.
[0038] 203. The data risk identification module calculates the deviation between the real-time traffic multidimensional profile and the normal behavior baseline, and performs correlation analysis in conjunction with network threat intelligence and vulnerability information to generate the traffic anomaly score (ETAS).
[0039] Optionally, the deviation value is calculated using Mahalanobis distance.
[0040] Based on this solution, by constructing a normal-behavior baseline and measuring the deviation of the real-time profile from it, data anomalies such as data-leakage risks, suspicious-port transfer risks and ransomware data-theft risks can be identified effectively, with a detection accuracy of over 80%.
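Step 203 carried out in code, as an added example that is not the patent's implementation: a normal-behavior baseline (mean vector and covariance) is fitted from constructed profile rows of bytes transferred, session count and mean packet size; the Mahalanobis distance of a real-time profile from that baseline is computed; and the result is correlated with a constructed threat-intelligence feed to give an ETAS in [0, 1]. The mapping of distance to a score, 1 - exp(-d/3), and the noisy-OR combination with the intel severity are assumptions, since the patent fixes neither.

```python
"""Baseline deviation scoring for one IDC asset (pure Python, no NumPy).

Added example, not the patent's code. Fits a normal-behaviour baseline from
constructed profile rows, scores a real-time profile by Mahalanobis distance
and folds in a constructed threat-intelligence lookup.
"""
import math
from typing import Dict, List, Sequence, Tuple

# Constructed baseline rows for a single asset, one per observation window:
# (bytes transferred, session count, mean packet size in bytes).
NORMAL_PROFILES: List[List[float]] = [
    [1_200_000, 40, 780], [1_150_000, 42, 790], [1_300_000, 38, 770],
    [1_250_000, 45, 800], [1_180_000, 41, 785], [1_220_000, 39, 775],
    [1_270_000, 44, 795], [1_210_000, 43, 782],
]

# Constructed threat-intelligence feed: destination IP -> severity in [0, 1].
THREAT_INTEL: Dict[str, float] = {"203.0.113.7": 0.9}


def mean_vector(rows: Sequence[Sequence[float]]) -> List[float]:
    n = len(rows)
    return [sum(r[j] for r in rows) / n for j in range(len(rows[0]))]


def covariance(rows: Sequence[Sequence[float]], mu: Sequence[float]) -> List[List[float]]:
    """Unbiased sample covariance matrix."""
    n, p = len(rows), len(mu)
    cov = [[0.0] * p for _ in range(p)]
    for r in rows:
        d = [r[j] - mu[j] for j in range(p)]
        for i in range(p):
            for j in range(p):
                cov[i][j] += d[i] * d[j]
    return [[v / (n - 1) for v in row] for row in cov]


def invert(m: Sequence[Sequence[float]]) -> List[List[float]]:
    """Gauss-Jordan inverse with partial pivoting; raises if singular."""
    p = len(m)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(p)]
         for i, row in enumerate(m)]
    for col in range(p):
        pivot = max(range(col, p), key=lambda r: abs(a[r][col]))
        if abs(a[pivot][col]) < 1e-12:
            raise ValueError("singular covariance: baseline needs more varied samples")
        a[col], a[pivot] = a[pivot], a[col]
        pv = a[col][col]
        a[col] = [v / pv for v in a[col]]
        for r in range(p):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[p:] for row in a]


def fit_baseline(rows: Sequence[Sequence[float]]) -> Tuple[List[float], List[List[float]]]:
    """Baseline = (mean vector, inverse covariance) of the normal windows."""
    mu = mean_vector(rows)
    return mu, invert(covariance(rows, mu))


def mahalanobis(x: Sequence[float], mu: Sequence[float],
                cov_inv: Sequence[Sequence[float]]) -> float:
    """sqrt((x - mu)^T * cov_inv * (x - mu)); 0 for a profile at the mean."""
    d = [xi - mi for xi, mi in zip(x, mu)]
    tmp = [sum(cov_inv[i][j] * d[j] for j in range(len(d))) for i in range(len(d))]
    return math.sqrt(max(0.0, sum(di * ti for di, ti in zip(d, tmp))))


def etas(profile: Sequence[float], dst_ip: str, mu: Sequence[float],
         cov_inv: Sequence[Sequence[float]], scale: float = 3.0) -> float:
    """Deviation mapped to [0, 1) with 1 - exp(-d/scale), then combined with
    the intel severity by noisy-OR. Both mappings are assumptions."""
    deviation = 1.0 - math.exp(-mahalanobis(profile, mu, cov_inv) / scale)
    intel = THREAT_INTEL.get(dst_ip, 0.0)
    return 1.0 - (1.0 - deviation) * (1.0 - intel)


if __name__ == "__main__":
    mu, cov_inv = fit_baseline(NORMAL_PROFILES)
    # A window moving ten times the usual volume to an unknown destination.
    print(round(etas([12_000_000, 40, 780], "198.51.100.5", mu, cov_inv), 3))
    # Normal volume, but the destination is on the intel feed.
    print(round(etas(mu, "203.0.113.7", mu, cov_inv), 3))
```

The Gauss-Jordan inverse raises on a singular covariance, which is what you get when the baseline windows are too few or too uniform; a production baseline would be fitted from far more windows and refreshed by the incremental learning mechanism described later.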
[0041] In another embodiment, as shown in Figure 3, the traffic anomaly score is also generated as follows: 301. The illegal cross-border detection module extracts the meta-features of the target traffic, including the 5-tuple, protocol version, cipher suites, server name indication (SNI), certificate chain and connection-level statistical features (such as connection duration and packet sequence).
[0042] 302. The illegal cross-border detection module constructs a high-dimensional feature vector based on the meta-features.
[0043] 303. The illegal cross-border detection module performs multi-dimensional detection on the high-dimensional feature vector to generate multiple detection results. The multi-dimensional detection includes fusion deep packet inspection (DPI), rule detection, and machine learning model detection.
[0044] Optionally, the machine learning model includes one or more of the following: Support Vector Machine (SVM), Extreme Gradient Boosting (XGBoost), Convolutional Neural Network (CNN), and Long Short-Term Memory Network (LSTM). The deep learning model is responsible for capturing the temporal dependencies and complex patterns of traffic, while traditional rule detection is responsible for quickly matching known threats.
[0045] 304. The illegal cross-border detection module uses a five-dimensional feature fusion model to weight and fuse the multiple detection results to generate an abnormal traffic score (ETAS).
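Step 301 in code, as an added example rather than the patent's own extractor: the TLS ClientHello is sent in the clear, so the offered cipher suites, SNI and supported versions can be read from the first client record of a mirrored flow and placed in the meta-feature row next to the 5-tuple, with no decryption. The record is constructed by build_client_hello (there is no real capture); the derived flags no_sni and legacy_tls_only and the function name handshake_meta_features are illustrative choices. Certificate-chain and connection-level statistics come from the server's records and the flow table and are not covered here.

```python
"""TLS ClientHello meta-feature extraction without decryption.

Added example, not the patent's code. build_client_hello() constructs a
synthetic record for testing; parse_client_hello() is the extractor.
"""
import struct
from typing import Dict, Optional, Sequence

EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43


def build_client_hello(sni: Optional[str], cipher_suites: Sequence[int],
                       supported_versions: Sequence[int] = (0x0304, 0x0303)) -> bytes:
    """Constructed ClientHello (TLS record + handshake framing) for tests."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name
        exts += (struct.pack("!HH", EXT_SERVER_NAME, len(entry) + 2)
                 + struct.pack("!H", len(entry)) + entry)
    vers = b"".join(struct.pack("!H", v) for v in supported_versions)
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"              # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                               # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse(record: bytes) -> Dict[str, object]:
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                    # skip client_random
    pos += 1 + body[pos]                             # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # compression_methods
    meta: Dict[str, object] = {"legacy_version": legacy_version, "cipher_suites": cipher_suites,
                               "sni": None, "supported_versions": []}
    if pos + 2 <= len(body):                         # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                meta["sni"] = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and data:
                meta["supported_versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                              for i in range(0, data[0], 2)]
    return meta


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Return legacy_version, cipher_suites, sni and supported_versions;
    raise ValueError for anything that is not a well-formed ClientHello."""
    try:
        return _parse(record)
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc


def handshake_meta_features(record: bytes, five_tuple: tuple) -> Dict[str, object]:
    """Meta-feature row for the detector: 5-tuple plus handshake facts and
    two derived flags. Which flags matter is policy; these are examples."""
    m = parse_client_hello(record)
    versions = m["supported_versions"] or [m["legacy_version"]]
    effective = max(versions)
    return {
        "five_tuple": five_tuple,
        **m,
        "effective_version": effective,
        "no_sni": m["sni"] is None,                  # e.g. raw-IP C2 or an evasive client
        "legacy_tls_only": effective < 0x0303,       # nothing newer than TLS 1.1 offered
    }
```

A real extractor would also tolerate a ClientHello split across several TLS records and ignore GREASE values in the cipher and version lists before fingerprinting; both are omitted here to keep the framing logic readable.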
[0046] Optionally, the five-dimensional feature fusion model takes five core dimensions—communication scale, time frequency, traffic direction, cross-border path, and communication structure—and comprehensively employs graph neural networks and time-series anomaly detection algorithms.
[0047] The specific implementation steps are as follows. The five-dimensional feature vector consists of a communication scale dimension, a time frequency dimension, a traffic direction dimension, a cross-border path dimension and a communication structure dimension:
- Communication scale: the total number of bytes and packets within a unit time window, denoted the first vector.
- Time frequency: the timestamp sequence of session connections, from which the mean and variance of the connection intervals are calculated, denoted the second vector.
- Traffic direction: the ratio of uplink to downlink traffic and the ratio of packets carrying the SYN flag to packets carrying the RST flag, denoted the third vector.
- Cross-border path: the cross-border hop count and whether sensitive countries/regions are involved, derived from the geographic databases of the source and destination IPs and one-hot encoded, denoted the fourth vector.
- Communication structure: a graph neural network models the communication graph between source and destination IPs, and the node's out-degree, in-degree and PageRank value in that graph are extracted, denoted the fifth vector.
[0048] The five-dimensional feature fusion model inputs the five high-dimensional feature vectors mentioned above into the DPI rule detector, XGBoost detector, and LSTM time series detector in parallel. The DPI rule detector matches the feature vectors against a pre-set malware feature library and a cross-border violation policy library, outputting a binary classification confidence score S1; the XGBoost detector classifies the feature vectors based on a trained extreme gradient boosting model, outputting a probability score S2; and the LSTM time series detector uses a long short-term memory network to analyze the change patterns of the feature vectors over time, outputting an anomaly probability score S3.
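The five dimension vectors of [0047], computed for one host from constructed flow records as an added example (not the patent's code). The flow rows, the geo database with its hop counts and the sensitive-region list are all made up; the communication-structure dimension uses in/out-degree plus a small power-iteration PageRank in place of the patent's graph neural network, and the direction ratios floor their denominators at 1, which is an assumption.

```python
"""Five-dimensional feature vectors for one host from mirrored flow records.

Added example, not the patent's code. All input data below is constructed.
"""
import ipaddress
from statistics import mean, pvariance
from typing import Dict, Iterable, List, Tuple

# Constructed flow records: one row per TCP connection seen in the window.
FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7",  "ts": 0.0,  "up": 900_000, "down": 12_000, "pkts": 800, "syn": 1, "rst": 0},
    {"src": "10.0.0.5", "dst": "203.0.113.7",  "ts": 30.0, "up": 850_000, "down": 10_000, "pkts": 740, "syn": 1, "rst": 0},
    {"src": "10.0.0.5", "dst": "198.51.100.9", "ts": 61.0, "up": 5_000,   "down": 40_000, "pkts": 80,  "syn": 1, "rst": 1},
    {"src": "10.0.0.8", "dst": "10.0.0.5",     "ts": 10.0, "up": 2_000,   "down": 3_000,  "pkts": 22,  "syn": 1, "rst": 0},
]
# Constructed geo database: prefix -> (region label, cross-border hop count).
GEO_DB = {"10.0.0.0/8": ("domestic", 0), "203.0.113.0/24": ("region-A", 9), "198.51.100.0/24": ("region-B", 6)}
# Constructed policy list driving the one-hot part of the fourth vector.
SENSITIVE_REGIONS = ("region-A", "region-C")


def geo_lookup(ip: str) -> Tuple[str, int]:
    addr = ipaddress.ip_address(ip)
    for prefix, info in GEO_DB.items():
        if addr in ipaddress.ip_network(prefix):
            return info
    return ("unknown", 0)


def pagerank(edges: Iterable[Tuple[str, str]], damping: float = 0.85, iters: int = 50) -> Dict[str, float]:
    """Power-iteration PageRank; dangling nodes spread their mass uniformly."""
    edges = set(edges)
    nodes = sorted({n for e in edges for n in e})
    out = {n: set() for n in nodes}
    for s, d in edges:
        out[s].add(d)
    n = len(nodes)
    pr = {v: 1.0 / n for v in nodes}
    for _ in range(iters):
        dangling = sum(pr[v] for v in nodes if not out[v])
        pr = {v: (1 - damping) / n
              + damping * (sum(pr[u] / len(out[u]) for u in nodes if v in out[u]) + dangling / n)
              for v in nodes}
    return pr


def five_dim_features(host: str, flows=FLOWS) -> Dict[str, List[float]]:
    touching = [f for f in flows if host in (f["src"], f["dst"])]
    outbound = sorted((f for f in flows if f["src"] == host), key=lambda f: f["ts"])
    # 1. communication scale: bytes and packets in the window (both directions)
    v1 = [float(sum(f["up"] + f["down"] for f in touching)), float(sum(f["pkts"] for f in touching))]
    # 2. time frequency: mean and variance of intervals between connections the host opened
    gaps = [b["ts"] - a["ts"] for a, b in zip(outbound, outbound[1:])]
    v2 = [mean(gaps), pvariance(gaps)] if gaps else [0.0, 0.0]
    # 3. traffic direction: uplink/downlink bytes and SYN/RST packets (denominators floored at 1)
    up, down = sum(f["up"] for f in outbound), sum(f["down"] for f in outbound)
    syn, rst = sum(f["syn"] for f in outbound), sum(f["rst"] for f in outbound)
    v3 = [up / max(down, 1), syn / max(rst, 1)]
    # 4. cross-border path: worst hop count, then one-hot over the sensitive-region list
    geo = [geo_lookup(f["dst"]) for f in outbound]
    v4 = [float(max((h for _, h in geo), default=0))] + \
         [1.0 if any(r == s for r, _ in geo) else 0.0 for s in SENSITIVE_REGIONS]
    # 5. communication structure: out-degree, in-degree and PageRank in the flow graph
    edges = {(f["src"], f["dst"]) for f in flows}
    v5 = [float(sum(1 for s, _ in edges if s == host)),
          float(sum(1 for _, d in edges if d == host)),
          pagerank(edges).get(host, 0.0)]
    return {"scale": v1, "time": v2, "direction": v3, "cross_border": v4, "structure": v5}


if __name__ == "__main__":
    for name, vec in five_dim_features("10.0.0.5").items():
        print(f"{name:13s} {vec}")
```

For 10.0.0.5 the direction vector already tells the story the patent is after: about 28 bytes leave for every byte that comes back, which is the shape of an upload rather than a download, and the cross-border vector shows the destination sits in a flagged region nine hops away.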
[0049] The last stage of the five-dimensional feature fusion model is a weighted fusion that produces the final score. Specifically, the traffic anomaly score is ETAS = α·S1 + β·S2 + γ·S3, where α, β and γ are the weighting coefficients of the three detectors; their initial values are set from the detection accuracy of historical samples, for example α = 0.2, β = 0.5, γ = 0.3. As a special case, if the DPI rule detector hits a high-risk rule (S1 = 1), ETAS is set directly to 1.0.
[0050] Based on the above embodiments, introducing interpretable five-dimensional features and a multi-model weighted fusion mechanism significantly reduces the impact of false positives from any single model. The system can identify more than 20 VPN protocols or tools, such as OpenVPN, L2TP and Shadowsocks, with a detection accuracy of over 85%.
[0051] In one embodiment, when there is a scoring conflict among the multiple scoring rules for the multi-dimensional profile (e.g., a conflict between the ETAS judgment results generated by the illegal cross-border detection module and the data risk identification module for the same traffic), the intelligent collaborative scheduling module arbitrates based on a preset global optimization objective. The global optimization objective includes risk level priority or detection accuracy weight.
[0052] For example, if any ETAS exceeds the high-risk threshold (e.g., 0.9), a malicious judgment is adopted; otherwise, the weighted average of the two ETAS is taken, with the weight determined by the historical detection accuracy.
[0053] In one embodiment, as shown in Figure 4, the risk reporting steps specifically include: 401. The risk event reporting module determines risk information from the multi-dimensional profile. The risk information includes the event type, the risk level (based on the ETAS score), the affected assets and disposal recommendations.
[0054] 402. The risk event reporting module pushes the risk information to the external information security system in real time through a standardized application programming interface (API) and message bus, and generates a coordinated response instruction.
[0055] Based on this solution, automatic reporting and coordinated handling of risk events can be achieved, forming a closed-loop management mechanism for detection, reporting, and handling.
[0056] In one embodiment, as shown in Figure 5, the coordinated handling includes: 501. The intelligent collaborative scheduling module receives handling feedback from the information security system on the coordinated response instruction. A probe agent continuously monitors the handling effect (for example, whether the attack traffic was blocked and whether the service remains healthy) and reports the feedback to the intelligent collaborative scheduling module.
[0057] 502. The intelligent collaborative scheduling module determines the optimization vector by iteratively optimizing based on the handling feedback information and historical detection data through an incremental learning mechanism.
[0058] Specifically, the adaptive optimization engine embeds a reinforcement-learning-based optimization policy network that encodes the system's key parameters, namely the weight matrix W of the feature extraction dimensions, the adaptive response threshold ART and the weighting coefficients of the weighted fusion formula above, as a multi-dimensional optimization vector.
[0059] 503. The intelligent collaborative scheduling module dynamically adjusts the adaptive response threshold (ART) and feature weights based on the optimization vector.
[0060] Specifically, the adaptive optimization engine encodes the key system parameters into an optimization vector; these key parameters include the feature extraction dimension weights, the model training cycle and the ART threshold. The fitness function is defined as F = (detection accuracy × recall) / (false alarm rate × system resource consumption), where detection accuracy, recall, false alarm rate and system resource consumption are all quantifiable performance indicators.
[0061] The adaptive optimization engine periodically (e.g., every 24 hours) or when the accumulated feedback data reaches a threshold, iteratively optimizes the optimization vector based on the incremental learning mechanism, historical detection data, and the processing feedback, so as to maximize the value of the fitness function.
[0062] In practice, the adaptive optimization engine periodically launches an iterative optimization cycle, which proceeds as follows:
- The system loads the handling feedback collected during the cycle and confirmed by the external security system; this feedback includes confirmed malicious events and normal events marked as false alarms.
- The fitness function value under the current optimization vector is calculated.
- Starting from the current optimization vector, the parameter values are fine-tuned with Gaussian noise to generate a candidate optimization vector.
- The candidate is evaluated in a sandbox environment on the same feedback data, and its fitness function value is calculated.
- If the candidate's fitness exceeds that of the current vector, the system's running parameters are replaced with the candidate; otherwise the current vector is retained.
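The optimization cycle above, together with the weighted fusion of S1, S2 and S3 by α, β and γ and the DPI override from [0049], as an added example that is not the patent's engine. The feedback rows are constructed. Three assumptions are made because the text leaves them open: "detection accuracy" is taken as precision, system resource consumption as the fraction of flows escalated, and both denominators of F get a small floor so that a cycle with zero false alarms yields a finite fitness.

```python
"""Closed-loop tuning of the adaptive response threshold and fusion weights.

Added example, not the patent's code. One cycle perturbs the optimization
vector with Gaussian noise, re-scores the same feedback and keeps the
candidate only if the fitness improves.
"""
import random
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed handling feedback: (S1 from DPI rules, S2 from XGBoost,
# S3 from the LSTM detector, confirmed_malicious by the external SOC).
FEEDBACK: List[Tuple[float, float, float, bool]] = [
    (1.0, 0.95, 0.90, True), (0.0, 0.88, 0.75, True), (0.0, 0.70, 0.92, True),
    (0.0, 0.65, 0.60, True), (0.0, 0.40, 0.85, True),
    (0.0, 0.30, 0.20, False), (0.0, 0.55, 0.15, False), (0.0, 0.62, 0.35, False),
    (0.0, 0.10, 0.50, False), (0.0, 0.25, 0.25, False), (0.0, 0.45, 0.40, False),
    (0.0, 0.05, 0.05, False),
]


@dataclass(frozen=True)
class OptVector:
    art: float      # adaptive response threshold
    alpha: float    # weight of the DPI rule detector (S1)
    beta: float     # weight of the XGBoost detector (S2)
    gamma: float    # weight of the LSTM detector (S3)


INITIAL = OptVector(art=0.5, alpha=0.2, beta=0.5, gamma=0.3)   # the text's example weights


def etas(s1: float, s2: float, s3: float, v: OptVector) -> float:
    """Weighted fusion; a high-risk DPI rule hit (S1 = 1) forces 1.0."""
    if s1 >= 1.0:
        return 1.0
    return v.alpha * s1 + v.beta * s2 + v.gamma * s3


def confusion(feedback: Sequence[Tuple[float, float, float, bool]], v: OptVector) -> Tuple[int, int, int, int]:
    """(tp, fp, fn, tn) when an alert is raised for ETAS > ART."""
    tp = fp = fn = tn = 0
    for s1, s2, s3, malicious in feedback:
        alert = etas(s1, s2, s3, v) > v.art
        if alert and malicious:
            tp += 1
        elif alert:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def fitness(feedback: Sequence[Tuple[float, float, float, bool]], v: OptVector, floor: float = 0.01) -> float:
    """F = (precision * recall) / (false_alarm_rate * resource_cost), floored denominators."""
    tp, fp, fn, tn = confusion(feedback, v)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    far = fp / (fp + tn) if fp + tn else 0.0
    resource = (tp + fp) / len(feedback)            # assumption: cost grows with alerts escalated
    return (precision * recall) / ((far + floor) * (resource + floor))


def perturb(v: OptVector, rng: random.Random, sigma: float = 0.05) -> OptVector:
    """Gaussian fine-tuning; ART is clamped and the weights renormalised to sum to 1."""
    art = min(0.99, max(0.05, v.art + rng.gauss(0.0, sigma)))
    w = [max(0.0, x + rng.gauss(0.0, sigma)) for x in (v.alpha, v.beta, v.gamma)]
    total = sum(w) or 1.0
    return OptVector(art, *(x / total for x in w))


def optimize(feedback: Sequence[Tuple[float, float, float, bool]], current: OptVector,
             iterations: int = 200, seed: int = 7) -> Tuple[OptVector, float]:
    """One optimization cycle: a candidate replaces the running vector only
    if its fitness on this cycle's feedback beats the current value."""
    rng = random.Random(seed)
    best, best_f = current, fitness(feedback, current)
    for _ in range(iterations):
        cand = perturb(best, rng)
        f = fitness(feedback, cand)
        if f > best_f:
            best, best_f = cand, f
    return best, best_f


if __name__ == "__main__":
    print("initial", confusion(FEEDBACK, INITIAL), round(fitness(FEEDBACK, INITIAL), 1))
    best, f = optimize(FEEDBACK, INITIAL)
    print("tuned  ", confusion(FEEDBACK, best), round(f, 1), best)
```

With the text's example weights and ART = 0.5 the constructed feedback yields four true positives and one miss (the row scored 0.455); a cycle that accepts only fitness improvements can lower ART to recover that miss without admitting the false-alarm rows, and it can never make the running parameters worse on the data it was judged against. The remaining risk is overfitting to one cycle's feedback, which is why the text evaluates candidates in a sandbox before promotion.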
[0063] In this application, through the aforementioned closed-loop incremental learning mechanism, the adaptive response threshold can automatically adjust the alarm sensitivity according to the dynamic changes in network traffic (e.g., the off-peak hours of nighttime business and the peak hours of daytime business), which solves the problem of easy decay of static models and fixed thresholds, and enables the system to have the continuous adaptability to cope with unknown threats.
[0064] Based on this solution, the system can learn and evolve its detection behavior autonomously, dynamically adapt to new attack methods and changing network environments, and possess strong resilience and survivability.
[0065] Figure 6 is a structural schematic of the intelligent monitoring system for malicious encrypted-traffic behavior based on multi-dimensional traffic profiling provided in an embodiment of the present invention. The system includes: the traffic filtering module, used to obtain a copy of the encrypted traffic in the network and determine the target traffic in that copy, wherein the target traffic is distributed according to its risk type.
[0066] At least one detection module is used to receive the distributed target traffic, determine the multi-dimensional characteristics of the target traffic, and generate a multi-dimensional traffic profile based on the multi-dimensional characteristics; the at least one detection module includes a cross-border violation detection module and / or a data risk identification module.
[0067] The intelligent collaborative scheduling module is used to score the multi-dimensional profile according to one or more scoring rules, determine one or more scores, and judge whether there is an abnormal traffic score.
[0068] The risk event reporting module is used to report the risk event corresponding to the multi-dimensional profile when there is a traffic anomaly score and the traffic anomaly score exceeds the adaptive response threshold.
[0069] In one embodiment, the traffic filtering module is deployed at the core switching node of the IDC data center and obtains traffic copies in a bypass manner through switch port mirroring or network splitter.
[0070] In one embodiment, the illegal cross-border detection module is specifically used to: extract the five-tuple, protocol version, cipher suite, SNI, certificate chain, and connection-level statistical features of the target traffic to construct a high-dimensional feature vector; process the high-dimensional feature vector by fusing DPI, rule detection, and machine learning models to generate multiple detection results; and perform weighted fusion of the multiple detection results based on the five-dimensional feature fusion model to output the ETAS.
[0071] In one embodiment, the data risk identification module is specifically used to: model normal network traffic through unsupervised learning to construct a baseline of normal behavior; extract transmission characteristics of real-time traffic, and construct a multi-dimensional traffic profile by combining TLS handshake characteristics and geographic information; calculate the deviation value between the real-time profile and the baseline, and generate ETAS by combining threat intelligence.
[0072] In one embodiment, the intelligent collaborative scheduling module is further used to: resolve conflicts based on risk level priority or detection accuracy weight when the judgment results of different detection modules conflict.
[0073] In one embodiment, the intelligent collaborative scheduling module embeds an adaptive optimization engine, which is used to: encode key system parameters into optimization vectors, define a fitness function, and iteratively optimize the optimization vectors through an incremental learning mechanism and historical detection data and handling feedback to maximize the fitness function.
[0074] Optionally, the system also includes a visualization management module for displaying global traffic trends, drilling down into risk events, and statistically analyzing detection results.
[0075] Figure 7 is a structural schematic of a computing device according to an embodiment of the present invention. The computing device can be a server, a personal computer or a network device and includes at least one processor, a memory, a communication interface, a bus and a display terminal. The processor, memory and communication interface are connected via the bus and communicate with each other over it; the display terminal is used to display the communication content.
[0076] The memory stores a computer program that, when executed by the processor, causes the processor to perform all or part of the steps of the method described in any of the above embodiments.
[0077] Optionally, the processor may be a central processing unit (CPU), a graphics processing unit (GPU), a digital signal processor (DSP), or a field-programmable gate array (FPGA).
[0078] Optionally, the memory may include random access memory (RAM) and read-only memory (ROM).
[0079] In one possible implementation, the system provided in this embodiment of the invention can be deployed in a cluster of computing devices, with multiple computing devices connected via a network (such as a local area network or a wide area network) to execute the intelligent monitoring method for malicious encryption behavior based on multi-dimensional traffic profiling in a distributed manner.
[0080] Obviously, those skilled in the art can make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of the claims of this invention and their equivalents, this invention also intends to include these modifications and variations.
Claims
1. A method for intelligent monitoring of malicious encryption behavior based on multi-dimensional traffic profiling, characterized in that it includes: obtaining a copy of encrypted traffic in the network and determining the target traffic in the encrypted traffic copy, wherein the target traffic is distributed according to risk type; receiving the distributed target traffic, determining the multi-dimensional features of the target traffic, and generating a multi-dimensional traffic profile based on the multi-dimensional features; scoring the multi-dimensional profile according to one or more scoring rules to determine one or more scores and to determine whether a traffic anomaly score exists; and, when the traffic anomaly score exists and exceeds the adaptive response threshold, reporting the risk event corresponding to the multi-dimensional profile.
2. The intelligent monitoring method for malicious encryption behavior based on multi-dimensional traffic profiling as described in claim 1, characterized in that the encrypted traffic copy is obtained by bypass capture from port mirroring or network splitters (taps) deployed at the core switching nodes of the IDC data center; wherein the encrypted traffic copy is examined by cross-border traffic monitoring to identify unauthorized cross-border target traffic that accesses sensitive assets, the cross-border traffic monitoring including cross-border IP segment monitoring and sensitive asset access monitoring.
3. The intelligent monitoring method for malicious encryption behavior based on multi-dimensional traffic profiling as described in claim 1, characterized in that the multi-dimensional features include at least one of the following: protocol type, source and destination IP addresses, port, packet size, connection frequency, time interval, geographical information, and TLS/SSL handshake features.
4. The intelligent monitoring method for malicious encryption behavior based on multi-dimensional traffic profiling as described in claim 1, characterized in that generating the multi-dimensional traffic profile from the multi-dimensional features includes: modeling normal network traffic with an unsupervised learning algorithm to construct a normal behavior baseline, the baseline including traffic volume, session frequency, access IP range, access time, and packet size; and extracting the transmission characteristics of real-time traffic and combining them with TLS handshake characteristics and geographic information to construct the multi-dimensional traffic profile, the transmission characteristics including the number of session connections, uplink/downlink traffic ratio, access path, and transmission scale characteristics.
5. The intelligent monitoring method for malicious encryption behavior based on multi-dimensional traffic profiling as described in claim 4, characterized in that the traffic anomaly scoring includes: calculating the deviation between the multi-dimensional profile of the real-time traffic and the normal behavior baseline, and performing correlation analysis in conjunction with network threat intelligence to generate the traffic anomaly score.
6. The intelligent monitoring method for malicious encryption behavior based on multi-dimensional traffic profiling as described in claim 1, characterized in that the traffic anomaly scoring includes: extracting the meta-features of the target traffic, including the five-tuple, protocol version, cipher suites, server name indication, certificate chain, and connection-level statistical features; constructing a high-dimensional feature vector from the meta-features; subjecting the high-dimensional feature vector to multi-dimensional detection to generate multiple detection results, the multi-dimensional detection fusing deep packet inspection, rule-based detection, and machine learning model detection; and weighting and fusing the multiple detection results with a five-dimensional feature fusion model to generate the traffic anomaly score.
7. The intelligent monitoring method for malicious encryption behavior based on multi-dimensional traffic profiling as described in claim 1, characterized in that the multiple scoring rules score the multi-dimensional profile, and when a scoring conflict occurs, arbitration is carried out according to a preset global optimization goal, which includes a risk level priority or a detection accuracy weight.
8. The intelligent monitoring method for malicious encryption behavior based on multi-dimensional traffic profiling as described in claim 1, characterized in that reporting the risk event corresponding to the multi-dimensional profile includes: determining risk information from the multi-dimensional profile, including event type, risk level, affected assets, and disposal recommendations; and pushing the risk information in real time to an external information security system to generate a coordinated response instruction.
9. The intelligent monitoring method for malicious encryption behavior based on multi-dimensional traffic profiling as described in claim 8, characterized in that generating the coordinated response instruction further includes: determining response feedback information from the coordinated response instruction; determining an optimization vector from the feedback information and historical detection data through iterative optimization using an incremental learning mechanism; and dynamically adjusting the adaptive response threshold and the extraction weights of the multi-dimensional features according to the optimization vector.
10. A malicious encryption behavior intelligent monitoring system based on multi-dimensional traffic profiling, characterized in that the system includes: a traffic filtering module, used to obtain an encrypted traffic copy in the network and determine target traffic in the encrypted traffic copy, wherein the target traffic is distributed according to risk type; at least one detection module, used to receive the distributed target traffic, determine the multi-dimensional features of the target traffic, and generate a multi-dimensional traffic profile from the multi-dimensional features; an intelligent collaborative scheduling module, used to score the multi-dimensional profile according to one or more scoring rules, determine one or more scores, and determine whether a traffic anomaly score exists; and a risk event reporting module, used to report the risk event corresponding to the multi-dimensional profile when the traffic anomaly score exists and exceeds the adaptive response threshold.
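As an added illustration, not part of the patent, of the scoring pipeline in claims 4 to 6 and the feedback-adjusted threshold of claim 9: a baseline built from constructed normal flows, a deviation score against it, a toy rule score over TLS meta-features, weighted fusion into one anomaly score, and a threshold moved by handling feedback. Feature names, weights, step sizes and the sample flows are assumptions; the patent's five-dimensional fusion model and incremental learning engine are not reproduced.

```python
from statistics import mean, pstdev

# Constructed "normal" flows (claim 4 baseline features, not real captures).
NORMAL_FLOWS = [
    {"sessions": 10, "ratio": 0.5, "pkt": 800},
    {"sessions": 12, "ratio": 0.6, "pkt": 820},
    {"sessions": 9, "ratio": 0.4, "pkt": 790},
    {"sessions": 11, "ratio": 0.5, "pkt": 810},
]
INTEL_SNI = {"bad.example"}  # constructed threat-intel indicator (claim 5)

def build_baseline(flows):
    """Per-feature (mean, std) of normal traffic; std floored to avoid /0."""
    return {k: (mean(f[k] for f in flows), pstdev(f[k] for f in flows) or 1.0)
            for k in flows[0]}

def deviation_score(profile, baseline):
    """Claim 5: mean |z| of the profile against the baseline, saturating at 3 sigma."""
    z = [abs(profile[k] - m) / s for k, (m, s) in baseline.items()]
    return min(sum(z) / len(z) / 3.0, 1.0)

def rule_score(profile):
    """Toy rule detector over TLS meta-features (claim 6); hypothetical rules."""
    score = 0.5 if profile.get("tls_version") == "TLSv1.0" else 0.0
    if profile.get("sni") in INTEL_SNI:
        score += 0.5
    return score

def fused_score(profile, baseline, weights=(0.6, 0.4)):
    """Weighted fusion of detector outputs into one anomaly score (constructed weights)."""
    w_dev, w_rule = weights
    return w_dev * deviation_score(profile, baseline) + w_rule * rule_score(profile)

class AdaptiveThreshold:
    """Claim 9: handling feedback nudges the threshold. A confirmed false positive
    raises it, a confirmed true positive lowers it (constructed step and bounds)."""
    def __init__(self, start=0.5, step=0.05, lo=0.2, hi=0.9):
        self.value, self.step, self.lo, self.hi = start, step, lo, hi
    def feedback(self, confirmed_malicious):
        self.value += -self.step if confirmed_malicious else self.step
        self.value = max(self.lo, min(self.hi, self.value))
        return self.value

def report_event(profile, baseline, threshold):
    """Return risk information when the fused score exceeds the threshold, else None."""
    score = fused_score(profile, baseline)
    if score <= threshold.value:
        return None
    return {"event_type": "encrypted_traffic_anomaly", "score": round(score, 3),
            "affected_asset": profile.get("dst")}
```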