An encrypted traffic identification system and method based on multi-modal fusion

By collecting and analyzing the multimodal behavioral characteristics of encrypted traffic, and combining deep flow detection and DNS log tools, we have achieved accurate identification and dynamic display of network attack types. This solves the problem that existing technologies cannot intelligently analyze network attacks in a hierarchical manner, and improves the security and intelligence of network communication.

CN122268673A · Pending · Publication Date: 2026-06-23 · SICHUAN DIANKE WANGAN TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Application (China)
Current Assignee / Owner
SICHUAN DIANKE WANGAN TECH CO LTD
Filing Date
2026-05-20
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

The existing network communication encrypted traffic identification process cannot intelligently analyze network attack types in a hierarchical manner based on the behavioral characteristics of multimodal encrypted traffic, which reduces the security and intelligence of network communication.

Method used

By collecting time series, packet size, statistics, connection interactions, and associated protocol characteristics of encrypted traffic, and combining this with deep flow detection probes, dedicated traffic analyzers, and DNS log analysis tools, multimodal fusion analysis is performed to identify network attack types.

Benefits of technology

It enables multi-level intelligent analysis of encrypted traffic, improving the security and intelligence of network communication, accurately identifying network attack types, and dynamically displaying the identification results.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122268673A_ABST

Abstract

The application relates to the technical field of network security and discloses an encrypted traffic identification system and method based on multi-modal fusion. Intelligent identification of the type of network attack carried in encrypted network communication traffic is achieved by combining artificial intelligence algorithms with sets of standard abnormal connection interaction feature information established for different network attack types; scientific detection of network attack types in encrypted traffic is achieved by combining data analysis with sets of standard abnormal association protocol feature information established for different network attack types. Multi-level intelligent analysis of network attack types is performed on the communication time-sequence features, communication packet size features, communication traffic statistical features, communication connection interaction features and communication connection protocol features of the encrypted traffic, realizing intelligent and efficient supervision of communication network anomalies based on the multi-modal behaviour features of encrypted traffic.

Description

Technical Field

[0001] This invention relates to the technical field of network security, specifically to an encrypted traffic identification system and method based on multimodal fusion.

Background Technology

[0002] Encrypted traffic identification technology aims to classify and analyze encrypted network communications. Traditional techniques rely on port identification, deep packet inspection, and plaintext information during the TLS / SSL handshake phase for application or protocol determination. However, with the evolution of encryption technology, the effectiveness of these methods has diminished. Current mainstream research focuses on utilizing machine learning and deep learning to extract patterns from traffic statistical features and train models to identify different services or malicious behaviors. Examples include using random forests, CNNs, or LSTMs to process traffic sequences. Existing encrypted traffic identification processes cannot intelligently analyze network attack types hierarchically based on multimodal encrypted traffic behavior characteristics, thus reducing the security and intelligence of network communications.

[0003] Chinese invention patent application CN116192449A, published on May 30, 2023, discloses a method and system for identifying encrypted traffic applications. The method involves acquiring encrypted traffic to be identified, extracting packet feature data and payload data from the encrypted traffic, and converting the payload data into an image. The packet feature data and the image are then input into a pre-trained application identification model to obtain the application type corresponding to the encrypted traffic. The application identification model is trained using packet feature data samples and image samples, which are obtained through feature conversion from encrypted traffic samples. This method solves the technical problems of poor identification results, low utilization rate of the identification program, and limited application scope in existing technologies for irregular and unpredictable encrypted traffic. However, the above technical solution cannot intelligently and reliably identify network attack types based on the behavioral characteristics of encrypted traffic.

Summary of the Invention

[0004] (I) Technical problems to be solved

[0005] To address the issue that existing network communication encrypted traffic identification processes cannot intelligently analyze network attack types based on multimodal encrypted traffic behavior characteristics, thus reducing network communication security and intelligence, this invention aims to achieve multi-level intelligent analysis of network attack types based on the communication time-series characteristics, communication data packet size characteristics, communication traffic statistical characteristics, communication connection interaction characteristics, and communication association protocol characteristics of encrypted traffic. This enables digital and scientific judgment of network attack types and improves network communication security and intelligence.

[0006] (II) Technical Solution

[0007] This invention is achieved through the following technical solution: a method for identifying encrypted traffic based on multimodal fusion, the method comprising the following steps:

[0008] Encrypted traffic time series feature information and encrypted traffic data packet size feature information are collected separately; network attack type analysis is performed based on the communication time series behavior features of encrypted network traffic to obtain time series-side network attack type analysis information; network attack type identification is performed based on the communication data packet size behavior features of encrypted network traffic to obtain data packet-side network attack type identification information.

[0009] Encrypted traffic statistical characteristics, encrypted traffic connection interaction characteristics, and encrypted traffic association protocol characteristics are collected separately. Based on the communication traffic statistical behavior characteristics of encrypted network traffic, network attack type judgment is performed to obtain traffic-side network attack type judgment information. Based on the communication connection interaction behavior characteristics of encrypted network traffic, network attack type identification is performed to obtain connection-side network attack type identification information. Based on the communication association protocol behavior characteristics of encrypted network traffic, network attack type detection is performed to obtain protocol-side network attack type detection information.

[0010] The system searches for and processes real-time network attack types in encrypted network traffic to obtain real-time network attack type information; it also performs statistical processing on the frequency of real-time network attack types in encrypted network traffic to obtain frequency information; and finally constructs real-time identification information for encrypted network traffic and executes a feedback operation on the identification results.
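The real-time step in [0010] combines the five per-side results, counts how often each attack type recurs, and feeds the result back. The patent does not state how the sides are combined, so the following added example (not the patent's code) assumes a simple quorum rule: an attack type is reported for a flow only when at least two of the five sides flagged it, and a sliding window over recent flows supplies the frequency statistics. The per-side inputs are constructed sample data.

```python
"""Added example (not the patent's code): fuse the five per-side outputs into a
real-time identification record with frequency statistics over a sliding window.
The quorum rule (flagged by at least 2 of 5 sides) is an assumption."""
from collections import Counter, deque

# The five modalities named in the patent, in the order they are described.
SIDES = ("time_series", "packet", "traffic", "connection", "protocol")


def fuse_sides(side_results, quorum=2):
    """side_results maps a side name to the attack types that side flagged
    for one flow. Returns {attack_type: votes} for types reaching the quorum."""
    votes = Counter()
    for side in SIDES:
        for attack_type in set(side_results.get(side, [])):
            votes[attack_type] += 1
    return {t: v for t, v in votes.items() if v >= quorum}


class RealTimeIdentifier:
    """Keeps a sliding window of fused results and reports per-type frequency."""

    def __init__(self, window=100, quorum=2):
        self.window = deque(maxlen=window)
        self.quorum = quorum

    def observe(self, flow_id, side_results):
        fused = fuse_sides(side_results, self.quorum)
        self.window.append((flow_id, tuple(sorted(fused))))
        freq = Counter(t for _, types in self.window for t in types)
        return {
            "flow_id": flow_id,
            "attack_types": sorted(fused),  # empty list = no network attack type
            "votes": fused,
            "window_frequency": dict(freq),
            "feedback": "alert" if fused else "none",  # feedback operation
        }


# Constructed sample stream of per-side outputs for three flows.
SAMPLE_STREAM = [
    ("flow-1", {"time_series": ["advanced persistent threat C2 channel"],
                "packet": ["advanced persistent threat C2 channel"],
                "traffic": [], "connection": ["botnet"], "protocol": []}),
    ("flow-2", {"time_series": [], "packet": ["tunneling attack"],
                "traffic": ["tunneling attack"], "connection": [],
                "protocol": ["tunneling attack"]}),
    ("flow-3", {"time_series": ["botnet"], "packet": [], "traffic": [],
                "connection": [], "protocol": []}),
]


def run_stream(stream, window=100, quorum=2):
    """Feed a stream of (flow_id, side_results) through one identifier."""
    ident = RealTimeIdentifier(window, quorum)
    return [ident.observe(fid, sides) for fid, sides in stream]


if __name__ == "__main__":
    for record in run_stream(SAMPLE_STREAM):
        print(record)
```

A single side flagging "botnet" on flow-1 and flow-3 never reaches the quorum, so those flows are not reported as botnet; the window frequency after the third flow counts one APT C2 channel and one tunneling attack.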

[0011] Preferably, the following steps are taken: First, time-series characteristic information and data packet size characteristic information of encrypted traffic are collected. Second, network attack type analysis is performed based on the communication time-series behavioral characteristics of encrypted network traffic to obtain time-series-side network attack type analysis information. Third, network attack type identification is performed based on the communication data packet size behavioral characteristics of encrypted network traffic to obtain data packet-side network attack type identification information.

[0012] The network performance monitoring tool Riverbed is used to monitor the time-series characteristics of encrypted network traffic online and generate encrypted traffic time-series characteristic information. This information includes data packet arrival intervals, session durations, and silence periods. The deep flow detection probe Darktrace NDR is used to collect data packet size characteristics of encrypted network traffic online and generate encrypted traffic data packet size characteristic information. This information includes forward packet length sequence information, backward packet length sequence information, packet length distribution information, and packet length entropy value information.

[0013] Based on the encrypted traffic time series feature information and the set of abnormal encrypted traffic time series feature information of different network attack types, network attack type analysis and processing of network communication encrypted traffic is performed to obtain time-series network attack type analysis information.

[0014] Based on the encrypted traffic data packet size feature information and the set of abnormal encrypted traffic data packet size feature information for different network attack types, network attack type identification processing of encrypted traffic in network communication is performed to obtain network attack type identification information on the data packet side.

[0015] Preferably, the network attack type analysis processing of encrypted traffic based on the encrypted traffic time series feature information and the standard encrypted traffic anomaly time series feature information set for different network attack types, to obtain time-series network attack type analysis information, includes the following steps:

[0016] Establish a set of time series feature information of abnormal encrypted traffic for different types of network attacks. ,in Indicates the first This document describes the abnormal time-series characteristics of standard encrypted traffic for different network attack types, including botnets, remote access Trojans, advanced persistent threats (C2 channels), spyware, targeted attacks, insider threats, ransomware downloaders, worm propagation, botnet component updates, tunneling attacks, traffic spoofing, and encrypted DDoS attacks. The abnormal time-series characteristics of standard encrypted traffic for different network attack types represent textual information describing the abnormal communication time-series characteristics of standard encrypted traffic set for different network attack types.

[0017] The encrypted traffic time-series feature information is compared with the set of standard encrypted traffic abnormal time-series feature information for different network attack types: the aforementioned abnormal time-series feature information of standard encrypted traffic for each network attack type is matched against the communication time-series feature information of the encrypted traffic to find all standard encrypted traffic abnormal time-series feature information of different network attack types that matches the encrypted traffic time-series feature information. The corresponding network attack type text information is used to construct time-series-side network attack type analysis information. The time-series-side network attack type analysis information includes either no network attack type or any one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0018] Preferably, the network attack type identification processing of encrypted traffic based on the encrypted traffic data packet size feature information and the standard encrypted traffic abnormal data packet size feature information set for different network attack types, to obtain data packet-side network attack type identification information includes the following steps:

[0019] Establish a set of characteristic information on the size of abnormal encrypted traffic packets for different types of network attacks. ,in Indicates the first The abnormal data packet size characteristic information of standard encrypted traffic for different network attack types is represented by the text information of the abnormal data packet size characteristic of standard encrypted traffic for different network attack types.

[0020] The encrypted traffic packet size feature information is compared with the set of standard encrypted traffic abnormal packet size feature information for different network attack types: the aforementioned abnormal packet size feature information of standard encrypted traffic for each network attack type is matched against the data packet size feature information of the encrypted traffic to find all standard encrypted traffic abnormal packet size feature information of different network attack types that matches the encrypted traffic data packet size feature information. The corresponding network attack type text information is used to generate data packet-side network attack type identification information after data identification. The data packet-side network attack type identification information includes either no network attack type or one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.
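Paragraphs [0012] to [0020] describe the time-series side (arrival intervals, session duration, silence periods) and the packet-size side (forward and backward length sequences, length distribution, length entropy), each matched against a per-attack-type feature set. The following added example (not the patent's or any vendor's code) computes both feature sets from one constructed flow and matches them against a constructed, hypothetical profile set; the profile thresholds and the 30-second silence threshold are illustrative assumptions, not values from the patent.

```python
"""Added example (not the patent's code): time-series and packet-size feature
extraction for one encrypted flow, then matching against a constructed
per-attack-type profile set. All thresholds are hypothetical."""
from collections import Counter
from math import log2

# Constructed sample flow: (timestamp_seconds, direction, payload_length).
# "f" = client -> server (forward), "b" = server -> client (backward).
# Shape: a handshake burst, then a small fixed-size exchange every 60 seconds.
SAMPLE_FLOW = [
    (0.00, "f", 517), (0.05, "b", 1460), (0.06, "b", 1200), (0.10, "f", 126),
    (0.12, "f", 93), (60.15, "f", 93), (60.20, "b", 93), (120.22, "f", 93),
    (120.27, "b", 93), (180.30, "f", 93), (180.35, "b", 93),
]


def time_series_features(flow, silence_threshold=30.0):
    """Packet arrival intervals, session duration and silence periods
    (gaps of at least silence_threshold seconds; threshold is an assumption)."""
    times = [t for t, _, _ in flow]
    intervals = [b - a for a, b in zip(times, times[1:])]
    silences = [g for g in intervals if g >= silence_threshold]
    return {
        "mean_interval": sum(intervals) / len(intervals) if intervals else 0.0,
        "session_duration": times[-1] - times[0] if times else 0.0,
        "silence_count": len(silences),
        # Spread of silence lengths: near zero means a regular beacon-like cadence.
        "silence_regularity": (max(silences) - min(silences)) if silences else 0.0,
    }


def packet_size_features(flow):
    """Forward/backward length sequences, length distribution, length entropy."""
    fwd = [n for _, d, n in flow if d == "f"]
    bwd = [n for _, d, n in flow if d == "b"]
    dist = Counter(n for _, _, n in flow)
    total = sum(dist.values())
    entropy = -sum(c / total * log2(c / total) for c in dist.values())
    return {
        "forward_lengths": fwd,
        "backward_lengths": bwd,
        "length_distribution": dict(dist),
        "length_entropy": entropy,
        "dominant_length_share": max(dist.values()) / total,
    }


# Constructed, hypothetical profile sets: each entry is a predicate over one
# side's feature dictionary. A deployment would derive these from labelled data.
TIME_SERIES_PROFILES = {
    "advanced persistent threat C2 channel":
        lambda f: f["silence_count"] >= 3 and f["silence_regularity"] < 1.0,
    "encrypted DDoS attack":
        lambda f: f["mean_interval"] < 0.001 and f["session_duration"] < 1.0,
}
PACKET_SIZE_PROFILES = {
    "advanced persistent threat C2 channel":
        lambda f: f["length_entropy"] < 2.0 and f["dominant_length_share"] > 0.5,
    "tunneling attack":
        lambda f: bool(f["forward_lengths"])
        and max(f["forward_lengths"]) >= 1400 and f["length_entropy"] < 1.0,
}


def match_profiles(features, profiles):
    """All attack types whose profile matches; an empty list = no attack type."""
    return [name for name, pred in profiles.items() if pred(features)]


def identify_flow(flow):
    """Time-series-side and packet-side identification information for one flow."""
    return {
        "time_series_side": match_profiles(time_series_features(flow), TIME_SERIES_PROFILES),
        "packet_side": match_profiles(packet_size_features(flow), PACKET_SIZE_PROFILES),
    }


if __name__ == "__main__":
    print(identify_flow(SAMPLE_FLOW))
```

On the constructed flow both sides independently land on the same type (three near-identical 60-second silences on the time-series side; 93-byte packets dominating a low-entropy length distribution on the packet side), which is the kind of agreement the later fusion step relies on.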

[0021] Preferably, the process involves collecting encrypted traffic statistical characteristics, encrypted traffic connection interaction characteristics, and encrypted traffic association protocol characteristics, respectively; performing network attack type judgment processing based on the communication traffic statistical behavior characteristics of encrypted network traffic to obtain traffic-side network attack type judgment information; performing network attack type identification processing based on the communication connection interaction behavior characteristics of encrypted network traffic to obtain connection-side network attack type identification information; and performing network attack type detection processing based on the communication association protocol behavior characteristics of encrypted network traffic to obtain protocol-side network attack type detection information, including the following steps:

[0022] The system acquires statistical characteristic text information of encrypted network traffic transmission online using a dedicated traffic analyzer and generates encrypted traffic statistical characteristic information, including uplink and downlink byte information, data packet ratio information, total byte number information, and average transmission rate information. It also collects communication connection interaction characteristic text information of encrypted network traffic online using a network traffic analysis platform and generates encrypted traffic connection interaction characteristic information, including communication connection frequency information, target IP and port information, and connection success rate information. The network traffic analysis platform includes Security Onion. Finally, it monitors communication association protocol characteristic text information of encrypted network traffic online using a DNS log analysis tool and generates encrypted traffic association protocol characteristic information, including DNS query characteristic information and TLS handshake metadata. The DNS log analysis tool includes Zeek.

[0023] Based on the encrypted traffic statistical feature information and the set of standard encrypted traffic abnormal traffic statistical feature information for different network attack types, network attack type judgment processing of network communication encrypted traffic is performed to obtain network attack type judgment information on the traffic side.

[0024] Based on the encrypted traffic connection interaction feature information and the set of standard encrypted traffic abnormal connection interaction feature information for different network attack types, network attack type identification processing of network communication encrypted traffic is performed to obtain network attack type identification information on the connection side.

[0025] Based on the encrypted traffic association protocol feature information and the set of standard encrypted traffic anomaly association protocol feature information for different network attack types, network attack type detection processing is performed on the encrypted traffic of network communication to obtain network attack type detection information on the protocol side.
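The protocol side in [0022] and [0025] takes DNS query characteristics and TLS handshake metadata from a DNS log analysis tool such as Zeek and matches them against a per-attack-type feature set. The following added example (not the patent's or Zeek's code) parses records in Zeek's tab-separated log layout, using the `#fields` header that real Zeek logs carry, derives per-client protocol features, and matches them against a constructed, hypothetical profile set. The log rows, the trimmed column subset, and the profile thresholds are all constructed for illustration.

```python
"""Added example (not the patent's or Zeek's code): protocol-side features
(DNS query characteristics, TLS handshake metadata) from Zeek-style dns.log and
ssl.log records, matched against a constructed profile set."""
from collections import defaultdict
from math import log2

# Constructed sample records in Zeek's tab-separated format. Only a "#fields"
# header and data rows are included, and the column subset is trimmed.
DNS_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name
1700000000.1\t10.0.0.5\t10.0.0.53\twww.example.com\tA\tNOERROR
1700000001.2\t10.0.0.5\t10.0.0.53\tmail.example.com\tA\tNOERROR
1700000002.3\t10.0.0.9\t10.0.0.53\t3a9f1c.d2k8e.corp-updates.test\tTXT\tNOERROR
1700000003.4\t10.0.0.9\t10.0.0.53\t7bb41e.q9x2m.corp-updates.test\tTXT\tNOERROR
1700000004.5\t10.0.0.9\t10.0.0.53\tc01dd7.p4v6n.corp-updates.test\tTXT\tNXDOMAIN
1700000005.6\t10.0.0.9\t10.0.0.53\te55a09.r1w8z.corp-updates.test\tTXT\tNOERROR
"""
SSL_LOG = """#fields\tts\tid.orig_h\tid.resp_h\tversion\tserver_name\testablished
1700000000.5\t10.0.0.5\t93.184.216.34\tTLSv13\twww.example.com\tT
1700000002.9\t10.0.0.9\t198.51.100.7\tTLSv10\t-\tT
1700000003.9\t10.0.0.9\t198.51.100.7\tTLSv10\t-\tT
"""


def parse_zeek_tsv(text):
    """Yield one dict per data row, naming columns from the #fields header;
    Zeek's unset marker '-' becomes None."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def label_entropy(name):
    """Shannon entropy (bits) of the characters in the leftmost DNS label."""
    label = name.split(".")[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * log2(c / n) for c in counts.values())


def protocol_features(dns_text, ssl_text):
    """Per-client DNS query characteristics and TLS handshake metadata."""
    feats = defaultdict(lambda: {"dns_queries": 0, "txt_ratio": 0.0,
                                 "mean_label_entropy": 0.0, "nxdomain": 0,
                                 "tls_handshakes": 0, "tls_no_sni_ratio": 0.0,
                                 "tls_legacy_versions": 0})
    txt, ent, nosni = defaultdict(int), defaultdict(float), defaultdict(int)
    for r in parse_zeek_tsv(dns_text):
        host, f = r["id.orig_h"], feats[r["id.orig_h"]]
        f["dns_queries"] += 1
        txt[host] += int(r["qtype_name"] == "TXT")
        ent[host] += label_entropy(r["query"])
        f["nxdomain"] += int(r["rcode_name"] == "NXDOMAIN")
    for r in parse_zeek_tsv(ssl_text):
        host, f = r["id.orig_h"], feats[r["id.orig_h"]]
        f["tls_handshakes"] += 1
        nosni[host] += int(r["server_name"] is None)  # handshake without SNI
        f["tls_legacy_versions"] += int(r["version"] in ("SSLv3", "TLSv10", "TLSv11"))
    for host, f in feats.items():
        if f["dns_queries"]:
            f["txt_ratio"] = txt[host] / f["dns_queries"]
            f["mean_label_entropy"] = ent[host] / f["dns_queries"]
        if f["tls_handshakes"]:
            f["tls_no_sni_ratio"] = nosni[host] / f["tls_handshakes"]
    return dict(feats)


# Constructed, hypothetical protocol-side profiles; thresholds are illustrative.
PROTOCOL_PROFILES = {
    "tunneling attack":
        lambda f: f["txt_ratio"] >= 0.75 and f["mean_label_entropy"] >= 2.0,
    "remote access Trojan":
        lambda f: f["tls_handshakes"] >= 2 and f["tls_no_sni_ratio"] >= 0.5,
}


def detect_protocol_side(dns_text, ssl_text):
    """Map client host -> matched attack types (empty list = no attack type)."""
    return {host: [n for n, p in PROTOCOL_PROFILES.items() if p(f)]
            for host, f in protocol_features(dns_text, ssl_text).items()}


if __name__ == "__main__":
    print(detect_protocol_side(DNS_LOG, SSL_LOG))
```

Reading column names from the `#fields` line rather than hard-coding positions keeps the parser correct when a Zeek deployment adds or reorders fields; the same parser serves any of Zeek's TSV logs.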

[0026] Preferably, the network attack type determination process for network communication encrypted traffic based on the encrypted traffic statistical feature information and the set of standard encrypted traffic abnormal traffic statistical feature information for different network attack types, to obtain traffic-side network attack type determination information, includes the following steps:

[0027] Establish a set of statistical feature information on standard encrypted traffic and abnormal traffic for different types of network attacks. ,in Indicates the first The statistical feature information of abnormal traffic of standard encrypted traffic for different network attack types corresponding to different network attack types, wherein the statistical feature information of abnormal traffic of standard encrypted traffic for different network attack types represents the text information of abnormal traffic transmission characteristics of communication of standard encrypted traffic set for different network attack types.

[0028] The encrypted traffic statistical feature information is compared with the set of standard encrypted traffic abnormal traffic statistical feature information for different network attack types: the aforementioned abnormal traffic statistical feature information of standard encrypted traffic for each network attack type is matched against the communication traffic transmission feature information of the encrypted traffic to find all standard encrypted traffic abnormal traffic statistical feature information of different network attack types that matches the encrypted traffic statistical feature information. The corresponding network attack type text information is used to generate traffic-side network attack type judgment information after data identification. The traffic-side network attack type judgment information includes either no network attack type or any one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0029] Preferably, the network attack type identification processing of encrypted traffic based on the encrypted traffic connection interaction feature information and the standard encrypted traffic abnormal connection interaction feature information set for different network attack types, to obtain connection-side network attack type identification information, includes the following steps:

[0030] Establish a set of standard encrypted traffic abnormal connection interaction feature information for different network attack types. ,in Indicates the first The abnormal connection interaction feature information of standard encrypted traffic for different network attack types corresponding to different network attack types, wherein the abnormal connection interaction feature information of standard encrypted traffic for different network attack types represents the text information of communication connection interaction features of standard encrypted traffic set for different network attack types.

[0031] The encrypted traffic connection interaction feature information is compared with the set of standard encrypted traffic abnormal connection interaction feature information for different network attack types: the aforementioned abnormal connection interaction feature information of standard encrypted traffic for each network attack type is matched against the communication connection feature information of the encrypted traffic to find all standard encrypted traffic abnormal connection interaction feature information of different network attack types that matches the encrypted traffic connection interaction feature information. The corresponding network attack type text information is used to generate connection-side network attack type identification information through data identification. The specific steps for generating the connection-side network attack type identification information are as follows:

[0032] Step 2321: Initialize and update the maximum number of iterations T and the set of abnormal connection interaction feature information of standard encrypted traffic under different network attack types. The location of the raccoon population searched for by network attack targets is randomly initialized and updated within the optimization space; the formula for updating the location of the raccoon population searched for by network attack targets is as follows: ,in This indicates a search for individual raccoons as targets of a cyberattack. exist The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. The location of the search space; This is a set of abnormal connection interaction feature information for standard encrypted traffic of different network attack types. The upper boundary of the optimization space. This is a set of abnormal connection interaction feature information for standard encrypted traffic of different network attack types. The lower boundary of the optimization space, where r is a random number taking values in the interval [0,1].

[0033] Step 2322, Hunting and Attacking, based on the set of abnormal connection interaction characteristic information of standard encrypted traffic of different network attack types. In the optimization space, the network attack target search for raccoon populations involves simulating attacks on iguanas to attack and hunt raccoons; individual raccoons climb trees to search for standard encrypted traffic abnormal connection interaction feature information of different network attack types that match the encrypted traffic connection interaction feature information. Iguana; other cyberattack targets search raccoons on the ground waiting until the different cyberattack types' standard encrypted traffic abnormal connection interaction characteristic information. The iguana fell to the ground, and the abnormal connection interaction characteristic information of the standard encrypted traffic of the different network attack types was obtained. After the iguana lands, the network attack targets search for and hunt raccoons, using standard encrypted traffic abnormal connection interaction characteristic information of different network attack types. Iguana; The algorithm design assumes that the location of the optimal raccoon member in the network attack target search raccoon population is the standard encrypted traffic abnormal connection interaction characteristic information of different network attack types. The iguana's location, assuming half of the different network attack types, standard encrypted traffic, abnormal connection interaction characteristic information. The iguana climbs the tree, and the other half describes the different network attack types, standard encrypted traffic, abnormal connection interaction characteristic information. The iguana fell to the ground; the abnormal connection interaction characteristic information of the standard encrypted traffic of the different network attack types that rose from the tree. 
iguanas in the standard encrypted traffic abnormal connection interaction feature information set of different network attack types The mathematical simulation formula for the position in the optimization space is as follows: ,in This represents the abnormal connection interaction characteristic information of standard encrypted traffic for different network attack types described in the tree. iguanas in The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. The updated position in the optimization space. This indicates a search for individual raccoons as targets in a tree-based cyberattack. exist The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. The updated position in the optimization space. This represents the abnormal connection interaction characteristic information of standard encrypted traffic for different network attack types described in the tree. iguanas in The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. The original position in the search space. It is a random integer taking values in the range [0,1].

[0034] The abnormal connection interaction characteristic information of standard encrypted traffic for the different network attack types After the iguana fell to the ground, the abnormal connection interaction characteristic information of the standard encrypted traffic of the different network attack types was obtained. The iguana was placed in the standard encrypted traffic abnormal connection interaction feature information set of the different network attack types. A random location within the optimization space; based on the random location, simulate the abnormal connection interaction characteristics of standard encrypted traffic for different network attack types on the ground. iguanas in the standard encrypted traffic abnormal connection interaction feature information set of different network attack types Moving position within the optimization space; abnormal connection interaction characteristic information of standard encrypted traffic for different network attack types. The formula for simulating iguana movement is: ,in This indicates the abnormal connection interaction characteristics of standard encrypted traffic for different types of network attacks described on the ground. iguanas in The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. The updated position in the optimization space. This indicates a ground-based network attack targeting raccoon individuals. exist The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. The updated position in the optimization space. This indicates the abnormal connection interaction characteristics of standard encrypted traffic for different types of network attacks described on the ground. iguanas in The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. 
The original position in the search space; This indicates the abnormal connection interaction characteristics of standard encrypted traffic for different types of network attacks described on the ground. iguanas in The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. The range of update positions in the optimization space; This indicates that the search for individual raccoons as targets of ground-based cyberattacks is underway. The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. The range of update positions in the optimization space;

[0035] Step 2323: Escape the predator, based on the set of abnormal connection interaction characteristic information of standard encrypted traffic for different network attack types. The search for network attack targets within the optimization space of raccoon populations involves simulating predator encounters and escape strategies to identify standard encrypted traffic anomaly connection interaction characteristics that match the encrypted traffic connection interaction characteristics of different network attack types. When a predator uses the standard encrypted traffic abnormal connection interaction feature information set of different network attack types... When searching for individual raccoon targets within the optimization space of a network attack target, the network attack target raccoon individual is searched within the set of abnormal connection interaction feature information of standard encrypted traffic of different network attack types. The simulation formula for raccoon individuals escaping from their current dangerous position to a new safe position within the optimization space; the simulation formula for the position update of a raccoon individual escaping a predator during a network attack target search is as follows: ,in Indicates that predators are The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. The updated position of the raccoon individual during the search for targets in the optimization space of the attack ground network attack target. This indicates a search for individual raccoons as targets of a cyberattack. exist The set of standard encrypted traffic abnormal connection interaction feature information of different network attack types mentioned above. 
The updated position during the process of escaping the predator in the optimization space; and They represent the first The set of standard encrypted traffic abnormal connection interaction feature information for different network attack types after each iteration The upper and lower boundaries of the optimization space;

[0036] Step 2324: When the algorithm reaches the maximum number of iterations, output all the standard encrypted traffic abnormal connection interaction feature information of different network attack types that matches the encrypted traffic connection interaction feature information. Otherwise, repeat steps 2322 to 2324 until the maximum number of iterations is reached;

[0037] Step 2325: Collect all the different network attack types' standard encrypted traffic abnormal connection interaction feature information output in step 2324 that match the encrypted traffic connection interaction feature information. The corresponding network attack type text information is used to generate connection-side network attack type identification information through data identification. The connection-side network attack type identification information includes either no network attack type or one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0038] Preferably, the network attack type detection processing of encrypted traffic based on the encrypted traffic association protocol feature information and the standard encrypted traffic anomaly association protocol feature information set for different network attack types, to obtain protocol-side network attack type detection information, includes the following steps:

[0039] Establish the set of standard encrypted traffic abnormal association protocol feature information for different network attack types, in which the i-th element denotes the standard encrypted traffic abnormal association protocol feature information of the i-th network attack type, represented by the text information of the abnormal communication association protocol features set for standard encrypted traffic of that network attack type.

[0040] Match the encrypted traffic association protocol feature information against each item of standard encrypted traffic abnormal association protocol feature information in the set for different network attack types, to find all standard encrypted traffic abnormal association protocol feature information of different network attack types that matches the encrypted traffic association protocol feature information. The corresponding network attack type text information is used, after data identification, to generate the protocol-side network attack type detection information. The protocol-side network attack type detection information includes either no network attack type or any one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0041] Preferably, the process of searching for real-time network attack types in encrypted network communication traffic to obtain real-time network attack type information for encrypted traffic; statistically analyzing the frequency of occurrence of real-time network attack types in encrypted network communication traffic to obtain frequency information for real-time network attack types in encrypted traffic; and constructing real-time identification information for encrypted network communication traffic and executing a feedback operation for the identification results of encrypted network communication traffic includes the following steps:

[0042] The KD-tree nearest neighbor search algorithm is used to search, by network attack type keyword, for network attack type object categories in the time-series-side network attack type analysis information, the packet-side network attack type identification information, the traffic-side network attack type judgment information, the connection-side network attack type identification information, and the protocol-side network attack type detection information, and to construct the encrypted traffic real-time network attack type information set, in which the elements denote the encrypted traffic real-time network attack type information corresponding to each of the network attack types. This information is the text information of the network attack type objects detected in real time in the encrypted traffic of network communication, and includes either no network attack type or any one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0043] Based on the encrypted traffic real-time network attack type information set, the network attack type corresponding to each item of encrypted traffic real-time network attack type information is searched for in the time-series-side network attack type analysis information, the data packet-side network attack type identification information, the traffic-side network attack type judgment information, the connection-side network attack type identification information, and the protocol-side network attack type detection information, and the number of occurrences of each corresponding network attack type is counted; after data identification this yields the encrypted traffic real-time network attack type frequency information set, in which the elements denote the encrypted traffic real-time network attack type frequency information corresponding to each network attack type;

[0044] The encrypted traffic real-time network attack type information and the encrypted traffic real-time network attack type frequency information are combined and identified to construct real-time network communication encrypted traffic identification information, which is then transmitted to the network communication security display terminal via the mobile communication network to perform the network communication encrypted traffic identification result feedback operation.
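As an added worked example (not the patent's own code), the following Python sketches the matching and fusion described in the steps above: per-modality feature extraction for the packet-size and time-series features named in the method, KD-tree nearest-neighbour matching of each flow against a per-attack-type set of standard abnormal feature vectors, and counting of the per-modality results into frequency information and one identification record. The feature definitions, the standard vectors, the min-max scaling, the distance threshold and the sample flow are all constructed assumptions.

```python
import math
from collections import Counter

# Attack-type labels are a subset of the list in the method.  Both "standard
# abnormal" feature sets are constructed sample values, not the patent's data:
# one reference vector per attack type.
PACKET_STANDARD = {  # (mean packet length, share of packets >= 1000 B, length entropy)
    "botnet": (120.0, 0.0, 1.0),
    "remote access Trojan": (400.0, 0.2, 4.0),
    "tunneling attack": (512.0, 0.0, 0.5),
    "encrypted DDoS attack": (1400.0, 0.95, 0.3),
}
TIMING_STANDARD = {  # (mean inter-arrival s, inter-arrival std s, session duration s)
    "botnet": (60.0, 0.05, 1800.0),
    "remote access Trojan": (2.0, 3.0, 7200.0),
    "tunneling attack": (0.1, 0.08, 600.0),
    "encrypted DDoS attack": (0.001, 0.002, 120.0),
}


def packet_size_features(lengths):
    """Packet-side features of one flow: mean length, a coarse length
    distribution (share of large packets) and packet-length entropy in bits."""
    n = len(lengths)
    mean_len = sum(lengths) / n
    large_share = sum(1 for length in lengths if length >= 1000) / n
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(lengths).values())
    return (mean_len, large_share, entropy)


def time_series_features(timestamps):
    """Time-series features of one flow: mean and std of packet inter-arrival
    intervals (a periodic beacon has std close to 0) and session duration."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean_gap = sum(gaps) / len(gaps)
    std_gap = math.sqrt(sum((g - mean_gap) ** 2 for g in gaps) / len(gaps))
    return (mean_gap, std_gap, timestamps[-1] - timestamps[0])


class KDTree:
    """Minimal KD-tree over (label, point) pairs with a nearest-neighbour query."""

    def __init__(self, items, depth=0):
        self.axis = depth % len(items[0][1])
        items = sorted(items, key=lambda it: it[1][self.axis])
        mid = len(items) // 2
        self.label, self.point = items[mid]
        self.left = KDTree(items[:mid], depth + 1) if items[:mid] else None
        self.right = KDTree(items[mid + 1:], depth + 1) if items[mid + 1:] else None

    def nearest(self, q, best=None):
        d = math.dist(q, self.point)
        if best is None or d < best[0]:
            best = (d, self.label)
        diff = q[self.axis] - self.point[self.axis]
        near, far = (self.left, self.right) if diff < 0 else (self.right, self.left)
        if near is not None:
            best = near.nearest(q, best)
        if far is not None and abs(diff) < best[0]:  # a closer point may lie across the split
            best = far.nearest(q, best)
        return best


def identify(standard, features, threshold=0.5):
    """Match one flow's raw feature vector against a standard set.  Each axis is
    min-max scaled over the standard set so byte counts and bit entropies are
    comparable; a nearest neighbour farther than `threshold` in scaled space
    is reported as 'none', i.e. no network attack type matched."""
    vecs = list(standard.values())
    lo = [min(v[i] for v in vecs) for i in range(len(vecs[0]))]
    hi = [max(v[i] for v in vecs) for i in range(len(vecs[0]))]

    def scale(v):
        return tuple((x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi))

    tree = KDTree([(label, scale(v)) for label, v in standard.items()])
    dist, label = tree.nearest(scale(features))
    return label if dist <= threshold else "none"


def fuse(per_modality):
    """Combine per-modality results: the frequency information counts how many
    modalities reported each attack type; the record carries types and counts."""
    freq = Counter(label for label in per_modality.values() if label != "none")
    return {"attack_types": sorted(freq) or ["none"],
            "frequency": dict(freq), "sources": dict(per_modality)}


def run_example():
    """Constructed flow: 64/128-byte packets sent exactly every 60 s for 10 min."""
    lengths = [64, 64, 64, 128, 64, 64, 128, 64]
    timestamps = [float(t) for t in range(0, 601, 60)]
    return fuse({
        "packet-side": identify(PACKET_STANDARD, packet_size_features(lengths)),
        "time-series-side": identify(TIMING_STANDARD, time_series_features(timestamps)),
    })


if __name__ == "__main__":
    print(run_example())
```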

[0045] A multimodal fusion-based encrypted traffic identification system is provided to implement the multimodal fusion-based encrypted traffic identification method. The system includes a time-based data packet feature analysis module, a traffic interaction protocol feature analysis module, and an encrypted traffic comprehensive evaluation module.

[0046] The time-based data packet feature analysis module includes an encrypted traffic time series feature acquisition unit, an encrypted traffic data packet feature acquisition unit, a standard encrypted traffic abnormal time series feature information storage unit for different network attack types, a standard encrypted traffic abnormal data packet feature information storage unit for different network attack types, a time-series-side network attack type analysis unit, and a data packet-side network attack type identification unit.

[0047] The encrypted traffic time-series feature acquisition unit collects encrypted traffic time-series feature information through network performance monitoring tools; the encrypted traffic data packet feature acquisition unit collects encrypted traffic data packet size feature information through a deep flow detection probe; the standard encrypted traffic anomaly time-series feature information storage unit for different network attack types stores standard encrypted traffic anomaly time-series feature information for different network attack types; the standard encrypted traffic anomaly data packet feature information storage unit for different network attack types stores standard encrypted traffic anomaly data packet size feature information for different network attack types; the time-series-side network attack type analysis unit performs network attack type analysis processing on network communication encrypted traffic based on the encrypted traffic time-series feature information and the standard encrypted traffic anomaly time-series feature information for different network attack types to obtain time-series-side network attack type analysis information; the data packet-side network attack type identification unit performs network attack type identification processing on network communication encrypted traffic based on the encrypted traffic data packet size feature information and the standard encrypted traffic anomaly data packet size feature information for different network attack types to obtain data packet-side network attack type identification information.

[0048] The traffic interaction protocol feature analysis module includes an encrypted traffic statistical feature acquisition unit, an encrypted traffic connection interaction feature acquisition unit, an encrypted traffic association protocol feature acquisition unit, a standard encrypted traffic abnormal traffic statistical feature information storage unit for different network attack types, a standard encrypted traffic abnormal connection interaction feature information storage unit for different network attack types, a standard encrypted traffic abnormal association protocol feature information storage unit for different network attack types, a traffic-side network attack type judgment unit, a connection-side network attack type identification unit, and a protocol-side network attack type detection unit.

[0049] The encrypted traffic statistics feature acquisition unit collects encrypted traffic statistics feature information through a dedicated traffic analyzer; the encrypted traffic connection interaction feature acquisition unit collects encrypted traffic connection interaction feature information through a network traffic analysis platform; the encrypted traffic association protocol feature acquisition unit collects encrypted traffic association protocol feature information through a DNS log analysis tool; the standard encrypted traffic abnormal traffic statistics feature information storage unit for different network attack types is used to store standard encrypted traffic abnormal traffic statistics feature information for different network attack types; the standard encrypted traffic abnormal connection interaction feature information storage unit for different network attack types is used to store standard encrypted traffic abnormal connection interaction feature information for different network attack types; the standard encrypted traffic abnormal association protocol feature information storage unit for different network attack types is used to store standard encrypted traffic abnormal association protocol feature information for different network attack types.
The network attack type determination unit on the traffic side performs network attack type determination processing on encrypted traffic based on the encrypted traffic statistical feature information and the abnormal encrypted traffic statistical feature information of different network attack types, to obtain traffic side network attack type determination information; the network attack type identification unit on the connection side performs network attack type identification processing on encrypted traffic based on the encrypted traffic connection interaction feature information and the abnormal encrypted traffic connection interaction feature information of different network attack types, to obtain connection side network attack type identification information; the network attack type detection unit on the protocol side performs network attack type detection processing on encrypted traffic based on the encrypted traffic associated protocol feature information and the abnormal associated protocol feature information of different network attack types, to obtain protocol side network attack type detection information.

[0050] The encrypted traffic comprehensive evaluation module includes an encrypted traffic real-time network attack type search unit, an encrypted traffic real-time network attack type frequency statistics unit, and an encrypted traffic real-time identification result feedback unit.

[0051] The encrypted traffic real-time network attack type search unit performs real-time network attack type search processing on encrypted network communication traffic based on the time-series network attack type analysis information, the data packet-side network attack type identification information, the traffic-side network attack type judgment information, the connection-side network attack type identification information, and the protocol-side network attack type detection information to obtain encrypted traffic real-time network attack type information. The encrypted traffic real-time network attack type frequency statistics unit performs real-time network attack type occurrence frequency statistics processing on encrypted network communication traffic based on the encrypted traffic real-time network attack type information, the time-series network attack type analysis information, the data packet-side network attack type identification information, the traffic-side network attack type judgment information, the connection-side network attack type identification information, and the protocol-side network attack type detection information to obtain encrypted traffic real-time network attack type frequency information. The encrypted traffic real-time identification result feedback unit constructs real-time network communication encrypted traffic identification information based on the encrypted traffic real-time network attack type information and the encrypted traffic real-time network attack type frequency information, combined with data processing, and transmits it to the network communication security display terminal through the mobile communication network to perform network communication encrypted traffic identification result feedback operation.

[0052] (III) Beneficial Effects

[0053] This invention provides an encrypted traffic identification system and method based on multimodal fusion. It has the following beneficial effects:

[0054] I. Real-time and accurate monitoring of encrypted traffic's communication time-series characteristics and data packet size characteristics using network performance monitoring tools and deep flow detection probes; precise analysis of network attack types in encrypted traffic based on encrypted traffic time-series characteristics, combined with data analysis and standard-established abnormal encrypted traffic time-series characteristics for different network attack types, achieving network attack type identification based on encrypted traffic communication time-series behavioral characteristics; and precise identification of network attack types in encrypted traffic based on encrypted traffic data packet size characteristics, combined with data analysis and scientifically established abnormal encrypted traffic data packet size characteristics for different network attack types, improving the accuracy of encrypted traffic identification.

[0055] II. Dynamically collect statistical characteristics, connection interaction characteristics, and associated protocol characteristics of encrypted traffic using dedicated traffic analyzers, network traffic analysis platforms, and DNS log analysis tools. Based on these encrypted traffic statistical characteristics, combined with data analysis and statistical characteristics of abnormal encrypted traffic established using big data standards for different network attack types, scientifically determine the network attack type of encrypted network traffic. This achieves refined judgment of network attack types based on the statistical behavioral characteristics of encrypted traffic. Furthermore, based on encrypted traffic connection interaction characteristics, combined with artificial intelligence algorithms and abnormal encrypted traffic connection interaction characteristics established using standards for different network attack types, intelligently identify network attack types in encrypted network traffic. This achieves intelligent identification of network attack types based on the communication connection interaction behavioral characteristics of encrypted traffic. Finally, based on encrypted traffic associated protocol characteristics, combined with data analysis and scientifically established abnormal associated protocol characteristics for different network attack types, scientifically detect network attack types in encrypted network traffic. This enables multi-level intelligent analysis of network attack types based on encrypted traffic communication time series characteristics, communication data packet size characteristics, communication traffic statistical characteristics, communication connection interaction characteristics, and communication associated protocol characteristics. 
This achieves intelligent and efficient monitoring of communication network anomalies based on the multi-modal behavioral characteristics of encrypted traffic, improving the refinement of encrypted network traffic security monitoring.

[0056] III. Based on the network attack type detection information from the time-series, packet, traffic, connection, and protocol sides of encrypted traffic, the system autonomously searches for real-time network attack types in encrypted network communication traffic, achieving efficient real-time network attack type search. Simultaneously, combining data statistics, it dynamically and digitally analyzes the frequency of real-time network attack types in encrypted network communication traffic. Based on the real-time network attack type information and frequency information of encrypted traffic, combined with data processing, it constructs real-time identification information for encrypted network communication traffic. This information is then transmitted via the mobile communication network to a network communication security display terminal for dynamic visualization and feedback of the encrypted network communication traffic identification results. This achieves digital display of encrypted network communication traffic security monitoring results and improves the quality of encrypted network communication traffic identification.

Description of the Drawings

[0057] Figure 1 A schematic diagram of a module for an encrypted traffic identification system based on multimodal fusion provided by the present invention;

[0058] Figure 2 is a flowchart of the method for identifying encrypted traffic based on multimodal fusion provided by the present invention.

Detailed Implementation

[0059] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0060] An embodiment of an encrypted traffic identification system and method based on multimodal fusion is as follows:

[0061] Example 1:

[0062] Referring to Figures 1-2, a method for identifying encrypted traffic based on multimodal fusion comprises the following steps:

[0063] Step 1: Collect encrypted traffic time series feature information and encrypted traffic data packet size feature information respectively; perform network attack type analysis based on the communication time series behavior characteristics of encrypted network traffic to obtain time series-side network attack type analysis information; perform network attack type identification based on the communication data packet size behavior characteristics of encrypted network traffic to obtain data packet-side network attack type identification information.

[0064] Step 2: Collect encrypted traffic statistical feature information, encrypted traffic connection interaction feature information, and encrypted traffic association protocol feature information respectively; perform network attack type judgment processing based on the communication traffic statistical behavior characteristics of network communication encrypted traffic to obtain traffic-side network attack type judgment information; perform network attack type identification processing based on the communication connection interaction behavior characteristics of network communication encrypted traffic to obtain connection-side network attack type identification information; perform network attack type detection processing based on the communication association protocol behavior characteristics of network communication encrypted traffic to obtain protocol-side network attack type detection information.

[0065] Step 3: Search and process the real-time network attack types of encrypted network traffic to obtain real-time network attack type information; statistically process the frequency of occurrence of real-time network attack types of encrypted network traffic to obtain frequency information of real-time network attack types of encrypted network traffic; construct real-time identification information for encrypted network traffic and execute the network communication encrypted traffic identification result feedback operation.

[0066] Referring further to Figures 1-2, the process of collecting encrypted traffic time-series feature information and encrypted traffic data packet size feature information, respectively; performing network attack type analysis based on the communication time-series behavior characteristics of encrypted network traffic to obtain time-series-side network attack type analysis information; and performing network attack type identification based on the communication data packet size behavior characteristics of encrypted network traffic to obtain data packet-side network attack type identification information, includes the following steps:

[0067] Step 11: Monitor the communication time-series characteristic text information of encrypted network traffic online using network performance monitoring tools, and generate encrypted traffic time-series characteristic information. This time-series characteristic information includes data packet arrival interval information, session duration information, and silence period information. The network performance monitoring tool includes Riverbed. Collect the communication data packet size characteristic text information of encrypted network traffic online using a deep flow detection probe, and generate encrypted traffic data packet size characteristic information. This data packet size characteristic information includes the forward packet-length sequence information, backward packet-length sequence information, packet length distribution information, and packet length entropy information of encrypted traffic communication data packets. The deep flow detection probe includes Darktrace NDR.

[0068] Step 12: Based on the encrypted traffic time series feature information and the set of abnormal encrypted traffic time series feature information of different network attack types, perform network attack type analysis processing on the encrypted traffic of network communication to obtain time-series network attack type analysis information;

[0069] Step 13: Based on the encrypted traffic data packet size feature information and the set of abnormal encrypted traffic data packet size feature information for different network attack types, perform network attack type identification processing on the encrypted traffic of network communication to obtain network attack type identification information on the data packet side.

[0070] Based on the time-series feature information of encrypted traffic and the set of abnormal time-series feature information of standard encrypted traffic for different network attack types, network attack type analysis of encrypted traffic in network communication is performed to obtain time-series network attack type analysis information, including the following steps:

[0071] Step 121: Establish the set of standard encrypted traffic abnormal time-series feature information for different network attack types, in which the i-th element denotes the standard encrypted traffic abnormal time-series feature information of the i-th network attack type; the network attack types include botnets, remote access Trojans, advanced persistent threat C2 channels, spyware, targeted attacks, insider threats, ransomware downloaders, worm propagation, botnet component updates, tunneling attacks, traffic spoofing, and encrypted DDoS attacks. The standard encrypted traffic abnormal time-series feature information for a network attack type is the text information describing the abnormal communication time-series features set for standard encrypted traffic of that network attack type.

[0072] Step 122: Match the encrypted traffic time-series feature information against each item of standard encrypted traffic abnormal time-series feature information in the set for different network attack types, to find all standard encrypted traffic abnormal time-series feature information of different network attack types that matches the encrypted traffic time-series feature information. The corresponding network attack type text information is used to construct the time-series-side network attack type analysis information. The time-series-side network attack type analysis information includes either no network attack type or one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0073] Based on the characteristics of encrypted traffic data packets and the set of abnormal encrypted traffic data packet sizes for different network attack types, network attack type identification processing of encrypted traffic in network communication is performed to obtain network attack type identification information on the data packet side, including the following steps:

[0074] Step 131: Establish the set of standard encrypted traffic abnormal data packet size feature information for different network attack types, in which the i-th element denotes the standard encrypted traffic abnormal data packet size feature information of the i-th network attack type, represented by the text information of the abnormal communication data packet size features set for standard encrypted traffic of that network attack type.

[0075] Step 132: Match the encrypted traffic data packet size feature information against each item of standard encrypted traffic abnormal data packet size feature information in the set for different network attack types, to find all standard encrypted traffic abnormal data packet size feature information of different network attack types that matches the encrypted traffic data packet size feature information. The corresponding network attack type text information is used, after data identification, to generate the data packet-side network attack type identification information. The data packet-side network attack type identification information includes either no network attack type or one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0076] Referring further to Figures 1-2, the process of collecting encrypted traffic statistical characteristics, encrypted traffic connection interaction characteristics, and encrypted traffic associated protocol characteristics, respectively; performing network attack type judgment based on the communication traffic statistical behavior characteristics of encrypted network traffic to obtain traffic-side network attack type judgment information; performing network attack type identification based on the communication connection interaction behavior characteristics of encrypted network traffic to obtain connection-side network attack type identification information; and performing network attack type detection based on the communication associated protocol behavior characteristics of encrypted network traffic to obtain protocol-side network attack type detection information, includes the following steps:

[0077] Step 21: Acquire the communication traffic transmission characteristic text information of encrypted network traffic online using a dedicated traffic analyzer, and generate encrypted traffic statistical characteristic information. This information includes uplink and downlink byte information, data packet ratio, total bytes transmitted, and average transmission rate. Collect the communication connection interaction characteristic text information of encrypted network traffic online using a network traffic analysis platform, and generate encrypted traffic connection interaction characteristic information. This information includes communication connection frequency, target IP and port, and connection success rate. The network traffic analysis platform includes Security Onion. Monitor the communication association protocol characteristic text information of encrypted network traffic online using a DNS log analysis tool, and generate encrypted traffic association protocol characteristic information. This information includes DNS query characteristic information and TLS handshake metadata. The DNS log analysis tool includes Zeek.

[0078] Step 22: Based on the encrypted traffic statistical feature information and the set of standard encrypted traffic abnormal traffic statistical feature information for different network attack types, perform network attack type judgment processing on the encrypted traffic of network communication to obtain network attack type judgment information on the traffic side.

[0079] Step 23: Based on the encrypted traffic connection interaction feature information and the standard encrypted traffic abnormal connection interaction feature information set for different network attack types, perform network attack type identification processing on the encrypted traffic of network communication to obtain the network attack type identification information on the connection side.

[0080] Step 24: Based on the encrypted traffic association protocol feature information and the set of standard encrypted traffic anomaly association protocol feature information for different network attack types, perform network attack type detection processing on the encrypted traffic of network communication to obtain network attack type detection information on the protocol side.

[0081] Based on the statistical characteristics of encrypted traffic and the statistical characteristics of abnormal encrypted traffic for different network attack types, the network attack type determination process for encrypted network communication traffic is performed to obtain network attack type determination information on the traffic side, including the following steps:

[0082] Step 221: Establish the set of standard encrypted traffic abnormal traffic statistical feature information for different network attack types, in which the i-th element denotes the standard encrypted traffic abnormal traffic statistical feature information of the i-th network attack type, represented by the text information of the abnormal communication traffic transmission features set for standard encrypted traffic of that network attack type.

[0083] Step 222: Match the encrypted traffic statistical feature information against each item of standard encrypted traffic abnormal traffic statistical feature information in the set for different network attack types, performing communication traffic transmission feature matching to find all standard encrypted traffic abnormal traffic statistical feature information of different network attack types that matches the encrypted traffic statistical feature information. The corresponding network attack type text information is used, after data identification, to generate the traffic-side network attack type judgment information. The traffic-side network attack type judgment information includes either no network attack type or any one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0084] Based on encrypted traffic connection interaction feature information and a set of abnormal encrypted traffic connection interaction feature information for different network attack types, network attack type identification processing of encrypted traffic in network communication is performed to obtain connection-side network attack type identification information, including the following steps:

[0085] Step 231: Establish the set of abnormal connection interaction feature information of standard encrypted traffic for the different network attack types, in which each element denotes the abnormal connection interaction feature information of the standard encrypted traffic of one network attack type, represented as text information describing the communication connection interaction characteristics set for that attack type.

[0086] Step 232: Using the encrypted traffic connection interaction feature information and the set of abnormal connection interaction feature information of standard encrypted traffic for the different network attack types, perform communication connection characteristic matching on the encrypted traffic, searching for every element of the set that matches the encrypted traffic connection interaction feature information. The network attack type text information corresponding to the matched elements is used, after data identification, to generate the connection-side network attack type identification information. The specific steps for generating the connection-side network attack type identification information are as follows:

[0087] Step 2321: Initialize the maximum number of iterations T and the optimization space defined by the set of abnormal connection interaction feature information of standard encrypted traffic for the different network attack types. The positions of the members of the search population (the "raccoons" that search for network attack targets) are randomly initialized and updated within the optimization space. The initialization formula is expressed in terms of the position of an individual search member in the optimization space of the set, the upper boundary of the optimization space of the set, the lower boundary of the optimization space of the set, and a random number r taking values in the interval [0,1].

[0088] Step 2322, hunting and attacking: within the optimization space of the set, the search population hunts by simulating an attack on an iguana, where the iguana represents an element of the set of abnormal connection interaction feature information of standard encrypted traffic for the different network attack types that matches the encrypted traffic connection interaction feature information. Some search members climb the tree towards the iguana, while the other members wait on the ground until the iguana falls, and then hunt it there. The algorithm design assumes that the best-placed member of the search population corresponds to the position of the iguana, that half of the members climb the tree while the other half wait for the iguana to fall to the ground, and that the position of a tree-climbing member is updated by a formula expressed in terms of the updated position of the iguana in the optimization space of the set, the updated position of the tree-climbing member in the optimization space of the set, the original position of the iguana in the search space of the set, and a random integer taking values in the range [0,1].

[0089] After the iguana falls to the ground, it is placed at a random position within the optimization space of the set of abnormal connection interaction feature information of standard encrypted traffic for the different network attack types; from that random position, the movement of the ground members towards or away from the fallen iguana is simulated by a formula expressed in terms of the updated position of the fallen iguana in the optimization space of the set, the updated position of the ground member in the optimization space of the set, the original position of the fallen iguana in the search space of the set, the range of positions to which the fallen iguana may be updated within the optimization space of the set, and the range of positions to which the ground member may be updated within the optimization space of the set.

[0090] Step 2323, escaping from a predator: within the optimization space of the set of abnormal connection interaction feature information of standard encrypted traffic for the different network attack types, the search population simulates the encounter with a predator and the escape from it, which moves each member from its current, dangerous position to a new, safe position nearby, in order to identify the elements of the set that match the encrypted traffic connection interaction feature information. The position update formula for a member escaping a predator is expressed in terms of the member's position in the optimization space of the set when the predator attacks, the member's updated position after escaping within the optimization space of the set, and the upper and lower boundaries of the optimization space of the set at the current iteration.

[0091] Step 2324: When the maximum number of iterations is reached, output all elements of the set of abnormal connection interaction feature information of standard encrypted traffic for the different network attack types that match the encrypted traffic connection interaction feature information; otherwise, repeat Steps 2322 to 2324 until the maximum number of iterations is reached.

[0092] Step 2325: Collect all the standard encrypted traffic abnormal connection interaction characteristic information of different network attack types that match the encrypted traffic connection interaction characteristic information output in Step 2324. The corresponding network attack type text information is used to generate connection-side network attack type identification information after data identification. The connection-side network attack type identification information includes either no network attack type or one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.
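The following is an added example, not code from the patent, of the population search described in Steps 2321 to 2325: a population of search members ("raccoons", i.e. coatis) is initialized in a bounded space, half of them move towards the best member (the iguana in the tree) while the other half move towards or away from a randomly placed fallen iguana, every member then makes a small escape move inside bounds that shrink with the iteration count, and the best member is output after T iterations. The page does not print the update formulas; the ones used here follow the published coati optimization algorithm, with the random integer drawn from {1, 2} and each move accepted only if it improves the member, all of which are assumptions. The page applies the search to locating matching signature entries; to make the optimizer do useful work, this example instead applies it to learning per-feature weights for nearest-signature matching of connection interaction features. The four feature names, the signature vectors and the labelled training flows are constructed for illustration.

```python
"""Coati-style population search (Steps 2321-2325) learning feature weights
for nearest-signature matching of connection interaction features.
Added illustration: signatures, flows and feature names are constructed;
update rules follow the published coati optimization algorithm (assumption).
"""
import numpy as np

ATTACK_TYPES = ["no network attack type", "botnet",
                "remote access Trojan", "tunneling attack"]

# Constructed per-type signatures over four connection interaction features,
# each scaled to [0,1]: beaconing regularity, client/server byte ratio,
# mean connection duration, connections per minute.
SIGNATURES = np.array([
    [0.10, 0.50, 0.30, 0.10],   # no attack
    [0.90, 0.20, 0.10, 0.60],   # botnet
    [0.70, 0.80, 0.90, 0.30],   # remote access Trojan
    [0.40, 0.95, 0.60, 0.90],   # tunneling attack
])

# Constructed labelled flows used to score a candidate weighting.
TRAIN_X = np.array([
    [0.12, 0.47, 0.33, 0.08], [0.07, 0.54, 0.26, 0.13],
    [0.87, 0.23, 0.14, 0.56], [0.94, 0.16, 0.06, 0.64],
    [0.66, 0.84, 0.86, 0.34], [0.74, 0.77, 0.94, 0.27],
    [0.44, 0.92, 0.56, 0.86], [0.36, 0.98, 0.64, 0.94],
])
TRAIN_Y = np.array([0, 0, 1, 1, 2, 2, 3, 3])


def distances(x, weights):
    """Weighted squared distances from flow x to every signature; weights are
    normalised so that only their relative size matters."""
    w = weights / max(float(weights.sum()), 1e-9)
    return ((SIGNATURES - x) ** 2 * w).sum(axis=1)


def fitness(weights):
    """Misclassified training flows minus the worst-case margin between the
    correct signature and the nearest wrong one; lower is better."""
    errors, worst_margin = 0, np.inf
    for x, y in zip(TRAIN_X, TRAIN_Y):
        d = distances(x, weights)
        errors += int(np.argmin(d)) != y
        worst_margin = min(worst_margin, np.delete(d, y).min() - d[y])
    return errors - worst_margin


def _accept(obj, X, F, i, cand):
    """Greedy replacement: keep the move only if it improves member i."""
    fc = obj(cand)
    if fc < F[i]:
        X[i], F[i] = cand, fc


def coati_optimize(obj, lb, ub, pop=20, iters=60, seed=1):
    """Minimise obj over the box [lb, ub] with the hunting/escape phases."""
    rng = np.random.default_rng(seed)
    dim = len(lb)
    X = lb + rng.random((pop, dim)) * (ub - lb)          # Step 2321: random init
    F = np.array([obj(x) for x in X])
    half = pop // 2
    for t in range(1, iters + 1):
        iguana = X[np.argmin(F)].copy()                  # best member = iguana in the tree
        for i in range(pop):                             # Step 2322: hunting
            r, I = rng.random(dim), rng.integers(1, 3)   # I drawn from {1, 2} (assumption)
            if i < half:                                 # this half climbs the tree
                cand = X[i] + r * (iguana - I * X[i])
            else:                                        # this half waits on the ground
                fallen = lb + rng.random(dim) * (ub - lb)
                if obj(fallen) < F[i]:
                    cand = X[i] + r * (fallen - I * X[i])
                else:
                    cand = X[i] + r * (X[i] - fallen)
            _accept(obj, X, F, i, np.clip(cand, lb, ub))
        lb_t, ub_t = lb / t, ub / t                      # Step 2323: escape within shrinking bounds
        for i in range(pop):
            r = rng.random(dim)
            cand = X[i] + (1 - 2 * rng.random()) * (lb_t + r * (ub_t - lb_t))
            _accept(obj, X, F, i, np.clip(cand, lb, ub))
    k = int(np.argmin(F))                                # Step 2324: output the best member
    return X[k], float(F[k])


def learn_weights(seed=1, iters=60):
    """Run the search over weight vectors in [0,1]^4; returns (weights, fitness)."""
    w, f = coati_optimize(fitness, np.zeros(4), np.ones(4), seed=seed, iters=iters)
    return [float(v) for v in w], f


def classify(features, weights):
    """Step 2325: the attack type whose signature is nearest under the weights."""
    d = distances(np.asarray(features, float), np.asarray(weights, float))
    return ATTACK_TYPES[int(np.argmin(d))]


if __name__ == "__main__":
    w, f = learn_weights()
    print("weights", [round(v, 3) for v in w], "fitness", round(f, 4))
    print(classify([0.88, 0.22, 0.12, 0.58], w))
```

The greedy acceptance in `_accept` keeps the best fitness from ever getting worse, which is what makes "output the best member at iteration T" in Step 2324 safe; the escape step's bounds divide by the iteration counter, so late iterations only make small local moves. With signatures as well separated as these any positive weighting already classifies the training flows, so the search only sharpens the margin; the optimizer earns its keep when signatures overlap in some features and the weighting has to decide which features dominate.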

[0093] Based on the characteristic information of encrypted traffic association protocols and the set of characteristic information of abnormal association protocols of standard encrypted traffic for different network attack types, network attack type detection processing of encrypted traffic in network communication is performed to obtain network attack type detection information on the protocol side, including the following steps:

[0094] Step 241: Establish the set of abnormal association protocol feature information of standard encrypted traffic for the different network attack types, in which each element denotes the abnormal association protocol feature information of the standard encrypted traffic of one network attack type, represented as text information describing the communication association protocol characteristics set for that attack type.

[0095] Step 242: Using the encrypted traffic association protocol feature information and the set of abnormal association protocol feature information of standard encrypted traffic for the different network attack types, perform communication protocol feature matching on the encrypted traffic, searching for every element of the set that matches the encrypted traffic association protocol feature information. The network attack type text information corresponding to the matched elements is used, after data identification, to generate the protocol-side network attack type detection information. The protocol-side network attack type detection information contains either no network attack type or one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0096] For further details, please refer to Figures 1-2. Performing real-time network attack type search processing on the encrypted network communication traffic to obtain real-time network attack type information; performing statistical processing on the frequency of occurrence of the real-time network attack types in the encrypted network communication traffic to obtain real-time network attack type frequency information; and constructing real-time identification information for the encrypted network communication traffic and performing a feedback operation on the identification results, includes the following steps:

[0097] Step 31: Using a KD-tree nearest neighbor search on network attack type keywords, search the time-series-side network attack type analysis information, the data packet-side network attack type identification information, the traffic-side network attack type judgment information, the connection-side network attack type identification information and the protocol-side network attack type detection information for the network attack types they contain, and construct the set of real-time network attack type information for the encrypted traffic, in which each element denotes the real-time network attack type information of the encrypted traffic corresponding to one network attack type. The real-time network attack type information of the encrypted traffic represents the type of network attack detected in real time during network communication, and contains either no network attack type or one or more of the following: botnet, remote access Trojan, advanced persistent threat C2 channel, spyware, targeted attack, insider threat, ransomware downloader, worm propagation, botnet component update, tunneling attack, traffic spoofing, and encrypted DDoS attack.

[0098] Step 32: For each element of the set of real-time network attack type information for the encrypted traffic, retrieve the corresponding network attack type from the time-series-side network attack type analysis information, the data packet-side network attack type identification information, the traffic-side network attack type judgment information, the connection-side network attack type identification information and the protocol-side network attack type detection information, and count how often that network attack type occurs across them. The resulting counts are used, after data identification, to generate the set of real-time network attack type frequency information for the encrypted traffic, in which each element denotes the real-time network attack type frequency information of the encrypted traffic corresponding to one network attack type.

[0099] Step 33: Combine and identify the real-time network attack type information and frequency information of the encrypted traffic to construct real-time identification information of encrypted network traffic, and transmit it to the network communication security display terminal through the mobile communication network to perform the network communication encrypted traffic identification result feedback operation.
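The following is an added example, not code from the patent, covering the per-side matching of Steps 222, 232 and 242 together with the fusion of Steps 31 to 33. Each of the five sides (time series, packet size, traffic statistics, connection interaction, association protocol) compares the features it observes against the "standard abnormal feature" rules for each attack type and votes for the types that match; the fusion step counts how many sides voted for each type and builds the real-time identification record that Step 33 sends to the display terminal. The rule tables, feature names and the sample flow are constructed for illustration, and the keyword search of Step 31 is done with a plain dictionary rather than a KD-tree.

```python
"""Per-side rule matching followed by frequency-based fusion (Steps 222/232/242
and Steps 31-33). Added illustration: rules, feature names and the sample flow
are constructed and carry no operational meaning."""
from collections import Counter

# Constructed rules: attack type -> side -> {feature: (low, high)}.
# A side votes for a type when every feature named in that type's rule for
# the side is present and inside its range.
RULES = {
    "botnet": {
        "time_series": {"beacon_interval_cv": (0.0, 0.15)},
        "packet_size": {"mean_pkt_bytes": (60, 200)},
        "statistics": {"bytes_in_over_out": (0.5, 2.0)},
        "connection": {"conns_per_min": (0.1, 2.0)},
        "protocol": {"dns_nxdomain_ratio": (0.3, 1.0)},
    },
    "tunneling attack": {
        "packet_size": {"mean_pkt_bytes": (200, 1500)},
        "statistics": {"bytes_in_over_out": (0.0, 0.2)},
        "protocol": {"dns_txt_ratio": (0.5, 1.0), "dns_label_len": (40, 255)},
    },
    "encrypted DDoS attack": {
        "time_series": {"beacon_interval_cv": (0.0, 0.05)},
        "connection": {"conns_per_min": (500, float("inf"))},
    },
}

SIDES = ("time_series", "packet_size", "statistics", "connection", "protocol")


def side_verdict(side, features):
    """Attack types whose rule for this side matches the observed features
    (the per-side identification information of Steps 222/232/242)."""
    matched = []
    for attack, per_side in RULES.items():
        rule = per_side.get(side)
        if not rule:
            continue
        if all(name in features and lo <= features[name] <= hi
               for name, (lo, hi) in rule.items()):
            matched.append(attack)
    return matched


def fuse(flow_features):
    """Steps 31-33: gather each side's verdict, count how many sides report
    each type, and build the real-time identification record."""
    verdicts = {s: side_verdict(s, flow_features.get(s, {})) for s in SIDES}
    freq = Counter(t for v in verdicts.values() for t in v)
    ranked = sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "sides": verdicts,
        "attack_types": [t for t, _ in ranked] or ["no network attack type"],
        "frequency": dict(ranked),
    }


# Constructed observation: a long-lived, low-volume, regularly beaconing flow.
SAMPLE_FLOW = {
    "time_series": {"beacon_interval_cv": 0.08},
    "packet_size": {"mean_pkt_bytes": 140},
    "statistics": {"bytes_in_over_out": 1.1},
    "connection": {"conns_per_min": 0.5},
    "protocol": {"dns_nxdomain_ratio": 0.55, "dns_txt_ratio": 0.1,
                 "dns_label_len": 12},
}

if __name__ == "__main__":
    print(fuse(SAMPLE_FLOW))
```

For the constructed flow all five sides vote for botnet, so the record lists botnet with frequency 5 and nothing else. Counting votes treats every side as equally trustworthy; in a deployment the per-side precision differs (DNS log features, for instance, say little about a flow that never resolved a name), so the count is better read as the number of independent modalities that agree than as a confidence score.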

[0100] Example 2:

[0101] Please see Figures 1-2. A multimodal fusion-based encrypted traffic identification system is used to implement the multimodal fusion-based encrypted traffic identification method. The system includes a time-based data packet feature analysis module, a traffic interaction protocol feature analysis module, and an encrypted traffic comprehensive evaluation module.

[0102] The time-based data packet feature analysis module includes an encrypted traffic time series feature acquisition unit, an encrypted traffic data packet feature acquisition unit, a standard encrypted traffic abnormal time series feature information storage unit for different network attack types, a standard encrypted traffic abnormal data packet feature information storage unit for different network attack types, a time-series-side network attack type analysis unit, and a data packet-side network attack type identification unit.

[0103] The system comprises the following components: an encrypted traffic time-series feature acquisition unit, which acquires encrypted traffic time-series feature information through network performance monitoring tools; an encrypted traffic data packet feature acquisition unit, which acquires encrypted traffic data packet size feature information through a deep flow detection probe; a standard encrypted traffic anomaly time-series feature information storage unit for different network attack types, used to store standard encrypted traffic anomaly time-series feature information for different network attack types; a standard encrypted traffic anomaly data packet feature information storage unit for different network attack types, used to store standard encrypted traffic anomaly data packet size feature information for different network attack types; a time-series-side network attack type analysis unit, which performs network attack type analysis processing on encrypted network communication traffic based on encrypted traffic time-series feature information and standard encrypted traffic anomaly time-series feature information for different network attack types, to obtain time-series-side network attack type analysis information; and a data packet-side network attack type identification unit, which performs network attack type identification processing on encrypted network communication traffic based on encrypted traffic data packet size feature information and standard encrypted traffic anomaly data packet size feature information for different network attack types, to obtain data packet-side network attack type identification information.

[0104] The traffic interaction protocol feature analysis module includes an encrypted traffic statistical feature acquisition unit, an encrypted traffic connection interaction feature acquisition unit, an encrypted traffic association protocol feature acquisition unit, a standard encrypted traffic abnormal traffic statistical feature information storage unit for different network attack types, a standard encrypted traffic abnormal connection interaction feature information storage unit for different network attack types, a standard encrypted traffic abnormal association protocol feature information storage unit for different network attack types, a traffic-side network attack type judgment unit, a connection-side network attack type identification unit, and a protocol-side network attack type detection unit.

[0105] The system includes: an encrypted traffic statistics feature acquisition unit, which collects encrypted traffic statistics feature information using a dedicated traffic analyzer; an encrypted traffic connection interaction feature acquisition unit, which collects encrypted traffic connection interaction feature information using a network traffic analysis platform; an encrypted traffic association protocol feature acquisition unit, which collects encrypted traffic association protocol feature information using a DNS log analysis tool; a standard encrypted traffic abnormal traffic statistics feature information storage unit for different network attack types, used to store standard encrypted traffic abnormal traffic statistics feature information for different network attack types; a standard encrypted traffic abnormal connection interaction feature information storage unit for different network attack types; and a standard encrypted traffic abnormal association protocol feature information storage unit for different network attack types. The system comprises: a traffic-side network attack type judgment unit, which performs network attack type judgment on encrypted traffic based on encrypted traffic statistical feature information and abnormal encrypted traffic statistical feature information of different network attack types; a connection-side network attack type identification unit, which performs network attack type identification on encrypted traffic based on encrypted traffic connection interaction feature information and abnormal encrypted traffic connection interaction feature information of different network attack types; and a protocol-side network attack type detection unit, which performs network attack type detection on encrypted traffic based on encrypted traffic associated protocol feature information and abnormal associated protocol feature information of different network attack types.

[0106] The encrypted traffic comprehensive evaluation module includes a real-time encrypted traffic network attack type search unit, a real-time encrypted traffic network attack type frequency statistics unit, and a real-time encrypted traffic identification result feedback unit.

[0107] The encrypted traffic real-time network attack type search unit performs real-time network attack type search processing on encrypted network communication traffic based on time-series network attack type analysis information, data packet-side network attack type identification information, traffic-side network attack type judgment information, connection-side network attack type identification information, and protocol-side network attack type detection information to obtain encrypted traffic real-time network attack type information. The encrypted traffic real-time network attack type frequency statistics unit performs real-time network attack type occurrence frequency statistics processing on encrypted network communication traffic based on the encrypted traffic real-time network attack type information, time-series network attack type analysis information, data packet-side network attack type identification information, traffic-side network attack type judgment information, connection-side network attack type identification information, and protocol-side network attack type detection information to obtain encrypted traffic real-time network attack type frequency information. The encrypted traffic real-time identification result feedback unit constructs real-time network communication encrypted traffic identification information based on the encrypted traffic real-time network attack type information and encrypted traffic real-time attack type frequency information, combined with data processing, and transmits it to the network communication security display terminal via the mobile communication network to perform the network communication encrypted traffic identification result feedback operation.

[0108] Although embodiments of the invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made to these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims and their equivalents.

Claims

1. A method for identifying encrypted traffic based on multimodal fusion, characterized in that, The method includes the following steps: Encrypted traffic time series feature information and encrypted traffic data packet size feature information are collected separately; network attack type analysis is performed based on the communication time series behavior features of encrypted network traffic to obtain time series-side network attack type analysis information; network attack type identification is performed based on the communication data packet size behavior features of encrypted network traffic to obtain data packet-side network attack type identification information. Collect encrypted traffic statistical characteristics, encrypted traffic connection interaction characteristics, and encrypted traffic association protocol characteristics, respectively. Network attack type judgment is performed based on the communication traffic statistics behavior characteristics of encrypted network communication traffic to obtain network attack type judgment information on the traffic side; network attack type identification is performed based on the communication connection interaction behavior characteristics of encrypted network communication traffic to obtain network attack type identification information on the connection side; network attack type detection is performed based on the communication association protocol behavior characteristics of encrypted network communication traffic to obtain network attack type detection information on the protocol side. 
The system searches for and processes real-time network attack types in encrypted network traffic to obtain real-time network attack type information; it also performs statistical processing on the frequency of real-time network attack types in encrypted network traffic to obtain frequency information; and finally constructs real-time identification information for encrypted network traffic and executes a feedback operation on the identification results.

2. The encrypted traffic identification method based on multimodal fusion according to claim 1, characterized in that: The process involves collecting encrypted traffic time-series feature information and encrypted traffic data packet size feature information; performing network attack type analysis based on the communication time-series behavior characteristics of encrypted network traffic to obtain time-series-side network attack type analysis information; and performing network attack type identification based on the communication data packet size behavior characteristics of encrypted network traffic to obtain data packet-side network attack type identification information, including the following steps: The network performance monitoring tool is used to monitor the communication time series characteristic text information of encrypted network traffic online and generate encrypted traffic time series characteristic information; the deep flow detection probe is used to collect the communication data packet size characteristic text information of encrypted network traffic online and generate encrypted traffic data packet size characteristic information. Based on the encrypted traffic time series feature information and the set of abnormal encrypted traffic time series feature information of different network attack types, network attack type analysis and processing of network communication encrypted traffic is performed to obtain time-series network attack type analysis information. Based on the encrypted traffic data packet size feature information and the set of abnormal encrypted traffic data packet size feature information for different network attack types, network attack type identification processing of encrypted traffic in network communication is performed to obtain network attack type identification information on the data packet side.

3. The encrypted traffic identification method based on multimodal fusion according to claim 2, characterized in that: performing network attack type analysis processing of the network communication encrypted traffic based on the encrypted traffic time series feature information and the set of abnormal time series feature information of standard encrypted traffic for different network attack types, to obtain time-series-side network attack type analysis information, includes the following steps: establishing a set of abnormal time series feature information of standard encrypted traffic for different network attack types, in which each element corresponds to the abnormal time series feature information of the standard encrypted traffic of one network attack type; matching the encrypted traffic time series feature information against each element of the set on the communication time series features of the encrypted traffic, to find all elements that match the encrypted traffic time series feature information; and using the corresponding network attack type text information to construct the time-series-side network attack type analysis information.

4. The encrypted traffic identification method based on multimodal fusion according to claim 3, characterized in that: performing network attack type identification processing of the network communication encrypted traffic based on the encrypted traffic data packet size feature information and the set of abnormal data packet size feature information of standard encrypted traffic for different network attack types, to obtain data packet-side network attack type identification information, includes the following steps: establishing a set of abnormal data packet size feature information of standard encrypted traffic for different network attack types, in which each element corresponds to the abnormal data packet size features of the standard encrypted traffic of one network attack type; matching the encrypted traffic data packet size feature information against each element of the set on the communication data packet size features of the encrypted traffic, to find all elements that match the encrypted traffic data packet size feature information; and processing the corresponding network attack type text information by data identification to generate the data packet-side network attack type identification information.

5. The encrypted traffic identification method based on multimodal fusion according to claim 4, characterized in that: Collect encrypted traffic statistical characteristics, encrypted traffic connection interaction characteristics, and encrypted traffic association protocol characteristics, respectively. The process of determining network attack types based on the statistical behavior characteristics of encrypted network traffic yields network attack type determination information on the traffic side; the process of identifying network attack types based on the communication connection interaction behavior characteristics of encrypted network traffic yields network attack type identification information on the connection side; and the process of detecting network attack types based on the communication association protocol behavior characteristics of encrypted network traffic yields network attack type detection information on the protocol side, including the following steps: The system acquires statistical characteristic text information of encrypted network traffic transmission through a dedicated traffic analyzer and generates encrypted traffic statistical characteristic information. It also collects communication connection interaction characteristic text information of encrypted network traffic online through a network traffic analysis platform and generates encrypted traffic connection interaction characteristic information. Furthermore, it monitors communication association protocol characteristic text information of encrypted network traffic online through a DNS log analysis tool and generates encrypted traffic association protocol characteristic information. 
Based on the encrypted traffic statistical feature information and the set of standard encrypted traffic abnormal traffic statistical feature information for different network attack types, network attack type judgment processing of network communication encrypted traffic is performed to obtain network attack type judgment information on the traffic side. Based on the encrypted traffic connection interaction feature information and the set of standard encrypted traffic abnormal connection interaction feature information for different network attack types, network attack type identification processing of network communication encrypted traffic is performed to obtain network attack type identification information on the connection side. Based on the encrypted traffic association protocol feature information and the set of standard encrypted traffic anomaly association protocol feature information for different network attack types, network attack type detection processing is performed on the encrypted traffic of network communication to obtain network attack type detection information on the protocol side.

6. The encrypted traffic identification method based on multimodal fusion according to claim 5, characterized in that: performing network attack type judgment processing of network communication encrypted traffic based on the encrypted traffic statistical feature information and the set of standard encrypted traffic abnormal traffic statistical feature information for different network attack types, to obtain traffic-side network attack type judgment information, includes the following steps: establishing a set of standard encrypted traffic abnormal traffic statistical feature information for different network attack types. The include ;in Indicates the first statistical characteristics of abnormal traffic in standard encrypted traffic corresponding to different network attack types; matching the encrypted traffic statistical feature information against the The above communication traffic transmission feature information of the encrypted traffic, and searching for all traffic patterns that match the encrypted traffic statistical feature information; the corresponding network attack type text information is used to generate traffic-side network attack type judgment information after data identification.

7. The encrypted traffic identification method based on multimodal fusion according to claim 6, characterized in that: performing network attack type identification processing of network communication encrypted traffic based on the encrypted traffic connection interaction feature information and the set of standard encrypted traffic abnormal connection interaction feature information for different network attack types, to obtain connection-side network attack type identification information, includes the following steps: establishing a set of standard encrypted traffic abnormal connection interaction feature information for different network attack types. The include ;in Indicates the first standard encrypted traffic abnormal connection interaction feature information corresponding to different network attack types; matching the encrypted traffic connection interaction feature information against the The above communication connection feature information of the encrypted traffic, and searching for all traffic that matches the encrypted traffic connection interaction feature information; the corresponding network attack type text information is used to generate connection-side network attack type identification information through data identification. The connection-side network attack type identification information is generated by the following steps:
Step 2321, initialization: set the maximum number of iterations T and the current iteration count, randomly initialize the search space, and update the positions of the network-attack-target-searching raccoon population within it;
Step 2322, hunting and attacking: in the optimization space, the network-attack-target-searching raccoon population simulates the attack on and hunting of iguanas in order to find targets that match the encrypted traffic connection interaction feature information; some raccoon individuals climb the tree towards the iguana, while the other raccoons wait on the ground until the iguana falls, and attack it after it has landed; the algorithm assumes that the position of the best member of the raccoon population is the position of the iguana, that half of the raccoons climb the tree, and that the other half wait for the iguana to fall to the ground; the positions of the climbing raccoons in the optimization space are simulated mathematically; after the iguana falls, it is placed at a random location in the optimization space, and the ground raccoons move their positions in the optimization space based on that random location;
Step 2323, escaping from predators: in the optimization space, the raccoon population simulates an encounter with a predator and the escape strategy, in order to find targets that match the encrypted traffic connection interaction features; when a predator attacks a raccoon individual in the optimization space, that individual escapes from its current dangerous position to a new safe position within the optimization space;
Step 2324: when the algorithm reaches the maximum number of iterations, output all data that match the encrypted traffic connection interaction feature information; otherwise, repeat steps 2322 to 2324 until the maximum number of iterations is reached;
Step 2325: the network attack type text information corresponding to all matching data output in step 2324 is used to generate connection-side network attack type identification information through data identification.

8. The encrypted traffic identification method based on multimodal fusion according to claim 7, characterized in that: performing network attack type detection processing of network communication encrypted traffic based on the encrypted traffic association protocol feature information and the set of standard encrypted traffic anomaly association protocol feature information for different network attack types, to obtain protocol-side network attack type detection information, includes the following steps: establishing a set of standard encrypted traffic anomaly association protocol feature information for different network attack types. The include ;in Indicates the first size characteristics of abnormal data packets in standard encrypted traffic corresponding to different network attack types; matching the encrypted traffic association protocol feature information against the The above communication association protocol feature information of the encrypted traffic, and searching for all protocols that match the encrypted traffic association protocol feature information; the corresponding network attack type text information is used to generate protocol-side network attack type detection information through data identification.
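Claims 4, 6 and 8 each describe the same matching step applied to a different modality: a per-attack-type set of "standard abnormal" feature information is established, the observed feature information is matched against it, and the attack type text of every match is turned into the per-side identification information. The following is an added illustration of that step, not code from the patent; the attack-type names, feature names, interval bounds and sample flows are all constructed for the example, and the assumption that each standard profile is a closed interval per feature is the example's own.

```python
"""Per-modality matching of observed encrypted-flow features against a
standard abnormal-feature set kept per attack type.

Constructed illustration of the matching step in claims 4, 6 and 8; the
attack-type names, feature names and interval values below are invented
for the example and are not taken from the patent.
"""

# A "standard abnormal feature information set": one profile per attack type,
# each profile a closed interval per feature. A flow matches a profile when
# every feature of the profile is observed and lies inside its interval.
PACKET_SIZE_PROFILES = {                       # packet-side (claim 4)
    "beaconing":    {"mean_len": (60, 200),   "std_len": (0, 40),  "max_len": (60, 400)},
    "exfiltration": {"mean_len": (900, 1500), "std_len": (0, 200), "max_len": (1200, 1500)},
}
TRAFFIC_STAT_PROFILES = {                      # traffic-side (claim 6)
    "exfiltration": {"bytes_out_ratio": (0.8, 1.0), "flow_duration_s": (30, float("inf"))},
    "port_scan":    {"pkts_per_flow": (1, 4), "distinct_dst_ports": (50, float("inf"))},
}
PROTOCOL_PROFILES = {                          # protocol-side (claim 8)
    "dns_tunnel": {"dns_qname_len": (50, 255), "txt_record_ratio": (0.3, 1.0)},
}


def matches_profile(observed, profile):
    """True when every feature in `profile` is present in `observed` and
    inside the profile's [lo, hi] interval; a missing feature never matches."""
    for feature, (lo, hi) in profile.items():
        value = observed.get(feature)
        if value is None or not lo <= value <= hi:
            return False
    return True


def identify_side(side, flows, profiles):
    """Match every flow of one modality against every attack-type profile.

    Returns (flow_id, attack_type, text) records; `text` stands in for the
    'network attack type text information' that later data identification
    turns into the per-side identification information."""
    records = []
    for flow_id, observed in flows.items():
        for attack_type, profile in profiles.items():
            if matches_profile(observed, profile):
                records.append((flow_id, attack_type,
                                f"{side}: flow {flow_id} matches {attack_type}"))
    return records


# Constructed sample observations (not captured traffic).
SAMPLE_PACKET_FEATURES = {
    "f1": {"mean_len": 120,  "std_len": 12,  "max_len": 160},   # small, regular packets
    "f2": {"mean_len": 1400, "std_len": 80,  "max_len": 1500},  # sustained full-size packets
    "f3": {"mean_len": 500,  "std_len": 300, "max_len": 1500},  # mixed sizes, matches nothing
}
SAMPLE_TRAFFIC_FEATURES = {
    "f2": {"bytes_out_ratio": 0.95, "flow_duration_s": 600},
    "f4": {"pkts_per_flow": 2, "distinct_dst_ports": 300},
}
SAMPLE_PROTOCOL_FEATURES = {
    "d1": {"dns_qname_len": 120, "txt_record_ratio": 0.9},
    "d2": {"dns_qname_len": 18,  "txt_record_ratio": 0.0},
}

if __name__ == "__main__":
    for side, flows, profiles in (
        ("packet-side", SAMPLE_PACKET_FEATURES, PACKET_SIZE_PROFILES),
        ("traffic-side", SAMPLE_TRAFFIC_FEATURES, TRAFFIC_STAT_PROFILES),
        ("protocol-side", SAMPLE_PROTOCOL_FEATURES, PROTOCOL_PROFILES),
    ):
        for _, _, text in identify_side(side, flows, profiles):
            print(text)
```

The same `identify_side` call serves all three modalities; only the profile set and the observed feature dictionary change, which is what lets the claims reuse one matching procedure for the packet, traffic and protocol sides. Note that flow f2 matches "exfiltration" on two sides independently; the fusion in claim 9 is where such cross-side agreement is counted.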

9. The encrypted traffic identification method based on multimodal fusion according to claim 8, characterized in that: searching for real-time network attack types in network communication encrypted traffic to obtain real-time network attack type information; statistically processing the occurrence frequency of real-time network attack types in network communication encrypted traffic to obtain real-time network attack type frequency information; and constructing real-time identification information for network communication encrypted traffic and performing a feedback operation on the identification result, includes the following steps: using the KD-tree nearest neighbor search algorithm to search, based on network attack type keywords, for network attack type object categories in the time-series network attack type analysis information, the packet-side network attack type identification information, the traffic-side network attack type judgment information, the connection-side network attack type identification information and the protocol-side network attack type detection information, and constructing a set of real-time network attack type information for encrypted traffic. The include and ;in and Indicates the first species and first real-time network attack type information for encrypted traffic corresponding to the various network attack types; based on the above The above to , the corresponding network attack type information is searched from the time-series network attack type analysis information, the packet-side network attack type identification information, the traffic-side network attack type judgment information, the connection-side network attack type identification information and the protocol-side network attack type detection information, and the to frequency of the corresponding network attack types is used to generate a set of real-time network attack type frequency information for encrypted traffic through data identification.
The include and ;in and Indicates the first species and first real-time network attack type frequency information for encrypted traffic corresponding to the various network attack types; the encrypted traffic real-time network attack type information and the encrypted traffic real-time network attack type frequency information are combined and identified to construct real-time network communication encrypted traffic identification information, which is transmitted to the network communication security display terminal via the mobile communication network to perform the feedback operation for the network communication encrypted traffic identification result.
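Claim 9 fuses the five per-side outputs: a KD-tree nearest neighbor search assigns each side's output to an attack-type category, occurrence frequencies are counted across sides, and the two are combined into the real-time identification record. The block below is an added example of that fusion step, not the patent's own code. The patent does not say how attack type keywords are represented, so the example assumes each keyword record and each side's output is already a small numeric feature vector; the category points, side outputs and attack-type names are constructed, and the KD-tree is written from scratch so the example runs with no third-party packages.

```python
"""Fusing the five per-modality outputs into real-time identification
information: a KD-tree nearest-neighbour lookup maps each side's output to
an attack-type category, then occurrence frequencies are counted.

Constructed illustration of claim 9, not the patent's own code. The patent
does not say how attack-type keywords are represented; this example assumes
each keyword record is already a numeric feature vector, and builds the
KD-tree from scratch so it runs without third-party packages.
"""
from collections import Counter


class KDNode:
    __slots__ = ("point", "label", "axis", "left", "right")

    def __init__(self, point, label, axis, left, right):
        self.point, self.label, self.axis = point, label, axis
        self.left, self.right = left, right


def build_kdtree(items, depth=0):
    """items: list of (vector, label). Splits on the median of axis = depth mod k."""
    if not items:
        return None
    axis = depth % len(items[0][0])
    items = sorted(items, key=lambda it: it[0][axis])
    mid = len(items) // 2
    point, label = items[mid]
    return KDNode(point, label, axis,
                  build_kdtree(items[:mid], depth + 1),
                  build_kdtree(items[mid + 1:], depth + 1))


def _sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def nearest(node, target, best=None):
    """Nearest-neighbour search; `best` is (squared distance, label).
    The far subtree is visited only if the splitting plane is closer than
    the best match found so far, which is the KD-tree pruning rule."""
    if node is None:
        return best
    d = _sq_dist(node.point, target)
    if best is None or d < best[0]:
        best = (d, node.label)
    diff = target[node.axis] - node.point[node.axis]
    near, far = (node.left, node.right) if diff < 0 else (node.right, node.left)
    best = nearest(near, target, best)
    if diff * diff < best[0]:
        best = nearest(far, target, best)
    return best


# Constructed attack-type category points ("keyword" vectors) and the raw
# outputs of the five analysis sides, each a vector in the same space.
CATEGORY_POINTS = [
    ((1.0, 0.0, 0.0), "beaconing"),
    ((0.0, 1.0, 0.0), "exfiltration"),
    ((0.0, 0.0, 1.0), "port_scan"),
    ((1.0, 1.0, 0.0), "dns_tunnel"),
]
SIDE_OUTPUTS = {
    "time_series": [(0.9, 0.1, 0.0)],
    "packet":      [(0.8, 0.2, 0.1), (0.1, 0.9, 0.0)],
    "traffic":     [(0.0, 0.9, 0.1)],
    "connection":  [(0.0, 0.0, 0.9)],
    "protocol":    [(0.9, 0.9, 0.1)],
}


def fuse(side_outputs, category_points):
    """Map every side's outputs to categories, count occurrence frequency
    across all sides, and return the combined real-time identification
    record ordered by frequency (ties keep first-seen order)."""
    tree = build_kdtree(category_points)
    per_side = {side: [nearest(tree, v)[1] for v in vecs]
                for side, vecs in side_outputs.items()}
    freq = Counter(t for types in per_side.values() for t in types)
    report = [{"attack_type": t, "count": c,
               "sides": sorted(s for s, ts in per_side.items() if t in ts)}
              for t, c in freq.most_common()]
    return per_side, freq, report


if __name__ == "__main__":
    _, _, report = fuse(SIDE_OUTPUTS, CATEGORY_POINTS)
    for entry in report:
        print(entry)
```

The `sides` list in each report entry is the useful part for an analyst: an attack type reported by several independent modalities (here "beaconing" from the time-series and packet sides) deserves more confidence than one seen by a single side, and the frequency count is what the claim's display terminal would render.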

10. A multimodal fusion-based encrypted traffic identification system, used to implement the multimodal fusion-based encrypted traffic identification method according to any one of claims 1-9, characterized in that: The system includes a time-based data packet feature analysis module, a traffic interaction protocol feature analysis module, and an encrypted traffic comprehensive evaluation module. The time-based data packet feature analysis module collects encrypted traffic time series feature information and encrypted traffic data packet size feature information respectively; performs network attack type analysis processing based on the communication time series behavior features of network communication encrypted traffic to obtain time-series network attack type analysis information; and performs network attack type identification processing based on the communication data packet size behavior features of network communication encrypted traffic to obtain data packet-side network attack type identification information. The traffic interaction protocol feature analysis module collects encrypted traffic statistical feature information, encrypted traffic connection interaction feature information, and encrypted traffic association protocol feature information, respectively. Network attack type judgment is performed based on the communication traffic statistics behavior characteristics of encrypted network communication traffic to obtain network attack type judgment information on the traffic side; network attack type identification is performed based on the communication connection interaction behavior characteristics of encrypted network communication traffic to obtain network attack type identification information on the connection side; network attack type detection is performed based on the communication association protocol behavior characteristics of encrypted network communication traffic to obtain network attack type detection information on the protocol side. 
The encrypted traffic comprehensive evaluation module searches for real-time network attack types in encrypted network communication traffic to obtain real-time network attack type information; it statistically processes the frequency of occurrence of real-time network attack types in encrypted network communication traffic to obtain frequency information of real-time network attack types; it constructs real-time identification information for encrypted network communication traffic and executes a feedback operation for the identification results of encrypted network communication traffic.