A malicious encrypted traffic detection method and device based on semi-supervised meta-learning
By employing a semi-supervised meta-learning method, combined with pseudo-label generation and a consistency loss function, and utilizing collaborative learning with labeled and unlabeled data, the problem of insufficient model generalization and overfitting in encrypted traffic detection is solved, achieving efficient malicious attack identification.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- COMP NETWORK INFORMATION CENT CHINESE ACADEMY OF SCI
- Filing Date
- 2025-01-14
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies rely on large amounts of labeled data for encrypted traffic detection, which suffers from insufficient model generalization ability, small sample size problem, and overfitting risk. Furthermore, traditional semi-supervised learning methods perform poorly in cases of small samples and complex distributions.
We employ a semi-supervised meta-learning approach, combining pseudo-label generation and a consistency loss function with labeled and unlabeled data for collaborative learning. We utilize confidence thresholds to generate high-confidence pseudo-labels and improve model robustness through weak and strong perturbation strategies.
It significantly improves the model's detection and generalization capabilities in encrypted traffic, effectively identifies new types of malicious attacks, adapts to complex network environments, and enhances detection accuracy and robustness.
Smart Images

Figure SMS_2 
Figure SMS_3 
Figure SMS_5
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to a method and apparatus for detecting malicious encrypted traffic based on semi-supervised meta-learning. Background Technology
[0002] In today's complex network environment, deep learning-based network traffic detection methods are developing rapidly. With the increasing prevalence of encrypted traffic, anomaly detection has become particularly important, aiming to identify malicious activities hidden within encrypted traffic, such as DDoS attacks, APTs (Advanced Persistent Threats), and botnets. Detecting these threats is crucial for ensuring network security. However, with rising demands for user privacy protection, traditional payload-based detection methods are gradually becoming ineffective. Therefore, research has shifted towards technologies that can identify encrypted traffic without decryption, such as detection methods based on statistical features and user behavior.
[0003] For example, Nychis et al. studied entropy-related traffic distribution, analyzed traffic header and behavioral characteristics, and proposed an effective method for anomaly detection using time series data. AbuShqeir et al. demonstrated the feasibility of behavior-based detection by analyzing command sequences and session correlations to detect malicious attacks. Traffic-based detection methods typically rely on statistical features or time series characteristics and employ machine learning algorithms (such as support vector machines, decision trees, and random forests) for modeling and detection. For instance, Soleimani et al. studied three traffic obfuscation plugins for the Tor network (Obfs3, Obfs4, and ScrambleSuit), exploring how to identify these obfuscated traffic using machine learning techniques. This study successfully achieved effective identification of obfuscated traffic by analyzing statistical data of forward and reverse packets (such as the total number of forward bytes) and using algorithms such as C4.5, SVM, AdaBoost, and random forests. Experiments showed that even using only information from the first 10 to 50 packets, these obfuscated traffic could be detected quickly.
[0004] While existing machine learning and deep learning methods have made some progress in encrypted traffic detection, their reliance on large amounts of labeled data remains a limitation. Due to the scarcity and high cost of acquiring labeled data in real-world applications, the generalization ability of models on unlabeled data is limited. Furthermore, in many detection tasks, the number of malicious samples is typically limited, leading to the few-shot problem and making models prone to overfitting during training.
[0005] To address these issues, few-shot learning has emerged in recent years as an effective method to cope with insufficient labeled data. Few-shot learning has demonstrated its potential in scenarios with scarce data, high labeling costs, and imbalanced data, allowing for more efficient utilization of existing data. However, encrypted traffic detection still faces some unique challenges: 1. Attackers can exploit protocol rules to disguise malicious traffic as legitimate traffic, increasing the difficulty of detection; 2. Traditional deep learning methods rely on large amounts of labeled data, but in real-world scenarios, it is difficult to obtain sufficient labeled data, making it difficult for models to generalize to novel unlabeled encrypted traffic; 3. The limited number of malicious samples in many detection tasks leads to the few-shot problem, increasing the risk of model overfitting.
[0006] To address the aforementioned technical issues, several semi-supervised learning models have been disclosed in existing technologies. The most representative is FixMatch, proposed by Sohn et al. in 2020. Although this method is relatively simple in its process and has achieved significant results in the field of semi-supervised learning, it has the following limitations in cases of small samples and complex distributions:
[0007] First, these methods rely on high-confidence pseudo-labels to guide training on unlabeled data. In small sample sizes, the model's initial performance is limited, and the generated pseudo-labels may be inaccurate. Incorrect pseudo-labels are repeatedly used by the model, leading to self-reinforcement and trapping the model in a cycle of incorrect learning, making it difficult to improve the model's generalization ability.
[0008] Secondly, many methods assume that unlabeled and labeled data have similar distributions, but this assumption often fails in practice. Attackers may exploit unknown protocol rules or camouflage techniques to hide malicious traffic within normal traffic, resulting in a large amount of data with distributional bias or unknown categories in the unlabeled data. Consequently, the model may be affected by anomalous samples in the unlabeled data during training, impacting detection performance.
[0009] Furthermore, in scenarios involving small sample sizes, models are prone to overfitting to limited labeled data. Traditional semi-supervised learning methods struggle to effectively utilize unlabeled data to mitigate overfitting and cannot adequately address the insufficient generalization ability of models caused by small sample sizes. Summary of the Invention
[0010] To address the problems existing in the prior art, this application provides a method and apparatus for detecting malicious encrypted traffic based on semi-supervised meta-learning. This method can utilize a small amount of labeled and unlabeled data for collaborative learning, significantly improving the model's ability to detect small-sample encryption attacks.
[0011] One technical solution of the present invention provides a method for detecting malicious encrypted traffic based on semi-supervised meta-learning, the method comprising the following steps:
[0012] Acquire network traffic data and preprocess it to obtain labeled and unlabeled data sample sets;
[0013] The model is trained using a labeled dataset to obtain an initial model;
[0014] The unlabeled data sample set is input into the initial model, and a false label algorithm is used to generate confidence values. The confidence values are compared with a confidence threshold, and false labels are generated for samples that are greater than the confidence threshold, thus forming a false label data sample set.
[0015] Labeled and pseudo-labeled data samples are mixed and input into the network model for training. The parameters of the initial model are then optimized based on the parameters of the trained network model. The mixed loss function of the trained network model is used as the optimization objective, and the mixed loss function is L = L s +L x +L u , where L s L is the supervised loss function for the labeled data sample set; x L is the target confidence loss function; u This is the consistency loss function.
[0016] In a further improved scheme, the supervised loss function Among them, B L Indicates batch size;
[0017] v i This indicates the relationship between each traffic sample x. i The corresponding real tags;
[0018] p(v i |x i ) indicates that the model is based on sample features x i Predicted v i The probability of the category;
[0019] y represents the loss function.
[0020] In a further improved scheme, weak perturbation is applied to the unlabeled data sample set.
[0021] In a further improved scheme, the target confidence loss function
[0022]
[0023] in,
[0024] Z iand Z j It is the value of logits;
[0025] T is a hyperparameter that controls scaling;
[0026] α and γ are weight hyperparameters;
[0027] D(p x ,q x ) represents a term that controls the diversity of category distribution.
[0028] In a further improved scheme, the unlabeled data sample set is subjected to strong interference.
[0029] In a further improved scheme, the consistency loss function
[0030]
[0031] in,
[0032] B u Indicates the batch size of unlabeled samples;
[0033] λ(p i ) represents the weighting function, based on the confidence level p of sample i. i To calculate;
[0034] y i ∣Ω(x i ) represents the input data x i The predicted value y after model Ω i ;
[0035] β represents the hyperparameter;
[0036] z i and z j These are the representations of the samples after weak and strong enhancement, respectively.
[0037] z i ·z j Represents the eigenvector z i and z j The dot product;
[0038] ∥z i ∥ and ∥z j ∥ is the norm of the eigenvector;
[0039] The cosine similarity value is between -1 and 1.
[0040] Another technical solution of the present invention provides a malicious encrypted traffic detection device based on semi-supervised meta-learning, the device comprising:
[0041] The data acquisition module is used to acquire network traffic data and preprocess it to obtain labeled data sample sets and unlabeled data sample sets.
[0042] The initial model training module is used to train the model using a labeled data sample set to obtain the initial model;
[0043] The pseudo-label generation module is used to input the unlabeled data sample set into the initial model, generate confidence values using the pseudo-label algorithm, compare the confidence values with the confidence threshold, generate pseudo-labels for samples that are greater than the confidence threshold, and form a pseudo-label data sample set.
[0044] The initial model optimization module is used to input the mixed labeled data sample set and pseudo-labeled data sample set into the network model for training, and optimize the parameters of the initial model based on the parameters of the trained network model; the mixed loss function of the trained network model is used as the optimization objective, and the mixed loss function is L = L s +L x +L u , where L s L is the supervised loss function for the labeled data sample set; x L is the target confidence loss function; u This is the consistency loss function.
[0045] Another technical solution of the present invention provides a computer-readable storage medium having a computer program stored thereon, the program being executed by a processor to implement the steps of a malicious encrypted traffic detection method based on semi-supervised meta-learning.
[0046] This invention provides a method and apparatus for detecting malicious encrypted traffic based on semi-supervised meta-learning, with the following advantages:
[0047] 1) This application proposes a novel encrypted traffic detection method that combines the advantages of semi-supervised learning and meta-learning. This method can improve the model's ability to detect novel malicious attacks in encrypted traffic by co-learning with a small amount of labeled and unlabeled data, even when labeled data is scarce. This framework design solves the bottleneck problem of traditional methods' ineffective detection in encrypted traffic environments.
[0048] 2) This application dynamically generates high-confidence pseudo-labels by setting a confidence threshold, and uses these pseudo-labels as additional supervision signals for training. A target confidence loss function is introduced to ensure that the model maintains attention to different categories during pseudo-label generation, avoiding overfitting due to overconfidence in certain categories. This strategy significantly improves the utilization efficiency of unlabeled encrypted traffic.
[0049] 3) This application proposes enhancement strategies with weak and strong perturbations to test and improve the robustness of the model under different encrypted traffic perturbations. By applying slight and significant data transformations to the unlabeled data, this application utilizes consistency contrast loss to ensure that the model maintains stable predictive performance under different enhancements. By introducing pseudo-label generation and consistency contrast loss, the model adapts to dynamically changing network environments and optimizes its performance in encrypted traffic detection. Experiments on publicly available encrypted traffic security datasets show that this method has significant advantages in key performance indicators such as detection accuracy and F1 score. Furthermore, this application has also been tested on real network datasets, and the results show that this method not only significantly improves the detection rate of malicious activities in encrypted traffic but also exhibits good robustness and generalization ability. Therefore, this method is particularly suitable for various complex network security scenarios, providing an efficient and innovative solution for threat detection in encrypted traffic. Detailed Implementation
[0050] The technical solutions of the present invention will be clearly and completely described below with reference to the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of the present invention.
[0051] One embodiment of the present invention provides a method for detecting malicious encrypted traffic based on semi-supervised meta-learning, the method comprising the following steps:
[0052] S1: Acquire network traffic data and preprocess it to obtain labeled data sample sets and unlabeled data sample sets;
[0053] During the handshake phase of an encryption protocol, the client and server typically negotiate encryption parameters in plaintext. This provides valuable encryption-related data, such as the TLS version, encryption algorithm, certificate information, and TLS extension options. Furthermore, features such as packet length, traffic duration, and time intervals can significantly improve the detection accuracy of malicious encrypted traffic. However, too many features can lead to degraded model performance and increased storage and computational burden.
[0054] Therefore, this application further requires preprocessing of network traffic data; the specific method includes the following steps:
[0055] S11: Use a packet capture tool, such as Wireshark, to split the traffic and store it as a PCAP file;
[0056] S12: Remove irrelevant information, such as MAC addresses in TCP / UDP headers, through traffic scrubbing to ensure that only features related to encryption detection are retained;
[0057] S13: Perform traffic optimization; specifically: delete duplicate and empty data files, and unify the length of all data packets to 900 bytes;
[0058] S14: Convert the processed data into a 30×30 byte two-dimensional IDX format.
[0059] S2: Train the model using a labeled data sample set to obtain an initial model;
[0060] The model is trained using labeled data, and the model used is a neural network model, such as the Wide-ResNet model.
[0061] S3: Input the unlabeled data sample set into the initial model, use the pseudo-label algorithm to generate confidence values, compare the confidence values with the confidence threshold, generate pseudo labels for samples that are greater than the confidence threshold, and form a pseudo-labeled data sample set;
[0062] After inputting unlabeled data, a pseudo-label algorithm is used to generate a value similar to a confidence score, which is essentially a temperature-scaled (i.e., a modified softmax) output of logits. The confidence threshold can be set through multiple rounds of comparative experiments.
[0063] In this way, the model can continue to learn on unlabeled data, thereby further improving its ability to classify unknown encrypted traffic.
[0064] To better utilize unlabeled encrypted data, a pseudo-label strategy was adopted to weakly perturb the unlabeled data sample set, resulting in a confidence level higher than the threshold after weak perturbation.
[0065] Weak interference includes:
[0066] 1. Slight packet delay: Slightly adjust the packet sending time without changing the packet order.
[0067] 2. Basic packet reordering: performs slight reordering of packets within the same traffic without affecting the overall traffic context.
[0068] 3. Limited flow truncation or padding: Truncate a small portion of the data stream or add irrelevant data at the beginning or end of the stream to simulate slight data changes.
[0069] 4. Translation and flipping operations: In visual data representation, operations similar to image enhancement can be used, such as small-amplitude translation and flipping.
[0070] In this way, the model can adaptively adjust its learning direction, allowing pseudo-labels to play a guiding role in the model's training process.
[0071] To further improve the effectiveness of semi-supervised few-shot learning methods in encrypted traffic detection and enhance the model's robustness and generalization ability, it is also necessary to subject the data to strong perturbations. These perturbations include:
[0072] 1. Significant packet out-of-order processing: The packets in the traffic are significantly out of order to test whether the model depends on the order of the packets.
[0073] 2. Data packet loss simulation: Randomly discard some data packets to simulate data packet loss and test the model's performance under incomplete data conditions.
[0074] 3. Advanced packet transformations: such as Cutout, CTAugment, and RandAugment, which simulate traffic distortion techniques that attackers may use.
[0075] 4. Add noise data: Insert random or simulated noise data packets into the original traffic to test the model's ability to identify noise in a noisy environment.
[0076] S4: The labeled data sample set and the pseudo-labeled data sample set are mixed and input into the network model for training. The parameters of the initial model are optimized based on the parameters of the trained network model. The mixed loss function of the trained network model is used as the optimization objective, and the mixed loss function is L = L s +L x +L u , where L s L is the supervised loss function for the labeled data sample set; x L is the target confidence loss function; u This is the consistency loss function.
[0077] In model training, optimization is performed by combining the supervised loss of labeled sample data and the loss of unlabeled data.
[0078] Among them, the supervision loss function in,
[0079] B L This indicates the batch size, which is the number of traffic samples being processed.
[0080] v i This indicates the relationship between each traffic sample x. i The corresponding real tags;
[0081] p(v i |x iThe model represents the model based on sample features x. i Predicted v i The probability of the category.
[0082] y represents the loss function, which can be a supervised loss function or other loss metric suitable for classification tasks, used to measure the probability p(v) predicted by the model. i |x i ) and real label v i The differences between them.
[0083] The supervised loss function guides the model's learning on labeled data, while the unlabeled loss enhances the model's robustness and adaptability on unlabeled encrypted traffic data. Through this dual optimization strategy, the model can not only effectively utilize limited labeled data but also make fuller use of a large amount of unlabeled encrypted traffic data.
[0084] Among them, the target confidence loss function
[0085]
[0086] in:
[0087] Z i and Z j It is the value of logits;
[0088] T is a hyperparameter that controls scaling;
[0089] α and γ represent weight hyperparameters, used to balance the contributions of each part of the loss;
[0090] D(p x ,q x ) represents a term that controls the diversity of category distribution.
[0091] The introduction of the targeted confidence loss function adjusts the model's output probability distribution, reducing excessive confidence in predictions during pseudo-label learning. Furthermore, if the model overconfidently predicts certain categories while ignoring others, it may overfit to those categories, ultimately impacting overall performance. The targeted confidence loss function forces the model to consider all categories when generating pseudo-labels, preventing any single category from accumulating excessive sample weight. This avoids overconfidence in incorrect pseudo-labels, thus increasing the robustness and flexibility of the learning process.
[0092] Consistency loss function
[0093]
[0094] in,
[0095] Bu This indicates the batch size of the unlabeled samples, representing the number of unlabeled data points in a mini-batch; this symbol appears in the denominator of the formula to average the loss over the entire batch.
[0096] λ(p i ) represents the weighting function, based on the confidence level p of sample i. i This function is typically used to assign greater weights to high-confidence samples and lower weights to low-confidence samples, ensuring that the model focuses more on learning from high-confidence samples.
[0097] y i ∣Ω(x i ) represents the input data x i The predicted value y after model Ω i Model Ω is based on input features x i The prediction function;
[0098] β represents a hyperparameter used to control the weight of the contrastive loss term and adjust the contribution of the contrastive loss to the total loss.
[0099] z i and z j These are the representations of the samples after weak and strong enhancement, respectively.
[0100] z i ·z j Represents the eigenvector z i and z j The dot product is used to measure the similarity between two samples;
[0101] ∥z i ∥ and ∥z j ∥ is the norm (modulus) of the eigenvector, used to normalize the length of the vector;
[0102] The cosine similarity value ranges between -1 and 1, where 1 indicates that the two vectors are exactly the same, 0 indicates that the two vectors are orthogonal (no similarity), and -1 indicates that they are completely opposite. The more similar the different enhancement results are, the smaller the loss. By introducing this contrastive loss term, the model can better learn discriminative feature representations, thereby enhancing its ability to distinguish different patterns in encrypted traffic.
[0103] The aforementioned consistency loss function mitigates the prediction discrepancies between weak and strong enhancements, ensuring model stability and robustness to different enhancement operations. It maintains prediction consistency between weak and strong enhancement samples, improving the model's generalization ability and performance across different scenarios. This process ensures the model can better adapt to the diverse characteristics of encrypted traffic and enhances its ability to identify novel and complex attack patterns.
[0104] The malicious encrypted traffic detection method based on semi-supervised meta-learning provided in this application is based on a semi-supervised meta-learning framework, which enables collaborative learning using a small amount of labeled data and a large amount of unlabeled data. Meta-learning helps the model learn general feature representations by training on different encrypted traffic data detection tasks, allowing it to quickly adapt to new tasks. By constructing a task pool containing various encrypted traffic data, the model optimizes global model parameters based on meta-learning, improving its performance on various tasks.
[0105] The semi-supervised meta-learning-based malicious encrypted traffic detection method provided in this application significantly improves the accuracy and effectiveness of encrypted traffic detection by introducing pseudo-label generation and consistency loss, especially showing excellent performance in the detection of novel encrypted attacks and different encryption protocols.
[0106] In summary, the semi-supervised meta-learning-based malicious encrypted traffic detection method provided in this application solves the performance bottleneck of traditional detection methods when dealing with encrypted traffic. By combining pseudo-label generation, consistency regularization, and meta-learning techniques, this application can effectively utilize a large amount of unlabeled data with a small amount of labeled data, improving the model's ability to detect malicious activities in encrypted traffic and providing an efficient and reliable solution for network security.
[0107] One embodiment of the present invention provides a malicious encrypted traffic detection device based on semi-supervised meta-learning, the device comprising:
[0108] The data acquisition module is used to acquire network traffic data and preprocess it to obtain labeled data sample sets and unlabeled data sample sets.
[0109] The initial model training module is used to train the model using a labeled data sample set to obtain the initial model;
[0110] The pseudo-label generation module is used to input the unlabeled data sample set into the initial model, generate confidence values using the pseudo-label algorithm, compare the confidence values with the confidence threshold, generate pseudo-labels for samples that are greater than the confidence threshold, and form a pseudo-label data sample set.
[0111] The initial model optimization module is used to input the mixed labeled data sample set and pseudo-labeled data sample set into the network model for training, and optimize the parameters of the initial model based on the parameters of the trained network model; the mixed loss function of the trained network model is used as the optimization objective, and the mixed loss function is L = L s +L x +L u , where L d L is the supervised loss function for the labeled data sample set; xL is the target confidence loss function; u This is the consistency loss function.
[0112] In model training, optimization is performed by combining the supervised loss of labeled sample data and the loss of unlabeled data.
[0113] Among them, the supervision loss function in,
[0114] B L This indicates the batch size, which is the number of traffic samples being processed.
[0115] v i This indicates the relationship between each traffic sample x. i The corresponding real tags;
[0116] p(v i |x i The model represents the model based on sample features x. i Predicted v i The probability of the category.
[0117] y represents the loss function, which can be a supervised loss function or other loss metric suitable for classification tasks, used to measure the probability p(v) predicted by the model. i |x i ) and real label v i The differences between them.
[0118] The supervised loss function guides the model's learning on labeled data, while the unlabeled loss enhances the model's robustness and adaptability on unlabeled encrypted traffic data. Through this dual optimization strategy, the model can not only effectively utilize limited labeled data but also make fuller use of a large amount of unlabeled encrypted traffic data.
[0119] Among them, the target confidence loss function
[0120]
[0121] in:
[0122] Z i and Z j It is the value of logits;
[0123] T is a hyperparameter that controls scaling;
[0124] α and γ represent weight hyperparameters, used to balance the contributions of each part of the loss;
[0125] D(p x ,q x ) represents a term that controls the diversity of category distribution.
[0126] The introduction of the targeted confidence loss function adjusts the model's output probability distribution, reducing excessive confidence in predictions during pseudo-label learning. Furthermore, if the model overconfidently predicts certain categories while ignoring others, it may overfit to those categories, ultimately impacting overall performance. The targeted confidence loss function forces the model to consider all categories when generating pseudo-labels, preventing any single category from accumulating excessive sample weight. This avoids overconfidence in incorrect pseudo-labels, thus increasing the robustness and flexibility of the learning process.
[0127] Consistency loss function
[0128]
[0129] in,
[0130] B u This indicates the batch size of the unlabeled samples, representing the number of unlabeled data points in a mini-batch; this symbol appears in the denominator of the formula to average the loss over the entire batch.
[0131] λ(p i ) represents the weighting function, based on the confidence level p of sample i. i This function is typically used to assign greater weights to high-confidence samples and lower weights to low-confidence samples, ensuring that the model focuses more on learning from high-confidence samples.
[0132] y i ∣Ω(x i ) represents the input data x i The predicted value y after model Ω i Model Ω is based on input features x i The prediction function;
[0133] β represents a hyperparameter used to control the weight of the contrastive loss term and adjust the contribution of the contrastive loss to the total loss.
[0134] z i and z j These are the representations of the samples after weak and strong enhancement, respectively.
[0135] z i ·z j Represents the eigenvector z i and z j The dot product is used to measure the similarity between two samples;
[0136] ∥z i ∥ and ∥z j ∥ is the norm (modulus) of the eigenvector, used to normalize the length of the vector;
[0137] The cosine similarity value ranges between -1 and 1, where 1 indicates that the two vectors are exactly the same, 0 indicates that the two vectors are orthogonal (no similarity), and -1 indicates that they are completely opposite. The more similar the different enhancement results are, the smaller the loss. By introducing this contrastive loss term, the model can better learn discriminative feature representations, thereby enhancing its ability to distinguish different patterns in encrypted traffic.
[0138] This application provides a semi-supervised meta-learning-based malicious encrypted traffic detection device that overcomes the performance bottleneck of traditional detection methods when dealing with encrypted traffic. By combining pseudo-label generation, consistency regularization, and meta-learning techniques, this application can effectively utilize a large amount of unlabeled data with a small amount of labeled data, improving the model's ability to detect malicious activities in encrypted traffic and providing an efficient and reliable solution for network security.
[0139] Another embodiment of the present invention provides another computer-readable storage medium, which may be a computer-readable storage medium included in the memory of the above embodiments; or it may be a standalone computer-readable storage medium not assembled into a terminal. The computer-readable storage medium stores one or more programs, which are used by one or more processors to execute the methods provided in the above embodiments.
[0140] The various embodiments in this specification are described in a progressive manner. The same or similar parts between the various embodiments can be referred to each other. Each embodiment focuses on describing the differences from other embodiments.
[0141] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The program can be stored in a computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. The storage medium can be a magnetic disk, optical disk, read-only memory (ROM), or random access memory (RAM), etc.
[0142] The above description is merely a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.
Claims
1. A method for detecting malicious encrypted traffic based on semi-supervised meta-learning, characterized in that, The method includes the following steps: Acquire network traffic data and preprocess it to obtain labeled and unlabeled data sample sets; The model is trained using a labeled dataset to obtain an initial model; The unlabeled data sample set is input into the initial model, and a false label algorithm is used to generate confidence values. The confidence values are compared with a confidence threshold, and false labels are generated for samples that are greater than the confidence threshold, thus forming a false label data sample set. Labeled and pseudo-labeled data samples are mixed and input into the network model for training. The parameters of the initial model are then optimized based on the parameters of the trained network model. The mixed loss function of the trained network model is used as the optimization objective, and the mixed loss function is L = L s +L x +L u , where L s L is the supervised loss function for the labeled data sample set; x L is the target confidence loss function; u This is the consistency loss function.
2. The malicious encrypted traffic detection method based on semi-supervised meta-learning according to claim 1, characterized in that, The supervision loss function in, B L Indicates batch size; v i This indicates the relationship between each traffic sample x. i The corresponding real tags; p(v i |x i ) indicates that the model is based on sample features x i Predicted v i The probability of the category; y represents the loss function.
3. The malicious encrypted traffic detection method based on semi-supervised meta-learning according to claim 2, characterized in that, Weak perturbation is applied to the unlabeled data sample set.
4. The malicious encrypted traffic detection method based on semi-supervised meta-learning according to claim 1, characterized in that, The target confidence loss function in, Z i and Z j It is the value of logits; T is a hyperparameter that controls scaling; α and γ represent the weight hyperparameters; D(p x ,q x ) represents a term that controls the diversity of category distribution.
5. The malicious encrypted traffic detection method based on semi-supervised meta-learning according to claim 4, characterized in that, The unlabeled data sample set is subjected to strong perturbation.
6. The malicious encrypted traffic detection method based on semi-supervised meta-learning according to claim 5, characterized in that, The consistency loss function in, B u Indicates the batch size of unlabeled samples; λ(p i ) represents the weighting function, based on the confidence level p of sample i. i To calculate; y i ∣Ω(x i ) represents the input data x i The predicted value y after model Ω i ; β represents the hyperparameter; z i and z j These are the representations of the samples after weak and strong enhancement, respectively. z i ·z j Represents the eigenvector z i and z j The dot product; ∥z i ∥ and ∥z j ∥ is the norm of the eigenvector; The cosine similarity value is between -1 and 1.
7. A malicious encrypted traffic detection device based on semi-supervised meta-learning, characterized in that, The device includes: The data acquisition module is used to acquire network traffic data and preprocess it to obtain labeled data sample sets and unlabeled data sample sets. The initial model training module is used to train the model using a labeled data sample set to obtain the initial model; The pseudo-label generation module is used to input the unlabeled data sample set into the initial model, generate confidence values using the pseudo-label algorithm, compare the confidence values with the confidence threshold, generate pseudo-labels for samples that are greater than the confidence threshold, and form a pseudo-label data sample set. The initial model optimization module is used to input the mixed labeled data sample set and pseudo-labeled data sample set into the network model for training, and optimize the parameters of the initial model based on the parameters of the trained network model; the mixed loss function of the trained network model is used as the optimization objective, and the mixed loss function is L = L s +L x +L u , where L s L is the supervised loss function for the labeled data sample set; x L is the target confidence loss function; u This is the consistency loss function.
8. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by a processor, it implements the steps of the method according to any one of claims 1-6.