A method for detecting encrypted proxy confusion mining traffic based on flow time series representation
By constructing a stream time series representation and a stable feature subset, combined with a random forest model, the problem of mining traffic detection in the context of encrypted proxy obfuscation is solved, achieving efficient and accurate detection in complex network environments.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SOUTHEAST UNIV
- Filing Date
- 2026-05-27
- Publication Date
- 2026-07-14
AI Technical Summary
Existing technologies struggle to effectively detect mining traffic in cryptographic proxy obfuscation scenarios, leading to decreased detection performance and an inability to adapt to various obfuscation methods and complex network environments.
By constructing a streaming time series representation, periodic features, time series features, and statistical features are extracted to form a stable feature subset, and a random forest model is used for detection, adapting to various encryption proxy obfuscation methods.
It improves the robustness and adaptability of detection, reduces the false alarm rate, and is suitable for online monitoring and rapid early warning in complex network environments.
Smart Images

Figure CN122394949A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of cyberspace security technology and relates to a method for detecting mining traffic in encrypted proxy obfuscation scenarios, which involves stream time series construction, stable feature set extraction, and machine learning. Background Technology
[0002] The Proof-of-Work (PoW) mechanism in blockchain systems verifies transactions and records blocks through continuous hash calculations. As the total network computing power grows, the profitability of mining independently from a single device gradually decreases. Miners typically need to connect to mining pools to continuously request tasks, submit results, and report computing power. This process consumes significant computing and electricity resources over a long period, leading to substantial energy consumption. Furthermore, driven by the promise of cryptocurrency profits, attackers may use malware, web scripts, or intrusion control to hijack devices' computing power without user authorization, illegally obtaining profits. Such behavior not only degrades device performance, slows business response, and increases energy consumption, but in severe cases, it can also affect the stable operation of the organization's network and business systems, creating a cybersecurity risk that requires continuous monitoring and mitigation. Therefore, in some regions and specific network management scenarios, mining has become an object requiring detection and governance.
[0003] Existing cryptocurrency mining detection technologies mainly fall into two categories: host-side detection and network-side detection. Host-side methods typically detect mining activities by monitoring host status information such as software behavior, web browsing history, and CPU and memory usage. While these methods are effective in single-machine environments, they usually require the installation of monitoring programs on the protected terminal, involve user-side data processing, and have high deployment and maintenance costs in large-scale network environments. In contrast, network-side methods achieve detection by passively analyzing communication traffic at network boundaries or egress points. They are more suitable for centralized deployment and unified monitoring, and therefore have gradually become an important research direction in cryptocurrency mining detection.
[0004] For unobfuscated mining communications, since miners and mining pools typically interact based on the unencrypted Stratum protocol, the traffic is somewhat detectable in terms of protocol and statistical characteristics. Existing methods can utilize rule matching, deep packet inspection, and machine learning for detection. However, in real-world environments, miners or attackers often use encrypted proxies to forward, encrypt, and re-encapsulate mining traffic, and evade regulation through protocol spoofing and dynamic port switching. This processing significantly alters the spatial characteristics of the traffic and weakens some directly usable protocol fingerprints, resulting in a marked decrease in the performance of detection schemes that rely on features such as packet length, payload content, and protocol fingerprints.
[0005] Therefore, how to extract relatively stable criteria for judging obfuscation strategies from network traffic in the context of encrypted proxy obfuscation, and how to construct a mining traffic detection method that takes into account timeliness, robustness and low false alarms, are problems that existing technologies urgently need to solve. Summary of the Invention
[0006] To effectively regulate cryptocurrency mining activities on the network and improve network-side detection capabilities against crypto-hijacking, this invention proposes a mining traffic detection method for various crypto-proxy obfuscation methods, addressing the challenge of stable detection of mining traffic under crypto-proxy obfuscation scenarios. The method first processes the original traffic into streams and constructs a 0-1 stream time series representation. Second, it extracts periodic features, time series features, and statistical features based on the stream time series to form an initial stable feature set. This initial stable feature set is then preprocessed and subjected to correlation filtering to obtain a 16-dimensional stable feature subset. Finally, the stable feature subset is input into a detection model to detect obfuscated mining traffic. By utilizing relatively stable communication behavior patterns under different obfuscation methods as the detection basis, this invention improves adaptability and robustness to various crypto-proxy obfuscation methods.
[0007] To achieve the above objectives, the present invention provides the following technical solution:
[0008] A method for detecting cryptographic proxy obfuscated mining traffic based on stream time series representation includes the following steps:
[0009] (1) Construct a labeled traffic dataset for training and testing. Set up a mining traffic collection environment, collect mining traffic under various cryptographic proxy obfuscation scenarios, and introduce background traffic samples to form a labeled sample dataset containing mining traffic and normal business traffic;
[0010] (2) Perform grouping, direction splitting and short-flow filtering on the labeled traffic dataset and the network traffic to be detected, and construct a flow time series representation within a preset observation time window to characterize the arrival behavior of the target traffic in the time dimension;
[0011] (3) Extract stable features based on the time series of the stream and the statistical behavior of the target stream, and preprocess and screen the stable features to form a subset of stable features for detection;
[0012] (4) Train a confused mining traffic detection model using the stable feature subset corresponding to the training set in the labeled traffic dataset, and input the test set and the stable feature subset corresponding to the online traffic to be detected into the detection model, and output the detection result of whether the traffic to be detected is mining traffic.
[0013] Furthermore, step (1) specifically includes the following sub-steps:
[0014] (1.1) Build a mining traffic collection environment consisting of controlled terminals, proxy clients, proxy servers and mining pools, in which the encrypted proxy tool V2Ray is used to forward, encrypt and obfuscate mining communication;
[0015] (1.2) Configure four transmission modes respectively in the encrypted proxy environment: VMess over TCP, VMess over WebSocket, VMess over QUIC and VMess over mKCP, so as to form a variety of different proxy obfuscation scenarios;
[0016] (1.3) Run a mining program on a controlled terminal to access a mining pool, collect plaintext mining traffic that has not been proxied and mining traffic that has been processed by the four obfuscation methods, and run normal applications and mining programs on at least one controlled terminal at the same time to construct an encrypted hijacking scenario in which mining traffic and normal business traffic occur concurrently.
[0017] (1.4) Collect the obfuscated mining traffic between the proxy client and the proxy server, and collect the corresponding deobfuscated plaintext mining traffic at the exit position of the proxy server to form a comparison sample of plaintext mining traffic and obfuscated mining traffic.
[0018] (1.5) Obtain the CICIoT 2023 dataset and the ISCXVPN 2016 dataset as background traffic, wherein the CICIoT 2023 dataset is used to provide background traffic for IoT scenarios, and the ISCXVPN 2016 dataset is used to provide background traffic for encrypted applications such as chat, file transfer, streaming media, P2P download, and VoIP.
[0019] (1.6) The plaintext mining traffic, single obfuscated mining traffic, multi-obfuscated scenario mining traffic and background traffic are uniformly labeled, organized and sampled to construct a binary classification labeled traffic dataset, and mixed according to an unbalanced ratio of 100:1 between background traffic and mining traffic to simulate a scenario where the proportion of mining traffic is low in the real network.
[0020] (1.7) The completed labeled traffic dataset is randomly divided into a training set and a test set in a 7:3 ratio for subsequent feature extraction, model training and detection verification.
[0021] Through steps (1.1) to (1.7), the labeled traffic dataset constructed by this invention simultaneously covers plaintext mining traffic, single-proxy obfuscated mining traffic, multi-proxy obfuscated mining traffic, and mixed traffic from normal business operations running concurrently with mining programs. Compared to detection schemes that only target plaintext mining traffic, single-proxy configuration traffic, or relatively balanced experimental data, this invention enables training and testing samples to more closely resemble real-world network application scenarios characterized by low mining traffic proportions, complex background business, and varied proxy obfuscation methods. This improves the adaptability of subsequent detection models to mixed scenarios involving different proxy transmission configurations, different obfuscation methods, and crypto-hijacking.
[0022] Furthermore, step (2) specifically includes the following sub-steps:
[0023] (2.1) Group the network traffic of the training set and the test set according to the five-tuple {source IP address, destination IP address, source port, destination port, transport layer protocol}, and split the same session into inbound flow and outbound flow;
[0024] (2.2) Based on the characteristic that mining behavior usually has continuous operation, short streams with a duration of less than 10 minutes are filtered out, and the candidate stream set is retained;
[0025] (2.3) Set the observation time window to 5 minutes and the time slot granularity to 1 second, and divide each candidate flow into a continuous time slot within the observation time window;
[0026] (2.4) For data packets whose arrival time falls within the observation time window, map them to the corresponding time slot according to their arrival time;
[0027] (2.5) If at least one data packet arrives in a certain time slot, the time slot is assigned a value of 1; if no data packet arrives in a certain time slot, the time slot is assigned a value of 0.
[0028] (2.6) The values corresponding to each time slot are spliced together in chronological order to form a 0-1 flow time sequence corresponding to the target flow, and the time behavior representations of the inflow and outflow flows are retained respectively.
[0029] Through steps (2.1) to (2.6), this invention converts heterogeneous network traffic, after being forwarded, encrypted, and repackaged by an encrypted proxy, into a unified 0-1 stream time series representation. Compared to detection schemes that rely on packet length, payload content, fixed ports, protocol fingerprints, or specific packet flags, this representation does not directly depend on plaintext content and fixed protocol features, thus reducing the impact of protocol spoofing, packet padding, dynamic port switching, and proxy repackaging on detection features. Furthermore, by constructing time series for the inbound and outbound flows of the same session separately, this invention preserves the temporal behavior differences in different communication directions, providing a more consistent input basis for subsequent stable feature extraction.
[0030] Furthermore, step (3) specifically includes the following sub-steps:
[0031] (3.1) Extract periodic features, perform fast Fourier transform on the time series of the stream described in step (2.6) to obtain each frequency component and its corresponding intensity, and select the two terms with larger frequency component intensities as the main period and the sub-period.
[0032] (3.2) Extract periodic features, and use the main period and sub-period described in step (3.1) as the corresponding lags to perform autocorrelation analysis on the flow time series described in step (2.6) to obtain the autocorrelation coefficient of the main period and the autocorrelation coefficient of the sub-period;
[0033] (3.3) Extract time series features and statistically analyze the proportion of active time slots, the number of active time slots, the maximum number of consecutive active time slots, and the maximum duration of consecutive activities in the streaming time series described in step (2.6).
[0034] (3.4) Extract time series features, divide the stream time series described in step (2.6) into multiple sub-stream time series according to a preset length, count the proportion of active time slots in each sub-stream, and calculate the standard deviation of the proportion of active time slots in each sub-stream;
[0035] (3.5) Extract statistical features, construct a data packet arrival interval sequence for the candidate stream described in step (2.2), and extract the number of data packets, the maximum value of the arrival interval, the minimum value of the arrival interval, the proportion of arrival intervals within 1 second, the proportion of arrival intervals over 20 seconds, the variance of the arrival interval, and the transport layer protocol type.
[0036] (3.6) Combine the periodic features, time series features and statistical features described in steps (3.1) to (3.5) to form an initial stable feature set for characterizing the behavior of confused mining traffic;
[0037] (3.7) Perform missing value processing and standardization on the initial stable feature set described in step (3.6) to eliminate the influence of feature missingness and dimensional differences on the detection results;
[0038] (3.8) Perform Pearson correlation coefficient analysis on the preprocessed stable feature set to remove redundant features and obtain a stable feature subset for detection.
[0039] Furthermore, the selected stable feature subset specifically includes the following features:
[0040]
[0041] Through steps (3.1) to (3.8), this invention extracts stable behavioral features of obfuscated mining traffic from three dimensions: periodic features, time series features, and statistical features. Periodic features characterize the repetitive communication patterns in the time series of the stream; time series features characterize the activity level, continuous activity, and fine-grained sparsity fluctuations of the target stream within the observation time window; and statistical features characterize the number of data packets, arrival interval distribution, and transport layer protocol type of the candidate stream. Compared to detection schemes that only use single data packet length distribution, single data packet time interval distribution, or plaintext protocol features, this invention can extract relatively stable discrimination criteria for different encryption proxy obfuscation methods from multiple complementary dimensions, and reduces the impact of missing values, dimensional differences, and redundant features on model training and detection results through preprocessing and correlation screening.
[0042] Furthermore, step (4) specifically includes the following sub-steps:
[0043] (4.1) Use the stable feature subset corresponding to the training set to construct training samples and train the confused mining traffic detection model, wherein the detection model is a random forest model;
[0044] (4.2) Input the plaintext mining samples, single obfuscation mining samples, multi-obfuscation scenario mining samples and background traffic samples from the test set into the trained detection model, and verify the detection capability of the model under different obfuscation scenarios.
[0045] (4.3) The detection model outputs the classification result of whether the detected flow belongs to mining flow or normal flow;
[0046] (4.4) For the inbound and outbound flows corresponding to the same session, they can be detected separately, and a comprehensive judgment can be made on whether the corresponding session has mining behavior based on the detection results.
[0047] Through the processing in steps (4.1) to (4.4), this invention uses the stable feature subset from step (3) as input to the detection model, enabling the traffic to be detected to complete feature generation and model determination within a short observation time without waiting for the complete session to end. Preferably, the observation time window is 5 minutes, thus achieving a good balance between detection accuracy and detection timeliness. Compared to detection schemes that require a long time to track the complete traffic, accumulate a fixed number of data packets, or rely on long-term distribution comparisons, this invention can shorten the detection waiting time, reduce caching and computational overhead during online detection, and is more suitable for continuous monitoring and rapid early warning at the network egress side. At the same time, by detecting the inbound and outbound flows corresponding to the same session separately and making a comprehensive judgment on the detection results of the two directions, the risk of misjudgment caused by single-direction traffic sparsity, sudden local background business, or individual obfuscation disturbances can be reduced, improving the stability and practical deployability of mining behavior detection in encrypted proxy obfuscation scenarios.
[0048] Compared with the prior art, the present invention has the following advantages and beneficial effects:
[0049] (1) This invention is aimed at mining traffic detection scenarios under various encryption proxy obfuscation methods. By uniformly modeling obfuscated mining traffic in scenarios with different proxy transmission configurations, different equipment conditions, and concurrent normal business and mining traffic, it can achieve stable detection in multiple obfuscation scenarios that are closer to the real network environment. Therefore, it has stronger practical applicability than existing detection schemes that are mainly designed for single traffic modes or single obfuscation conditions.
[0050] (2) By constructing a stream time series representation and extracting stable features from three dimensions—period, time sequence, and statistics—this invention can characterize the relatively stable communication behavior patterns under different encryption proxy obfuscation methods. Compared with detection schemes that rely on single data packet length, single time interval distribution, or plaintext protocol features, this invention can more effectively adapt to situations such as protocol spoofing, message padding, and dynamic port changes, thereby improving detection stability in obfuscated scenarios.
[0051] (3) The present invention has good detection timeliness, generalization ability and robustness. The method can complete the detection in a short observation time, reducing the storage and computing overhead caused by long-term traffic tracking; at the same time, it still has good adaptability to unknown device scenarios, mixed scenarios of normal business and mining concurrency, and disturbances such as packet delay and packet amplification within a certain range, so it is more suitable for online monitoring and rapid early warning in complex network environments.
[0052] (4) The present invention can still maintain excellent detection performance in a highly unbalanced real background traffic scenario. Under the condition that the ratio of background traffic to mining traffic is 100:1 and the observation time window is 5 minutes, the recall rate of the present invention for confused mining traffic reaches 89.47% and the false positive rate is only 0.01%, which shows that the present invention takes into account both detection effectiveness and practical deployment. Attached Figure Description
[0053] Figure 1 Schematic diagram of a cryptographic proxy obfuscated mining traffic detection framework;
[0054] Figure 2 A schematic diagram of the method for constructing streaming time series;
[0055] Figure 3 Performance of this invention on different performance indicators for detecting cryptographic proxy obfuscated mining traffic under different time window sizes;
[0056] Figure 4 The performance of different methods and this invention on different performance indicators for detecting cryptographic proxy obfuscated mining traffic. Detailed Implementation
[0057] The technical solutions provided by the present invention will be described in detail below with reference to specific embodiments. It should be understood that the following specific embodiments are only used to illustrate the present invention and are not intended to limit the scope of the present invention.
[0058] Example 1: This invention proposes a method for detecting cryptographic proxy obfuscation mining traffic based on stream time series representation. The detection framework is as follows: Figure 1 As shown, it is divided into four parts. The first part is the construction of the labeled traffic dataset. Specifically, it involves setting up a mining traffic collection environment consisting of controlled terminals, proxy clients, proxy servers, and mining pools. Encryption proxy tools are used to forward, encrypt, and obfuscate mining communications. Plaintext mining traffic, single-obfuscated mining traffic, multi-obfuscated mining traffic, and mixed traffic from normal business operations and concurrent mining are collected. A labeled sample dataset is then constructed by combining this with a publicly available background traffic dataset. The second part is the construction of the stream time series. Specifically, the raw traffic is grouped, directed, filtered for short flows, and divided into time slots. A 0-1 stream time series representation is then constructed. Figure 2 The first part illustrates the construction method of the streaming time series; the second part is the extraction of stable feature subsets, which involves extracting periodic features, time series features, and statistical features from the streaming time series and candidate streaming statistical behavior, and forming a 16-dimensional stable feature subset for detection after missing value processing, standardization, and correlation screening; the third part is the training of the detection model and online detection, which involves training a confused mining traffic detection model using the stable feature subset corresponding to the training set, and inputting the test set and online traffic to be detected into the detection model to output the detection results. Figure 3The performance of this invention on different performance indicators is shown under different observation time window sizes for detecting cryptographic proxy obfuscated mining traffic. Figure 4 The performance of different methods and the present invention on various performance metrics for detecting crypto-proxy obfuscation mining traffic is illustrated. Specifically, a method for detecting crypto-proxy obfuscation mining traffic based on stream time series representation includes the following steps:
[0059] (1) Construct a labeled traffic dataset for training and testing.
[0060] The specific process for this step is as follows:
[0061] (1.1) Build a mining traffic collection environment consisting of controlled terminals, proxy clients, proxy servers and mining pools, in which the encrypted proxy tool V2Ray is used to forward, encrypt and obfuscate mining communication;
[0062] (1.2) Configure four transmission modes respectively in the encrypted proxy environment: VMess over TCP, VMess over WebSocket, VMess over QUIC and VMess over mKCP, so as to form a variety of different proxy obfuscation scenarios;
[0063] (1.3) Run a mining program on a controlled terminal to access a mining pool, collect plaintext mining traffic that has not been proxied and mining traffic that has been processed by the four obfuscation methods, and run normal applications and mining programs on at least one controlled terminal at the same time to construct an encrypted hijacking scenario in which mining traffic and normal business traffic occur concurrently.
[0064] (1.4) Collect the obfuscated mining traffic between the proxy client and the proxy server, and collect the corresponding deobfuscated plaintext mining traffic at the exit position of the proxy server to form a comparison sample of plaintext mining traffic and obfuscated mining traffic.
[0065] (1.5) Obtain the CICIoT 2023 dataset and the ISCXVPN 2016 dataset as background traffic, wherein the CICIoT 2023 dataset is used to provide background traffic for IoT scenarios, and the ISCXVPN 2016 dataset is used to provide background traffic for encrypted applications such as chat, file transfer, streaming media, P2P download, and VoIP.
[0066] (1.6) The plaintext mining traffic, single obfuscated mining traffic, multi-obfuscated scenario mining traffic and background traffic are uniformly labeled, organized and sampled to construct a binary classification labeled traffic dataset, and mixed according to an unbalanced ratio of 100:1 between background traffic and mining traffic to simulate a scenario where the proportion of mining traffic is low in the real network.
[0067] (1.7) The completed labeled traffic dataset is randomly divided into a training set and a test set in a 7:3 ratio for subsequent feature extraction, model training and detection verification.
[0068] (2) Perform grouping, direction splitting and short-flow filtering on the labeled traffic dataset and the network traffic to be detected, and construct a flow time series representation within a preset observation time window.
[0069] The specific process for this step is as follows:
[0070] (2.1) Group the network traffic of the training set and the test set according to the five-tuple {source IP address, destination IP address, source port, destination port, transport layer protocol}, and split the same session into inbound flow and outbound flow;
[0071] (2.2) Based on the characteristic that mining behavior usually has continuous operation, short streams with a duration of less than 10 minutes are filtered out, and the candidate stream set is retained;
[0072] (2.3) Set the observation time window to 5 minutes and the time slot granularity to 1 second, and divide each candidate flow into a continuous time slot within the observation time window;
[0073] (2.4) For data packets whose arrival time falls within the observation time window, map them to the corresponding time slot according to their arrival time;
[0074] (2.5) If at least one data packet arrives in a certain time slot, the time slot is assigned a value of 1; if no data packet arrives in a certain time slot, the time slot is assigned a value of 0.
[0075] (2.6) The values corresponding to each time slot are spliced together in chronological order to form a 0-1 flow time sequence corresponding to the target flow, and the time behavior representations of the inflow and outflow flows are retained respectively; under the preferred parameters of the observation time window of 5 minutes and the time slot granularity of 1 second, the length of the 0-1 flow time sequence formed is 300.
[0076] (3) Extract stable features based on the time series of the stream and the statistical behavior of the target stream, and preprocess and screen the stable features to form a subset of stable features for detection.
[0077] The specific process for this step is as follows:
[0078] (3.1) Extract periodic features, perform fast Fourier transform on the time series of the stream described in step (2.6) to obtain each frequency component and its corresponding intensity, and select the two terms with larger frequency component intensities as the main period and the sub-period.
[0079] (3.2) Extract periodic features, and use the main period and sub-period described in step (3.1) as the corresponding lags to perform autocorrelation analysis on the flow time series described in step (2.6) to obtain the autocorrelation coefficient of the main period and the autocorrelation coefficient of the sub-period;
[0080] (3.3) Extract time series features and statistically analyze the proportion of active time slots, the number of active time slots, the maximum number of consecutive active time slots, and the maximum duration of consecutive activities in the streaming time series described in step (2.6).
[0081] (3.4) Extract time series features, divide the stream time series described in step (2.6) into multiple sub-stream time series according to a preset length, count the proportion of active time slots in each sub-stream, and calculate the standard deviation of the proportion of active time slots in each sub-stream;
[0082] (3.5) Extract statistical features, construct a data packet arrival interval sequence for the candidate stream described in step (2.2), and extract the number of data packets, the maximum value of the arrival interval, the minimum value of the arrival interval, the proportion of arrival intervals within 1 second, the proportion of arrival intervals over 20 seconds, the variance of the arrival interval, and the transport layer protocol type.
[0083] (3.6) Combine the periodic features, time series features and statistical features described in steps (3.1) to (3.5) to form an initial stable feature set for characterizing the behavior of confused mining traffic;
[0084] (3.7) Perform missing value processing and standardization on the initial stable feature set described in step (3.6) to eliminate the influence of feature missingness and dimensional differences on the detection results;
[0085] (3.8) Perform Pearson correlation coefficient analysis on the preprocessed stable feature set to remove redundant features and obtain a stable feature subset for detection; specifically, calculate the Pearson correlation coefficient for each pair of features in the preprocessed stable feature set, and for feature pairs whose absolute Pearson correlation coefficient is greater than a preset correlation threshold, retain one of them and remove the other. The preset correlation threshold is preferably 0.8. After screening, a stable feature subset consisting of 16-dimensional features is obtained.
[0086] Furthermore, the selected stable feature subset specifically includes the following features:
[0087]
[0088] (4) Train a confused mining traffic detection model using the stable feature subset corresponding to the training set in the labeled traffic dataset, and input the test set and the stable feature subset corresponding to the online traffic to be detected into the detection model, and output the detection result of whether the traffic to be detected is mining traffic.
[0089] The specific process for this step is as follows:
[0090] (4.1) Use the stable feature subset corresponding to the training set to construct training samples and train the confused mining traffic detection model. The detection model adopts the random forest model and the number of decision trees is set to 100.
[0091] (4.2) Input the plaintext mining samples, single obfuscation mining samples, multi-obfuscation scenario mining samples and background traffic samples from the test set into the trained detection model, and verify the detection capability of the model in different scenarios.
[0092] (4.3) The detection model outputs the classification result of whether the detected flow belongs to mining flow or normal flow;
[0093] (4.4) For the inbound and outbound flows corresponding to the same session, they can be detected separately, and a comprehensive judgment can be made on whether the corresponding session has mining behavior based on the detection results. Specifically, the comprehensive judgment is performed according to the preset comprehensive judgment rules, which make the session determined to have mining behavior when at least one of the inbound and outbound flows has a flow level classification result of mining flow.
[0094] (4.5) To verify the impact of the observation time window setting on the detection effect, the observation time window was set to 2 minutes, 5 minutes, and 10 minutes respectively for testing. The test results are as follows: Figure 3 As shown in the figure. The comparison results show that the 5-minute observation time window can achieve a good balance between detection accuracy and detection timeliness. Therefore, 5 minutes is selected as the preferred observation time window in this invention.
[0095] (4.6) The present invention is compared with existing mining traffic detection methods and encryption traffic detection methods, and the results are as follows: Figure 4 As shown in the figure. The comparison results show that the present invention has a better detection effect in encrypted proxy obfuscation scenarios, and is especially suitable for real network environments with complex background business, low mining traffic, and multiple proxy obfuscation methods.
[0096] The technical means disclosed in this invention are not limited to those disclosed in the above embodiments, but also include technical solutions composed of any combination of the above technical features. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principles of this invention, and these improvements and modifications are also considered within the scope of protection of this invention.
Claims
1. A method for detecting cryptographic proxy obfuscation mining traffic based on stream time series representation, characterized in that, Includes the following steps: (1) Construction of labeled traffic dataset: A dual-collection-point environment containing plaintext collection points and obfuscated collection points is built. Plaintext mining traffic, mining traffic after being processed by various encryption proxy obfuscation methods, mixed traffic generated by mining and normal business concurrently, and background traffic are collected respectively. They are then mixed according to a preset unbalanced ratio to form a labeled traffic dataset. (2) Construction of 0-1 flow time series: group the labeled traffic dataset and the network traffic to be detected into five-tuples, split the same session into inbound flow and outbound flow; filter short flows with a duration lower than the preset threshold, and discretize the candidate flow according to the fixed time slot within the preset observation time window to construct the corresponding 0-1 flow time series; (3) Extract a multidimensional stable feature subset. Based on the 0-1 flow time series and the statistical behavior of the candidate flow, extract periodic features, time series features and statistical features, and combine them to form an initial stable feature set; The initial stable feature set is sequentially processed by missing value handling, standardization, and redundant feature screening based on Pearson correlation coefficient to obtain a stable feature subset under the cross-encryption proxy obfuscation scenario; (4) Encryption proxy obfuscation mining traffic detection: The obfuscation mining traffic detection model is trained using the stable feature subset corresponding to the training sample. The network traffic to be detected is processed by steps (2) and (3) to obtain the stable feature subset, and then input into the detection model to obtain the flow-level classification results of the inbound and outbound flows corresponding to the same session, and to make a comprehensive judgment on whether the session has mining behavior.
2. The method for detecting cryptographic proxy obfuscation mining traffic based on stream time series representation according to claim 1, characterized in that, Step (1) specifically includes the following sub-steps: (1.1) Build a mining traffic collection environment consisting of a controlled terminal, a proxy client, a proxy server and a mining pool, and configure a variety of different encryption proxy obfuscation methods between the proxy client and the proxy server; (1.2) Running a mining program on a controlled terminal to access a mining pool generates plaintext mining traffic without a proxy, mining traffic after being processed by different proxy obfuscation methods, and mixed traffic when normal business and the mining program run concurrently. (1.3) Collect the obfuscated mining traffic between the proxy client and the proxy server, and collect the corresponding deobfuscated plaintext mining traffic at the exit position of the proxy server to form a comparison sample of plaintext mining traffic and obfuscated mining traffic. (1.4) Obtain background traffic, and uniformly label, organize and sample plaintext mining traffic, obfuscated mining traffic and background traffic to construct a binary classification labeled traffic dataset; (1.5) Divide the labeled traffic dataset into a training set and a test set.
3. The method for detecting cryptographic proxy obfuscation mining traffic based on stream time series representation according to claim 2, characterized in that, The encryption proxy obfuscation method configured in step (1.1) includes at least two or more of the following: TCP-based protocol spoofing obfuscation, WebSocket-based protocol spoofing obfuscation, QUIC-based protocol spoofing obfuscation, and mKCP-based transport simulation obfuscation; the preset imbalance ratio in step (1.4) is such that the background traffic and mining traffic satisfy a ratio of 100:
1.
4. The method for detecting cryptographic proxy obfuscation mining traffic based on stream time series representation according to claim 1, characterized in that, Step (2) specifically includes the following sub-steps: (2.1) The original traffic is grouped into streams according to the five-tuple consisting of source IP address, destination IP address, source port, destination port and transport layer protocol, and the bidirectional traffic of the same session is further split into inbound flow with the controlled terminal as the destination and outbound flow with the controlled terminal as the source. (2.2) Based on the characteristic that mining behavior is continuous operation, a minimum duration threshold is set for each direction flow, and short flows with a duration lower than the minimum duration threshold are filtered out, and only candidate flows that meet the threshold are retained; (2.3) Set the start time for each candidate stream as the arrival time of the first data packet of the candidate stream, and divide the preset observation time window from the start time into continuous time slots of equal and non-overlapping duration, wherein the granularity of the time slots is smaller than the length of the observation time window. (2.4) For each candidate stream, data packets whose arrival time falls within the observation time window are mapped to the corresponding time slots according to their arrival time. For each time slot, if at least one data packet arrives in the time slot, the corresponding value of the time slot is set to 1; otherwise, it is set to 0. (2.5) The values of each time slot in the observation time window are sequentially spliced together in chronological order to obtain a 0-1 stream time series with a length equal to the ratio of the observation time window to the time slot granularity. The 0-1 stream time series corresponding to the inbound and outbound streams are retained respectively. The 0-1 stream time series does not carry data packet length, payload content and specific protocol fingerprint information, but only describes the data packet arrival and occupancy of the candidate stream in the time dimension.
5. The method for detecting cryptographic proxy obfuscation mining traffic based on stream time series representation according to claim 4, characterized in that, The minimum duration threshold in step (2.2) is 10 minutes, the observation time window in step (2.3) is 5 minutes, the granularity of the time slot is 1 second, and the length of the 0-1 stream time series in step (2.5) is 300.
6. The method for detecting cryptographic proxy obfuscated mining traffic based on stream time series representation according to claim 1, characterized in that, Step (3) specifically includes the following sub-steps: (3.1) Perform a fast Fourier transform on the 0-1 stream time series obtained in step (2) to obtain each frequency component and its corresponding intensity. Select the first two frequency components from high to low according to the spectral intensity, and take the period corresponding to the selected first two frequency components as the main period and the sub-period, respectively. (3.2) Using the main period and the sub-period as the corresponding lag, calculate the value of the autocorrelation function for the 0-1 stream time series respectively. The two autocorrelation function values are used as the autocorrelation coefficient of the main period and the autocorrelation coefficient of the sub-period respectively, and are used to quantitatively verify the communication law represented by the main period and the sub-period. (3.3) For the 0-1 flow time series, the time slot with a value of 1 is defined as the active time slot. The proportion of active time slots, the number of active time slots, the maximum number of consecutive active time slots, and the maximum duration of consecutive activity are statistically analyzed as time series features characterizing the activity level of the candidate flow within the observation time window. (3.4) Divide the 0-1 stream time series into multiple non-overlapping sub-stream time series according to the preset sub-sequence length, calculate the proportion of active time slots for each sub-stream time series, and calculate the standard deviation of the proportion of active time slots for each sub-stream as a time series feature characterizing the degree of fine-grained temporal sparsity fluctuation of the candidate stream. (3.5) Construct a data packet arrival interval sequence based on the arrival times of all data packets of the candidate stream, and extract the number of data packets, the maximum value of data packet arrival interval, the minimum value of data packet arrival interval, the proportion of arrival intervals within 1 second, the proportion of arrival intervals over 20 seconds, and the variance of data packet arrival interval from the data packet arrival interval sequence, and combine them with the transport layer protocol type to which the candidate stream belongs, as statistical features characterizing the candidate stream. (3.6) Combine the periodic features, time series features and statistical features obtained in steps (3.1) to (3.5) in a preset order to form an initial stable feature set containing 22-dimensional features; (3.7) Perform missing value imputation and zero-mean unit variance standardization on the feature values in the initial stable feature set in sequence to obtain the preprocessed stable feature set; (3.8) For the preprocessed stable feature set, calculate the Pearson correlation coefficient for each pair of features. For feature pairs whose absolute value of the Pearson correlation coefficient is greater than the preset correlation threshold, retain one of them and remove the other to obtain a stable feature subset consisting of 16-dimensional features.
7. The method for detecting cryptographic proxy obfuscated mining traffic based on stream time series representation according to claim 6, characterized in that, The stable feature subset obtained in step (3.8) is a 16-dimensional stable feature subset, including the main period, sub-period, main period autocorrelation coefficient and sub-period autocorrelation coefficient in the periodic dimension; the proportion of active time slots, number of active time slots, maximum number of consecutive active time slots, maximum duration of consecutive activities and standard deviation of sub-stream active time slot proportion in the time series dimension; and the number of data packets, maximum data packet arrival interval, minimum data packet arrival interval, proportion of arrival intervals within 1 second, proportion of arrival intervals over 20 seconds, variance of data packet arrival interval and transport layer protocol type in the statistical dimension.
8. The method for detecting cryptographic proxy obfuscated mining traffic based on stream time series representation according to claim 1, characterized in that, Step (4) specifically includes the following sub-steps: (4.1) Using the stable feature subset corresponding to each candidate flow in the training set as input and whether the candidate flow belongs to mining flow as label, a confused mining flow detection model based on multiple decision trees is trained. The detection model votes on the prediction results of each decision tree in the prediction stage and outputs the flow-level classification result of whether the candidate flow belongs to mining flow or normal flow. (4.2) Perform the same group flow, direction splitting, short flow filtering and 0-1 flow time series construction as in step (2) on the network traffic to be detected, and perform the same stable feature subset extraction as in step (3) to obtain the stable feature subset of the inbound flow and the stable feature subset of the outbound flow corresponding to the same session. (4.3) Input the stable feature subsets of the inflow and the stable feature subsets of the outflow into the detection model trained in step (4.1) respectively, and obtain the flow level classification results of the inflow and outflow respectively; (4.4) For the inbound and outbound flows corresponding to the same session, the session is determined to have mining behavior based on the preset comprehensive judgment rules and the flow level classification results of the inbound and outbound flows. The comprehensive judgment rule states that when the flow level classification result in any direction is mining flow, the session is judged to have mining behavior.