CN109379377A - Encrypt malicious traffic stream detection method, device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN109379377A
Application number: CN201811462207.5A
Authority: CN (China)
Prior art keywords: feature, input, detection model, model, unit
Legal status: Granted (current status: Active)
Other languages: Chinese (zh)
Other versions: CN109379377B (en)
Inventor: 江斌
Current assignee: Geek Xin'an (Beijing) Technology Co Ltd
Original assignee: Geek Xin'an (Beijing) Technology Co Ltd
Application filed by Geek Xin'an (Beijing) Technology Co Ltd; priority to CN201811462207.5A; published as CN109379377A; granted and published as CN109379377B.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection

Abstract

Embodiments of the present disclosure provide an encrypted malicious traffic detection method, device, electronic equipment and computer-readable storage medium. The method comprises the steps of: extracting features based on normal traffic samples and malicious traffic samples; inputting the first features among the extracted features that are suitable for deep learning into a deep learning model and training it, to form a depth detection model based on deep learning; inputting the feature set output by the deep learning model into a machine learning model, and inputting the second features among the extracted features that are suitable for machine learning into the same machine learning model, to form a machine detection model based on machine learning; and detecting live network traffic using the depth detection model and the machine detection model, finally identifying encrypted malicious traffic. The disclosure can effectively solve the problem that manually extracted features are incomplete. At the same time it can identify malicious encrypted traffic more efficiently, while ensuring that the detection model remains semantically understandable to the user.

Description

Encrypted malicious traffic detection method, device, electronic equipment and storage medium
Technical field
This disclosure relates to the field of traffic data detection technology, and in particular to an encrypted malicious traffic detection method, device, electronic equipment and storage medium.
Background technique
Network communication is an information application that nearly all enterprises and individuals are involved in. As enterprise and individual users pay more and more attention to information security, encryption technology is used in more and more scenarios of current network communication. With encryption, the communicated content cannot be identified by any user on the network other than the two communicating parties.
At the same time, all kinds of malicious programs such as network trojans and worms, when communicating with their control terminals, often also use encrypted traffic in order to evade identification by network detection devices. This creates the problem that normal encrypted traffic and malicious encrypted traffic are indistinguishable, which poses a great challenge for network security detection.
Current detection of encrypted malicious traffic mainly uses supervised machine learning: a detection model is trained from malicious encrypted traffic and normal encrypted traffic, and that detection model can then be used to discriminate whether a piece of encrypted traffic is malicious.
The main problem with existing schemes is that the definition of features requires the participation of experienced experts; defining a comprehensive set of features in one pass is a task that is difficult to complete, and a small feature set makes it difficult to obtain effective detection results. Therefore, how to efficiently separate out malicious traffic has become a technical problem urgently in need of a solution.
Summary of the invention
The purpose of the present disclosure is to provide an encrypted malicious traffic detection method, device, electronic equipment and storage medium that can rapidly detect malicious encrypted traffic in traffic information.
In a first aspect, the present disclosure provides an encrypted malicious traffic detection method, comprising the following steps:
S101: extracting features based on normal traffic samples and malicious traffic samples;
S102: inputting the first features among the extracted features that are suitable for deep learning into a deep learning model and training it, forming a depth detection model based on deep learning;
S103: inputting the feature set output by the deep learning model into a machine learning model, and inputting the second features among the extracted features that are suitable for machine learning into the machine learning model, forming a machine detection model based on machine learning;
S104: detecting live network traffic using the depth detection model and the machine detection model, finally identifying malicious traffic.
Optionally, the extracted features include consistency features, certificate features and traffic-behaviour features.
Optionally, the first feature is the traffic-behaviour feature; the second feature is the consistency feature or the certificate feature.
Optionally, step S102 comprises:
S1021: constructing the training function model:

$$i_t = \sigma(W_{xi} x_t + W_{hi} h_{t-1} + W_{ci} c_{t-1} + b_i)$$
$$f_t = \sigma(W_{xf} x_t + W_{hf} h_{t-1} + W_{cf} c_{t-1} + b_f)$$
$$o_t = \sigma(W_{xo} x_t + W_{ho} h_{t-1} + W_{co} c_{t-1} + b_o)$$
$$c_t = f_t c_{t-1} + i_t \tanh(W_{xc} x_t + W_{hc} h_{t-1} + b_c)$$
$$h_t = o_t \tanh(c_t)$$

where $\sigma$ is the logistic sigmoid function, $t$ denotes the iteration number of the neural network, and $i$, $f$, $o$, $c$, $h$ denote the input gate, forget gate, output gate, cell activation vector and hidden unit respectively; $W_{xi}$, $W_{hi}$ and $W_{ci}$ respectively denote the weight matrices from the input feature vector, the hidden-layer unit and the cell activation vector to the input gate; $W_{xf}$, $W_{hf}$ and $W_{cf}$ respectively denote the weight matrices from the input feature vector, the hidden-layer unit and the cell activation vector to the forget gate; $W_{xo}$, $W_{ho}$ and $W_{co}$ respectively denote the weight matrices from the input feature vector, the hidden-layer unit and the cell activation vector to the output gate; $b_i$, $b_f$, $b_c$, $b_o$ are the biases of the input gate, forget gate, cell activation vector and output gate respectively;
where the sigmoid function is as follows:
and the tanh function is as follows:
S1022: inputting the first features into the above training function model and iterating the computation until the output features tend to be stable, then stopping training.
Optionally, step S103 comprises:
S1031: constructing the decision tree sample set $Z$, where $X$ denotes the full set of features extracted from the traffic, $Y$ denotes all the training data of traffic containing both black (malicious) and white (benign) samples, and $n$ denotes the number of decision trees:
$$Z = \{(X_1, Y_1), (X_2, Y_2), (X_3, Y_3), \dots, (X_n, Y_n)\};$$
S1032: for each data set constructed in step S1031, in a top-down recursive manner, selecting a feature from the training subset at each split node: computing the information gain ratio for each feature, selecting the feature with the maximum gain as the split attribute and dividing on it, until all samples reach leaf nodes, so that a decision tree of the following form is constructed for every training subset of step S1031
where $y_i$ denotes the voting result of any one decision tree and $P_i$ denotes the probability with which any data item passes;
S1033: merging the decision trees obtained in step S1032 to obtain the final decision tree RF,
where $n$ is the number of decision trees, $q_i$ is the weight of a tree and $y_i$ is the voting result of a tree.
In a second aspect, the present disclosure provides an encrypted malicious traffic detection device, comprising:
a feature extraction unit, which extracts features based on normal traffic samples and malicious traffic samples;
a depth detection model forming unit, which inputs the first features among the extracted features that are suitable for deep learning into a deep learning model and trains it, forming a depth detection model based on deep learning;
a machine detection model forming unit, which inputs the feature set output by the deep learning model into a machine learning model and inputs the second features among the extracted features that are suitable for machine learning into the machine learning model, forming a machine detection model based on machine learning;
a recognition unit, which detects live network traffic using the depth detection model and the machine detection model, finally identifying malicious traffic.
Optionally, the features extracted by the feature extraction unit include consistency features, certificate features and traffic-behaviour features.
Optionally, the first feature is the traffic-behaviour feature; the second feature is the consistency feature or the certificate feature.
In a third aspect, the present disclosure provides electronic equipment comprising a processor and a memory, the memory storing computer program instructions executable by the processor, where the processor, when executing the computer program instructions, implements any of the method steps of the first aspect.
In a fourth aspect, the present disclosure provides a computer-readable storage medium storing computer program instructions which, when called and executed by a processor, implement any of the method steps of the first aspect.
Compared with the prior art, the beneficial effects of the embodiments of the present disclosure are:
The advantage of the deep learning detection model of the disclosure is that its input features are simple and the demands it places on people are low, but its shortcoming is that the semantics of the detection model are hard to understand, so it is difficult for the user to adjust and analyze. The disclosure takes the features automatically identified by the deep learning algorithm and feeds them as input into the machine learning algorithm, which effectively solves the problem that manually extracted features are incomplete. At the same time we propose a set of features based on the current machine learning scheme; the two categories of features acting together can identify malicious encrypted traffic more efficiently, while ensuring that the detection model remains semantically understandable to the user.
Detailed description of the invention
In order to explain the technical solutions in the embodiments of the present disclosure or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present disclosure; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of the malicious traffic extraction method provided by one embodiment of the disclosure;
Fig. 2 is a schematic diagram of model training provided by another embodiment of the disclosure;
Fig. 3 is a schematic diagram of the model training data structure provided by one embodiment of the disclosure;
Fig. 4 is a structural schematic diagram of the malicious traffic extraction device provided by another embodiment of the disclosure;
Fig. 5 is a structural schematic diagram of the electronic equipment provided by an embodiment of the disclosure.
Specific embodiment
To make the purposes, technical solutions and advantages of the embodiments of the present disclosure clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the disclosure. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the disclosure, without creative effort, fall within the scope of protection of the disclosure.
The terminology used in the embodiments of the present disclosure is only for the purpose of describing particular embodiments and is not intended to limit the disclosure. The singular forms "a", "said" and "the" used in the embodiments and in the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise; "a variety of" generally means at least two, but does not exclude the case of at least one.
It should be understood that the term "and/or" used herein merely describes an association relationship between associated objects, meaning that three kinds of relationship may exist; for example, "A and/or B" can mean: A alone, A and B together, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
It will be appreciated that although the terms first, second, third, etc. may be used in the embodiments of the present disclosure to describe technical names, these technical names should not be limited by those terms, which are only used to distinguish the technical names from one another. For example, without departing from the scope of the embodiments of the present disclosure, a first signature verification may also be referred to as a second signature verification, and similarly a second signature verification may also be referred to as a first signature verification.
Depending on the context, the word "if" as used herein may be construed as "when" or "upon" or "in response to determining" or "in response to detecting". Similarly, depending on the context, the phrase "if it is determined" or "if (the stated condition or event) is detected" may be construed as "when determined" or "in response to determining" or "when (the stated condition or event) is detected" or "in response to detecting (the stated condition or event)".
It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a product or system including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a product or system. Without further limitation, an element defined by the sentence "including a ..." does not exclude the presence of other identical elements in the product or system that includes that element.
In addition, the ordering of the steps in each of the following method embodiments is only an example and is not strictly limited.
Referring to Fig. 1, in a first aspect the present disclosure provides an encrypted malicious traffic detection method, comprising the following steps:
First stage: model training
Step S101: extracting features based on normal traffic samples and malicious traffic samples;
These features are the basis for training the depth detection model and the classification detection model, and can be divided into three classes: consistency features, certificate features and traffic-behaviour features. The specific elements of the three classes of features are as shown in the table below:
Consistency features include:
whether the target the client actually accesses is consistent with the target the client declares it is accessing, and whether the identity provided by the server side is consistent with the server side's verification proof. The SNI is the server-side domain name the client declares it is accessing, similar to the Host header in plaintext; DNS gives the actual domain names of the server-side IP; and the CN/SAN in the certificate is the actual domain name the server side declares. By comparing these few classes of domain names in combination we obtain the domain-name consistency features.
Certificate features come from the differences between malicious certificates and ordinary certificates:
Malicious certificates usually use self-signed certificates, and these differ considerably from the self-signed certificates of normal websites: a malicious certificate usually uses a host name or an IP as the CN (for example a Windows system user name), whereas the CN of a normal certificate is usually a domain name.
Because malicious certificates are made carelessly, without actual verification, some empty-field features appear. Malicious certificates are usually issued by third-party tools, or construct the CN from a DGA domain name, so special strings appear in the CN field, such as localhost or attack.cc; by extracting N-grams we can obtain such fields that are common in malicious traffic. The encoding of server-side websites in a specific network environment is relatively stable, and server-side traffic of a specific encoding type comes mostly from virus traffic worldwide.
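The consistency and certificate features described under step S101, as an added Python example that is not the patent's own code: `consistency_features` compares the declared target (SNI) with the DNS names of the server IP and with the certificate CN/SAN, and `certificate_features` flags a self-signed certificate, a CN that is an IP address or a bare host name, empty DN fields, and N-grams of the CN learned from labelled samples. The `TlsSession` record, its field names and the two session samples are constructed for this example; the N-gram vocabulary is learned from the CN strings the page mentions (localhost, attack.cc) plus constructed benign and malicious CNs.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


# Constructed record of one TLS session holding the fields the consistency and
# certificate features are computed from (field names are this example's own).
@dataclass
class TlsSession:
    sni: Optional[str]                 # server name the client declares (ClientHello SNI)
    dns_names: List[str]               # domain names that resolved to the server IP
    cert_cn: Optional[str]             # Subject CN of the server certificate
    cert_san: List[str]                # Subject Alternative Names of the certificate
    issuer: str                        # Issuer DN
    subject: str                       # Subject DN
    cert_fields: Dict[str, str] = field(default_factory=dict)  # other DN fields (O, C, L, ...)


def _norm(name: Optional[str]) -> str:
    return (name or "").strip().lower().rstrip(".")


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def name_matches(name: str, pattern: str) -> bool:
    """Host-name match allowing one leading wildcard label (*.example.com)."""
    name, pattern = _norm(name), _norm(pattern)
    if not name or not pattern:
        return False
    if pattern.startswith("*."):
        return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")
    return name == pattern


def consistency_features(s: TlsSession) -> Dict[str, int]:
    """Domain-name consistency: declared target (SNI) vs DNS vs certificate CN/SAN."""
    cert_names = ([s.cert_cn] if s.cert_cn else []) + list(s.cert_san)
    sni = _norm(s.sni)
    return {
        "has_sni": int(bool(sni)),
        "sni_in_dns": int(any(name_matches(sni, d) for d in s.dns_names)),
        "sni_in_cert": int(any(name_matches(sni, c) for c in cert_names)),
        "dns_in_cert": int(any(name_matches(d, c) for d in s.dns_names for c in cert_names)),
    }


def ngrams(text: str, n: int = 3) -> Counter:
    t = _norm(text)
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def learn_suspicious_ngrams(malicious_cns: List[str], benign_cns: List[str],
                            n: int = 3, top: int = 50) -> Set[str]:
    """N-grams that occur more often in malicious CNs than in benign CNs."""
    mal, ben = Counter(), Counter()
    for cn in malicious_cns:
        mal.update(ngrams(cn, n))
    for cn in benign_cns:
        ben.update(ngrams(cn, n))
    scored = sorted(((mal[g] - ben[g], g) for g in mal), reverse=True)
    return {g for score, g in scored[:top] if score > 0}


def certificate_features(s: TlsSession, suspicious: Set[str]) -> Dict[str, int]:
    """Certificate features: self-signed, CN shape, empty fields, suspicious CN n-grams."""
    cn = _norm(s.cert_cn)
    return {
        "self_signed": int(bool(s.subject) and _norm(s.issuer) == _norm(s.subject)),
        "cn_is_ip": int(_is_ip(cn)),
        "cn_is_bare_hostname": int(bool(cn) and "." not in cn and not _is_ip(cn)),
        "cn_empty": int(not cn),
        "empty_field_count": sum(1 for v in s.cert_fields.values() if not v),
        "suspicious_ngram_hits": sum(c for g, c in ngrams(cn).items() if g in suspicious),
    }


def feature_vector(s: TlsSession, suspicious: Set[str]) -> Dict[str, int]:
    """The hand-crafted (second) features that are fed to the machine learning model."""
    return {**consistency_features(s), **certificate_features(s, suspicious)}


# Constructed samples, not real observations.
BENIGN = TlsSession(sni="www.example.com", dns_names=["www.example.com"],
                    cert_cn="example.com", cert_san=["example.com", "*.example.com"],
                    issuer="CN=Example Root CA,O=Example Trust",
                    subject="CN=example.com,O=Example Inc",
                    cert_fields={"O": "Example Inc", "C": "US", "L": "Springfield"})
MALICIOUS = TlsSession(sni=None, dns_names=[], cert_cn="WIN-7PC", cert_san=[],
                       issuer="CN=WIN-7PC", subject="CN=WIN-7PC",
                       cert_fields={"O": "", "C": "", "L": ""})
SUSPICIOUS = learn_suspicious_ngrams(["localhost", "attack.cc", "win-7pc"],
                                     ["www.example.com", "mail.example.org"])

if __name__ == "__main__":
    for label, sess in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, feature_vector(sess, SUSPICIOUS))
```

The N-gram vocabulary is learned once from labelled training certificates and then applied unchanged to live traffic, so that the "common malicious CN fragment" feature is a fixed lookup at detection time rather than something recomputed per session.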
Step S102: inputting the features suitable for deep learning into a deep learning model and training it, forming a deep learning detection model based on deep learning.
For example, the traffic-behaviour features of step S101 are suitable for deep learning; they are fed into a deep learning model such as an RNN and trained, obtaining a classifier based on deep learning.
Step S103: inputting the feature set output by the deep learning detection model into the machine learning model (random forest model).
As shown in Fig. 2, during training with the deep learning model an intermediate layer is formed, whose intermediate results are the various features needed by the deep learning detection model; the feature set formed by these intermediate layers is fed as one of the inputs into the machine learning model, that is, the random forest model, for training.
Step S104: inputting the features suitable for machine learning that were extracted from the traffic into the machine learning model (random forest model).
For example, in addition to the features found automatically by the deep learning model, the user-defined features extracted in the other step S101, such as the consistency features and certificate features, are input into the machine learning model at the same time and trained.
Step S105: training the detection model using the machine learning model (random forest model), obtaining the final detection model.
Based on the features input in the two steps S103 and S104, detection model training is performed, forming the final detection model.
Second stage: live extraction of malicious traffic
Step S106: inputting network traffic into the deep learning detection model, obtaining the feature set.
Steps S101 to S105 are the detection model generation steps; the following are the detection steps. Live network traffic is input into the deep learning detection model, whose intermediate result is the feature vector needed by the detection model of the previous stage.
Step S107: extracting from the network traffic, using the user-defined features, the other features that suit the final detection model.
That is, the consistency features and certificate features of S101 are extracted from the corresponding real traffic.
Step S108: identifying malicious traffic using the final detection model.
The features extracted in steps S106 and S107 are jointly input into the detection model formed in S105 for malicious traffic detection.
Optionally, in step S102 the deep learning detection model is built as follows.
As shown in Fig. 3, each neural unit contains three control gates, which respectively control input, output and forgetting. The input gate indicates whether the traffic-feature sequence of this flow is passed to the current cell; the output gate indicates whether the output data of the current node is retained for the next layer; the forget gate indicates whether the historical feature data recorded by the current node is cleared. For each sample a neural unit is first established, and the sample is fed in through the input gate.
S1021: constructing the training function model:

$$i_t = \sigma(W_{xi} x_t + W_{hi} h_{t-1} + W_{ci} c_{t-1} + b_i)$$
$$f_t = \sigma(W_{xf} x_t + W_{hf} h_{t-1} + W_{cf} c_{t-1} + b_f)$$
$$o_t = \sigma(W_{xo} x_t + W_{ho} h_{t-1} + W_{co} c_{t-1} + b_o)$$
$$c_t = f_t c_{t-1} + i_t \tanh(W_{xc} x_t + W_{hc} h_{t-1} + b_c)$$
$$h_t = o_t \tanh(c_t)$$

where $\sigma$ is the logistic sigmoid function, $t$ denotes the iteration number of the neural network, and $i$, $f$, $o$, $c$, $h$ denote the input gate, forget gate, output gate, cell activation vector and hidden unit respectively; $W_{xi}$, $W_{hi}$ and $W_{ci}$ respectively denote the weight matrices from the input feature vector, the hidden-layer unit and the cell activation vector to the input gate; $W_{xf}$, $W_{hf}$ and $W_{cf}$ respectively denote the weight matrices from the input feature vector, the hidden-layer unit and the cell activation vector to the forget gate; $W_{xo}$, $W_{ho}$ and $W_{co}$ respectively denote the weight matrices from the input feature vector, the hidden-layer unit and the cell activation vector to the output gate; $b_i$, $b_f$, $b_c$, $b_o$ are the biases of the input gate, forget gate, cell activation vector and output gate respectively;
where the sigmoid function is as follows:
and the tanh function is as follows:
S1022: inputting the first features into the above training function model and iterating the computation until the output features tend to be stable, then stopping training. Here, the output features tending to be stable generally means that, for the sample input, the output indicators obtained are with maximum probability identical, which indicates that model training is complete.
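The five equations of S1021 and the stop condition of S1022, as an added pure-Python example that is not the patent's own code: `LstmCell.step` evaluates i_t, f_t, o_t, c_t and h_t exactly as written above (the W_ci, W_cf and W_co terms multiply the previous cell activation c_{t-1}, as the page states), `encode` runs one flow's feature sequence through the cell, and `iterate_until_stable` repeats the forward pass until the output feature vector changes by less than a tolerance. The weights are random (seeded) because the page gives no weight-learning procedure; learning them by gradient descent is assumed to happen outside this example, and the `scale=0.0` option zeroes the weights so the arithmetic can be checked by hand.

```python
import math
import random
from typing import List, Optional, Sequence, Tuple

Vector = List[float]
Matrix = List[List[float]]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def matvec(W: Matrix, x: Vector) -> Vector:
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]


def vadd(*vs: Vector) -> Vector:
    return [sum(col) for col in zip(*vs)]


def vmul(a: Vector, b: Vector) -> Vector:
    return [x * y for x, y in zip(a, b)]


class LstmCell:
    """One LSTM cell evaluating the page's equations for i_t, f_t, o_t, c_t and h_t."""

    def __init__(self, n_in: int, n_hidden: int, seed: int = 0, scale: float = 0.1):
        rng = random.Random(seed)          # seeded random weights: assumed, not trained here

        def mat(rows: int, cols: int) -> Matrix:
            return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]

        self.n_hidden = n_hidden
        # W_x*: input feature vector -> gate; W_h*: hidden unit -> gate; W_c*: cell activation -> gate
        self.W_xi, self.W_hi, self.W_ci = mat(n_hidden, n_in), mat(n_hidden, n_hidden), mat(n_hidden, n_hidden)
        self.W_xf, self.W_hf, self.W_cf = mat(n_hidden, n_in), mat(n_hidden, n_hidden), mat(n_hidden, n_hidden)
        self.W_xo, self.W_ho, self.W_co = mat(n_hidden, n_in), mat(n_hidden, n_hidden), mat(n_hidden, n_hidden)
        self.W_xc, self.W_hc = mat(n_hidden, n_in), mat(n_hidden, n_hidden)
        self.b_i, self.b_f, self.b_o, self.b_c = ([0.0] * n_hidden for _ in range(4))

    def step(self, x_t: Vector, h_prev: Vector, c_prev: Vector) -> Tuple[Vector, Vector]:
        """One iteration t: gates, cell activation c_t and hidden output h_t."""
        i_t = [sigmoid(v) for v in vadd(matvec(self.W_xi, x_t), matvec(self.W_hi, h_prev),
                                        matvec(self.W_ci, c_prev), self.b_i)]
        f_t = [sigmoid(v) for v in vadd(matvec(self.W_xf, x_t), matvec(self.W_hf, h_prev),
                                        matvec(self.W_cf, c_prev), self.b_f)]
        o_t = [sigmoid(v) for v in vadd(matvec(self.W_xo, x_t), matvec(self.W_ho, h_prev),
                                        matvec(self.W_co, c_prev), self.b_o)]
        g_t = [math.tanh(v) for v in vadd(matvec(self.W_xc, x_t), matvec(self.W_hc, h_prev), self.b_c)]
        c_t = vadd(vmul(f_t, c_prev), vmul(i_t, g_t))       # c_t = f_t c_{t-1} + i_t tanh(...)
        h_t = vmul(o_t, [math.tanh(v) for v in c_t])         # h_t = o_t tanh(c_t)
        return h_t, c_t

    def encode(self, sequence: Sequence[Vector], h: Optional[Vector] = None,
               c: Optional[Vector] = None) -> Tuple[Vector, Vector]:
        """Feed one flow's per-packet feature vectors through the cell; h is the output feature."""
        h = list(h) if h is not None else [0.0] * self.n_hidden
        c = list(c) if c is not None else [0.0] * self.n_hidden
        for x_t in sequence:
            h, c = self.step(x_t, h, c)
        return h, c


def iterate_until_stable(cell: LstmCell, sequence: Sequence[Vector],
                         tol: float = 1e-6, max_rounds: int = 50) -> Tuple[Vector, int]:
    """Repeat the forward pass, carrying state across rounds, until the output feature
    vector changes by less than tol (the S1022 stop condition); returns (h, rounds used)."""
    h, c = cell.encode(sequence)
    for rounds in range(2, max_rounds + 1):
        h_new, c = cell.encode(sequence, h, c)
        if max(abs(a - b) for a, b in zip(h_new, h)) < tol:
            return h_new, rounds
        h = h_new
    return h, max_rounds


if __name__ == "__main__":
    # Constructed per-packet feature sequence for one flow: [size, inter-arrival, direction].
    flow = [[0.3, 0.1, 1.0], [0.9, 0.2, 0.0], [0.2, 0.05, 1.0], [0.8, 0.3, 0.0]]
    cell = LstmCell(n_in=3, n_hidden=4, seed=1)
    print(iterate_until_stable(cell, flow))
```

The final h vector is what steps S103 and S106 call the feature set output by the deep learning model; it is concatenated with the hand-crafted features before the random forest sees it.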
Optionally, constructing the final machine learning model in step S105 comprises:
S1051: constructing the decision tree sample set $Z$, where $X$ denotes the full set of features extracted from the traffic, $Y$ denotes all the training data of traffic containing both black (malicious) and white (benign) samples, and $n$ denotes the number of decision trees:
$$Z = \{(X_1, Y_1), (X_2, Y_2), (X_3, Y_3), \dots, (X_n, Y_n)\};$$
S1052: for each data set constructed in step S1051, in a top-down recursive manner, selecting a feature from the training subset at each split node: computing the information gain ratio for each feature, selecting the feature with the maximum gain as the split attribute and dividing on it, until all samples reach leaf nodes, so that a decision tree of the following form is constructed for every training subset of step S1051
where $y_i$ denotes the voting result of any one decision tree and $P_i$ denotes the probability with which any data item passes;
S1053: merging the decision trees obtained in step S1052 to obtain the final decision tree RF,
where $n$ is the number of decision trees, $q_i$ is the weight of a tree, $y_i$ is the voting result of a tree, and $n$ is a natural number.
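Steps S1051 to S1053, together with the joint input of deep-learning and hand-crafted features from S103 and S104, as an added pure-Python example that is not the patent's own code: `build_tree` grows one tree top-down, choosing at every split node the feature and threshold with the highest information gain ratio until every leaf is pure (identical vectors with conflicting labels fall back to a majority leaf); `WeightedRandomForest.fit` draws n bootstrap subsets Z_i, builds one tree per subset and combines the votes y_i with weights q_i. Assumptions: q_i is taken as each tree's out-of-bag accuracy, which the page does not specify; the training rows are constructed, with columns [self_signed, sni_in_cert, cn_is_ip, deep_feature], the last column standing in for one output of the deep learning model.

```python
import math
import random
from collections import Counter
from typing import List, Optional, Sequence, Tuple

# (X_i, Y_i): feature vector and label; 1 = malicious (black), 0 = benign (white)
Sample = Tuple[List[float], int]


def entropy(labels: Sequence[int]) -> float:
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values()) if n else 0.0


def split(samples: List[Sample], j: int, thr: float) -> Tuple[List[Sample], List[Sample]]:
    left = [s for s in samples if s[0][j] <= thr]
    right = [s for s in samples if s[0][j] > thr]
    return left, right


def gain_ratio(samples: List[Sample], j: int, thr: float) -> float:
    """Information gain ratio of splitting feature j at threshold thr (0 if one side is empty)."""
    left, right = split(samples, j, thr)
    if not left or not right:
        return 0.0
    n, parts = len(samples), (left, right)
    gain = entropy([y for _, y in samples]) - sum(len(p) / n * entropy([y for _, y in p]) for p in parts)
    split_info = -sum(len(p) / n * math.log2(len(p) / n) for p in parts)
    return gain / split_info


class Node:
    def __init__(self, label: Optional[int] = None, feature: Optional[int] = None,
                 threshold: Optional[float] = None, left: "Node" = None, right: "Node" = None):
        self.label, self.feature, self.threshold, self.left, self.right = label, feature, threshold, left, right


def majority(samples: List[Sample]) -> int:
    return Counter(y for _, y in samples).most_common(1)[0][0]


def build_tree(samples: List[Sample]) -> Node:
    """Top-down recursion: at each split node take the feature/threshold with the highest
    gain ratio, until every leaf holds samples of a single class."""
    labels = {y for _, y in samples}
    if len(labels) == 1:
        return Node(label=labels.pop())
    best_gr, best_j, best_thr = 0.0, None, None
    for j in range(len(samples[0][0])):
        for thr in sorted({x[j] for x, _ in samples}):
            gr = gain_ratio(samples, j, thr)
            if gr > best_gr:
                best_gr, best_j, best_thr = gr, j, thr
    if best_j is None:   # identical feature vectors with conflicting labels: majority leaf
        return Node(label=majority(samples))
    left, right = split(samples, best_j, best_thr)
    return Node(feature=best_j, threshold=best_thr, left=build_tree(left), right=build_tree(right))


def predict_tree(node: Node, x: List[float]) -> int:
    while node.label is None:
        node = node.left if x[node.feature] <= node.threshold else node.right
    return node.label


class WeightedRandomForest:
    """n trees, one per bootstrap subset Z_i, combined by weighted vote sum(q_i * y_i)."""

    def __init__(self, n_trees: int = 7, seed: int = 0):
        self.n_trees, self.seed, self.trees, self.weights = n_trees, seed, [], []

    def fit(self, samples: List[Sample]) -> "WeightedRandomForest":
        rng = random.Random(self.seed)
        for _ in range(self.n_trees):
            z_i = [rng.choice(samples) for _ in samples]            # bootstrap subset Z_i
            tree = build_tree(z_i)
            oob = [s for s in samples if s not in z_i]
            # Assumed weighting q_i = out-of-bag accuracy; the page leaves q_i unspecified.
            q_i = sum(predict_tree(tree, x) == y for x, y in oob) / len(oob) if oob else 0.5
            self.trees.append(tree)
            self.weights.append(max(q_i, 1e-3))
        return self

    def predict(self, x: List[float]) -> Tuple[int, float]:
        votes = [predict_tree(t, x) for t in self.trees]             # y_i of each tree
        score = sum(q * y for q, y in zip(self.weights, votes)) / sum(self.weights)
        return int(score >= 0.5), score


# Constructed training rows: [self_signed, sni_in_cert, cn_is_ip, deep_feature], label.
TRAINING: List[Sample] = [
    ([0, 1, 0, 0.10], 0), ([0, 1, 0, 0.20], 0), ([0, 1, 0, 0.15], 0), ([0, 1, 0, 0.30], 0),
    ([0, 0, 0, 0.20], 0), ([0, 1, 0, 0.05], 0), ([0, 1, 0, 0.25], 0), ([0, 0, 0, 0.10], 0),
    ([1, 0, 0, 0.80], 1), ([1, 0, 1, 0.90], 1), ([0, 0, 1, 0.70], 1), ([1, 0, 0, 0.85], 1),
    ([1, 1, 0, 0.60], 1), ([0, 0, 1, 0.95], 1), ([1, 0, 1, 0.75], 1), ([0, 0, 1, 0.65], 1),
]

if __name__ == "__main__":
    forest = WeightedRandomForest(n_trees=7, seed=0).fit(TRAINING)
    print(forest.predict([1, 0, 1, 0.90]), forest.predict([0, 1, 0, 0.10]))
```

Because each split is chosen on a named feature with an explicit threshold, the trees can be read and adjusted by an analyst, which is the semantic-understandability property the page claims for combining deep-learning outputs with hand-crafted features.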
As shown in Fig. 4, in a second aspect the present disclosure provides an encrypted malicious traffic detection device, comprising:
a feature extraction unit, which extracts features based on normal traffic samples and malicious traffic samples;
a depth detection model forming unit, which inputs the first features among the extracted features that are suitable for deep learning into a deep learning model and trains it, forming a depth detection model based on deep learning;
a machine detection model forming unit, which inputs the feature set output by the deep learning model into a machine learning model and inputs the second features among the extracted features that are suitable for machine learning into the machine learning model, forming a machine detection model based on machine learning;
a recognition unit, which detects live network traffic using the depth detection model and the machine detection model, finally identifying malicious traffic.
Optionally, the features extracted by the feature extraction unit include consistency features, certificate features and traffic-behaviour features. The first feature is the traffic-behaviour feature; the second feature is the consistency feature or the certificate feature. The consistency features and the certificate features are those described under step S101 above.
Optionally, the depth detection model forming unit constructs and trains the training function model of steps S1021 and S1022 described under the first aspect above, and the machine detection model forming unit constructs the decision tree sample set, the gain-ratio decision trees and the merged final decision tree RF of steps S1031 to S1033 described under the first aspect above.
In a third aspect, the present disclosure provides electronic equipment comprising a processor and a memory, the memory storing computer program instructions executable by the processor, where the processor, when executing the computer program instructions, implements any of the method steps of the first aspect.
In a fourth aspect, the present disclosure provides a computer-readable storage medium storing computer program instructions which, when called and executed by a processor, implement any of the method steps of the first aspect.
Below with reference to Fig. 5, it illustrates the structural representations for the electronic equipment 500 for being suitable for being used to realize the embodiment of the present disclosure Figure.Terminal device in the embodiment of the present disclosure can include but is not limited to such as mobile phone, laptop, digital broadcasting and connect Receive device, PDA (personal digital assistant), PAD (tablet computer), PMP (portable media player), car-mounted terminal (such as vehicle Carry navigation terminal) etc. mobile terminal and such as number TV, desktop computer etc. fixed terminal.Electricity shown in Fig. 5 Sub- equipment is only an example, should not function to the embodiment of the present disclosure and use scope bring any restrictions.
As shown in Fig. 5, the electronic device 500 may include a processing unit 501 (such as a central processing unit or graphics processor), which can perform various appropriate actions and processes according to a program stored in read-only memory (ROM) 502 or a program loaded from a storage device 508 into random access memory (RAM) 503. RAM 503 also stores the various programs and data needed for the operation of the electronic device 500. The processing unit 501, ROM 502 and RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
In general, the following devices may be connected to the I/O interface 505: an input device 506 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer or gyroscope; an output device 507 including, for example, a liquid crystal display (LCD), loudspeaker or vibrator; a storage device 508 including, for example, a magnetic tape or hard disk; and a communication device 509. The communication device 509 may allow the electronic device 500 to communicate wirelessly or by wire with other devices to exchange data. Although Fig. 5 shows an electronic device 500 with various devices, it should be understood that not all of the devices shown are required to be implemented or present; more or fewer devices may alternatively be implemented or present.
In particular, according to embodiments of the present disclosure, the process described above with reference to the flow chart may be implemented as a computer software program. For example, an embodiment of the disclosure includes a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for executing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication device 509, installed from the storage device 508, or installed from the ROM 502. When the computer program is executed by the processing unit 501, the above-described functions defined in the method of the embodiments of the disclosure are performed.
It should be noted that the computer-readable medium described above in the disclosure may be a computer-readable signal medium, a computer-readable storage medium, or any combination of the two. A computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the disclosure, a computer-readable storage medium may be any tangible medium that contains or stores a program for use by, or in connection with, an instruction execution system, apparatus or device. In the disclosure, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. Program code contained on a computer-readable medium may be transmitted by any suitable medium, including but not limited to electric wire, optical cable, RF (radio frequency), or any suitable combination of the above.
The computer-readable medium described above may be included in the electronic device described above, or it may exist separately without being fitted into the electronic device.
The computer-readable medium described above carries one or more programs which, when executed by the electronic device, cause the electronic device to: obtain at least two internet protocol addresses; send to a node evaluation device a node evaluation request containing the at least two internet protocol addresses, the node evaluation device selecting an internet protocol address from the at least two internet protocol addresses and returning it; and receive the internet protocol address returned by the node evaluation device, where the acquired internet protocol address indicates an edge node in a content distribution network.
Alternatively, the computer-readable medium described above carries one or more programs which, when executed by the electronic device, cause the electronic device to: receive a node evaluation request containing at least two internet protocol addresses; select an internet protocol address from the at least two internet protocol addresses; and return the selected internet protocol address, where the received internet protocol address indicates an edge node in a content distribution network.
Computer program code for carrying out the operations of the disclosure may be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. Where a remote computer is involved, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or wide area network (WAN), or may be connected to an external computer (for example through the internet using an internet service provider).
The flow charts and block diagrams in the drawings illustrate the architecture, functions and operations of possible implementations of systems, methods and computer program products according to various embodiments of the disclosure. In this regard, each box in a flow chart or block diagram may represent a module, program segment or portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that in some alternative implementations the functions noted in the boxes may occur in a different order from that shown in the drawings. For example, two boxes shown in succession may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each box in the block diagrams and/or flow charts, and combinations of boxes in the block diagrams and/or flow charts, may be implemented by a dedicated hardware-based system that performs the specified functions or operations, or by a combination of dedicated hardware and computer instructions.
The units described in the embodiments of the disclosure may be implemented in software or in hardware. The name of a unit does not, in some cases, constitute a limitation on the unit itself; for example, the first acquiring unit may also be described as "the unit that obtains at least two internet protocol addresses".

Claims (10)

1. An encrypted malicious traffic detection method, characterised in that it comprises the steps of:
S101: extracting features based on normal traffic samples and malicious traffic samples;
S102: inputting the first features among the extracted features that are suitable for deep learning into a deep learning model for training, forming a depth detection model based on deep learning;
S103: inputting the feature set output by the deep learning model into a machine learning model, and inputting the second features among the extracted features that are suitable for machine learning into the machine learning model, forming a machine detection model based on machine learning;
S104: using the depth detection model and the machine detection model to detect live network traffic, finally identifying malicious traffic.
2. The method according to claim 1, characterised in that the extracted features include consistency features, certificate features and prevalence features.
3. The method according to claim 2, characterised in that the first feature is a prevalence feature, and the second feature is a consistency feature and/or a certificate feature.
4. The method according to claim 3, characterised in that step S102 comprises:
S1021: constructing a training function model:
$i_t = \sigma(W_{xi} x_t + W_{hi} h_{t-1} + W_{ci} c_{t-1} + b_i)$
$f_t = \sigma(W_{xf} x_t + W_{hf} h_{t-1} + W_{cf} c_{t-1} + b_f)$
$o_t = \sigma(W_{xo} x_t + W_{ho} h_{t-1} + W_{co} c_{t-1} + b_o)$
$c_t = f_t c_{t-1} + i_t \tanh(W_{xc} x_t + W_{hc} h_{t-1} + b_c)$
$h_t = o_t \tanh(c_t)$
where $\sigma$ is the logistic sigmoid function, $t$ denotes the number of the neural network iteration, and $i$, $f$, $o$, $c$, $h$ denote the input gate, forget gate, output gate, cell activation vector and hidden unit respectively; $W_{xi}$, $W_{hi}$ and $W_{ci}$ denote the weight matrices between the input feature vector, the hidden layer unit and the cell activation vector respectively and the input gate; $W_{xf}$, $W_{hf}$ and $W_{cf}$ denote the weight matrices between the input feature vector, the hidden layer unit and the cell activation vector respectively and the forget gate; $W_{xo}$, $W_{ho}$ and $W_{co}$ denote the weight matrices between the input feature vector, the hidden layer unit and the cell activation vector respectively and the output gate; $b_i$, $b_f$, $b_c$, $b_o$ are the biases of the input gate, forget gate, cell activation vector and output gate respectively;
where the sigmoid function is:
and the tanh function is:
S1022: inputting the first features into the training function model above and iterating the calculation until the output features tend to stabilise, then stopping training.
5. The method according to claim 1, characterised in that step S103 comprises:
S1031: constructing a decision tree sample set Z, where X denotes the whole set of features extracted from the traffic, Y denotes the whole training data comprising black (malicious) and white (benign) traffic, and n denotes the number of decision trees:
$Z = \{(X_1, Y_1), (X_2, Y_2), (X_3, Y_3), \ldots, (X_n, Y_n)\}$;
S1032: for each data set constructed in step S1031, selecting features from the training subset at each split node in a top-down recursive manner, computing the information gain ratio for each feature, and selecting the feature with the largest gain as the split attribute for division, until all samples reach leaf nodes; each training subset of step S1031 is used to construct one decision tree as follows:
where $y_i$ denotes the voting result of any decision tree and $P_i$ denotes the probability that any data passes;
S1033: merging the decision trees obtained in step S1032 to obtain the final decision tree RF,
where $n$ is the number of decision trees, $q_i$ is the weight of a tree, and $y_i$ is the voting result of a tree.
6. An encrypted malicious traffic detection device, characterised in that it comprises:
a feature extraction unit, which extracts features based on normal traffic samples and malicious traffic samples;
a depth detection model forming unit, which inputs the first features among the extracted features that are suitable for deep learning into a deep learning model for training, forming a depth detection model based on deep learning;
a machine detection model forming unit, which inputs the feature set output by the deep learning model into a machine learning model and inputs the second features among the extracted features that are suitable for machine learning into the machine learning model, forming a machine detection model based on machine learning;
a recognition unit, which uses the depth detection model and the machine detection model to detect live network traffic, finally identifying malicious traffic.
7. The device according to claim 1, characterised in that the features extracted by the feature extraction unit include consistency features, certificate features and prevalence features.
8. The method according to claim 7, characterised in that the first feature is a prevalence feature, and the second feature is a consistency feature or a certificate feature.
9. An electronic device, characterised in that it comprises a processor and a memory, the memory storing computer program instructions executable by the processor; when the processor executes the computer program instructions, the method steps of any one of claims 1-5 are carried out.
10. A computer-readable storage medium, characterised in that it stores computer program instructions which, when called and executed by a processor, carry out the method steps of any one of claims 1-5.
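An added example (not the patent's own code) of the pipeline in claims 1, 4 and 5 in pure Python: an LSTM cell implementing the claim 4 equations exactly as printed (all three gates read c_{t-1}), run over a flow's sequence of prevalence features, with its final hidden state concatenated with the consistency/certificate features (S103) and handed to a weighted vote of decision stumps standing in for the random forest of claim 5. The weights, the meaning of the feature columns, the sample flows and the S1033 vote rule (whose formula is not reproduced on the page) are all constructed assumptions.

```python
import math
# Added example following claims 1, 4 and 5 of the page; not the patent's own code.

def sigmoid(x):
    """The logistic sigmoid sigma of claim 4."""
    return 1.0 / (1.0 + math.exp(-x))

def tanh(x):
    return math.tanh(x)

def matvec(w, v):
    return [sum(a * b for a, b in zip(row, v)) for row in w]

def vadd(*vs):
    return [sum(terms) for terms in zip(*vs)]

def gate(p, name, x_t, h_prev, c_prev):
    """sigma(W_x? x_t + W_h? h_{t-1} + W_c? c_{t-1} + b_?) for ? in {i, f, o}.
    As written in claim 4, all three gates (the output gate included) read c_{t-1}."""
    pre = vadd(matvec(p["Wx" + name], x_t), matvec(p["Wh" + name], h_prev),
               matvec(p["Wc" + name], c_prev), p["b" + name])
    return [sigmoid(a) for a in pre]

def lstm_step(p, x_t, h_prev, c_prev):
    """One iteration t of the claim 4 equations; returns (h_t, c_t)."""
    i_t, f_t, o_t = (gate(p, n, x_t, h_prev, c_prev) for n in "ifo")
    g_t = [tanh(a) for a in vadd(matvec(p["Wxc"], x_t), matvec(p["Whc"], h_prev), p["bc"])]
    c_t = [f * c + i * g for f, c, i, g in zip(f_t, c_prev, i_t, g_t)]  # f_t c_{t-1} + i_t tanh(.)
    h_t = [o * tanh(c) for o, c in zip(o_t, c_t)]                       # o_t tanh(c_t)
    return h_t, c_t

def lstm_encode(p, sequence, hidden):
    """Run the cell over a flow's per-packet feature sequence; the final h_t is the feature
    set the depth model hands to the machine learning model (S103)."""
    h, c = [0.0] * hidden, [0.0] * hidden
    for x_t in sequence:
        h, c = lstm_step(p, x_t, h, c)
    return h

def fuse(deep_features, second_features):
    """S103: deep-model output concatenated with the consistency/certificate features."""
    return list(deep_features) + list(second_features)

def stump_vote(fused, idx, threshold):
    """A one-split tree standing in for one tree of the forest (1 = votes malicious)."""
    return 1 if fused[idx] > threshold else 0

def weighted_vote(votes, weights):
    """S1033 combination of tree votes y_i with weights q_i; the page does not reproduce the
    formula, so a weighted majority (sum q_i y_i > sum q_i / 2) is assumed here."""
    return sum(q * y for q, y in zip(weights, votes)) > sum(weights) / 2

def zeros(rows, cols):
    return [[0.0] * cols for _ in range(rows)]

D, H = 2, 2  # prevalence features per packet, LSTM hidden units
# Constructed stand-in weights (trained weights are not on the page): every gate sits at
# sigmoid(0) = 0.5 and the cell input passes x_t through unchanged, so h_t is hand-checkable.
PARAMS = {
    "Wxi": zeros(H, D), "Whi": zeros(H, H), "Wci": zeros(H, H), "bi": [0.0] * H,
    "Wxf": zeros(H, D), "Whf": zeros(H, H), "Wcf": zeros(H, H), "bf": [0.0] * H,
    "Wxo": zeros(H, D), "Who": zeros(H, H), "Wco": zeros(H, H), "bo": [0.0] * H,
    "Wxc": [[1.0, 0.0], [0.0, 1.0]], "Whc": zeros(H, H), "bc": [0.0] * H,
}
# Constructed sample flows: "seq" holds per-packet prevalence features (normalised payload
# length, client-to-server flag); "second" holds assumed certificate/consistency features
# (certificate validity in years, self-signed flag, SNI-to-certificate mismatch flag).
SAMPLE_FLOWS = {
    "benign": {"seq": [[0.3, 1.0], [0.9, 0.0], [0.2, 1.0]], "second": [2.0, 0.0, 0.0]},
    "suspect": {"seq": [[0.1, 1.0]] * 4, "second": [0.02, 1.0, 1.0]},
}
# Constructed forest of stumps: (index into the fused vector, threshold, weight q_i);
# indices 0..H-1 are LSTM outputs, H onwards are the second features.
FOREST = [(H + 1, 0.5, 0.5), (H + 2, 0.5, 0.25), (1, 0.25, 0.25)]

def detect(flow):
    """S104: depth model then machine model; True means the flow is flagged as malicious."""
    fused = fuse(lstm_encode(PARAMS, flow["seq"], H), flow["second"])
    votes = [stump_vote(fused, idx, thr) for idx, thr, _ in FOREST]
    return weighted_vote(votes, [q for _, _, q in FOREST])

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        print(label, "-> malicious" if detect(flow) else "-> benign")
```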
CN201811462207.5A 2018-11-30 2018-11-30 Encrypted malicious traffic detection method and device, electronic equipment and storage medium Active CN109379377B (en)

Publications (2)

Publication Number Publication Date
CN109379377A true CN109379377A (en) 2019-02-22
CN109379377B CN109379377B (en) 2020-12-08

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant