CN111277587A - Malicious encrypted traffic detection method and system based on behavior analysis - Google Patents


Info

Publication number
CN111277587A
Authority
CN
China
Prior art keywords
data
network
session
network traffic
traffic
Prior art date
Legal status
Pending
Application number
CN202010058395.6A
Other languages
Chinese (zh)
Inventor
李韦成
Current Assignee
Wuhan Sipuleng Technology Co Ltd
Wuhan Sipuling Technology Co Ltd
Original Assignee
Wuhan Sipuling Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Wuhan Sipuling Technology Co Ltd
Priority to CN202010058395.6A
Publication of CN111277587A
Legal status: Pending

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/10: Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L43/16: Threshold monitoring
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/14: Session management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Cardiology (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a malicious encrypted traffic detection method and system based on behavior analysis. After network traffic data is obtained, the method performs feature analysis on the network traffic data to obtain a session-based feature sequence, inputs the feature sequence into a detection model to obtain a detection result score, and determines from the detection result score whether the network traffic is malicious encrypted traffic. By analyzing the behavior features of the network traffic data, the method effectively filters out normal encrypted traffic, identifies malicious encrypted traffic, and reduces the false alarm rate. At the same time, a detection model built by machine learning can infer the features of unknown data from known samples, so that whether network traffic data is malicious encrypted traffic can be judged accurately.

Description

Malicious encrypted traffic detection method and system based on behavior analysis
Technical Field
The present application relates to the field of traffic detection technologies, and in particular, to a malicious encrypted traffic detection method and system based on behavior analysis.
Background
Encrypted traffic refers to network traffic encrypted with a specific encryption algorithm; its purpose is to protect the security of internet traffic so that users' data and privacy cannot easily be obtained by lawbreakers. However, malicious network traffic can also be propagated under an encryption algorithm, where protective measures such as firewalls and security gateways cannot discover it, so that an attack is launched on the target device and the target user's information is stolen. Therefore, effectively identifying malicious encrypted traffic plays an important role in ensuring the security of users' network data and maintaining their privacy.
In malicious encrypted network traffic the payload is encrypted while the handshake messages are sent in plaintext, exactly as in normal encrypted traffic. Traditional detection methods for malicious encrypted traffic therefore analyze the handshake messages. Typically, the values of certain fields are extracted from the plaintext handshake, such as the TLS (Transport Layer Security) protocol version, the cipher suites offered by the client, the cipher suite selected by the server, the extensions carried by the client and the server, and information from the certificate chain issued by the server; the encrypted traffic is characterized by the extracted content, and normal and malicious traffic are distinguished by feature matching.
However, this feature-matching approach places very high demands on feature extraction. If the extracted features cover too little and too shallowly, false alarms are easily produced; if they cover too much and too deeply, false alarms are again easily produced, so the detection results of the feature-matching method are inaccurate.
Disclosure of Invention
The application provides a malicious encrypted traffic detection method and system based on behavior analysis, and aims to solve the problem that the detection results of traditional encrypted traffic detection are inaccurate.
In one aspect, the present application provides a malicious encrypted traffic detection method based on behavior analysis, including:
acquiring network traffic data;
performing feature analysis on the network traffic data to obtain a session-based feature sequence, where a session comprises a plurality of pieces of network traffic data flowing between the same pair of network terminals;
inputting the feature sequence into a detection model to obtain a detection result score, where the detection model is a random forest model trained on a sample set, and the sample set comprises malicious samples and white (benign) samples;
and determining whether the network traffic is malicious encrypted traffic according to the detection result score.
Optionally, after the step of acquiring the network traffic data, the method filters the network traffic data, including:
judging, from the transport protocol of the network traffic data, whether the network traffic data is a TCP message;
and if the network traffic data is not a TCP message, discarding it.
Optionally, the step of performing feature analysis on the network traffic data to obtain a session-based feature sequence includes:
extracting the quintuple information of the current network traffic data;
matching the session to which the current network traffic data belongs, where that session is a set of historical traffic data whose quintuple information is the same as the quintuple information of the current network traffic data;
and recording the network traffic data into the matched session.
Optionally, the step of performing feature analysis on the network traffic data to obtain a session-based feature sequence further includes: if no session to which the current network traffic data belongs is matched, establishing a new session according to the quintuple information.
Optionally, the step of performing feature analysis on the network traffic data to obtain a session-based feature sequence further includes:
extracting a characteristic field from the network traffic data belonging to the same session;
determining a handshake message, where the handshake message is network traffic data containing the characteristic field;
extracting feature information from the handshake message;
and adding the feature information to the feature sequence.
Optionally, after the step of adding the feature information to the feature sequence, the method further includes:
acquiring a communication behavior model in which a plurality of matching templates constructed according to the communication rules of malicious traffic are preset;
matching the network flows in the session with the communication behavior model to obtain a matching template hit result;
and adding the matching template hit result to the feature sequence as a communication behavior feature.
Optionally, after the step of adding the feature information to the feature sequence, the method further includes:
extracting the time sequence of each network flow contained in the session;
acquiring a heartbeat behavior model in which a plurality of heartbeat behavior matching templates of malicious traffic are preset;
matching the time sequence of the session with the heartbeat behavior model to obtain a matching template hit result;
and adding the matching template hit result to the feature sequence as a heartbeat behavior feature.
Optionally, the step of inputting the feature sequence into a detection model to obtain a detection result score includes:
converting the feature sequence into a feature vector matrix;
and inputting the feature vector matrix into the detection model to obtain the model's classification probability, and outputting the detection result score.
Optionally, the step of determining whether the network traffic is malicious encrypted traffic according to the detection result score further includes:
acquiring a security level threshold, which is a preset judgment value in the range 0-1;
and comparing the detection result score with the security level threshold to determine the security level corresponding to the network traffic.
In another aspect, the present application further provides a malicious encrypted traffic detection system based on behavior analysis, including a gateway device and a data processing apparatus connected to the gateway device. The gateway device is connected to the network port to be inspected so as to capture network traffic data from it; the data processing apparatus has a built-in detection module and is further configured to perform the following program steps:
acquiring network traffic data;
performing feature analysis on the network traffic data to obtain a session-based feature sequence, where a session comprises a plurality of pieces of network traffic data flowing between the same pair of network terminals;
inputting the feature sequence into a detection model to obtain a detection result score, where the detection model is a random forest model trained on a sample set, and the sample set comprises malicious samples and white (benign) samples;
and determining whether the network traffic is malicious encrypted traffic according to the detection result score.
According to the above technical scheme, after network traffic data is obtained, feature analysis is performed on it to obtain a session-based feature sequence; the feature sequence is input into a detection model to obtain a detection result score, and whether the network traffic is malicious encrypted traffic is determined from that score. By analyzing the behavior features of the network traffic data, the method effectively filters out normal encrypted traffic, identifies malicious encrypted traffic, and reduces the false alarm rate. At the same time, a detection model built by machine learning can infer the features of unknown data from known samples, so that whether network traffic data is malicious encrypted traffic can be judged accurately.
Drawings
In order to more clearly explain the technical solution of the present application, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious to those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a malicious encrypted traffic detection method based on behavior analysis according to the present application;
Fig. 2 is a schematic flowchart of filtering network traffic data according to the present application;
Fig. 3 is a schematic flowchart of matching the session to which network traffic data belongs according to the present application;
Fig. 4 is a schematic flowchart of extracting handshake message feature information according to the present application;
Fig. 5 is a schematic flowchart of extracting session communication behavior features according to the present application;
Fig. 6 is a schematic flowchart of extracting session heartbeat behavior features according to the present application;
Fig. 7 is a schematic flowchart of obtaining a detection result score according to the present application;
Fig. 8 is a schematic structural diagram of a malicious encrypted traffic detection system based on behavior analysis according to the present application.
Detailed Description
Reference will now be made in detail to embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following examples do not represent all embodiments consistent with the present application; they are merely examples of systems and methods consistent with certain aspects of the application as recited in the claims.
The malicious encrypted traffic detection method based on behavior analysis can be applied to an internet behavior management device so as to inspect the traffic data in a network and keep users from being threatened by malicious traffic. An internet behavior management device helps internet users control and manage their use of the internet: it can filter accessed web pages, control network applications, manage bandwidth, audit sent and received information, analyze user behavior, and so on. By analyzing the internet behavior data of the network it sits in, the device can generate various report logs, through which administrators learn the current operating state of the network.
The internet behavior management device can be deployed as a gateway device in a user's local network: one or more user terminals connect to the internet behavior management device, and the device connects to the internet, so that the user terminals reach the internet through it. Generally, a user's internet access behavior is driven by interaction on a user terminal, which may be an internet-capable intelligent terminal such as a computer, mobile phone or tablet, or another form of terminal such as an industrial control terminal, a secondary network management terminal, or a server.
Along with the user's interaction on the terminal, the user terminal sends and receives network traffic data, which is often sent to or received from the internet via the internet behavior management device as encrypted traffic. Generally, one kind of internet access behavior, such as visiting a given web page or a remote control operation, requires network traffic data to be exchanged many times between the user terminal and a given server (or terminal), and the traffic exchanged in this way may include malicious traffic data, such as virus file data or malware propagation traffic. Such malicious traffic may endanger the network security of the user terminal, and therefore needs to be identified and detected so that the data exchange between the user terminal and the corresponding network can be blocked in time and the user terminal protected from harm.
Referring to fig. 1, a schematic flowchart of a malicious encrypted traffic detection method based on behavior analysis according to the present application is shown. As can be seen from fig. 1, in order to identify and detect network traffic data, the method includes the following steps:
S1: acquiring network traffic data.
In practical application, the network traffic data in the current network can be captured by the internet behavior management device and fed into its built-in behavior analysis module. The behavior analysis module performs a preliminary analysis of the network traffic data and classifies it in order to determine the session to which it belongs. Because real internet access behavior generates data continuously, all network traffic data to be processed within at least one analysis period has to be stored in the behavior analysis module.
Consequently, if internet access in the current network is dense, the volume of generated network traffic data is large, which places considerable demands on the storage capacity of the internet behavior management device. The application can therefore increase the storage capacity of the device appropriately, and can also reduce the amount of acquired traffic by screening during capture. For example, a capture rule for messages may be preset so that only traffic to new addresses is captured; that is, it is assumed that servers the user terminal accesses frequently do not generate malicious traffic, so messages to frequently accessed servers may be discarded directly after capture instead of being analyzed in the behavior analysis module.
S2: and carrying out characteristic analysis on the network flow data to obtain a characteristic sequence based on the conversation.
In the application, a plurality of pieces of network traffic data are exchanged between the user terminal and the designated network server (or terminal) according to the internet access behavior, so that a plurality of pieces of network traffic data belonging to the same internet access behavior can be alternately called a session, that is, the session includes a plurality of pieces of network traffic data flowing between the same pair of network terminals.
Obviously, one piece of network traffic data cannot directly form a session, and a plurality of pieces of network traffic data flowing between the same pair of network terminals need to be analyzed and processed in a unified manner, so that the session to which the current piece of network traffic data belongs can be determined. After the attributed session is determined, the features included in the session may be extracted to form a feature sequence.
The extracted features refer to information capable of representing characteristics of current network traffic data, and may be actual data directly extracted from the content of the network traffic data or analysis data obtained by analyzing the network traffic data. The actual data is limited by the encryption behavior, and the extracted data may be data that can be directly obtained without decryption. For example, five-tuple information of a packet, i.e., source IP address, source port, destination IP address, destination port, and transport layer protocol; the directly acquired data may also include information for subsequent analysis, such as the time of transmission and reception of the data packets, the traffic type, the total volume of the data packets, etc.
The analysis data is a feature generated according to the data packet analysis and used for subsequent detection, for example, a communication behavior feature obtained according to the data analysis such as a transceiving traffic type and a traffic data packet characteristic; and analyzing the obtained heartbeat behavior characteristics according to data such as flow transceiving time, a plurality of flow interaction rules and the like.
After extracting the corresponding features based on the session, the extracted features may be converted into a feature sequence according to a preset format. The feature sequence may be an information table formed based on the extracted features, or may be a feature matrix generated by digitalization. In the feature matrix, the feature value of the corresponding feature can be represented by a number, for example, "0" represents that the corresponding feature is "not present" in the current network traffic data, and "1" represents that the corresponding feature is "present" in the current network traffic data.
S3: and inputting the characteristic sequence into a detection model to obtain a detection result score.
In the application, after the feature extraction is performed on the session through the behavior analysis module, the generated feature sequence can be further sent to the detection module so as to detect the feature sequence. The detection module can be internally provided with a detection model constructed in a machine learning mode.
The detection model is a random forest model obtained according to the training of the sample set. The random forest model is a classifier that trains and predicts samples using a plurality of trees, and the output class of the classifier is determined by the mode of the class output by the individual trees. In practical application, a random forest model can be trained by combining a large amount of sample data according to a machine learning algorithm, and a classification tree in the model can correspond to one or more feature types. And continuously obtaining data from the sample data to the initial model, and reversely adjusting the model parameters by combining the classification label, so that the data result is gradually close to the classification label, and a complete detection model is formed.
Obviously, the sample set includes malicious samples and white samples, where the malicious samples refer to a feature sequence having the same session behavior features as the malicious encrypted traffic. Because of the large number of types of malicious encrypted traffic, the number of malicious samples should also meet the requirement of sufficient sample size. The malicious sample can refer to the actual malicious encrypted traffic characteristics to artificially establish a characteristic sequence, and can also directly generate the characteristic sequence through the malicious encrypted traffic after marking that the network traffic is the malicious traffic.
After the feature sequence is input into the detection model, the detection model can perform calculation analysis on the feature sequence according to a classification algorithm and output a classification result. The output classification result can be a classification probability value or a classification probability matrix, and a detection result score can be generated by performing statistical analysis on the classification results and is used for representing whether the current session conforms to the application behavior of malicious traffic data.
S4: and determining whether the network traffic is malicious encrypted traffic according to the detection result score.
The detection result score can be set in a corresponding form according to actual analysis needs, for example, the detection result score can be a numerical value between 0 and 1, and the closer the value is to 1, the more likely it is to be malicious encrypted traffic; the closer its value is to 0, the more likely it is to be normal traffic.
In order to determine whether the current network traffic data is malicious traffic, a detection result score output by the detection model may be determined. The specific judgment method may be to set a judgment threshold, and when the score of the detection result exceeds the set judgment threshold, that is, it represents that most of the features corresponding to the current network traffic data all satisfy the malicious traffic characteristics, it is considered that the current network traffic causes all the traffic under the corresponding session to be malicious encrypted traffic. Otherwise, when the detection result score exceeds the set judgment threshold value, the current network traffic is considered not to be malicious encrypted traffic.
According to the technical scheme, the encrypted network traffic data are processed through a detection mode based on characteristic analysis and behavior analysis, the characteristic value in the network traffic data is extracted on the basis of the session, malicious encrypted traffic can be identified on the premise of not decrypting the network traffic data, the detection accuracy is improved, and the detection timeliness is improved. Meanwhile, a detection model is constructed through a machine learning method, a final result is further detected, and unknown threats are protected.
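The heartbeat-template matching of the claims above (the time sequence of a session's flows compared with preset heartbeat templates, fig. 6), the 0/1 digitization of the feature sequence in step S2, and the threshold judgment in step S4, as an added Python example; it is not code from the patent or from the applicant. The feature names, the template names, periods, tolerances and repeat counts, and the two sample time sequences are all constructed assumptions.

```python
from dataclasses import dataclass

# Fixed column order for the feature vector matrix (assumed feature names, not from the patent).
FEATURE_ORDER = [
    "tls_handshake_seen",      # handshake message containing the characteristic field was found
    "self_signed_cert",        # certificate-chain feature extracted from the handshake
    "sni_present",             # client extension feature extracted from the handshake
    "comm_template_hit",       # communication behavior model hit (template name or None)
    "heartbeat_template_hit",  # heartbeat behavior model hit (template name or None)
]


@dataclass(frozen=True)
class HeartbeatTemplate:
    """One preset heartbeat matching template: a beacon period with the jitter allowed."""
    name: str
    period_s: float
    tolerance: float    # relative jitter, e.g. 0.10 = +/-10 % of the period
    min_repeats: int    # how many inter-flow gaps must match before the template hits


# Constructed templates (assumed values).
TEMPLATES = [
    HeartbeatTemplate("beacon_60s", 60.0, 0.10, 4),
    HeartbeatTemplate("beacon_300s", 300.0, 0.10, 3),
]


def match_heartbeat(flow_timestamps, templates):
    """Return the name of the first template hit by the session's time sequence, else None.

    The time sequence is the start time of every flow in the session; the gaps between
    consecutive flows are compared with each template's period."""
    ts = sorted(flow_timestamps)
    if len(ts) < 3:
        return None                      # too few flows to show any rhythm
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    for tpl in templates:
        window = tpl.tolerance * tpl.period_s
        hits = sum(1 for g in gaps if abs(g - tpl.period_s) <= window)
        if hits >= tpl.min_repeats:
            return tpl.name
    return None


def build_feature_sequence(handshake_features, flow_timestamps, templates):
    """Step S2: handshake features plus the heartbeat hit result, keyed by feature name."""
    seq = dict(handshake_features)
    seq["heartbeat_template_hit"] = match_heartbeat(flow_timestamps, templates)
    return seq


def feature_vector(feature_seq):
    """Digitize the sequence: 1 = feature present in the session, 0 = absent."""
    return [1 if feature_seq.get(name) else 0 for name in FEATURE_ORDER]


def judge(score, threshold):
    """Step S4: the score (0..1, closer to 1 = more likely malicious) is compared with the
    preset security level threshold; exceeding the threshold marks the session malicious."""
    if not 0.0 <= threshold <= 1.0:
        raise ValueError("threshold must lie within 0-1")
    if not 0.0 <= score <= 1.0:
        raise ValueError("score must lie within 0-1")
    return "malicious_encrypted" if score > threshold else "normal"


# Constructed sample sessions (assumed flow start times, in seconds).
BEACON_TIMES = [0.0, 60.5, 119.8, 180.2, 240.1, 299.9]   # regular check-ins about every 60 s
BROWSING_TIMES = [0.0, 0.2, 0.5, 3.1, 40.0, 41.2]        # bursty, human-driven traffic

if __name__ == "__main__":
    seq = build_feature_sequence({"tls_handshake_seen": True, "sni_present": False},
                                 BEACON_TIMES, TEMPLATES)
    print(seq, feature_vector(seq))
    print(judge(0.83, 0.7), judge(0.20, 0.7))
```

The tolerance window is the detail to think about when building real templates: too tight and ordinary retry or scheduler jitter breaks the match, too loose and periodic but benign traffic (software update checks, mail polling) hits the same template, which is exactly the kind of false alarm the feature sequence and the trained model downstream are meant to absorb rather than the template alone.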
In some embodiments of the present application, as shown in fig. 2, after the step of acquiring the network traffic data the method further filters the network traffic data, specifically including the following steps:
S101: judging, from the transport protocol of the network traffic data, whether the network traffic data is a TCP message;
S102: if the network traffic data is not a TCP message, discarding it.
In this embodiment, the network traffic data entering the behavior analysis module can first be filtered simply. Encrypted traffic generally uses the TLS (Transport Layer Security)/SSL (Secure Sockets Layer) protocol, i.e. HTTP over TLS, so only TCP (Transmission Control Protocol) messages need to be analyzed; non-TCP messages can be filtered out and discarded directly, which avoids misjudgment of such traffic by the detection model, reduces the amount of data processed, and improves the accuracy of the detection result.
In practice, since one internet behavior management device serves a plurality of user terminals, the different terminals generate many pieces of network traffic data belonging to many sessions. To decide through behavior analysis whether a piece of network traffic data is malicious, it is therefore necessary to determine which session it belongs to. Accordingly, as shown in fig. 3, in some embodiments of the present application the step of performing feature analysis on the network traffic data to obtain a session-based feature sequence further includes the following steps:
S211: extracting the quintuple information of the current network traffic data.
After the network traffic data is obtained, its quintuple (source IP address, source port, destination IP address, destination port, transport layer protocol) can be extracted in order to match the session to which the current traffic belongs.
S212: matching the session to which the current network traffic data belongs.
The session to which the network traffic data belongs is a set of historical traffic data: network traffic data is collected continuously as internet access proceeds, and the session is determined by classifying that data. Network traffic data belonging to the same session generally occurs between the same pair of terminals and therefore carries the same quintuple, so the quintuple of the historical traffic data is the same as the quintuple of the current network traffic data.
In the concrete matching process, an index table in a uniform format can be built in memory from the quintuple information, and the corresponding network traffic data stored under it. When new network traffic data arrives, its quintuple is looked up in the index table; if the quintuple of any session matches the current network traffic data, the current data is determined to belong to that session and is stored there.
S213: recording the network traffic data into the matched session.
Once the session is determined, the network traffic data is stored at the location the index table holds for that session. The traffic data contained in a session therefore changes continually: the collected volume grows with the internet access behavior of the user terminal, and the behavior characteristics it reflects become more pronounced. Sessions holding a large volume of network traffic data can therefore be detected preferentially in the subsequent detection process.
As traffic data accumulates, the volume in one session keeps growing, and an excessively large volume slows feature extraction. The traffic data in a session may therefore be deleted periodically; for example, with a preset detection period of one day, the internet behavior management device deletes the stored data at 0:00 every day.
Some network traffic data is the first packet of an internet access behavior, for which no existing session can be matched. A new session is then established for that first packet, and the traffic data acquired afterwards is filled into it during later analysis.
Accordingly, the step of performing feature analysis on the network traffic data to obtain a session-based feature sequence further includes:
S214: if the current network traffic data matches no existing session, establishing a new session according to its quintuple information.
In this embodiment, therefore, after a filtered TCP packet is obtained, the session it belongs to is determined from its quintuple: if it belongs to an existing session, it is counted into that session; if it matches no existing session, a new session is established from the quintuple. Behavior analysis is then performed on the session the packet belongs to.
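The session-matching procedure S211 to S214 above, as an added Python example that is not part of the patent: a quintuple-keyed in-memory index table that discards non-TCP data (claim 2), normalises the tuple so both directions of one connection land in the same session, creates a session for an unmatched first packet, orders sessions by volume for preferential detection, and purges stale sessions after a retention period. The packet records, the IP addresses and the 86400-second retention are constructed for the example; the patent fixes none of them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """One captured packet (constructed input): the quintuple fields the
    page refers to, plus a timestamp and payload length for later features."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "TCP", "UDP", ...
    length: int = 0


FiveTuple = Tuple[str, int, str, int, str]


def session_key(p: Packet) -> FiveTuple:
    """Direction-normalised quintuple. The reply direction of a connection has
    source and destination swapped, so order the two endpoints canonically
    and both directions map to the same session."""
    a = (p.src_ip, p.src_port)
    b = (p.dst_ip, p.dst_port)
    lo, hi = sorted([a, b])
    return (lo[0], lo[1], hi[0], hi[1], p.proto)


@dataclass
class Session:
    key: FiveTuple
    packets: List[Packet] = field(default_factory=list)


class SessionTable:
    """In-memory index table keyed by quintuple (steps S211 to S214)."""

    def __init__(self, retention_seconds: float = 86400.0):
        self.sessions: Dict[FiveTuple, Session] = {}
        self.retention = retention_seconds   # one day, as in the page's example
        self.dropped_non_tcp = 0

    def add(self, p: Packet) -> Optional[Session]:
        if p.proto != "TCP":                 # claim 2: non-TCP data is discarded
            self.dropped_non_tcp += 1
            return None
        key = session_key(p)                 # S211: extract the quintuple
        sess = self.sessions.get(key)        # S212: look it up in the index table
        if sess is None:                     # S214: first packet, no match -> new session
            sess = Session(key)
            self.sessions[key] = sess
        sess.packets.append(p)               # S213: record into the matched session
        return sess

    def purge(self, now: float) -> int:
        """Periodic deletion of sessions whose last packet is older than the retention."""
        stale = [k for k, s in self.sessions.items()
                 if now - s.packets[-1].ts > self.retention]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def by_volume(self) -> List[Session]:
        """Sessions with the most data first, so they can be detected preferentially."""
        return sorted(self.sessions.values(), key=lambda s: len(s.packets), reverse=True)


# Constructed sample traffic: two TCP connections (one seen in both directions)
# and one UDP datagram that the filter must drop.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", 51000, "203.0.113.10", 443, "TCP", 517),
    Packet(0.1, "203.0.113.10", 443, "10.0.0.5", 51000, "TCP", 1460),
    Packet(0.2, "10.0.0.5", 51000, "203.0.113.10", 443, "TCP", 126),
    Packet(0.3, "10.0.0.7", 40222, "198.51.100.2", 8443, "TCP", 300),
    Packet(0.4, "10.0.0.7", 40222, "198.51.100.2", 8443, "TCP", 300),
    Packet(0.5, "10.0.0.5", 53001, "10.0.0.1", 53, "UDP", 64),
]


def build_table(packets=SAMPLE_PACKETS) -> SessionTable:
    table = SessionTable()
    for p in packets:
        table.add(p)
    return table


if __name__ == "__main__":
    t = build_table()
    for s in t.by_volume():
        print(s.key, len(s.packets), "packets")
    print("dropped non-TCP:", t.dropped_non_tcp)
```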
Optionally, as shown in fig. 4, the step of performing feature analysis on the network traffic data to obtain a session-based feature sequence further includes:
S221: extracting a characteristic field from network traffic data belonging to the same session;
S222: determining a handshake message;
S223: extracting feature information from the handshake message;
S224: adding the feature data to the feature sequence.
In practice, each message in the network traffic data is parsed, and whether it is a handshake message is determined from the characteristic fields it carries, i.e. whether the current network traffic data contains a handshake message. A handshake message is a network message by which a client and a server negotiate the parameters of the encrypted connection and authenticate the server (and optionally the client) through the handshake protocol. The characteristic fields are typically found in handshake messages: the handshake record type, the Client Hello and Server Hello messages, the digital certificate, the public key, and so on.
By extracting the characteristic fields it can be determined whether the current network traffic data is, or contains, a handshake message. If so, the required plaintext content is extracted and stored as content of the feature sequence. The handshake messages of interest are sent before encryption begins, so their plaintext part can be read directly to obtain the feature information. Note that in TLS 1.3 only the Client Hello and Server Hello remain in plaintext; the certificate and the later handshake messages are encrypted, so certificate-based features are available only for TLS 1.2 and earlier.
The feature information extracted from the handshake messages includes, but is not limited to: the TLS protocol version; the cipher suites offered by the Client and the cipher suite selected by the Server; the extensions carried by the Client and the Server; the Client Key Exchange message sent by the Client; and, for the certificate chain sent by the Server, the completeness of the chain, whether the certificate is self-signed, and its validity period. After extraction, the feature information is digitized and added to the feature sequence for analysis by the detection model.
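Extracting handshake features as in S221 to S224, as an added example that is not taken from the patent: a minimal parser for a TLS ClientHello record that first checks the characteristic fields (record type 0x16, handshake type 0x01), then pulls the legacy version, the offered cipher suites, the extension types, the server name and the supported_versions list, which is how TLS 1.3 is actually signalled. The `build_client_hello` helper assembles a constructed sample record so the block runs offline; in the method above the bytes would come from a session's packets. The field layout follows RFC 5246 and RFC 8446; the sample values (example.com, the suite list) are assumptions of this example.

```python
import struct
from typing import Dict, List, Optional

TLS_HANDSHAKE = 0x16            # record content type: handshake
HS_CLIENT_HELLO = 0x01          # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000        # SNI extension
EXT_SUPPORTED_VERSIONS = 0x002B # TLS 1.3 is negotiated through this extension


def is_handshake_record(data: bytes) -> bool:
    """Characteristic-field check (S221/S222): a TLS record of type 0x16
    with a plausible 0x03xx legacy version."""
    return len(data) >= 5 and data[0] == TLS_HANDSHAKE and data[1] == 0x03


def parse_client_hello(data: bytes) -> Optional[Dict]:
    """Return the plaintext ClientHello features (S223), or None if the
    record is not a ClientHello handshake message."""
    if not is_handshake_record(data):
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != HS_CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 32                                    # client random
    sid_len = hello[pos]; pos += 1 + sid_len     # legacy session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1 + comp_len   # compression methods
    feats: Dict = {"legacy_version": legacy_version, "cipher_suites": suites,
                   "extensions": [], "sni": None, "supported_versions": []}
    if pos + 2 <= len(hello):                    # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            edata = hello[pos:pos + elen]; pos += elen
            feats["extensions"].append(etype)
            if etype == EXT_SERVER_NAME and len(edata) >= 5:
                # server_name_list length (2) | name_type (1) | name length (2) | name
                name_len = struct.unpack("!H", edata[3:5])[0]
                feats["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]
                feats["supported_versions"] = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                                               for i in range(0, n, 2)]
    # The legacy version field says 1.2 even for 1.3 clients; the real maximum
    # is the highest entry in supported_versions when that extension is present.
    feats["max_version"] = max(feats["supported_versions"] or [legacy_version])
    return feats


def build_client_hello(sni: str, suites: List[int], versions: List[int]) -> bytes:
    """Assemble a constructed ClientHello record (sample input, not captured traffic)."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sv_ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext)) + sni_ext
            + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_ext)) + sv_ext)
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"          # version, random, empty session id
             + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00"                                              # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(hs)) + hs


# Constructed sample: a TLS 1.3-capable client offering two 1.3 suites and one 1.2 suite.
SAMPLE_CLIENT_HELLO = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_CLIENT_HELLO))
```

The check on `max_version` matters for the version feature listed above: a TLS 1.3 ClientHello still carries 0x0303 in its legacy version field, so reading only that field would mislabel every modern client.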
Further, as shown in fig. 5, after the step of adding the feature data to the feature sequence, the method further includes:
S231: obtaining a communication behavior model;
S232: matching the network flows in the session with the communication behavior model to obtain a matching template hit result;
S233: adding the matching template hit result to the feature sequence as a communication behavior feature.
After the feature information in the handshake messages has been extracted, the communication behavior of the network traffic data is detected on a per-session basis. Communication behavior means the sending and receiving pattern of the network data transmission, for example the transport layer protocol and the interaction frequency.
Because malicious traffic often carries malicious programs such as computer viruses, and the communication behavior of such traffic has its own characteristics, encrypted traffic can be analyzed by its communication behavior to determine whether it is malicious. That is, the communication behavior model is used to check whether a session contains suspicious communication behavior, and the match result is added to the session's feature sequence as a communication behavior feature. The communication behavior model holds a plurality of preset matching templates constructed from the communication rules of malicious traffic.
Further, as shown in fig. 6, after the step of adding the feature data to the feature sequence, the method further includes:
S241: extracting the time sequence of each network flow contained in the session;
S242: obtaining a heartbeat behavior model, in which a plurality of heartbeat behavior matching templates of malicious traffic are preset;
S243: matching the time sequence corresponding to the session with the heartbeat behavior model to obtain a matching template hit result;
S244: adding the matching template hit result to the feature sequence as a heartbeat behavior feature.
Heartbeat behavior refers to the data interaction pattern between a pair of terminals, which likewise follows certain rules, such as the send/receive period and the data exchange frequency. After the communication behavior features have been extracted, heartbeat behavior detection of the session continues in the same way: all messages in the session are checked against the heartbeat behavior model, and the result is added to the session's feature sequence as a heartbeat behavior feature.
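The template matching of both the communication behavior model (S231 to S233) and the heartbeat behavior model (S241 to S244), as one added example that is not part of the patent: a session is reduced to a handful of statistics (request rate, download/upload ratio, destination port, inter-arrival period and its jitter, request-size uniformity), each template is a predicate over those statistics, and the hit results become 0/1 entries for the feature sequence. The patent does not disclose its templates; the rules, thresholds and the two sample sessions (a 60-second beacon and an ordinary browsing session) below are illustrative assumptions.

```python
import statistics
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Flow:
    """One request/response exchange in a session (constructed input):
    start time in seconds, bytes sent by the client, bytes sent by the server."""
    ts: float
    client_bytes: int
    server_bytes: int


@dataclass
class Session:
    dst_port: int
    flows: List[Flow]


def behaviour_features(s: Session) -> Dict[str, float]:
    """Statistics the templates test: communication behaviour (rate, direction
    ratio, port) and heartbeat behaviour from the time sequence of the flows
    (S241): median period, jitter as std/period, request-size variation."""
    ts = sorted(f.ts for f in s.flows)
    n = len(ts)
    duration = ts[-1] - ts[0] if n > 1 else 0.0
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    up = sum(f.client_bytes for f in s.flows)
    down = sum(f.server_bytes for f in s.flows)
    sizes = [f.client_bytes for f in s.flows]
    feats = {
        "count": float(n),
        "dst_port": float(s.dst_port),
        "rate_per_min": n / (duration / 60.0) if duration > 0 else float(n),
        "down_up_ratio": down / up if up > 0 else float("inf"),
        "period": statistics.median(gaps) if gaps else 0.0,
        "jitter": float("inf"),      # undefined for fewer than two gaps
        "size_cv": float("inf"),     # undefined for fewer than two flows
    }
    if len(gaps) >= 2 and feats["period"] > 0:
        feats["jitter"] = statistics.pstdev(gaps) / feats["period"]
    if n >= 2 and statistics.mean(sizes) > 0:
        feats["size_cv"] = statistics.pstdev(sizes) / statistics.mean(sizes)
    return feats


Template = Callable[[Dict[str, float]], bool]

# Illustrative templates (assumed, not the patent's): communication rules ...
COMMUNICATION_TEMPLATES: Dict[str, Template] = {
    "low_rate_persistent": lambda f: f["count"] >= 5 and f["rate_per_min"] < 5.0,
    "upload_heavy": lambda f: f["down_up_ratio"] < 1.0,
    "nonstandard_tls_port": lambda f: f["dst_port"] != 443,
}
# ... and heartbeat rules over the time sequence.
HEARTBEAT_TEMPLATES: Dict[str, Template] = {
    "fixed_period_beacon": lambda f: f["count"] >= 5 and f["jitter"] < 0.1,
    "uniform_tiny_requests": lambda f: f["count"] >= 5 and f["size_cv"] < 0.05,
    "long_lived_low_rate": lambda f: f["count"] >= 5 and f["period"] >= 30.0,
}


def match_templates(feats: Dict[str, float], templates: Dict[str, Template]) -> List[str]:
    """Names of the templates hit by a session's features (S232 / S243)."""
    return sorted(name for name, rule in templates.items() if rule(feats))


def behaviour_feature_entry(s: Session) -> Dict[str, int]:
    """One 0/1 entry per template, ready to append to the feature sequence (S233 / S244)."""
    feats = behaviour_features(s)
    hits = set(match_templates(feats, COMMUNICATION_TEMPLATES)) | set(match_templates(feats, HEARTBEAT_TEMPLATES))
    return {name: int(name in hits) for name in list(COMMUNICATION_TEMPLATES) + list(HEARTBEAT_TEMPLATES)}


# Constructed sessions: a beacon to port 8443 every ~60 s with identical 112-byte
# requests, and a browsing session to port 443 with irregular timing and sizes.
BEACON = Session(8443, [Flow(t, 112, 64) for t in (0.0, 60.2, 119.9, 180.1, 240.0, 300.3)])
BROWSING = Session(443, [Flow(0.0, 517, 4200), Flow(0.3, 230, 15000), Flow(1.1, 1100, 2200),
                          Flow(4.8, 98, 380), Flow(5.0, 640, 9000), Flow(12.6, 310, 1200)])

if __name__ == "__main__":
    for name, s in (("beacon", BEACON), ("browsing", BROWSING)):
        print(name, behaviour_feature_entry(s))
```

Jitter is expressed relative to the period so that a 60-second beacon with half-second drift and a 5-second beacon with the same drift are judged on the same scale; a single flow, which has no gaps, yields an undefined jitter and hits no heartbeat template rather than a spurious one.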
In some embodiments of the present application, as shown in fig. 7, the step of inputting the feature sequence into the detection model to obtain the detection result score includes the following steps:
S301: converting the feature sequence into a feature vector matrix;
S302: inputting the feature vector matrix into the detection model to obtain the classification probability of the detection model, and outputting the detection result score.
In practice, for convenient computer processing, the feature sequence of a session is expressed as a feature vector matrix. The feature sequence as extracted is still a sequence of words (or text) and cannot be fed directly into the random forest model for classification. It is therefore converted into a feature vector matrix, which is then passed to the machine learning model for detection.
For example, feature vectorization yields a two-dimensional matrix. Each session is characterized along multiple dimensions; different sessions have different features, but normal sessions resemble one another and malicious sessions resemble one another. Detecting a session through its multi-dimensional feature vector therefore allows it to be judged malicious or not.
In some embodiments of the present application, the step of determining whether the network traffic is malicious encrypted traffic according to the detection result score further includes:
S401: obtaining a security level threshold;
S402: comparing the detection result score with the security level threshold, and determining the security level corresponding to the network traffic.
In this embodiment, random forest detection is performed on the input feature vector matrix. The algorithm outputs a prediction for each session on each class and a final detection result, expressed as a classification probability in the range 0 to 1, where 0 indicates normal and 1 indicates abnormal; the closer the prediction is to 1, the more likely the session is malicious.
After the detection result score is obtained, it is compared with the security level threshold to determine the security level of the network traffic. A security level threshold is a preset judgment value within the range 0 to 1. For example, three security levels can be set with thresholds of 0.2 and 0.6: safe tier, 0 to 0.2; suspicious tier, 0.2 to 0.6; malicious tier, 0.6 to 1. Network traffic data in the safe tier is judged to have no malicious behavior and can be excluded from further analysis; data in the suspicious tier may be malicious and continues to be analyzed; data in the malicious tier is judged malicious and the corresponding network connection is blocked directly.
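The vectorization step S301 and the tiering step S401/S402, as an added example that is not part of the patent: the text-like feature sequence (cipher suites, version, certificate facts, template hits) is mapped onto a fixed-width numeric vector using fixed vocabularies, so every session yields a row of the same length, and the classification probability is then mapped to a tier and an action. The random forest itself is not reproduced here; in practice the matrix returned by `to_matrix` is what would be passed to a RandomForestClassifier (for example scikit-learn's) for fit and predict_proba, and the probability of the malicious class is the detection result score. The vocabularies, the sample sequences and the handling of the exact boundary values (0.2 and 0.6 fall into the higher tier) are assumptions of this example; the patent's 0.2/0.6 thresholds are kept as defaults.

```python
from typing import Dict, List, Sequence, Tuple

# Fixed vocabularies so every session maps to the same vector width; the
# membership and order are assumptions of this example, not fixed by the page.
CIPHER_VOCAB = [0x1301, 0x1302, 0x1303, 0xC02F, 0xC030, 0x002F, 0x000A]
VERSION_VOCAB = [0x0301, 0x0302, 0x0303, 0x0304]
TEMPLATE_VOCAB = ["fixed_period_beacon", "uniform_tiny_requests", "low_rate_persistent", "upload_heavy"]


def vectorize(seq: Dict) -> List[float]:
    """S301: one session's feature sequence -> fixed-width numeric row.
    Missing keys are treated as absent features, so a session seen only
    partially still produces a row of the same width."""
    suites = seq.get("cipher_suites", [])
    hits = seq.get("template_hits", {})
    row: List[float] = []
    row.extend(1.0 if c in suites else 0.0 for c in CIPHER_VOCAB)   # suite indicators
    row.append(float(len(suites)))                                    # number of suites offered
    row.extend(1.0 if seq.get("max_version") == v else 0.0 for v in VERSION_VOCAB)
    row.append(1.0 if seq.get("sni") else 0.0)                        # SNI present
    row.append(1.0 if seq.get("self_signed") else 0.0)                # self-signed certificate
    row.append(float(seq.get("chain_complete", 0)))                   # certificate chain complete
    row.append(min(seq.get("cert_validity_days", 0) / 365.0, 10.0))   # validity in years, capped
    row.extend(float(hits.get(t, 0)) for t in TEMPLATE_VOCAB)         # behaviour template hits
    return row


VECTOR_WIDTH = len(vectorize({}))


def to_matrix(seqs: Sequence[Dict]) -> List[List[float]]:
    """Stack the rows of several sessions into the two-dimensional feature matrix."""
    return [vectorize(s) for s in seqs]


def tier_for_score(score: float, thresholds: Tuple[float, float] = (0.2, 0.6)) -> str:
    """S401/S402: map the classification probability (0 = normal, 1 = abnormal)
    to a security tier. Boundary values go to the higher tier (an assumption)."""
    if not 0.0 <= score <= 1.0:
        raise ValueError("detection result score must lie in [0, 1]")
    low, high = thresholds
    if score < low:
        return "safe"
    if score < high:
        return "suspicious"
    return "malicious"


ACTIONS = {
    "safe": "omit from further analysis",
    "suspicious": "keep the session and continue analysis",
    "malicious": "block the corresponding network connection",
}


def decide(score: float, thresholds: Tuple[float, float] = (0.2, 0.6)) -> Tuple[str, str]:
    tier = tier_for_score(score, thresholds)
    return tier, ACTIONS[tier]


# Constructed feature sequences: a normal-looking TLS 1.3 session and a
# self-signed TLS 1.2 session that hit every behaviour template.
SAMPLE_SEQUENCES = [
    {"cipher_suites": [0x1301, 0x1302, 0xC02F], "max_version": 0x0304, "sni": "example.com",
     "self_signed": False, "chain_complete": 1, "cert_validity_days": 90,
     "template_hits": {t: 0 for t in TEMPLATE_VOCAB}},
    {"cipher_suites": [0x002F], "max_version": 0x0303, "sni": None,
     "self_signed": True, "chain_complete": 0, "cert_validity_days": 3650,
     "template_hits": {t: 1 for t in TEMPLATE_VOCAB}},
]

if __name__ == "__main__":
    for row in to_matrix(SAMPLE_SEQUENCES):
        print(row)
    for score in (0.05, 0.35, 0.8):
        print(score, decide(score))
```

Tree ensembles such as the page's random forest do not need feature scaling, which is why indicator columns, counts and a capped year value can sit side by side in the same matrix without normalisation.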
Based on the above malicious encrypted traffic detection method, and as shown in fig. 8, the present application further provides a malicious encrypted traffic detection system based on behavior analysis, comprising a gateway device and a data processing apparatus connected to the gateway device. The gateway device is connected to the network port to be detected and captures network traffic data from it; the data processing apparatus has a built-in detection module and is further configured to perform the following program steps:
S1: acquiring network traffic data;
S2: performing feature analysis on the network traffic data to obtain a session-based feature sequence, wherein the session comprises a plurality of pieces of network traffic data flowing between the same pair of network terminals;
S3: inputting the feature sequence into a detection model to obtain a detection result score, wherein the detection model is a random forest model trained on a sample set comprising malicious samples and white samples;
S4: determining whether the network traffic is malicious encrypted traffic according to the detection result score.
According to the above technical scheme, after the network traffic data is obtained, feature analysis is performed on it to obtain a session-based feature sequence; the feature sequence is input into the detection model to obtain a detection result score, and whether the network traffic is malicious encrypted traffic is determined from that score. By analyzing the behavior characteristics of the network traffic data, the method filters out normal encrypted traffic, identifies malicious encrypted traffic, and reduces the false alarm rate. At the same time, a detection model built by machine learning generalizes from known samples to unknown data, so that whether network traffic data is malicious encrypted traffic can be judged accurately.
The embodiments provided in the present application are only a few examples of its general concept and do not limit its scope. Any other embodiment that a person skilled in the art derives from the scheme of the present application without inventive effort falls within its scope of protection.

Claims (10)

1. A malicious encrypted traffic detection method based on behavior analysis, characterized by comprising the following steps:
acquiring network traffic data;
performing feature analysis on the network traffic data to obtain a session-based feature sequence, wherein the session comprises a plurality of pieces of network traffic data flowing between the same pair of network terminals;
inputting the feature sequence into a detection model to obtain a detection result score, wherein the detection model is a random forest model trained on a sample set comprising malicious samples and white samples;
and determining whether the network traffic is malicious encrypted traffic according to the detection result score.
2. The malicious encrypted traffic detection method according to claim 1, characterized in that, after the step of acquiring network traffic data, the method further comprises filtering the network traffic data by:
judging, from the transport protocol of the network traffic data, whether the network traffic data is a TCP message;
and if the network traffic data is not a TCP message, discarding the network traffic data.
3. The malicious encrypted traffic detection method according to claim 1, characterized in that the step of performing feature analysis on the network traffic data to obtain a session-based feature sequence comprises:
extracting quintuple information from the current network traffic data;
matching the session to which the current network traffic data belongs, wherein the session is a set consisting of historical traffic data whose quintuple information is the same as the quintuple information of the current network traffic data;
and recording the network traffic data into the matched session.
4. The malicious encrypted traffic detection method according to claim 3, characterized in that the step of performing feature analysis on the network traffic data to obtain a session-based feature sequence further comprises: if the current network traffic data matches no existing session, establishing a new session according to the quintuple information.
5. The malicious encrypted traffic detection method according to claim 3, characterized in that the step of performing feature analysis on the network traffic data to obtain a session-based feature sequence further comprises:
extracting a characteristic field from network traffic data belonging to the same session;
determining a handshake message, wherein the handshake message is network traffic data containing the characteristic field;
extracting feature information from the handshake message;
and adding the feature data to a feature sequence.
6. The malicious encrypted traffic detection method according to claim 5, characterized in that, after the step of adding the feature data to a feature sequence, the method further comprises:
obtaining a communication behavior model, in which a plurality of matching templates constructed from the communication rules of malicious traffic are preset;
matching the network flows in the session with the communication behavior model to obtain a matching template hit result;
and adding the matching template hit result to the feature sequence as a communication behavior feature.
7. The malicious encrypted traffic detection method according to claim 5, characterized in that, after the step of adding the feature data to a feature sequence, the method further comprises:
extracting the time sequence of each network flow contained in the session;
obtaining a heartbeat behavior model, in which a plurality of heartbeat behavior matching templates of malicious traffic are preset;
matching the time sequence corresponding to the session with the heartbeat behavior model to obtain a matching template hit result;
and adding the matching template hit result to the feature sequence as a heartbeat behavior feature.
8. The malicious encrypted traffic detection method according to claim 1, characterized in that the step of inputting the feature sequence into a detection model to obtain a detection result score comprises:
converting the feature sequence into a feature vector matrix;
and inputting the feature vector matrix into the detection model to obtain the classification probability of the detection model, and outputting the detection result score.
9. The malicious encrypted traffic detection method according to claim 1, characterized in that the step of determining whether the network traffic is malicious encrypted traffic according to the detection result score further comprises:
obtaining a security level threshold, which is a preset judgment value within the range 0 to 1;
and comparing the detection result score with the security level threshold, and determining the security level corresponding to the network traffic.
10. A malicious encrypted traffic detection system based on behavior analysis, characterized by comprising a gateway device and a data processing apparatus connected to the gateway device; the gateway device is connected to a network port to be detected so as to capture network traffic data from it; the data processing apparatus has a built-in detection module and is further configured to perform the following program steps:
acquiring network traffic data;
performing feature analysis on the network traffic data to obtain a session-based feature sequence, wherein the session comprises a plurality of pieces of network traffic data flowing between the same pair of network terminals;
inputting the feature sequence into a detection model to obtain a detection result score, wherein the detection model is a random forest model trained on a sample set comprising malicious samples and white samples;
and determining whether the network traffic is malicious encrypted traffic according to the detection result score.
CN202010058395.6A 2020-01-19 2020-01-19 Malicious encrypted traffic detection method and system based on behavior analysis Pending CN111277587A (en)

Publications (1)

Publication Number Publication Date
CN111277587A true CN111277587A (en) 2020-06-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200612