CN107360159B - Method and device for identifying abnormal encrypted traffic (Google Patents)

Publication number: CN107360159B (application number CN201710561737.4A; earlier publication CN107360159A)
Authority: CN (China)
Prior art keywords: traffic, encryption, recognition result, encrypted traffic, behavior recognition
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN107360159A (en)
Inventors: 石志鑫, 殷其雷, 王妍, 王振伟, 卢丹
Current assignee: Institute of Information Engineering of CAS (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Institute of Information Engineering of CAS
Events: application filed by Institute of Information Engineering of CAS; priority to CN201710561737.4A; publication of CN107360159A; application granted; publication of CN107360159B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic


Abstract

An embodiment of the present invention provides a method and device for identifying abnormal encrypted traffic. The method comprises: obtaining an encrypted traffic file; preprocessing the encrypted traffic file to determine the traffic protocol of the encrypted traffic; selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule and performing behavior recognition on the encrypted traffic; and identifying abnormal encrypted traffic according to the behavior recognition result, a machine learning recognition result of the encrypted traffic obtained in advance, and preset rules. The device executes the above method. The method and device provided by the embodiment can accurately identify abnormal encrypted traffic.

Description

Method and device for identifying abnormal encrypted traffic
Technical field
Embodiments of the present invention relate to the field of data traffic identification, and in particular to a method and device for identifying abnormal encrypted traffic.
Background
With the rapid development of network technology, the Internet and its applications have reached every corner of daily life; accordingly, the types of encrypted traffic on the Internet keep growing and its scale keeps increasing. The Internet has steadily improved people's quality of life, but at the same time it brings more and more problems: viruses and Trojans spread widely and cause damage; large numbers of P2P applications and flows cause large-scale network congestion and delay; hostile forces use the Internet to steal secrets from, and mount network attacks against, important Chinese institutions and research organizations. All of these problems urgently need to be dealt with. The key to solving them is how to accurately and efficiently identify all types of encrypted traffic in a complex real network environment and detect the abnormal traffic within it.
The prior art identifies abnormal traffic with port-based traffic identification. This method is simple and has low computational cost, and for traditional applications it achieves high accuracy. However, with the introduction and use of port camouflage, port hopping, dynamic port and tunneling techniques, the method is gradually losing its advantage and its identification accuracy keeps decreasing.
Therefore, how to accurately identify abnormal encrypted traffic has become a problem that needs to be solved.
Summary of the invention
In view of the problems in the prior art, embodiments of the present invention provide a method and device for identifying abnormal encrypted traffic.
In a first aspect, an embodiment of the present invention provides a method for identifying abnormal encrypted traffic, the method comprising:
Obtaining an encrypted traffic file;
Preprocessing the encrypted traffic file to determine the traffic protocol of the encrypted traffic;
Selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule and performing behavior recognition on the encrypted traffic;
Identifying abnormal encrypted traffic according to the behavior recognition result, a machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
In a second aspect, an embodiment of the present invention provides a device for identifying abnormal encrypted traffic, the device comprising:
An acquiring unit, for obtaining an encrypted traffic file;
A determination unit, for preprocessing the encrypted traffic file to determine the traffic protocol of the encrypted traffic;
A selecting unit, for selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule and performing behavior recognition on the encrypted traffic;
A recognition unit, for identifying abnormal encrypted traffic according to the behavior recognition result, a machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
In a third aspect, an embodiment of the present invention provides another device for identifying abnormal encrypted traffic, comprising a processor, a memory and a bus, wherein the following is performed:
Obtaining an encrypted traffic file;
Preprocessing the encrypted traffic file to determine the traffic protocol of the encrypted traffic;
Selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule and performing behavior recognition on the encrypted traffic;
Identifying abnormal encrypted traffic according to the behavior recognition result, a machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, comprising:
The non-transitory computer-readable storage medium stores computer instructions, and the computer instructions cause a computer to execute the following method:
Obtaining an encrypted traffic file;
Preprocessing the encrypted traffic file to determine the traffic protocol of the encrypted traffic;
Selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule and performing behavior recognition on the encrypted traffic;
Identifying abnormal encrypted traffic according to the behavior recognition result, a machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
The method and device for identifying abnormal encrypted traffic provided by the embodiments of the present invention can accurately identify abnormal encrypted traffic.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow diagram of the method for identifying abnormal encrypted traffic according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the device for identifying abnormal encrypted traffic according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the physical structure of a device provided by an embodiment of the present invention.
Detailed description of embodiments
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
Fig. 1 is a schematic flow diagram of the method for identifying abnormal encrypted traffic according to an embodiment of the present invention. As shown in Fig. 1, the method for identifying abnormal encrypted traffic provided by the embodiment comprises the following steps:
S1: obtaining an encrypted traffic file.
Specifically, the device obtains an encrypted traffic file. The encrypted traffic file may be in the standard PCAP (packet capture) format, but this is not specifically limited.
S2: preprocessing the encrypted traffic file to determine the traffic protocol of the encrypted traffic.
Specifically, the device preprocesses the encrypted traffic file to determine the traffic protocol of the encrypted traffic. Preprocessing may include converting the format of the encrypted traffic file (which may be PCAP) into TCP/UDP flow format, and then determining the traffic protocol of the encrypted traffic by manual analysis. It should be understood that, through extensive investigation and study of encrypted traffic, the embodiment of the present invention selects ten widely used encrypted traffic protocols as the objects of detection and subsequent analysis: SSH, TLS, QQ, Skype, ICQ, IPMSG, Thunder, eDonkey, uTorrent and BitTorrent. Because the behavior of different types of traffic protocol often differs considerably, these ten protocols are divided into four classes, and a behavior recognition method is designed and implemented for the unique behavior pattern of each class. The four classes are: basic cryptographic protocols (which may include SSH and TLS), C/S instant messaging protocols (which may include QQ), P2P instant messaging protocols (which may include Skype, ICQ and IPMSG) and P2P file transfer protocols (which may include Thunder, eDonkey, uTorrent and BitTorrent).
S3: selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule and performing behavior recognition on the encrypted traffic.
Specifically, the device selects the behavior recognition rule corresponding to the type of the traffic protocol and performs behavior recognition on the encrypted traffic. If the traffic protocol is a basic cryptographic protocol (SSH, TLS), port identification is performed on the encrypted traffic of the basic cryptographic protocol. Because SSH and TLS are common protocols implemented on top of TCP and their port numbers are fixed, the attribute of a TCP flow can be preliminarily judged by whether its destination port number is the default 22 or 443 (SSH: 22, TLS: 443). If the destination port is 22 (the first recognition result), SSH behavior pattern recognition is performed on the flow; if the destination port is 443 (the second recognition result), TLS behavior pattern recognition is performed. Because SSH and TLS are end-to-end encryption protocols, the information that can be used is the information in the packet headers of the traffic. When SSH is used for communication, the two nodes first exchange handshake packets, each of which contains a plaintext string beginning with SSH-2.0 or SSH-1.99 (the designated character strings in the header information). Then both sides exchange key and encryption algorithm negotiation packets, which contain a number of encryption method suites whose names are stored in plaintext in the packet payload. According to the RFC, SSH clients and servers support the ssh-dss or ssh-rsa methods (the designated character strings in the subsequent information). Therefore, performing SSH behavior pattern recognition specifically comprises: checking whether the header information contains the string SSH-2.0 or SSH-1.99, and whether the subsequent information contains the string ssh-dss or ssh-rsa. If both conditions are satisfied, the behavior pattern conforms to the SSH protocol (that is, the behavior recognition result of the encrypted traffic file is normal SSH); if either condition is not satisfied, the behavior pattern does not conform to the SSH protocol (that is, the behavior recognition result of the encrypted traffic file is abnormal SSH).
The behavior pattern of TLS has some similarity to that of SSH. In a pair of nodes communicating over TLS there is a distinction between SERVER (the server node) and CLIENT (the client node). The first handshake packet sent by CLIENT (the first request handshake packet sent to SERVER) carries, in plaintext, the names of the multiple encryption method suites it supports; SERVER selects one of them and feeds it back to CLIENT as the mode for the subsequent encrypted communication of both sides. Therefore, performing TLS behavior pattern recognition specifically comprises: obtaining the handshake packet of CLIENT HELLO type (the first request handshake packet sent to SERVER), which may carry multiple encryption method suite names; then searching the subsequent packets for one whose type is SERVER HELLO (the server node's handshake packet fed back for the first request handshake packet), and checking whether its specific field corresponds to one of the above encryption method suite names. If all of these conditions are met, the behavior pattern conforms to the TLS protocol (that is, the behavior recognition result of the encrypted traffic file is normal TLS); if any one of them is not met, the behavior pattern does not conform to the TLS protocol (that is, the behavior recognition result of the encrypted traffic file is abnormal TLS).
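The SSH and TLS checks described above, as an added example that is not part of the patent: ssh_behaviour_ok applies the banner and host-key-algorithm conditions to a flow's TCP payloads, and tls_behaviour_ok parses a ClientHello and a ServerHello (standard TLS record and handshake layout, only as far as the cipher suite fields) to confirm that the selected suite was one the client offered. All payloads, records and cipher suite ids are constructed, not captured.

```python
import struct

# SSH rule: a plaintext banner starting with SSH-2.0 or SSH-1.99 in the handshake
# packets, followed by ssh-dss or ssh-rsa in the key/algorithm negotiation packets.
SSH_BANNERS = (b"SSH-2.0", b"SSH-1.99")
SSH_HOSTKEY_ALGS = (b"ssh-dss", b"ssh-rsa")


def ssh_behaviour_ok(payloads):
    """payloads: TCP payloads of one port-22 flow, in capture order.
    True only when both the banner and the host-key-algorithm condition hold."""
    banner_at = next((i for i, p in enumerate(payloads) if p.startswith(SSH_BANNERS)), None)
    if banner_at is None:
        return False
    later = payloads[banner_at + 1:]                  # "subsequent information"
    return any(alg in p for p in later for alg in SSH_HOSTKEY_ALGS)


# TLS rule: the ClientHello lists offered cipher suites in plaintext and the
# ServerHello must select one of them. Only the record header, handshake header,
# version, random and session id are walked to reach the suite fields.
def _handshake_body(record):
    """Return (handshake_type, body) for a handshake record, else (None, None)."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake content type
        return None, None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4:
        return None, None
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[0], hs[4:4 + hs_len]


def client_hello_suites(record):
    """Cipher suite ids offered in a ClientHello, or None if not a ClientHello."""
    hs_type, body = _handshake_body(record)
    if hs_type != 1:
        return None
    pos = 2 + 32                                       # version + random
    pos += 1 + body[pos]                               # session id length + session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]


def server_hello_suite(record):
    """Cipher suite id selected in a ServerHello, or None if not a ServerHello."""
    hs_type, body = _handshake_body(record)
    if hs_type != 2:
        return None
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def tls_behaviour_ok(records):
    """records: TLS records of one port-443 flow in capture order, both directions.
    True when a ServerHello follows the ClientHello and its suite was offered."""
    offered = None
    for rec in records:
        if offered is None:
            offered = client_hello_suites(rec)         # wait for the ClientHello first
            continue
        chosen = server_hello_suite(rec)
        if chosen is not None:
            return chosen in offered
    return False


# Constructed sample records (not captured traffic) so the checks run offline.
def _handshake_record(hs_type, payload):
    hs = bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites):
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    return _handshake_record(1, body)


def build_server_hello(suite):
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _handshake_record(2, body)
```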
If the traffic protocol is a C/S instant messaging protocol, port identification is performed on the encrypted traffic of the C/S instant messaging protocol; if the recognition result is port number 8000 (the third recognition result), behavior recognition is further performed on the encrypted traffic. In QQ traffic, the client periodically requests the friend list of the current user from the server. This type of request packet contains a plaintext field identifying the packet type (the type identification field) and likewise contains, in plaintext, the QQ account used by the current user (the identity field). In a normal QQ communication process these two fields (the plaintext packet-type field and the QQ account of the current user) remain unchanged in all request packets of this type, and the time intervals between sending such request packets are the same. Therefore, performing C/S instant messaging behavior pattern recognition specifically comprises: obtaining the type identification field marking the type of request packet sent by the client and the identity field identifying the client user; determining candidate request packets, the candidate request packets being request packets of the same type sent by the same user; obtaining the time intervals at which the candidate request packets are sent, and taking the candidate request packets whose time interval is less than or equal to a preset time interval threshold as target request packets; computing the ratio of the number of target request packets to the total number of request packets sent by the same user; and checking whether the ratio is greater than a ratio threshold. The preset time interval and the ratio threshold can be set independently according to the actual situation. If all of the above conditions are met, the behavior pattern conforms to the C/S instant messaging encryption protocol (that is, the behavior recognition result of the encrypted traffic is a normal C/S instant messaging encryption protocol); if any one of them is not met, the behavior pattern does not conform (that is, the behavior recognition result of the encrypted traffic file is an abnormal C/S instant messaging encryption protocol).
If the traffic protocol is a P2P instant messaging protocol, port identification is performed on the encrypted traffic of the P2P instant messaging protocol. If the port identification result is destination port number 2425 (the fourth recognition result), the P2P instant messaging protocol is tentatively regarded as the IPMSG protocol: the source address and destination address of the encrypted traffic are obtained, and, according to the current network mask configuration, the source broadcast address corresponding to the source address and the destination broadcast address corresponding to the destination address are computed. It should be understood that computing the corresponding broadcast address from the network mask configuration is a mature technique in this field and is not described further. It is then checked whether the encrypted traffic contains a broadcast packet sent from the source address to the source broadcast address on port 2425. If the above conditions are all met, the behavior pattern conforms to the IPMSG protocol among the P2P instant messaging protocols (that is, the behavior recognition result of the encrypted traffic file is normal IPMSG); if any one of them is not met, the behavior pattern does not conform to the IPMSG protocol (that is, the behavior recognition result of the encrypted traffic file is abnormal IPMSG). Similarly, it can be determined that: if the encrypted traffic contains a broadcast packet sent from the destination address to the destination broadcast address on port 2425, and the above conditions are all met, the behavior pattern conforms to the IPMSG protocol (that is, the behavior recognition result of the encrypted traffic file is normal IPMSG); if any one of them is not met, the behavior pattern does not conform to the IPMSG protocol (that is, the behavior recognition result of the encrypted traffic file is abnormal IPMSG).
If the port identification result is not destination port number 2425 (the fifth recognition result), the source address of the encrypted traffic is obtained, and the Skype DNS request packets (first-type request packets) or ICQ DNS request packets (second-type request packets) sent from that source address are obtained from the encrypted traffic. It is checked whether a Skype DNS request packet contains the following fields: "skype.com", "skype.net", "skypeassets.com" and "skype-cr.akadns.net" (the first specific fields, of a first preset quantity; the first preset quantity may be chosen as 4 and the first specific fields as the four above), or whether an ICQ DNS request packet contains the following fields: "icq.net", "icq.com" and "mail.ru" (the second specific fields, of a second preset quantity; the second preset quantity may be chosen as 3 and the second specific fields as the three above). The first preset quantity, the second preset quantity, the first specific fields and the second specific fields are not specifically limited. The Skype DNS request packets or ICQ DNS request packets meeting the above condition are taken as target Skype DNS request packets (target first-type request packets) or target ICQ DNS request packets (target second-type request packets). It is then checked whether the number of target Skype DNS request packets or target ICQ DNS request packets sent is greater than a quantity threshold (which can be set independently; 2 may be chosen), and whether the number of bytes in each target Skype DNS request packet or target ICQ DNS request packet is less than a byte-count threshold (which can be set independently; 170 bytes may be chosen). If the above conditions are all met (including that target Skype DNS request packets or target ICQ DNS request packets were determined), the behavior pattern conforms to the Skype or ICQ protocol among the P2P instant messaging protocols (that is, the behavior recognition result of the encrypted traffic file is normal Skype or ICQ); if any one of them is not met, the behavior pattern does not conform to the Skype or ICQ protocol (that is, the behavior recognition result of the encrypted traffic file is abnormal Skype or ICQ).
If the traffic protocol is a P2P file transfer protocol, all communication messages between every two IP addresses in the encrypted traffic of the P2P file transfer protocol are obtained. It is checked whether all of the communication messages include both TCP and UDP messages, whether the lengths of all UDP messages are between 82 bytes (the first preset byte count) and 85 bytes (the second preset byte count), whether all UDP messages are sent in the same direction from sender to receiver, and whether the arrival interval of each UDP message equals a preset value (the preset value may be chosen as 6 seconds and is not specifically limited). If the above conditions are all met, the behavior pattern conforms to the Thunder protocol among the P2P file transfer protocols (that is, the behavior recognition result of the encrypted traffic file is normal Thunder); if any one of them is not met, the behavior pattern does not conform to the Thunder protocol (that is, the behavior recognition result of the encrypted traffic file is abnormal Thunder).
Or,
If all of the communication messages include TCP, UDP and eDonkey messages, the behavior pattern conforms to the eDonkey protocol among the P2P file transfer protocols (that is, the behavior recognition result of the encrypted traffic file is normal eDonkey); if not, the behavior pattern does not conform to the eDonkey protocol (that is, the behavior recognition result of the encrypted traffic file is abnormal eDonkey).
Or,
If all of the communication messages include TCP, UDP and BitTorrent messages, and the number of TCP messages exceeds the number of UDP messages, the behavior pattern conforms to the BitTorrent protocol among the P2P file transfer protocols (that is, the behavior recognition result of the encrypted traffic file is normal BitTorrent). If all of the communication messages include TCP, UDP and BitTorrent messages, and the number of TCP messages is less than the number of UDP messages, the behavior pattern conforms to the uTorrent protocol among the P2P file transfer protocols (that is, the behavior recognition result of the encrypted traffic file is normal uTorrent). If the above conditions are not met, the behavior recognition result of the encrypted traffic file is determined to be not a normal P2P file transfer protocol.
S4: identifying abnormal encrypted traffic according to the behavior recognition result, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
Specifically, the device identifies abnormal encrypted traffic according to the behavior recognition result, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules. Machine learning recognition of encrypted traffic extracts a specific feature set from the encrypted traffic and, based on a trained classification model, judges the concrete type of the encrypted traffic. The embodiment of the present invention selects features that are not easily affected by the external environment as the feature library for encrypted traffic, as shown in Table 1:
Table 1

No.  Name         Description
1    min_fpktl    Minimum packet length in the forward subflow (in bytes; the same below)
2    mean_fpktl   Mean packet length in the forward subflow
3    max_fpktl    Maximum packet length in the forward subflow
4    std_fpktl    Standard deviation of packet length in the forward subflow
5    min_bpktl    Minimum packet length in the backward subflow
6    mean_bpktl   Mean packet length in the backward subflow
7    max_bpktl    Maximum packet length in the backward subflow
8    std_bpktl    Standard deviation of packet length in the backward subflow
9    min_fiat     Minimum packet inter-arrival time in the forward subflow (in microseconds; the same below)
10   mean_fiat    Mean packet inter-arrival time in the forward subflow
11   max_fiat     Maximum packet inter-arrival time in the forward subflow
12   std_fiat     Standard deviation of packet inter-arrival time in the forward subflow
13   min_biat     Minimum packet inter-arrival time in the backward subflow
14   mean_biat    Mean packet inter-arrival time in the backward subflow
15   max_biat     Maximum packet inter-arrival time in the backward subflow
16   std_biat     Standard deviation of packet inter-arrival time in the backward subflow
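Computing the 16 features of Table 1 for one bidirectional flow, as an added example that is not the patent's code. The direction convention (the first packet defines the forward subflow), the use of population standard deviation, and setting the inter-arrival statistics of a direction with fewer than two packets to 0 are assumptions; the sample flow is constructed.

```python
from statistics import mean, pstdev


def extract_features(packets):
    """packets: one flow as dicts with ts (microseconds), src, dst and length (bytes),
    in capture order. Forward = direction of the first packet (assumption). A direction
    with fewer than two packets yields 0 for its inter-arrival statistics (assumption).
    Returns the 16 features of Table 1, keyed by the table's names, in table order."""
    if not packets:
        raise ValueError("empty flow")
    fwd_key = (packets[0]["src"], packets[0]["dst"])
    fwd = [p for p in packets if (p["src"], p["dst"]) == fwd_key]
    bwd = [p for p in packets if (p["src"], p["dst"]) != fwd_key]

    def stats(values):
        # min, mean, max, std of a series; all 0 when the series is empty
        if not values:
            return [0, 0, 0, 0]
        return [min(values), mean(values), max(values), pstdev(values)]

    def iat(direction):
        # packet inter-arrival times within one direction, in microseconds
        ts = [p["ts"] for p in direction]
        return [b - a for a, b in zip(ts, ts[1:])]

    series = {
        "fpktl": [p["length"] for p in fwd],
        "bpktl": [p["length"] for p in bwd],
        "fiat": iat(fwd),
        "biat": iat(bwd),
    }
    features = {}
    for name, values in series.items():
        for stat, value in zip(("min", "mean", "max", "std"), stats(values)):
            features[f"{stat}_{name}"] = value
    return features


# Constructed flow (not a capture): three forward packets and two backward ones.
SAMPLE_FLOW = [
    {"ts": 0,    "src": "10.0.0.1", "dst": "10.0.0.2", "length": 100},
    {"ts": 500,  "src": "10.0.0.2", "dst": "10.0.0.1", "length": 50},
    {"ts": 1000, "src": "10.0.0.1", "dst": "10.0.0.2", "length": 200},
    {"ts": 2500, "src": "10.0.0.2", "dst": "10.0.0.1", "length": 150},
    {"ts": 3000, "src": "10.0.0.1", "dst": "10.0.0.2", "length": 300},
]

if __name__ == "__main__":
    for name, value in extract_features(SAMPLE_FLOW).items():
        print(f"{name:12s} {value}")
```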
Identifying abnormal encrypted traffic according to the behavior recognition result, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules is described as follows:
If the behavior recognition result and the machine learning recognition result are inconsistent, the encrypted traffic is determined to be abnormal encrypted traffic. If the behavior recognition result and the machine learning recognition result are consistent, the encrypted traffic is determined to be normal encrypted traffic. The method for identifying abnormal encrypted traffic may further comprise the following step, in order to obtain the normal encrypted traffic in the encrypted traffic file:
Obtaining all encrypted traffic of the encrypted traffic file, and subtracting the identified abnormal encrypted traffic from all encrypted traffic, to obtain the normal encrypted traffic in the encrypted traffic file.
The identification of abnormal encrypted traffic is illustrated below with reference to Table 2:
Table 2
Referring to the first row of Table 2: the behavior pattern recognition result is Thunder (conforms to the Thunder protocol among the P2P file transfer protocols), the machine learning recognition result is P2P file download traffic, and the two results are consistent; the encrypted traffic is therefore determined to be normal P2P file download traffic (Thunder).
Referring to the fifth row of Table 2: the behavior pattern recognition result is non-P2P file download traffic (does not conform to a P2P file transfer protocol), the machine learning recognition result is P2P file download traffic, and the two results are inconsistent; the encrypted traffic is therefore determined to be abnormal P2P file download traffic.
Referring to the sixth row of Table 2: the behavior pattern recognition result is Thunder (conforms to the Thunder protocol among the P2P file transfer protocols), the machine learning recognition result is non-P2P file download traffic, and the two results are inconsistent; the encrypted traffic is therefore determined to be abnormal P2P file download traffic.
Referring to the tenth row of Table 2: the behavior pattern recognition result is non-P2P file download traffic (does not conform to a P2P file transfer protocol), the machine learning recognition result is non-P2P file download traffic, and the two results are consistent; the encrypted traffic is therefore determined to be normal non-P2P file download traffic.
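The preset rule of step S4 and the four Table 2 rows walked through above, as an added example rather than the patent's code. The mapping from a behavior result to the two category names the classifier uses in Table 2, and the flow ids, are assumptions.

```python
P2P_FILE_PROTOCOLS = {"Thunder", "eDonkey", "uTorrent", "BitTorrent"}


def ml_class_of(behaviour_result):
    """Map a behavior recognition result onto the category names of Table 2.
    Assumption: a behavior result naming one of the four P2P file transfer protocols
    corresponds to the classifier's 'P2P file download' category; anything else
    (including a result that does not conform to any rule) to 'non-P2P file download'."""
    if behaviour_result in P2P_FILE_PROTOCOLS:
        return "P2P file download"
    return "non-P2P file download"


def judge(flow):
    """Preset rule of step S4: consistent results -> normal, inconsistent -> abnormal."""
    return "normal" if ml_class_of(flow["behaviour"]) == flow["ml"] else "abnormal"


def split_traffic(flows):
    """Return (abnormal_ids, normal_ids): normal traffic is all traffic minus the
    abnormal traffic, as the final step of the method describes."""
    abnormal = {f["id"] for f in flows if judge(f) == "abnormal"}
    normal = {f["id"] for f in flows} - abnormal
    return abnormal, normal


# Constructed flows reproducing the four Table 2 rows discussed above.
SAMPLE_FLOWS = [
    {"id": "flow-1",  "behaviour": "Thunder",               "ml": "P2P file download"},
    {"id": "flow-5",  "behaviour": "non-P2P file download", "ml": "P2P file download"},
    {"id": "flow-6",  "behaviour": "Thunder",               "ml": "non-P2P file download"},
    {"id": "flow-10", "behaviour": "non-P2P file download", "ml": "non-P2P file download"},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["id"], judge(f))
    print(split_traffic(SAMPLE_FLOWS))   # ({'flow-5', 'flow-6'}, {'flow-1', 'flow-10'})
```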
The method of the abnormal encryption flow of identification provided in an embodiment of the present invention can accurately carry out abnormal encryption flow Identification.
On the basis of the above embodiments, the types of traffic protocol include an underlying encryption protocol, a C/S instant messaging protocol, a P2P instant messaging protocol and a P2P file transfer protocol. Correspondingly, selecting the corresponding behavior recognition rule according to the type of the traffic protocol and performing behavior recognition on the encrypted traffic comprises:
If the traffic protocol is the underlying encryption protocol, selecting the corresponding first behavior recognition rule to perform behavior recognition on the encrypted traffic.
Specifically, if the device determines that the traffic protocol is the underlying encryption protocol, it selects the corresponding first behavior recognition rule and performs behavior recognition on the encrypted traffic. Reference may be made to the above embodiment; details are not repeated here.
Or,
If the traffic protocol is the C/S instant messaging protocol, selecting the corresponding second behavior recognition rule to perform behavior recognition on the encrypted traffic.
Specifically, if the device determines that the traffic protocol is the C/S instant messaging protocol, it selects the corresponding second behavior recognition rule and performs behavior recognition on the encrypted traffic. Reference may be made to the above embodiment; details are not repeated here.
Or,
If the traffic protocol is the P2P instant messaging protocol, selecting the corresponding third behavior recognition rule to perform behavior recognition on the encrypted traffic.
Specifically, if the device determines that the traffic protocol is the P2P instant messaging protocol, it selects the corresponding third behavior recognition rule and performs behavior recognition on the encrypted traffic. Reference may be made to the above embodiment; details are not repeated here.
Or,
If the traffic protocol is the P2P file transfer protocol, selecting the corresponding fourth behavior recognition rule to perform behavior recognition on the encrypted traffic.
Specifically, if the device determines that the traffic protocol is the P2P file transfer protocol, it selects the corresponding fourth behavior recognition rule and performs behavior recognition on the encrypted traffic. Reference may be made to the above embodiment; details are not repeated here.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention performs behavior recognition separately on the encrypted traffic corresponding to each type of encrypted traffic protocol, and can therefore identify abnormal encrypted traffic more accurately.
On the basis of the above embodiments, if the traffic protocol is the underlying encryption protocol, selecting the corresponding first behavior recognition rule to perform behavior recognition on the encrypted traffic comprises:
Performing port identification on the encrypted traffic.
Specifically, the device performs port identification on the encrypted traffic.
If the result of port identification is the first recognition result, determining the behavior recognition result of the encrypted traffic according to whether the packet header information and the subsequent information of the encrypted traffic contain a specified string.
Specifically, if the device determines that the result of port identification is the first recognition result, it determines the behavior recognition result of the encrypted traffic according to whether the packet header information and the subsequent information of the encrypted traffic contain the specified string.
Or,
If the result of port identification is the second recognition result, obtaining the cipher suite name provided by the client node of the underlying encryption protocol when it sends the first handshake request packet.
Specifically, if the device determines that the result of port identification is the second recognition result, it obtains the cipher suite name provided by the client node of the underlying encryption protocol when it sends the first handshake request packet.
During the subsequent data transmission between the server node and the client node of the underlying encryption protocol, determining the behavior recognition result of the encrypted traffic according to whether the server node has sent to the client node a server handshake request packet in reply to the first handshake request packet, and whether the specific field of that server handshake request packet corresponds to the cipher suite name.
Specifically, during the subsequent data transmission between the server node and the client node of the underlying encryption protocol, the device determines the behavior recognition result of the encrypted traffic according to whether the server node has sent to the client node a server handshake request packet in reply to the first handshake request packet, and whether the specific field of that server handshake request packet corresponds to the cipher suite name.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention performs behavior recognition on the encrypted traffic corresponding to the underlying encryption protocol, and can therefore identify abnormal encrypted traffic accurately.
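As an added example, not part of the patent, the following Python shows the second-recognition-result branch of the first rule under the assumption that the underlying encryption protocol is TLS: the client's first handshake request is the ClientHello (its offered cipher suites stand in for the "cipher suite name"), the server's reply is the ServerHello, and its cipher_suite field is the "specific field" that must correspond. The messages are constructed inline with the byte layout of RFC 5246; the parser returns None on anything that is not a well-formed hello instead of raising.

```python
import struct

TLS_HANDSHAKE = 0x16   # record content type: handshake
CLIENT_HELLO = 0x01    # handshake message types
SERVER_HELLO = 0x02

# A few IANA cipher suite codes, mapped to names for readable verdicts.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_record(handshake_type, body):
    """Wrap a handshake body in the 4-byte handshake header and 5-byte record header."""
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def build_client_hello(suites):
    """Constructed ClientHello: version, 32-byte random, empty session id,
    the offered cipher suites, one (null) compression method, no extensions."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    return build_record(CLIENT_HELLO, body)


def build_server_hello(suite):
    """Constructed ServerHello: version, random, empty session id, chosen suite, null compression."""
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return build_record(SERVER_HELLO, body)


def parse_hello(record):
    """Return (handshake_type, [cipher suites]) for a ClientHello or ServerHello record,
    or None if the record is not a well-formed hello (never raises on junk input)."""
    if len(record) < 9 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or len(handshake) != rec_len:
        return None
    hs_type = handshake[0]
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        return None
    pos = 35 + body[34]                       # skip version, random and session id
    if hs_type == CLIENT_HELLO and len(body) >= pos + 2:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if n % 2 or len(body) < pos + n:
            return None
        return hs_type, [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    if hs_type == SERVER_HELLO and len(body) >= pos + 2:
        return hs_type, [struct.unpack("!H", body[pos:pos + 2])[0]]
    return None


def check_handshake(client_to_server, server_to_client):
    """First behavior recognition rule, second recognition result: the client's first
    handshake request must offer cipher suites, the server must answer with its own
    handshake packet, and the suite field in that answer must be one the client offered."""
    offered = parse_hello(client_to_server)
    if offered is None or offered[0] != CLIENT_HELLO:
        return "abnormal: client did not send a ClientHello"
    chosen = parse_hello(server_to_client) if server_to_client else None
    if chosen is None or chosen[0] != SERVER_HELLO:
        return "abnormal: server did not answer with a ServerHello"
    suite = chosen[1][0]
    name = SUITE_NAMES.get(suite, hex(suite))
    if suite not in offered[1]:
        return "abnormal: server selected %s, which the client did not offer" % name
    return "normal: negotiated %s" % name
```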
On the basis of the above embodiments, if the traffic protocol is the C/S instant messaging protocol, selecting the corresponding second behavior recognition rule to perform behavior recognition on the encrypted traffic comprises:
Performing port identification on the encrypted traffic.
Specifically, the device performs port identification on the encrypted traffic. Reference may be made to the above embodiment; details are not repeated here.
If the result of port identification is the third recognition result, obtaining the type identification field that identifies the type of the request packet sent by the client, and the identity identification field that identifies the identity of the client user; wherein the request packet is the request to update the current user's friend list that the client sends to the server.
Specifically, if the device determines that the result of port identification is the third recognition result, it obtains the type identification field that identifies the type of the request packet sent by the client to the server, and the identity identification field that identifies the identity of the client user; wherein the request packet is the request to update the current user's friend list that the client sends to the server. Reference may be made to the above embodiment; details are not repeated here.
Determining candidate request packets according to the type identification field and the identity identification field, the candidate request packets being the request packets of the same type sent by the same user.
Specifically, the device determines the candidate request packets according to the type identification field and the identity identification field; the candidate request packets are the request packets of the same type sent by the same user. Reference may be made to the above embodiment; details are not repeated here.
Obtaining the time intervals at which the candidate request packets are sent, and taking the candidate request packets whose time interval is less than or equal to a preset time interval threshold as target request packets.
Specifically, the device obtains the time intervals at which the candidate request packets are sent, and takes the candidate request packets whose time interval is less than or equal to the preset time interval threshold as target request packets. Reference may be made to the above embodiment; details are not repeated here.
Calculating the ratio of the number of target request packets to the total number of all request packets sent by the same user.
Specifically, the device calculates the ratio of the number of target request packets to the total number of all request packets sent by the same user. Reference may be made to the above embodiment; details are not repeated here.
Determining the behavior recognition result of the encrypted traffic according to whether the ratio is greater than a ratio threshold.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether the ratio is greater than the ratio threshold. Reference may be made to the above embodiment; details are not repeated here.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention performs behavior recognition on the encrypted traffic corresponding to the C/S instant messaging protocol, and can therefore identify abnormal encrypted traffic accurately.
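The second rule as a whole, written out as an added example that is not the patent's own code: the records are constructed decoded request packets (timestamp, identity field, type identification field), and the threshold values, the record format and the choice to count a candidate as a target when it follows the previous candidate within the interval threshold are all assumptions made here.

```python
from collections import defaultdict

# Constructed decoded request records, one per request packet the client sent to the
# server: "ts=<seconds> uid=<identity field> type=<type identification field>".
SAMPLE_RECORDS = """
ts=0.0 uid=1001 type=friend_list
ts=0.4 uid=1001 type=friend_list
ts=0.9 uid=1001 type=friend_list
ts=1.3 uid=1001 type=friend_list
ts=45.0 uid=1001 type=profile
ts=0.0 uid=2002 type=friend_list
ts=120.0 uid=2002 type=friend_list
ts=300.0 uid=2002 type=profile
""".strip().splitlines()


def parse_record(line):
    """Pull the timestamp, identity field and type field out of one decoded record."""
    kv = dict(part.split("=", 1) for part in line.split())
    return float(kv["ts"]), kv["uid"], kv["type"]


def second_rule(records, interval_threshold=2.0, ratio_threshold=0.5, request_type="friend_list"):
    """Second behavior recognition rule. Returns {uid: (ratio, verdict)}, the ratio being the
    number of target request packets over all request packets sent by that user."""
    candidates = defaultdict(list)   # same type identification field, grouped by identity field
    totals = defaultdict(int)        # all request packets per user, whatever their type
    for line in records:
        ts, uid, rtype = parse_record(line)
        totals[uid] += 1
        if rtype == request_type:
            candidates[uid].append(ts)
    results = {}
    for uid, total in totals.items():
        times = sorted(candidates[uid])
        # Assumption: a candidate is a target packet when it follows the previous candidate
        # of the same user within the preset time interval threshold (a burst of repeats).
        targets = sum(1 for prev, cur in zip(times, times[1:]) if cur - prev <= interval_threshold)
        ratio = targets / total
        results[uid] = (ratio, "abnormal" if ratio > ratio_threshold else "normal")
    return results
```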
On the basis of the above embodiments, if the traffic protocol is the P2P instant messaging protocol, selecting the corresponding third behavior recognition rule to perform behavior recognition on the encrypted traffic comprises:
Performing port identification on the encrypted traffic.
Specifically, the device performs port identification on the encrypted traffic. Reference may be made to the above embodiment; details are not repeated here.
If the result of port identification is the fourth recognition result, obtaining the source address and the destination address of the encrypted traffic, and calculating, according to the network mask configured for the current network, the source broadcast address corresponding to the source address and the destination broadcast address corresponding to the destination address.
Specifically, if the device determines that the result of port identification is the fourth recognition result, it obtains the source address and the destination address of the encrypted traffic, and calculates, according to the network mask configured for the current network, the source broadcast address corresponding to the source address and the destination broadcast address corresponding to the destination address. Reference may be made to the above embodiment; details are not repeated here.
Determining the behavior recognition result of the encrypted traffic according to whether the encrypted traffic file contains a broadcast packet sent from the source address to the source broadcast address whose port is that of the fourth recognition result.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether the encrypted traffic file contains a broadcast packet sent from the source address to the source broadcast address whose port is that of the fourth recognition result. Reference may be made to the above embodiment; details are not repeated here.
Or,
Determining the behavior recognition result of the encrypted traffic according to whether the encrypted traffic contains a broadcast packet sent from the destination address to the destination broadcast address whose port is that of the fourth recognition result.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether the encrypted traffic contains a broadcast packet sent from the destination address to the destination broadcast address whose port is that of the fourth recognition result. Reference may be made to the above embodiment; details are not repeated here.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention performs behavior recognition on the encrypted traffic corresponding to the P2P instant messaging protocol, and can therefore identify abnormal encrypted traffic accurately.
On the basis of the above embodiments, the method further comprises:
If the result of port identification is not the fourth recognition result, obtaining the source address of the encrypted traffic.
Specifically, if the device determines that the result of port identification is not the fourth recognition result, it obtains the source address of the encrypted traffic.
Obtaining, from the encrypted traffic, the first-type request packets or the second-type request packets issued by the source address.
Specifically, the device obtains, from the encrypted traffic, the first-type request packets or the second-type request packets issued by the source address.
Determining target first-type request packets or target second-type request packets according to whether a first-type request packet contains the corresponding first preset number of first specified fields, or whether a second-type request packet contains the corresponding second preset number of second specified fields.
Specifically, the device determines the target first-type request packets or target second-type request packets according to whether a first-type request packet contains the corresponding first preset number of first specified fields, or whether a second-type request packet contains the corresponding second preset number of second specified fields.
Determining the behavior recognition result of the encrypted traffic according to whether the number of target first-type request packets or target second-type request packets sent is greater than a count threshold, and whether the number of bytes contained in each target first-type request packet or each target second-type request packet is less than a byte count threshold.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether the number of target first-type request packets or target second-type request packets sent is greater than the count threshold, and whether the number of bytes contained in each target first-type request packet or each target second-type request packet is less than the byte count threshold.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention further performs behavior recognition on the encrypted traffic corresponding to the P2P instant messaging protocol, and can therefore identify abnormal encrypted traffic accurately.
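Both branches of the third rule (the broadcast check when port identification gives the fourth result, and the request packet count and size check when it does not) as one added example that is not the patent's own code. The Packet layout, the port 5222 standing in for the fourth recognition result, the request field names in REQUEST_SPECS and the thresholds are all assumptions; the sample traffic is constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    size: int            # bytes on the wire
    kind: str = ""       # "first" or "second" for the two request packet types, else ""
    fields: tuple = ()   # names of the fields decoded from the request payload


# Hypothetical specified fields and preset counts for the two request packet types.
REQUEST_SPECS = {
    "first": (("peer_id", "presence"), 2),
    "second": (("peer_id", "query", "ttl"), 3),
}


def broadcast_for(addr, netmask):
    """Broadcast address of the subnet containing addr under the configured network mask."""
    return str(ipaddress.ip_network(f"{addr}/{netmask}", strict=False).broadcast_address)


def broadcast_check(packets, flow_src, flow_dst, netmask, port):
    """Fourth-recognition-result branch: is there a broadcast packet from the source to the
    source broadcast address, or from the destination to the destination broadcast address,
    on the identified port?"""
    for addr in (flow_src, flow_dst):
        bcast = broadcast_for(addr, netmask)
        if any(p.src == addr and p.dst == bcast and p.dport == port for p in packets):
            return True
    return False


def request_check(packets, flow_src, count_threshold, byte_threshold):
    """Branch when port identification did not give the fourth result: keep the source's
    first/second-type request packets that carry the preset number of specified fields
    (the target packets), then require more than count_threshold of them, each smaller
    than byte_threshold."""
    targets = []
    for p in packets:
        if p.src != flow_src or p.kind not in REQUEST_SPECS:
            continue
        names, needed = REQUEST_SPECS[p.kind]
        if sum(1 for n in names if n in p.fields) >= needed:
            targets.append(p)
    return len(targets) > count_threshold and all(p.size < byte_threshold for p in targets)


def third_rule(packets, flow_src, flow_dst, netmask, port_result, im_port=5222,
               count_threshold=3, byte_threshold=128):
    """Third behavior recognition rule. Returns True when the traffic shows the P2P IM
    protocol's behavior, False otherwise; im_port stands in for the fourth recognition result."""
    if port_result == im_port:
        return broadcast_check(packets, flow_src, flow_dst, netmask, im_port)
    return request_check(packets, flow_src, count_threshold, byte_threshold)


# Constructed sample traffic on a /24 LAN.
NETMASK = "255.255.255.0"
LAN_PACKETS = [
    Packet("192.168.1.10", "192.168.1.255", 5222, 96, "first", ("peer_id", "presence")),
    Packet("192.168.1.10", "192.168.1.20", 5222, 240),
    Packet("192.168.1.20", "192.168.1.10", 5222, 260),
]
NO_BROADCAST = [Packet("192.168.1.10", "192.168.1.20", 5222, 240)]
PEER_REQUESTS = [
    Packet("10.0.0.5", "10.0.0.9", 40001, 80, "second", ("peer_id", "query", "ttl")),
    Packet("10.0.0.5", "10.0.0.11", 40001, 84, "second", ("peer_id", "query", "ttl")),
    Packet("10.0.0.5", "10.0.0.12", 40001, 88, "first", ("peer_id", "presence")),
    Packet("10.0.0.5", "10.0.0.13", 40001, 90, "first", ("peer_id", "presence")),
    Packet("10.0.0.5", "10.0.0.14", 40001, 90, "second", ("peer_id",)),   # too few fields
]
```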
On the basis of the above embodiments, if the traffic protocol is the P2P file transfer protocol, selecting the corresponding fourth behavior recognition rule to perform behavior recognition on the encrypted traffic comprises:
Obtaining all communication messages between every pair of IP addresses in the encrypted traffic.
Specifically, the device obtains all communication messages between every pair of IP addresses in the encrypted traffic.
Determining the behavior recognition result of the encrypted traffic according to whether all the communication messages include both TCP and UDP messages, whether the lengths of the UDP messages all lie between a first preset byte count and a second preset byte count, whether the UDP messages are all sent in the same direction from sender to receiver, and whether the arrival time interval of each UDP message equals a preset value.
Specifically, the device determines the behavior recognition result of the encrypted traffic according to whether all the communication messages include both TCP and UDP messages, whether the lengths of the UDP messages all lie between the first preset byte count and the second preset byte count, whether the UDP messages are all sent in the same direction from sender to receiver, and whether the arrival time interval of each UDP message equals the preset value.
The method for identifying abnormal encrypted traffic provided by the embodiment of the present invention performs behavior recognition on the encrypted traffic corresponding to the P2P file transfer protocol, and can therefore identify abnormal encrypted traffic accurately.
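The fourth rule run over constructed per-pair traffic, as an added example rather than the patent's own code: the message tuple layout, the byte bounds, the preset interval and the timing tolerance (added so float timestamps need not match exactly) are assumptions made here.

```python
from collections import defaultdict

# Constructed sample messages: (arrival time in seconds, src, dst, protocol, length in bytes).
SAMPLE_MESSAGES = [
    # Host A to host B: a short TCP exchange, then a one-way stream of evenly spaced UDP datagrams.
    (0.000, "10.1.1.2", "10.1.1.3", "TCP", 120),
    (0.005, "10.1.1.3", "10.1.1.2", "TCP", 64),
    (0.100, "10.1.1.2", "10.1.1.3", "UDP", 1400),
    (0.110, "10.1.1.2", "10.1.1.3", "UDP", 1400),
    (0.120, "10.1.1.2", "10.1.1.3", "UDP", 1380),
    (0.130, "10.1.1.2", "10.1.1.3", "UDP", 1400),
    # Host A to host C: TCP only, so the "both TCP and UDP" condition fails.
    (0.000, "10.1.1.2", "10.1.1.4", "TCP", 300),
    (0.020, "10.1.1.4", "10.1.1.2", "TCP", 300),
    # Host A to host D: TCP plus UDP, but the UDP messages flow in both directions.
    (0.000, "10.1.1.2", "10.1.1.5", "TCP", 100),
    (0.100, "10.1.1.2", "10.1.1.5", "UDP", 1400),
    (0.110, "10.1.1.5", "10.1.1.2", "UDP", 1400),
]


def fourth_rule(messages, min_len=1000, max_len=1500, interval=0.010, tolerance=0.002):
    """Fourth behavior recognition rule. Groups all messages by unordered IP pair and returns
    {pair: matches}, True when the pair's traffic shows the P2P file transfer pattern:
    both TCP and UDP present, every UDP length within [min_len, max_len], all UDP messages
    in one direction, and consecutive UDP arrivals spaced by the preset interval."""
    pairs = defaultdict(list)
    for msg in messages:
        pairs[tuple(sorted((msg[1], msg[2])))].append(msg)
    results = {}
    for pair, msgs in pairs.items():
        udp = sorted((m for m in msgs if m[3] == "UDP"), key=lambda m: m[0])
        has_both = {"TCP", "UDP"} <= {m[3] for m in msgs}
        lengths_ok = all(min_len <= m[4] <= max_len for m in udp)
        one_way = len({(m[1], m[2]) for m in udp}) == 1
        spacing_ok = all(abs((b[0] - a[0]) - interval) <= tolerance for a, b in zip(udp, udp[1:]))
        results[pair] = has_both and lengths_ok and one_way and spacing_ok
    return results
```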
Fig. 2 is a schematic structural diagram of the device for identifying abnormal encrypted traffic according to an embodiment of the present invention. As shown in Fig. 2, the embodiment of the present invention provides a device for identifying abnormal encrypted traffic, comprising an acquiring unit 1, a determination unit 2, a selecting unit 3 and a recognition unit 4, wherein:
The acquiring unit 1 is used to obtain an encrypted traffic file; the determination unit 2 is used to pre-process the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; the selecting unit 3 is used to select the corresponding behavior recognition rule according to the type of the traffic protocol and perform behavior recognition on the encrypted traffic; and the recognition unit 4 is used to identify abnormal encrypted traffic according to the result of behavior recognition, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
Specifically, the acquiring unit 1 is used to obtain the encrypted traffic file; the determination unit 2 is used to pre-process the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; the selecting unit 3 is used to select the corresponding behavior recognition rule according to the type of the traffic protocol and perform behavior recognition on the encrypted traffic; and the recognition unit 4 is used to identify abnormal encrypted traffic according to the result of behavior recognition, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
The device for identifying abnormal encrypted traffic provided by the embodiment of the present invention can identify abnormal encrypted traffic accurately.
The device for identifying abnormal encrypted traffic provided by the embodiment of the present invention can specifically be used to execute the processing flow of each of the above method embodiments; its functions are not described again here, and reference may be made to the detailed description of the above method embodiments.
Fig. 3 is a schematic diagram of the physical structure of the device provided by an embodiment of the present invention. As shown in Fig. 3, the device comprises: a processor 301, a memory 302 and a bus 303;
wherein the processor 301 and the memory 302 communicate with each other through the bus 303;
the processor 301 is used to call the program instructions in the memory 302 to execute the method provided by each of the above method embodiments, for example: obtaining an encrypted traffic file; pre-processing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; selecting the corresponding behavior recognition rule according to the type of the traffic protocol and performing behavior recognition on the encrypted traffic; and identifying abnormal encrypted traffic according to the result of behavior recognition, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
The present embodiment discloses a computer program product. The computer program product comprises a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by each of the above method embodiments, for example: obtaining an encrypted traffic file; pre-processing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; selecting the corresponding behavior recognition rule according to the type of the traffic protocol and performing behavior recognition on the encrypted traffic; and identifying abnormal encrypted traffic according to the result of behavior recognition, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
The present embodiment provides a non-transitory computer-readable storage medium storing computer instructions, the computer instructions causing the computer to perform the method provided by each of the above method embodiments, for example: obtaining an encrypted traffic file; pre-processing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic; selecting the corresponding behavior recognition rule according to the type of the traffic protocol and performing behavior recognition on the encrypted traffic; and identifying abnormal encrypted traffic according to the result of behavior recognition, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be implemented by hardware controlled by program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical disks.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment may be implemented by software plus a necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the above technical solution, or the part of it that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disk, and includes instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the embodiments of the present invention, not to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for identifying abnormal encrypted traffic, characterized by comprising:
Obtaining an encrypted traffic file;
Pre-processing the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic;
Selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule to perform behavior recognition on the encrypted traffic;
Identifying abnormal encrypted traffic according to the result of behavior recognition, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules;
The types of traffic protocol comprising an underlying encryption protocol, a C/S instant messaging protocol, a P2P instant messaging protocol and a P2P file transfer protocol, and correspondingly, selecting, according to the type of the traffic protocol, the corresponding behavior recognition rule to perform behavior recognition on the encrypted traffic comprising:
If the traffic protocol is the underlying encryption protocol, selecting the corresponding first behavior recognition rule to perform behavior recognition on the encrypted traffic;
Or,
If the traffic protocol is the C/S instant messaging protocol, selecting the corresponding second behavior recognition rule to perform behavior recognition on the encrypted traffic;
Or,
If the traffic protocol is the P2P instant messaging protocol, selecting the corresponding third behavior recognition rule to perform behavior recognition on the encrypted traffic;
Or,
If the traffic protocol is the P2P file transfer protocol, selecting the corresponding fourth behavior recognition rule to perform behavior recognition on the encrypted traffic;
Wherein, if the traffic protocol is the underlying encryption protocol, selecting the corresponding first behavior recognition rule to perform behavior recognition on the encrypted traffic comprises:
Performing port identification on the encrypted traffic;
If the result of port identification is a first recognition result, determining the behavior recognition result of the encrypted traffic according to whether the packet header information and the subsequent information of the encrypted traffic contain a specified string;
Or,
If the result of port identification is a second recognition result, obtaining the cipher suite name provided by the client node of the underlying encryption protocol when it sends the first handshake request packet;
During the subsequent data transmission between the server node and the client node of the underlying encryption protocol, determining the behavior recognition result of the encrypted traffic according to whether the server node has sent to the client node a server handshake request packet in reply to the first handshake request packet, and whether the specific field of that server handshake request packet corresponds to the cipher suite name.
2. The method according to claim 1, characterized in that, if the traffic protocol is the C/S instant messaging protocol, selecting the corresponding second behavior recognition rule to perform behavior recognition on the encrypted traffic comprises:
Performing port identification on the encrypted traffic;
If the result of port identification is a third recognition result, obtaining the type identification field that identifies the type of the request packet sent by the client, and the identity identification field that identifies the identity of the client user; wherein the request packet is the request to update the current user's friend list that the client sends to the server;
Determining candidate request packets according to the type identification field and the identity identification field, the candidate request packets being the request packets of the same type sent by the same user;
Obtaining the time intervals at which the candidate request packets are sent, and taking the candidate request packets whose time interval is less than or equal to a preset time interval threshold as target request packets;
Calculating the ratio of the number of target request packets to the total number of all request packets sent by the same user;
Determining the behavior recognition result of the encrypted traffic according to whether the ratio is greater than a ratio threshold.
3. The method according to claim 1, characterized in that, if the traffic protocol is the P2P instant messaging protocol, selecting the corresponding third behavior recognition rule to perform behavior recognition on the encrypted traffic comprises:
Performing port identification on the encrypted traffic;
If the result of port identification is a fourth recognition result, obtaining the source address and the destination address of the encrypted traffic, and calculating, according to the network mask configured for the current network, the source broadcast address corresponding to the source address and the destination broadcast address corresponding to the destination address;
Determining the behavior recognition result of the encrypted traffic according to whether the encrypted traffic file contains a broadcast packet sent from the source address to the source broadcast address whose port is that of the fourth recognition result;
Or,
Determining the behavior recognition result of the encrypted traffic according to whether the encrypted traffic contains a broadcast packet sent from the destination address to the destination broadcast address whose port is that of the fourth recognition result.
4. The method according to claim 3, characterized in that the method further comprises:
If the result of port identification is not the fourth recognition result, obtaining the source address of the encrypted traffic;
Obtaining, from the encrypted traffic, the first-type request packets or the second-type request packets issued by the source address;
Determining target first-type request packets or target second-type request packets according to whether a first-type request packet contains the corresponding first preset number of first specified fields, or whether a second-type request packet contains the corresponding second preset number of second specified fields;
Determining the behavior recognition result of the encrypted traffic according to whether the number of target first-type request packets or target second-type request packets sent is greater than a count threshold, and whether the number of bytes contained in each target first-type request packet or each target second-type request packet is less than a byte count threshold.
5. The method according to claim 1, characterized in that, if the traffic protocol is the P2P file transfer protocol, selecting the corresponding fourth behavior recognition rule to perform behavior recognition on the encrypted traffic comprises:
Obtaining all communication messages between every pair of IP addresses in the encrypted traffic;
Determining the behavior recognition result of the encrypted traffic according to whether all the communication messages include both TCP and UDP messages, whether the lengths of the UDP messages all lie between a first preset byte count and a second preset byte count, whether the UDP messages are all sent in the same direction from sender to receiver, and whether the arrival time interval of each UDP message equals a preset value.
6. A device for identifying abnormal encrypted traffic, characterized by comprising:
An acquiring unit, used to obtain an encrypted traffic file;
A determination unit, used to pre-process the encrypted traffic file to determine the traffic protocol corresponding to the encrypted traffic;
A selecting unit, used to select, according to the type of the traffic protocol, the corresponding behavior recognition rule to perform behavior recognition on the encrypted traffic;
A recognition unit, used to identify abnormal encrypted traffic according to the result of behavior recognition, the machine learning recognition result of the encrypted traffic obtained in advance, and preset rules;
The types of traffic protocol comprising an underlying encryption protocol, a C/S instant messaging protocol, a P2P instant messaging protocol and a P2P file transfer protocol, and correspondingly, the selecting unit being specifically used to:
If the traffic protocol is the underlying encryption protocol, select the corresponding first behavior recognition rule to perform behavior recognition on the encrypted traffic;
Or,
If the traffic protocol is the C/S instant messaging protocol, select the corresponding second behavior recognition rule to perform behavior recognition on the encrypted traffic;
Or,
If the traffic protocol is the P2P instant messaging protocol, select the corresponding third behavior recognition rule to perform behavior recognition on the encrypted traffic;
Or,
If the traffic protocol is the P2P file transfer protocol, select the corresponding fourth behavior recognition rule to perform behavior recognition on the encrypted traffic;
The selecting unit being further specifically used to:
Perform port identification on the encrypted traffic;
If the result of port identification is a first recognition result, determine the behavior recognition result of the encrypted traffic according to whether the packet header information and the subsequent information of the encrypted traffic contain a specified string;
Or,
If the result of port identification is a second recognition result, obtain the cipher suite name provided by the client node of the underlying encryption protocol when it sends the first handshake request packet;
During the subsequent data transmission between the server node and the client node of the underlying encryption protocol, determine the behavior recognition result of the encrypted traffic according to whether the server node has sent to the client node a server handshake request packet in reply to the first handshake request packet, and whether the specific field of that server handshake request packet corresponds to the cipher suite name.
7. A device for identifying abnormal encrypted traffic, characterized by comprising: a processor, a memory and a bus, wherein
The processor and the memory communicate with each other through the bus;
The memory stores program instructions executable by the processor, and the processor, by calling the program instructions, is able to execute the method according to any one of claims 1 to 5.
8. A non-transitory computer-readable storage medium, characterized in that the non-transitory computer-readable storage medium stores computer instructions, the computer instructions causing a computer to execute the method according to any one of claims 1 to 5.
CN201710561737.4A 2017-07-11 2017-07-11 A kind of method and device of the abnormal encryption flow of identification Active CN107360159B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710561737.4A CN107360159B (en) 2017-07-11 2017-07-11 A kind of method and device of the abnormal encryption flow of identification

Publications (2)

Publication Number Publication Date
CN107360159A CN107360159A (en) 2017-11-17
CN107360159B true CN107360159B (en) 2019-12-03

Family

ID=60292363

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710561737.4A Active CN107360159B (en) 2017-07-11 2017-07-11 A kind of method and device of the abnormal encryption flow of identification

Country Status (1)

Country Link
CN (1) CN107360159B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019140554A1 (en) * 2018-01-16 2019-07-25 Oppo广东移动通信有限公司 Data verification method, network device, user equipment and computer storage medium
CN108833360B (en) * 2018-05-23 2019-11-08 四川大学 A kind of malice encryption method for recognizing flux based on machine learning
CN110999256B (en) * 2018-05-23 2021-12-03 Oppo广东移动通信有限公司 Communication method, terminal equipment and core network equipment
CN108881306B (en) * 2018-08-08 2020-04-28 西安交通大学 Encrypted flow analysis defense method based on data packet size sequence
CN109672687B (en) * 2018-12-31 2021-04-13 南京理工大学 HTTP confusion flow detection method based on suspicion degree evaluation
CN109547489B (en) * 2018-12-31 2021-08-03 南京理工大学 Detection method for Obfuscated-Openssh protocol traffic
CN109818976B (en) * 2019-03-15 2021-09-21 杭州迪普科技股份有限公司 Abnormal flow detection method and device
CN114465962B (en) 2019-09-16 2024-01-05 华为技术有限公司 Data stream type identification method and related equipment
CN110708341B (en) * 2019-11-15 2020-09-29 中国科学院信息工程研究所 User behavior detection method and system based on remote desktop encryption network traffic mode difference
CN111010409B (en) * 2020-01-07 2021-08-17 南京林业大学 Encryption attack network flow detection method
CN113595967A (en) * 2020-04-30 2021-11-02 深信服科技股份有限公司 Data identification method, equipment, storage medium and device
CN113645176B (en) * 2020-05-11 2023-08-08 北京观成科技有限公司 Method and device for detecting fake flow and electronic equipment
CN112019500B (en) * 2020-07-15 2021-11-23 中国科学院信息工程研究所 Encrypted traffic identification method based on deep learning and electronic device
CN112367292B (en) * 2020-10-10 2021-09-03 浙江大学 Encrypted flow anomaly detection method based on deep dictionary learning
CN112422589B (en) * 2021-01-25 2021-06-08 腾讯科技(深圳)有限公司 Domain name system request identification method, storage medium and electronic device
CN114584371B (en) * 2022-03-04 2024-07-12 桀安信息安全技术(上海)有限公司 Method, system and device for detecting encrypted traffic behavior
CN114866301B (en) * 2022-04-25 2023-05-02 中国科学院信息工程研究所 Encryption traffic identification and classification method and system based on direct push graph
CN117955734A (en) * 2024-03-21 2024-04-30 道普信息技术有限公司 Encryption protocol pcap metadata analysis method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364981A (en) * 2008-06-27 2009-02-11 南京邮电大学 Hybrid intrusion detection method based on Internet protocol version 6
CN103580960A (en) * 2013-11-19 2014-02-12 佛山市络思讯环保科技有限公司 Online pipe network anomaly detection system based on machine learning
CN104135474A (en) * 2014-07-18 2014-11-05 国家计算机网络与信息安全管理中心 Network anomaly behavior detection method based on out-degree and in-degree of host
CN106911637A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 Cyberthreat treating method and apparatus

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9386034B2 (en) * 2013-12-17 2016-07-05 Hoplite Industries, Inc. Behavioral model based malware protection system and method

Also Published As

Publication number Publication date
CN107360159A (en) 2017-11-17

Similar Documents

Publication Publication Date Title
CN107360159B (en) A kind of method and device of the abnormal encryption flow of identification
US10250466B2 (en) Application signature generation and distribution
US20180176294A1 (en) Server load balancing
CN105765921B (en) For carrying out method, system and the equipment of DIAMETER routing using software defined network function
Mongkolluksamee et al. Enhancing the performance of mobile traffic identification with communication patterns
US9813442B2 (en) Server grouping system
CN104601467B (en) A kind of method and apparatus for sending message
CN108650218A (en) Network Traffic Monitoring method, apparatus, computer equipment and storage medium
CN104301249B (en) A kind of SDN flow table issuances method and apparatus
CN105790960B (en) Method for recognizing flux and system, flow gateway
CN109818997A (en) A kind of load-balancing method, system and storage medium
EP3942740A1 (en) System and method for de-anonymizing actions and messages on networks
CN104994016A (en) Method and apparatus for packet classification
CN108200158A (en) Ask Transmission system, method, apparatus and storage medium
CN109327479A (en) Encrypt recognition methods and the device of stream
CN104660592B (en) A kind of load distributing method based on secure socket layer protocol feature
CN106797384A (en) Same endpoints in cluster are routed requests to different agreements
TWI294087B (en) Systems and methods for file transfer management
US9967178B1 (en) Flow record size reduction
Hyun et al. A VoLTE traffic classification method in LTE network
CN107864189A (en) A kind of application layer traffic load-balancing method based on DPI
CN104852955B (en) A kind of data processing method and system
US11399016B2 (en) System and method for identifying exchanges of encrypted communication traffic
CN106716974A (en) Access distribution method, device and system
US11233703B2 (en) Extending encrypted traffic analytics with traffic flow data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant