CN108985361A - A kind of malicious traffic stream detection implementation method and device based on deep learning - Google Patents

Info

Publication number: CN108985361A (granted as CN108985361B)
Application number: CN201810708037.8A
Authority: CN (China)
Prior art keywords: malicious, traffic stream, deep learning, genome, malicious traffic
Legal status: Granted (active)
Other languages: Chinese (zh)
Inventor: 曲武
Original and current assignee: Beijing Jinjingyunhua Technology Co ltd

Classifications

    • G06F 18/23 Clustering techniques (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F 18/00 Pattern recognition > G06F 18/20 Analysing)
    • G06N 3/045 Combinations of networks (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N 3/00 Computing arrangements based on biological models > G06N 3/02 Neural networks > G06N 3/04 Architecture, e.g. interconnection topology)
    • G06N 3/08 Learning methods (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N 3/00 Computing arrangements based on biological models > G06N 3/02 Neural networks)
    • H04L 63/1441 Countermeasures against malicious traffic (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for detecting or protecting against malicious traffic)

Abstract

The embodiment of the invention discloses a malicious traffic detection method and apparatus based on deep learning. The method may include: obtaining the traffic sessions of malicious code by dynamic sandbox technology; mapping the traffic sessions of the malicious code to gene maps (fixed-size images, rendered "genome" in the machine translation) and extracting map features, clustering with the map features of the sessions, and labelling the cluster results with malicious code families; training a preset deep learning model with the gene maps of the labelled malicious code families, to build a malicious traffic detection model; and detecting real-time network traffic with the malicious traffic detection model, thereby realising malicious traffic detection. The scheme solves, to some extent, the problems of existing detection techniques: difficult manual feature extraction, privacy leakage, inability to handle encryption and obfuscation, and manually extracted machine-learning features. It is more robust and has the characteristics of speed, high accuracy, a low false-alarm rate and cross-platform detection.

Description

A kind of malicious traffic stream detection implementation method and device based on deep learning
Technical field
The embodiments of the present invention relate to computer security technology, and in particular to a malicious traffic detection method and apparatus based on deep learning.
Background technique
Traditional malicious (anomalous) traffic detection identifies most malicious traffic by transport-layer port. Although it is inaccurate, it remains a quick and simple method for continuously monitoring and reporting anomalous traffic.
Later, payload-based methods were proposed, which detect bytes or strings in packet content that are associated with malicious (anomalous) traffic, or perform more complex syntax matching. However, this approach raises privacy concerns and cannot cope with encryption and protocol obfuscation.
Currently, pattern-recognition algorithms based on conventional machine learning can solve the privacy problem to some extent and can cope effectively with traffic obfuscation and traffic encryption. Traditional machine learning solves many problems, but it faces a new challenge: how to select suitable features, which here must be chosen manually.
In view of this, the prior art has much room for improvement.
Summary of the invention
To solve the above technical problem, the embodiment of the invention provides a malicious traffic detection method and apparatus based on deep learning, which can solve, to some extent, the problems of existing detection techniques: difficult manual feature extraction, privacy leakage, inability to handle encryption and obfuscation, and manually extracted machine-learning features. It is more robust and has the characteristics of speed, high accuracy, a low false-alarm rate and cross-platform detection.
To achieve the purpose of the embodiments, a malicious traffic detection method based on deep learning is provided, which may include:
obtaining the traffic sessions of malicious code by dynamic sandbox technology;
mapping the traffic sessions of the malicious code to gene maps and extracting map features, clustering using the map features of the sessions, and labelling the cluster results with malicious code families;
training a preset deep learning model with the gene maps of the labelled malicious code families, to build a malicious traffic detection model;
detecting real-time network traffic with the malicious traffic detection model, to realise malicious traffic detection.
Optionally, obtaining the traffic sessions of malicious code by dynamic sandbox technology may include:
obtaining malicious code samples of a specified type from a malicious code database, and filtering out unqualified samples;
executing the remaining samples using dynamic sandbox technology, and monitoring the behaviour of the executed samples by hooking (HOOK) system application programming interfaces (APIs), to identify unknown malicious file infiltration and command-and-control (C&C) malicious outbound connections;
obtaining the network traffic of each sample from the sandbox virtual machine, and filtering out legitimate traffic, to obtain the set of traffic sessions of the malicious code.
Optionally, mapping the traffic sessions of the malicious code to gene maps and extracting map features, clustering using the map features of the sessions, and labelling the cluster results with malicious code families includes:
pre-processing the traffic session data of the malicious code, to retain the data whose discrimination is greater than or equal to a preset discrimination threshold;
mapping the set of pre-processed traffic sessions to gene maps of a preset size using a preset mapping algorithm;
extracting the map features of the gene maps using a map feature extraction algorithm, to construct the map feature set of the malicious traffic gene maps;
sampling the map feature set of the malicious traffic gene maps to construct a feature subset, and running a pre-clustering process to select the required clustering algorithm;
after determining the required clustering algorithm, clustering the map feature set of the full set of malicious traffic gene maps;
labelling the clusters of malicious traffic gene maps with families using preset antivirus software, to construct the training sample set required for deep learning.
Optionally, the method may also include: building a deep learning model in advance using deep learning technology, and setting the network architecture parameters and training weights of the model.
Optionally, training the preset deep learning model with the gene maps of the labelled malicious code families, to build the malicious traffic detection model, includes:
for the labelled malicious traffic gene maps, dividing the gene maps of the different malicious code families into multiple blocks using a preset segmentation algorithm, where both the original malicious traffic gene maps and their blocks are used to train the deep learning model;
training deep learning models separately on the original malicious traffic gene maps and on their blocks, over many iterative rounds, to obtain the corresponding training results;
taking the trained deep learning model whose training result is closest to the preset requirement as the malicious traffic detection model.
Optionally, detecting real-time network traffic with the malicious traffic detection model, to realise malicious traffic detection, includes:
loading the trained malicious traffic detection model into memory from a Hierarchical Data Format 5 (HDF5) file;
obtaining a real-time network traffic session, and mapping it to a gene map using the preset mapping algorithm;
dividing the gene map of the real-time network traffic session into multiple blocks using the preset segmentation algorithm;
detecting the gene map of the real-time session and its blocks with the malicious traffic detection model, to obtain detection results;
processing the detection results with the malicious traffic scoring algorithm MT_Score, to realise malicious traffic detection.
Optionally, the malicious code database includes: malicious files of Windows systems, Executable and Linkable Format (ELF) malicious files of Linux systems, malicious files of Mac systems, and Android application package (APK) files of Android systems.
Optionally, the dynamic sandbox technology has built-in virtual machines for Windows, Linux, Mac and Android systems, and runs the Windows malicious files, the Linux ELF malicious files, the Mac malicious files and the Android APK files to generate network communication.
Optionally, the preset mapping algorithm may include the T2G mapping algorithm;
the preset segmentation algorithm may include the G2S segmentation algorithm.
To achieve the purpose of the embodiments, a malicious traffic detection apparatus based on deep learning is also provided, including a processor and a computer-readable storage medium that stores instructions; when the instructions are executed by the processor, the above malicious traffic detection method based on deep learning is realised.
The embodiment of the present invention includes: obtaining the traffic sessions of malicious code by dynamic sandbox technology; mapping the traffic sessions to gene maps and extracting map features, clustering with the map features, and labelling the cluster results with malicious code families; training a preset deep learning model with the gene maps of the labelled families, to build a malicious traffic detection model; and detecting real-time network traffic with that model. The scheme solves, to some extent, the problems of existing detection techniques: difficult manual feature extraction, privacy leakage, inability to handle encryption and obfuscation, and manually extracted machine-learning features. It is more robust and has the characteristics of speed, high accuracy, a low false-alarm rate and cross-platform detection.
Other features and advantages of the embodiments will be set out in the following description and will in part become apparent from the description, or be understood by practising the embodiments. The objects and other advantages of the embodiments can be realised and obtained by the structures particularly pointed out in the specification, claims and drawings.
Detailed description of the invention
The accompanying drawings are provided for a further understanding of the technical solutions of the embodiments and form part of the specification; together with the embodiments of this application they serve to explain the technical solutions and do not limit them.
Fig. 1 is a flow chart of the malicious traffic detection method based on deep learning of the embodiment;
Fig. 2 is a schematic diagram describing the fields of malicious traffic session pre-processing;
Fig. 3 is a schematic diagram of the T2G mapping algorithm;
Fig. 4 shows network traffic session maps of malicious code families;
Fig. 5 is the architecture diagram of the convolutional neural network (CNN);
Fig. 6 is a schematic diagram of the G2S segmentation algorithm;
Fig. 7 shows the blocks of network traffic session maps of malicious code families;
Fig. 8 is the flow chart of the MT_Score malicious traffic scoring algorithm;
Fig. 9 is a schematic diagram of the malicious traffic detection apparatus based on deep learning;
Fig. 10 is a structural diagram of the malicious traffic detection apparatus based on deep learning.
Specific embodiment
To make the objects, technical solutions and advantages of the embodiments clearer, the embodiments are described in detail below with reference to the drawings. It should be noted that, in the absence of conflict, the embodiments in this application and the features in the embodiments may be combined arbitrarily.
The steps shown in the flow charts of the drawings may be executed in a computer system, for example as a set of computer-executable instructions. Also, although a logical order is shown in the flow charts, in some cases the steps shown or described may be executed in an order different from that given here.
To achieve the purpose of the embodiments, a malicious traffic detection method based on deep learning is provided; as shown in Fig. 1, the method may include S101-S104:
S101, obtaining the traffic sessions of malicious code by dynamic sandbox technology.
In the embodiment, this step is the malicious traffic acquisition process, that is, obtaining the malicious traffic sessions generated by running malicious code in a dynamic sandbox. Malicious code samples are obtained from a malicious code sample library, the bidirectional traffic sessions generated by the samples are captured with dynamic sandbox technology, legitimate traffic is filtered out, and the set of malicious traffic sessions is obtained.
Optionally, obtaining the traffic sessions of malicious code by dynamic sandbox technology may include S1011-S1013:
S1011, obtaining malicious code samples of a specified type from the malicious code database, and filtering out unqualified samples.
In the embodiment, this step is the malicious code sample acquisition process: a large number of samples of the specified type are obtained from the database, and samples that do not meet preset conditions are filtered out, for example incomplete samples, false-positive samples and rogue (grey) software. At the same time it is ensured, to some extent, that the samples exhibit network behaviour when run.
Optionally, the malicious code database includes: malicious files of Windows systems, Executable and Linkable Format (ELF) malicious files of Linux systems, malicious files of Mac systems, and Android application package (APK) files of Android systems.
S1012, executing the remaining samples using dynamic sandbox technology, and monitoring the behaviour of the executed samples by hooking (HOOK) system application programming interfaces (APIs), to identify unknown malicious file infiltration and command-and-control (C&C) malicious outbound connections.
In the embodiment, this step is the dynamic sandbox process. Dynamic sandbox technology here refers specifically to executing malicious code samples with virtual machine technology, monitoring the behaviour of the sample by hooking system APIs, and thereby identifying unknown malicious file infiltration and C&C (Command and Control) malicious outbound connections. To run many kinds of programs, the dynamic sandbox must simulate a variety of software environments and operating systems, and must provide a variety of anti-evasion techniques to prevent malware from hiding or evading virtual machine detection.
Optionally, the dynamic sandbox technology has built-in virtual machines for Windows, Linux, Mac and Android systems, and runs the Windows malicious files, the Linux ELF malicious files, the Mac malicious files and the Android APK files to generate network communication.
S1013, obtaining the network traffic of each sample from the sandbox virtual machine, and filtering out legitimate traffic, to obtain the set of traffic sessions of the malicious code.
In the embodiment, this step is the malicious traffic acquisition process: the network traffic of the corresponding sample is obtained from the virtual machine. Legitimate traffic is then filtered out using an Internet Protocol (IP) whitelist, a domain name whitelist, a protocol whitelist and an application whitelist, giving the set of malicious traffic sessions. Finally, the features of each malicious traffic session are extracted, such as session ID (identity), timestamp, five-tuple (source IP, source port, destination IP, destination port, layer 3/4 protocol), source MAC (media access control) address, destination MAC address, uplink and downlink traffic volume, malicious session data, etc.
S102, mapping the traffic sessions of the malicious code to gene maps and extracting map features, clustering using the map features of the sessions, and labelling the cluster results with malicious code families.
In the embodiment, a preset mapping algorithm (including but not limited to the T2G mapping algorithm) is used to pre-process the set of malicious traffic sessions, map each malicious traffic session to a traffic gene map and extract its map features. A general clustering algorithm, including but not limited to hierarchical clustering, density clustering and K-means clustering, clusters the features of the traffic gene maps, and the clusters of malicious traffic are labelled with malicious code families according to preset antivirus software, including but not limited to Microsoft MSE (Microsoft Security Essentials) or other antivirus software. The detailed steps are introduced below.
In the embodiment, when generating gene maps of malicious traffic sessions (that is, the traffic sessions of malicious code), common protocols such as HTTP, DNS and SMTP are excluded, focusing on the data transport protocols that malicious code families usually use, such as the Secure Sockets Layer (SSL) protocol and the Internet Relay Chat (IRC) protocol, and especially unknown protocols.
Optionally, mapping the traffic sessions of the malicious code to gene maps and extracting map features, clustering using the map features of the sessions, and labelling the cluster results with malicious code families may include S1021-S1026:
S1021, pre-processing the traffic session data of the malicious code, to retain the data whose discrimination is greater than or equal to the preset discrimination threshold.
In the embodiment, before the malicious traffic session data is mapped to a map, it must be pre-processed to filter out fields of low discrimination, which are identical or similar in most sessions, so as to retain the data with higher discrimination between malicious and legitimate traffic, that is, the malicious traffic data whose discrimination from legitimate traffic is greater than or equal to the preset discrimination threshold. The filter yields the higher-discrimination traffic session data, which is regarded as the malicious session data. As shown in Fig. 2, the filtered fields may include but are not limited to destination MAC, source MAC, type, version, packet ID, time to live, upper-layer protocol, header checksum, source IP address, source port, TCP (Transmission Control Protocol) sequence number, acknowledgement number, TCP checksum, etc.
S1022, mapping the set of pre-processed malicious traffic sessions to gene maps of a preset size using the preset mapping algorithm.
In the embodiment, this step is the gene map mapping process. From the traffic session data of the malicious code (which may be called malicious session data), N² bytes can be intercepted, N ≥ 1. Using the T2G mapping algorithm, the pre-processed set of malicious traffic sessions is mapped to a set of M × M maps, called malicious traffic gene maps; the cases include but are not limited to M == N and 3*M == N. For example, 1024 bytes are intercepted and mapped to a 32*32 grayscale image. The T2G mapping algorithm is shown in Fig. 3, which visualises the process of mapping malicious traffic to a traffic gene map. As shown in Fig. 4, malicious traffic gene maps may include but are not limited to the following families: APT28-Kazy, Trojan-Fake, Win32-Angryel and Backdoor-Zegost.
Optionally, mapping the set of pre-processed malicious traffic sessions to gene maps of a preset size using the preset mapping algorithm may include steps S10221-S10223:
S10221, for the given malicious session data, every 8 bits are read as an unsigned integer (range 0 to 255); a fixed line width forms one vector, and the entire malicious session data finally produces a two-dimensional array.
S10222, the value of each element of the array lies in [0, 255] (0 is black, 255 is white). The array is visualised as a map whose width and height depend on the data size, for example a malicious session data width of 32 bytes and height of 32 bytes. Map categories include but are not limited to single-channel, 3-channel and 4-channel maps: the common single-channel map is a grayscale image, the 3-channel maps are RGB (red-green-blue) maps and Lab (colour model) maps, and the 4-channel map is the CMYK (printing colour mode) map.
In the embodiment, an RGB map can be understood as three 2D matrices (one per colour) stacked together, each matrix holding values between 0 and 255. A single-channel map can be understood as one 2D matrix whose pixel values lie between 0 and 255, where 0 is black and 255 is white. The map matrix corresponds to the input resolution of the map, N × N pixels, with N = 32 by default. The larger N is, the higher the training time complexity of the convolutional neural network (CNN) and the more computing resources are required.
S10223, the mapped map is stored as a PNG (Portable Network Graphics format) map without compression. In the visualised malicious traffic map, different texture structures often represent different types of data information. The traffic gene map file is renamed "TargetIP_TargetPort_SessionID_MaliciousCodeSHA256/Unknown.PNG".
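The following Python is an added worked example of steps S10221-S10223 as described above; it is not code from the patent or its assignee. It reads session bytes as unsigned 8-bit values into a 32 × 32 single-channel array, writes it as an uncompressed PNG (zlib stored blocks, using only the standard library) and builds the "TargetIP_TargetPort_SessionID_SHA256/Unknown.PNG" file name. Zero-padding sessions shorter than N² bytes and the sample payload are assumptions of this example.

```python
import hashlib
import struct
import zlib


def t2g_map(session_bytes: bytes, n: int = 32) -> list:
    """T2G-style mapping: read each byte of the malicious session data as an
    unsigned 8-bit value (0..255) and lay the first n*n bytes out in rows of
    fixed width n, giving an n x n single-channel (grayscale) gene map.
    Zero-padding of shorter sessions is an assumption of this example."""
    need = n * n
    data = session_bytes[:need].ljust(need, b"\x00")
    return [list(data[r * n:(r + 1) * n]) for r in range(n)]


def _png_chunk(tag: bytes, body: bytes) -> bytes:
    # PNG chunk layout: length, type, data, CRC32 over type + data.
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def encode_png_gray(rows: list) -> bytes:
    """Serialise an 8-bit grayscale map as a PNG whose image data is stored
    with zlib level 0, i.e. without compression, as step S10223 specifies."""
    height, width = len(rows), len(rows[0])
    # One scanline per row, each prefixed by filter type 0 (None).
    raw = b"".join(b"\x00" + bytes(row) for row in rows)
    # IHDR: width, height, bit depth 8, colour type 0 (grayscale),
    # compression method 0, filter method 0, interlace 0.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n"
            + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw, 0))
            + _png_chunk(b"IEND", b""))


def decode_png_gray(png: bytes) -> list:
    """Parse the minimal PNG produced above back into rows (round-trip check)."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        tag = png[pos + 4:pos + 8]
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width + 1  # filter byte followed by `width` pixels
    return [list(raw[r * stride + 1:(r + 1) * stride]) for r in range(height)]


def gene_map_filename(dst_ip: str, dst_port: int, session_id: str,
                      sample_bytes: bytes = None) -> str:
    """File name TargetIP_TargetPort_SessionID_<SHA256 of the sample, or
    Unknown when the sample is unavailable>.PNG, as the patent describes."""
    tag = hashlib.sha256(sample_bytes).hexdigest() if sample_bytes else "Unknown"
    return f"{dst_ip}_{dst_port}_{session_id}_{tag}.PNG"


if __name__ == "__main__":
    # Constructed stand-in for a captured session payload (not real malware traffic).
    session = bytes(range(256)) * 5          # 1280 bytes; the first 1024 are kept
    rows = t2g_map(session, 32)
    png = encode_png_gray(rows)
    print(gene_map_filename("192.0.2.10", 443, "sess-0001"), len(png), "bytes")
    print("round trip ok:", decode_png_gray(png) == rows)
```

The decoder exists only to verify the writer: a map that does not survive the round trip would silently corrupt every feature extracted from it downstream.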
S1023, extracting the map features of the gene maps using a map feature extraction algorithm, to construct the map feature set of the malicious traffic gene maps.
In the embodiment, the map features of the malicious traffic gene maps are extracted using the preset map feature extraction algorithm, and the map feature set of the malicious traffic gene maps is constructed.
In the embodiment, for a given map, map texture features are extracted. Many algorithms can be used for this; the mainstream ones include GIST, SIFT, GLCM, ColorHis, Gabor, Census and LBP features. These methods are sketched below, but the map texture feature extraction method of this application is not limited to them.
GIST feature: simulates human vision to extract rough but concise structural information from the map; essentially it is the contour information obtained after filtering the scene map with a bank of multi-orientation, multi-scale Gabor filters;
SIFT feature: scale-invariant feature transform; it has good invariance to translation, rotation, scaling, brightness change, occlusion and noise, and a certain stability to changes in viewing angle and affine transformation; it is a local structure feature;
GLCM feature: gray-level co-occurrence matrix feature; for a map, a direction and a step length in pixels are first defined, and the co-occurrence matrix T (N × N) is formed, where M(i, j) is the frequency with which a pixel of gray level i and a pixel of gray level j occur together, one at a point and the other at the point displaced by the step length along the defined direction. N is the number of gray levels;
ColorHis feature: colour histogram feature; it describes the proportion of each colour in the whole map and reflects the statistical distribution of the map's colours; it is a global feature;
Census feature: census transform histogram principal component analysis feature; a texture feature based on comparing the gray values of local map pixels. Its core idea is to treat a binary matrix as a binary texture pattern (texture primitive), obtaining the transformed value by comparing the gray value of a pixel with those of its eight neighbouring pixels;
Gabor feature: computed from the raw image by a two-dimensional Gabor function; suitable for detecting and describing map texture. A multi-scale, multi-orientation Gabor filter bank is a multi-channel filtering scheme that extends a Gabor filter by scale and rotation transformations;
LBP feature: local binary pattern feature; a theoretically simple and computationally efficient non-parametric local texture descriptor. Because of its high discriminative power and low computational complexity, it is widely used in image analysis, computer vision and pattern recognition.
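As an added example of the texture features listed for S1023 (not code from the patent), the Python below implements the two descriptors that are fully specified by their definitions, LBP and GLCM, on a gene map given as a list of rows of 0..255 values, and concatenates them into the feature vector that the clustering step consumes. The 8-level quantisation, the horizontal direction and the stripe-textured sample map are constructed choices of this example.

```python
def lbp_codes(img: list) -> list:
    """Local binary pattern: for each interior pixel, compare its 8 neighbours
    (clockwise from top-left) with the centre; a neighbour >= centre sets a bit.
    Returns an (h-2) x (w-2) matrix of codes in 0..255."""
    h, w = len(img), len(img[0])
    offsets = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]
    codes = []
    for y in range(1, h - 1):
        row = []
        for x in range(1, w - 1):
            centre, code = img[y][x], 0
            for bit, (dy, dx) in enumerate(offsets):
                if img[y + dy][x + dx] >= centre:
                    code |= 1 << (7 - bit)
            row.append(code)
        codes.append(row)
    return codes


def lbp_histogram(img: list, normalise: bool = True) -> list:
    """256-bin histogram of LBP codes: the texture descriptor used as a feature."""
    hist = [0] * 256
    for row in lbp_codes(img):
        for code in row:
            hist[code] += 1
    if normalise:
        total = sum(hist) or 1
        hist = [v / total for v in hist]
    return hist


def glcm(img: list, levels: int = 8, direction=(0, 1), step: int = 1,
         normalise: bool = True) -> list:
    """Gray-level co-occurrence matrix T (levels x levels). Pixel values are
    quantised from 0..255 into `levels` gray levels; T[i][j] is the count (or
    frequency) of pixel pairs where a level-i pixel has a level-j pixel `step`
    positions away along `direction` (dy, dx)."""
    h, w = len(img), len(img[0])
    q = [[p * levels // 256 for p in row] for row in img]
    dy, dx = direction
    T = [[0] * levels for _ in range(levels)]
    for y in range(h):
        for x in range(w):
            ny, nx = y + dy * step, x + dx * step
            if 0 <= ny < h and 0 <= nx < w:
                T[q[y][x]][q[ny][nx]] += 1
    if normalise:
        total = sum(map(sum, T)) or 1
        T = [[v / total for v in row] for row in T]
    return T


def glcm_contrast(T: list) -> float:
    """Contrast statistic sum((i-j)^2 * T[i][j]); 0 for a perfectly uniform map."""
    return sum((i - j) ** 2 * v for i, row in enumerate(T) for j, v in enumerate(row))


def texture_feature_vector(img: list) -> list:
    """Feature vector for clustering: LBP histogram followed by the flattened
    horizontal GLCM (the choice of a single direction is an assumption)."""
    T = glcm(img)
    return lbp_histogram(img) + [v for row in T for v in row]


if __name__ == "__main__":
    # Constructed 8x8 gene map with a vertical stripe texture (not real traffic).
    stripes = [[255 if x % 2 else 0 for x in range(8)] for _ in range(8)]
    print("LBP bins used:", sum(1 for v in lbp_histogram(stripes) if v))
    print("GLCM contrast:", glcm_contrast(glcm(stripes)))
    print("feature length:", len(texture_feature_vector(stripes)))
```

A uniform map yields a single LBP bin and zero GLCM contrast, while the striped map concentrates its co-occurrences in the two off-diagonal cells of T, which is exactly the difference in texture that the clustering step is meant to pick up.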
S1024, sampling the map feature set of the malicious traffic gene maps to construct a feature subset, and running a pre-clustering process to select the required clustering algorithm.
In the embodiment, to select a clustering algorithm with low time cost and good clustering effect, the map feature set of the malicious traffic gene maps is sampled to form a subset, and a pre-clustering process is executed to select the clustering algorithm.
In the embodiment, the pre-clustering technique obtains the optimal clustering algorithm: a subset of the map feature set of the malicious traffic gene maps is selected and pre-clustered, in order to choose the algorithm with low time cost and good clustering effect. The optimal algorithm can be selected from a candidate set of algorithms, which may include but is not limited to spectral clustering, k-means, hierarchical clustering and density clustering. The selected optimal algorithm is then used to cluster the map feature set of the malicious traffic gene maps.
S1025, after determining the required clustering algorithm, clustering the map feature set of the full set of malicious traffic gene maps.
S1026, labelling the clusters of malicious traffic gene maps with families using preset antivirus software, to construct the training sample set required for deep learning.
In the embodiment, this step is the cluster annotation process. Preset antivirus software, such as Microsoft MSE or other antivirus software, is used to label the clusters of malicious traffic gene maps with families. The set of labelled malicious code family traffic gene map clusters is used to train the deep learning model, that is, it serves as the training sample set of the deep learning model.
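The Python below is an added illustration of S1024-S1026 (pre-clustering on a sample to pick an algorithm, clustering the full feature set, then naming clusters from antivirus verdicts); it is not the patent's code. Two candidate algorithms are written out in plain Python (k-means with farthest-first initialisation and single-linkage hierarchical clustering), the silhouette coefficient stands in for "clustering effect", and the 2-D points and family verdicts are constructed sample data, not real feature vectors.

```python
import math
import random
import time


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=100):
    """Lloyd's k-means; deterministic farthest-first seeding is an example choice."""
    centres = [list(points[0])]
    while len(centres) < k:
        far = max(points, key=lambda p: min(euclid(p, c) for c in centres))
        centres.append(list(far))
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [min(range(k), key=lambda c: euclid(p, centres[c])) for p in points]
        new = []
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else centres[c])
        if new == centres:
            break
        centres = new
    return labels


def single_linkage(points, k):
    """Agglomerative (hierarchical) clustering: repeatedly merge the two
    clusters with the closest pair of members until k clusters remain."""
    clusters = [[i] for i in range(len(points))]
    while len(clusters) > k:
        best = None
        for a in range(len(clusters)):
            for b in range(a + 1, len(clusters)):
                d = min(euclid(points[i], points[j]) for i in clusters[a] for j in clusters[b])
                if best is None or d < best[0]:
                    best = (d, a, b)
        _, a, b = best
        clusters[a].extend(clusters.pop(b))
    labels = [0] * len(points)
    for cid, members in enumerate(clusters):
        for i in members:
            labels[i] = cid
    return labels


def silhouette(points, labels):
    """Mean silhouette coefficient in [-1, 1]: the 'clustering effect' score."""
    n, total = len(points), 0.0
    for i in range(n):
        same = [euclid(points[i], points[j]) for j in range(n) if j != i and labels[j] == labels[i]]
        a = sum(same) / len(same) if same else 0.0
        others = [c for c in set(labels) if c != labels[i]]
        if not others:
            return 0.0
        b = min(sum(euclid(points[i], points[j]) for j in range(n) if labels[j] == c)
                / labels.count(c) for c in others)
        total += (b - a) / max(a, b) if max(a, b) > 0 else 0.0
    return total / n


CANDIDATES = {"kmeans": kmeans, "single-linkage": single_linkage}


def pre_cluster_select(features, k, sample_size, seed=0):
    """S1024: run each candidate on a random subset; pick the best silhouette,
    breaking ties by the lower run time."""
    sample = random.Random(seed).sample(features, min(sample_size, len(features)))
    results = {}
    for name, fn in CANDIDATES.items():
        t0 = time.perf_counter()
        labels = fn(sample, k)
        results[name] = (silhouette(sample, labels), time.perf_counter() - t0)
    best = max(results, key=lambda n: (results[n][0], -results[n][1]))
    return best, results


def label_clusters(labels, av_families):
    """S1026: name each cluster by majority vote of per-sample antivirus verdicts."""
    votes = {}
    for c, fam in zip(labels, av_families):
        votes.setdefault(c, {})
        votes[c][fam] = votes[c].get(fam, 0) + 1
    return {c: max(v, key=v.get) for c, v in votes.items()}


# Constructed 2-D stand-ins for map feature vectors of two families (not real data).
FEATURES = [(0, 0), (1, 0), (0, 1), (1, 1), (0.5, 0.5), (1, 0.5),
            (10, 10), (11, 10), (10, 11), (11, 11), (10.5, 10.5), (10, 10.5)]
AV_VERDICTS = ["Backdoor-Zegost"] * 5 + ["Unknown"] + ["APT28-Kazy"] * 6


def run_pipeline(features=FEATURES, av=AV_VERDICTS, k=2):
    best, _ = pre_cluster_select(features, k, sample_size=8)
    labels = CANDIDATES[best](features, k)      # S1025: full-set clustering
    return best, labels, label_clusters(labels, av)


if __name__ == "__main__":
    print(run_pipeline())
```

The majority vote is what makes one "Unknown" antivirus verdict inside an otherwise consistent cluster harmless; a cluster whose votes are evenly split is the case to inspect by hand before it enters the training set.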
S103: train a preset deep learning model with the genomes of the labelled malicious code families, to establish the malicious traffic detection model.
Optionally, the method may also include: constructing the deep learning model in advance with deep learning techniques, and setting the network architecture parameters and training weights of the model.
In an embodiment of the invention, a deep learning neural network model can be constructed in advance and its network structure parameters and training weights set. The model is trained with the labelled malicious traffic clusters, and cross-validation is carried out.
In an embodiment of the invention, deep learning techniques including but not limited to recurrent neural networks (RNN), convolutional neural networks (CNN), transfer learning, ensemble learning and combinations of several deep learning techniques can be used to construct the deep learning model and to set its network architecture parameters and training weights.
In an embodiment of the invention, the deep learning model is trained on the labelled malicious traffic genomes. This embodiment is described using a CNN model as an example: a CNN model is constructed and its network architecture parameters and training weights are set. The network structure of the CNN is shown schematically in Fig. 5, which shows a CNN framework with 3 convolutional layers, 3 pooling layers and 2 fully connected layers. The CNN framework mentioned in the embodiment includes but is not limited to the network structure described in Fig. 7. Constructing the CNN model can specifically include the following steps:
1. Construct the input layer and set its parameters. The input image is N*N*num_channel, where num_channel is the depth of this layer. If the input image is greyscale the depth is 1 (single channel); if the input image is RGB the depth is 3. The number of channels differs between image types: a CMYK image has 4 channels by default, while RGB and Lab images have 3.
2. Construct the convolutional layer and set its parameters. Features are extracted from the input image by learning image features with N × N data matrices while retaining the spatial relationship between pixels. To improve the discrimination of the CNN model, multiple convolutional layers can be selected.
3. Construct the nonlinear layer and set its parameters. After each convolution operation there is an additional Rectified Linear Unit (ReLU) layer, which performs a nonlinear operation pixel by pixel, replacing all negative pixel values with 0.
4. Construct the pooling layer and set its parameters. The pooling layer reduces the dimension of each feature map while retaining the most important information. To reduce the size of the training data, speed up training and shorten the convergence time of the CNN model, multiple pooling layers can be selected.
5. Construct the fully connected layer and set its parameters. The fully connected layer is a multi-layer perceptron (MLP) using an activation function (such as Softmax) as its output layer; every neuron of the previous layer is connected to every neuron of the next layer. The output probabilities of the fully connected layer sum to 1, which is guaranteed by the activation function: Softmax transforms a vector of arbitrary real values into a vector whose elements lie in 0-1 and sum to 1.
6. Construct the output layer and set its parameters. The output is a vector of length M, giving the probability that the traffic belongs to each of the M malicious code families.
In an embodiment of the invention, after the deep learning model (such as the CNN model above) has been established through the above steps, the training data preprocessing process can begin: the labelled malicious traffic genomes are divided into multiple blocks using a preset segmentation algorithm (including but not limited to the G2S segmentation algorithm), for training the malicious traffic detection CNN model, as shown in Fig. 6 and Fig. 7.
Optionally, training the preset deep learning model with the genomes of the labelled malicious code families to establish the malicious traffic detection model may include S1031-S1033:
S1031: for the labelled malicious traffic genomes, divide the malicious traffic genomes of the different malicious code families into multiple blocks using a preset segmentation algorithm; the original malicious traffic genomes and their blocks are each used for training the deep learning model.
In an embodiment of the invention, dividing the labelled malicious traffic genomes into multiple blocks with the preset segmentation algorithm may include S10311-S10313:
S10311: obtain samples from the training malicious traffic genome sample set;
S10312: divide each malicious traffic genome file into multiple blocks using the G2S segmentation algorithm, and filter out blocks that do not meet the conditions, for example blocks with a single image pattern such as all-white or all-black blocks;
S10313: use the blocks generated in the previous step, together with the malicious traffic genome file itself, as the training image set that is input to the training of the malicious traffic detection CNN.
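The preprocessing of S10311-S10313, which is reused unchanged at detection time (S1043 and step 3 of the detection procedure below), as an added example that is not the patent's own code. The page names the T2G mapping algorithm (traffic session to M × M genome image) and the G2S segmentation algorithm (genome image to blocks) but does not define either, so both implementations here are assumptions: T2G lays the session's bytes out row by row as grey-scale pixels, truncating or zero-padding to M*M, and G2S cuts the image into non-overlapping b × b blocks and drops every block made of a single pixel value (which covers the all-white and all-black cases named in S10312). The sample session is constructed, not captured traffic.

```python
"""Added example (not the patent's code): an assumed T2G byte-to-image mapping
and an assumed G2S block splitter with the uniform-block filter of S10312."""
from __future__ import annotations


def t2g(session_bytes: bytes, m: int = 32) -> list[list[int]]:
    """Assumed T2G: map a session's bytes to an m x m grey-scale image (0-255).
    Bytes beyond m*m are truncated; shorter sessions are zero-padded (black)."""
    padded = session_bytes[: m * m].ljust(m * m, b"\x00")
    return [list(padded[r * m:(r + 1) * m]) for r in range(m)]


def is_uniform(block: list[list[int]]) -> bool:
    """True when every pixel in the block has the same value (all 0, all 255, ...)."""
    first = block[0][0]
    return all(px == first for row in block for px in row)


def g2s(image: list[list[int]], b: int = 8) -> list[tuple[int, int, list[list[int]]]]:
    """Assumed G2S: split an m x m image into non-overlapping b x b blocks and
    drop blocks that carry no pattern (uniform colour). Returns (row, col, block)."""
    m = len(image)
    if m % b:
        raise ValueError("block size must divide the image size")
    kept = []
    for r in range(0, m, b):
        for c in range(0, m, b):
            block = [row[c:c + b] for row in image[r:r + b]]
            if not is_uniform(block):
                kept.append((r, c, block))
    return kept


def training_inputs(session_bytes: bytes, m: int = 32, b: int = 8) -> list[list[list[int]]]:
    """S10313: the whole genome image plus its surviving blocks form the input set."""
    image = t2g(session_bytes, m)
    return [image] + [blk for _, _, blk in g2s(image, b)]


# Constructed sample session (not real malware traffic): a short HTTP-like
# request followed by a run of 0xFF bytes; t2g zero-pads the rest of the image.
SAMPLE_SESSION = (
    b"GET /gate.php?id=7 HTTP/1.1\r\nHost: example.invalid\r\n\r\n" + b"\xff" * 200
)

if __name__ == "__main__":
    img = t2g(SAMPLE_SESSION)
    blocks = g2s(img)
    # Only the top row of 8x8 blocks contains the header bytes; the rest of the
    # 32x32 image is zero padding and is filtered out as uniform.
    print(f"{len(blocks)} of {(32 // 8) ** 2} blocks kept")
```

With the constructed session the padded image is mostly black, so 12 of the 16 blocks are discarded; the four blocks that cover the header bytes plus the whole image are what S10313 would feed to the CNN.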
S1032: train the deep learning model for each of the original malicious traffic genomes and their blocks through multiple epochs, obtaining the corresponding training results;
S1033: take the deep learning model whose training result is closest to the preset requirement as the malicious traffic detection model.
In an embodiment of the invention, the steps of training the malicious traffic detection CNN model may include:
1. Initialise all filters and parameters/weights with random numbers;
2. The CNN takes a malicious code image used for training as input, performs forward propagation through the layers (convolutional layer, ReLU layer, pooling layer and fully connected layer), and computes the corresponding output probability for each class;
3. Compute the total error of the output layer (summed over the classes);
4. Back-propagation computes the gradient of the error with respect to all weights, and gradient descent updates all filter weights and parameters so as to minimise the output error;
5. After at most nb_epoch iterations, output the optimal classification model (CNN model);
6. Save the trained CNN model. The trained CNN model and its weights are saved in an HDF5 file, which contains the model structure, the model weights, the training configuration (loss function, optimizer, etc.) and the state of the optimizer. A serialized model file can carry custom layers or objects that are executed when it is loaded, so it should be treated as trusted code and integrity-checked before it is loaded into memory at detection time.
S104: detect real-time network traffic with the malicious traffic detection model, realising malicious traffic detection.
In an embodiment of the invention, real-time network traffic sessions are obtained and preprocessed, the traffic sessions are mapped to genome images using the T2G mapping algorithm, the genome images are detected with the malicious traffic detection model, and the detection result of the deep learning model is output. Then a preset malicious traffic scoring algorithm (such as MT_Score) processes the detection result, realising malicious traffic detection, compromised host identification and malicious code family determination.
Optionally, detecting real-time network traffic with the malicious traffic detection model to realise malicious traffic detection includes S1041-S1045:
S1041: load the trained malicious traffic detection model into memory from an HDF5 (Hierarchical Data Format 5) file;
S1042: obtain real-time network traffic sessions and map each session to a genome image using the T2G mapping algorithm;
S1043: divide the genome of the real-time network traffic session into multiple blocks using the G2S segmentation algorithm;
S1044: detect the genome of the real-time network traffic session and its blocks with the malicious traffic detection model, obtaining a detection result;
S1045: process the detection result with the malicious traffic scoring algorithm MT_Score, realising malicious traffic detection.
In an embodiment of the invention, still taking the trained CNN model as an example, the steps of detecting real-time network traffic with the malicious traffic detection model to realise malicious traffic detection may include:
1. Load the trained CNN model from the file on disk into memory;
2. Preprocess the network traffic sessions to be detected, and map the preprocessed set of traffic sessions to M × M images using the T2G mapping algorithm;
3. Divide each traffic genome file to be detected into multiple blocks using the G2S segmentation algorithm, filtering out ineligible blocks such as blocks with a single image pattern (all-white, all-black and the like);
4. Input the traffic genome file to be detected and its set of blocks into the CNN classification model, obtaining a list of detection results;
5. Based on the detection results of the CNN model, process the results with the malicious traffic scoring algorithm MT_Score, realising malicious traffic detection, compromised host identification and malicious code family determination.
In an embodiment of the invention, processing the detection results of the CNN model with the malicious traffic scoring algorithm MT_Score includes:
51. Obtain the detection result vector of the CNN model;
52. Process the detection result vector with the malicious traffic scoring algorithm MT_Score and output the estimated result: legitimate traffic, or the malicious code family that generated the malicious traffic. The flow chart of the MT_Score algorithm is shown in Fig. 8;
53. By correlating the session metadata, obtain the compromised host that generated the malicious traffic and the external malicious server it connected to, and generate an alarm event;
54. Correlate alarm events with a correlation engine within a specified time window, such as 48 hours, to obtain the command and control communication pattern, and further generate advanced correlated alarm events that confirm the compromised host and the control server.
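The scoring and correlation stage of steps 51-54, as an added example that is not the patent's own code. MT_Score is not defined on this page, so score_session below is an assumed aggregator: it averages the CNN's probability vectors over the whole genome and its blocks, reports legitimate traffic when an assumed "benign" class wins or the malicious score is below a confidence threshold, and otherwise names the family (step 52). correlate_alarms models step 54 by grouping alarms per (internal host, external server) inside the 48-hour window and treating regularly spaced connections as a beaconing pattern. The class names, the threshold values and all alarm records are constructed.

```python
"""Added example (not the patent's code): an assumed MT_Score-style aggregator
(step 52) and a windowed alarm correlation for the C2 pattern of step 54."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed output-class order of the CNN; the page's model has one neuron per
# family, the "benign" class is an assumption needed to emit "legitimate".
FAMILIES = ["benign", "family_a", "family_b", "family_c"]


def score_session(prob_vectors: list[list[float]], min_conf: float = 0.6) -> tuple[str, float]:
    """Average the per-image probability vectors (whole genome + its blocks) and
    return (label, confidence). A malicious call below min_conf falls back to
    benign so that one noisy block cannot raise an alarm on its own."""
    if not prob_vectors:
        raise ValueError("need at least one probability vector")
    n = len(prob_vectors)
    avg = [sum(v[i] for v in prob_vectors) / n for i in range(len(FAMILIES))]
    best = max(range(len(avg)), key=avg.__getitem__)
    if FAMILIES[best] == "benign" or avg[best] < min_conf:
        return "benign", avg[FAMILIES.index("benign")]
    return FAMILIES[best], avg[best]


@dataclass(frozen=True)
class Alarm:
    """Step 53 output: session metadata joined to a malicious verdict."""
    when: datetime
    src_host: str      # internal host that produced the traffic
    dst_server: str    # external server it connected to
    family: str


def correlate_alarms(alarms: list[Alarm], window: timedelta = timedelta(hours=48),
                     min_hits: int = 3, max_jitter: float = 0.25) -> list[dict]:
    """Group alarms by (host, server) inside the window. A pair whose
    inter-connection gaps vary by less than max_jitter (std / mean) is reported
    as periodic beaconing, i.e. a confirmed C2 channel (advanced alarm)."""
    by_pair: dict[tuple[str, str], list[Alarm]] = {}
    for a in sorted(alarms, key=lambda a: a.when):
        by_pair.setdefault((a.src_host, a.dst_server), []).append(a)
    confirmed = []
    for (host, server), hits in by_pair.items():
        hits = [h for h in hits if hits[-1].when - h.when <= window]
        if len(hits) < min_hits:
            continue
        gaps = [(b.when - a.when).total_seconds() for a, b in zip(hits, hits[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else float("inf")
        if jitter <= max_jitter:
            confirmed.append({"host": host, "c2": server, "family": hits[-1].family,
                              "beacon_s": round(avg_gap), "hits": len(hits)})
    return confirmed


def sample_alarms() -> list[Alarm]:
    """Constructed alarms: one host beaconing hourly (with small jitter), one host
    with irregular contacts, one host seen only twice."""
    t0 = datetime(2018, 7, 2, 9, 0, 0)
    beacon = [Alarm(t0 + timedelta(seconds=s), "10.0.0.5", "203.0.113.7", "family_a")
              for s in (0, 3600, 7260, 10770)]
    irregular = [Alarm(t0 + timedelta(seconds=s), "10.0.0.9", "198.51.100.2", "family_b")
                 for s in (0, 600, 20000)]
    rare = [Alarm(t0 + timedelta(seconds=s), "10.0.0.12", "192.0.2.33", "family_c")
            for s in (0, 5000)]
    return beacon + irregular + rare


if __name__ == "__main__":
    print(score_session([[0.1, 0.8, 0.05, 0.05], [0.1, 0.7, 0.1, 0.1], [0.2, 0.6, 0.1, 0.1]]))
    for advanced in correlate_alarms(sample_alarms()):
        print(advanced)
```

Only the hourly beaconing pair survives the correlation: the irregular host fails the jitter test and the host seen twice never reaches min_hits, which is the behaviour a practitioner wants from step 54 before a host is declared compromised.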
By means of the technical solution of the embodiment, malicious network traffic sessions are learnt, yielding the ability to detect the network communication of malicious code and its variants, and at the same time the ability to detect the control servers of malicious code families and the compromised hosts. The application solves, to a certain extent, the problems of traditional signature-based detection techniques (such as intrusion detection systems IDS, firewalls, web application firewalls WAF, etc.): manual feature extraction rules are difficult to write and are easily bypassed by malicious code variants. It has more efficient and more accurate detection capability. Moreover, the invention can detect malicious traffic on Windows, Linux, Mac and Android systems, and has strong coverage of malicious traffic types.
To achieve the purpose of the embodiment, the embodiment provides a malicious traffic detection implementation device 1 based on deep learning which, as shown in Fig. 9, may include: a malicious traffic acquisition module 11, a training data acquisition module 12, a training module 13 and a detection module 14;
Malicious traffic acquisition module 11: for obtaining the traffic sessions of malicious code by dynamic sandbox technology.
In an embodiment of the invention, the malicious traffic acquisition module obtains malicious traffic and filters legitimate traffic: malicious code samples are obtained from the malicious code sample library, the bidirectional traffic sessions of the malicious code are obtained with dynamic sandbox technology, legitimate traffic is filtered out, and the set of malicious traffic sessions is obtained.
Training data acquisition module 12: for mapping the traffic sessions of the malicious code to genomes and extracting image features, clustering with the image features of the traffic sessions, and labelling the clustering result with malicious code families.
In an embodiment of the invention, the training data acquisition module obtains the training data needed by deep learning: the set of malicious traffic sessions is preprocessed with the T2G mapping algorithm, each malicious traffic session is mapped to a traffic genome, and its image features are extracted. A general clustering algorithm such as hierarchical clustering, density clustering or K-means clustering is used to cluster the features of the traffic genomes, and the malicious traffic clusters are labelled with malicious code families according to Microsoft MSE antivirus software or other antivirus software.
Training module 13: for training the preset deep learning model with the genomes of the labelled malicious code families, to establish the malicious traffic detection model.
In an embodiment of the invention, the training module trains the deep learning model: it constructs the deep learning neural network model, sets its network architecture parameters and training weights, trains the model with the labelled malicious traffic clusters, and carries out cross-validation.
In an embodiment of the invention, the training module 13 trains the preset deep learning model with the genomes of the labelled malicious code families to establish the malicious traffic detection model. The deep learning model may be a CNN model; as shown in Fig. 5, the CNN architecture may include the following structure:
1. Image input layer, providing the image input unit. Essentially each image can be expressed as a matrix of pixel values. Common images include 3-channel RGB images and single-channel images. An RGB image can be understood as a stack of three 2-D matrices (one per colour), each value lying between 0 and 255. A single-channel image can be understood as one 2-D matrix whose pixel values also lie between 0 and 255, where 0 is black and 255 is white. The image matrix corresponds to the input resolution of N × N pixels, with N = 32 by default. The larger N is, the higher the training time complexity of the CNN and the more computing resources are required;
2. Convolutional layer, named after the "convolution" operation. The basic purpose of convolution is to extract features from the input image: convolution learns image features with N × N data matrices while retaining the spatial relationship between pixels. In the convolutional layer the number of filters (also called "kernels" or "feature detectors") is set to 64 and the filter matrix size is 11 × 11. For each filter, with stride 1 and no padding, the output of the convolutional layer is (32-11+1) * (32-11+1) = 484 neurons;
3. Nonlinear layer, an additional operation layer called ReLU placed after each convolution operation. ReLU (Rectified Linear Unit) is a nonlinear operation that acts pixel by pixel, replacing all negative pixel values with 0;
4. Pooling layer. The purpose of spatial pooling (also called subsampling or downsampling) is to reduce the dimension of each feature map while retaining the most important information. Spatial pooling can take several forms: max, average, sum, etc. In the example of Fig. 5 a max pooling layer is selected: a spatial neighbourhood (2 × 2 window) is defined and the largest element in the window is taken from the rectified feature map. The output of the pooling layer is therefore reduced to 11*11*64 = 7744 neurons;
5. Fully connected layer, a multi-layer perceptron using the softmax activation function as its output layer; softmax is likewise the output function of other multiclass classifiers such as multinomial logistic regression. "Fully connected" means that every neuron of the previous layer is connected to every neuron of the next layer. The outputs of the convolutional and pooling layers represent high-level features of the input image, and the purpose of the fully connected layer is to classify with those features, the classification being based on the training set. For the malicious code family image classification task shown in Fig. 7 there are 12 possible classes. Besides classification, adding a fully connected layer is also an effective way to learn nonlinear combinations of the features. The output probabilities of the fully connected layer sum to 1, which is guaranteed by the Softmax activation function: Softmax transforms a vector of arbitrary real values into a vector whose elements lie in 0~1 and sum to 1. In the example of Fig. 7 the fully connected layer has 4096 neurons, each connected to every neuron of the output layer;
6. Output layer, providing the image detection result unit, i.e. the class probabilities of the image. For the malicious code family image classification task of Fig. 7 there are 12 possible classes, corresponding to 12 neurons, each of which is connected to the 4096 neurons of the fully connected layer.
In an embodiment of the invention, for the CNN of the Fig. 5 architecture the number of learnable parameters P is given as 39702604, computed as follows:
P = 1024*(11*11*64) + 64 + (11*11*64)*4096 + 4096 + 4096*12 + 12 = 39702604
where, in the term (11*11*64) + 64, 11*11*64 is the total of the shared weights of the feature maps and 64 the total of the shared bias terms. Note that the first term multiplies these shared weights by the 1024 input pixels, i.e. it counts one weight per input position; with genuinely shared 11 × 11 filters on a single-channel input the convolutional layer has only 11*11*1*64 + 64 = 7808 parameters, and the bulk of the total comes from the 7744 × 4096 fully connected layer.
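The layer-by-layer arithmetic behind the numbers quoted above (484 neurons per filter, 7744 after pooling, the parameter total) and in the construction steps 1-6 earlier, as an added example that is not the patent's own code. It walks the single conv / ReLU / max-pool / fully-connected / softmax path the page works through, counts parameters both with shared filters and with the page's formula, and includes the numerically stable softmax that step 5 relies on. Stride 1, no padding and a single input channel are assumptions; the page gives only the kernel size, filter count and pooling window.

```python
"""Added example (not the patent's code): output sizes and parameter counts of
the CNN path described on the page, plus the softmax used as its output layer."""
from __future__ import annotations
import math


def conv_out(n: int, k: int, stride: int = 1, pad: int = 0) -> int:
    """Spatial size of a conv or pool output for an n x n input and k x k window."""
    return (n + 2 * pad - k) // stride + 1


def describe(input_size: int = 32, channels: int = 1, filters: int = 64, kernel: int = 11,
             pool: int = 2, fc: int = 4096, classes: int = 12) -> dict:
    """Sizes and parameter counts for conv -> ReLU -> max-pool -> FC -> softmax.
    Assumes stride 1 / no padding for the convolution and a non-overlapping pool
    window (stride == pool), which reproduces the page's 484 and 7744 figures."""
    c = conv_out(input_size, kernel)           # 22 for a 32x32 input and 11x11 kernel
    p = conv_out(c, pool, stride=pool)         # 11 after 2x2 max pooling
    conv_neurons_per_filter = c * c            # 484
    pooled_neurons = p * p * filters           # 7744
    params = {
        # genuinely shared filters: one 11x11xchannels kernel + one bias per filter
        "conv_shared": kernel * kernel * channels * filters + filters,
        # the page's first term: shared weights multiplied by every input pixel
        "conv_page_formula": input_size * input_size * (kernel * kernel * filters) + filters,
        "fc": pooled_neurons * fc + fc,
        "output": fc * classes + classes,
    }
    params["total_shared"] = params["conv_shared"] + params["fc"] + params["output"]
    params["total_page_formula"] = params["conv_page_formula"] + params["fc"] + params["output"]
    return {
        "conv_out": c,
        "pool_out": p,
        "conv_neurons_per_filter": conv_neurons_per_filter,
        "pooled_neurons": pooled_neurons,
        "params": params,
    }


def softmax(logits: list[float]) -> list[float]:
    """Numerically stable softmax: subtracting the maximum keeps exp() from
    overflowing on large logits and does not change the result; output sums to 1."""
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]


if __name__ == "__main__":
    d = describe()
    print(d["conv_neurons_per_filter"], d["pooled_neurons"])
    print(d["params"])
    print(softmax([2.0, 1.0, 0.1]))
```

Running it shows the two totals side by side: 39702604 with the page's formula versus 31780492 with shared filters, the difference being entirely in the first convolutional layer.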
Detection module 14: for detecting real-time network traffic with the malicious traffic detection model, realising malicious traffic detection.
In an embodiment of the invention, the detection module uses the trained deep learning model to detect unknown traffic sessions: real-time network traffic is preprocessed to obtain traffic session images, the images are detected with the malicious traffic detection model, and the detection result of the deep learning model is output. Then the detection result is processed with the malicious traffic scoring algorithm MT_Score, realising malicious traffic detection, compromised host identification and malicious code family determination.
In an embodiment of the invention, when the selected training set covers the malicious traffic generated by enough malicious code families, the trained learning model can distinguish malicious traffic from legitimate traffic and can assign accurate malicious code family labels to malicious traffic. Moreover, the trained learning model can detect the network traffic generated by malicious code and its variants on Windows, Linux, Mac and Android systems.
In an embodiment of the invention, the deep-learning-based malicious traffic detection implementation method only requires new samples to be supplied continuously; network traffic is generated with the sandbox, and learning, detection and upgrading are completed through the unsupervised learning and deep learning processes without manual intervention.
To achieve the purpose of the embodiment, the embodiment provides a malicious traffic detection implementation device 2 based on deep learning, as shown in Fig. 10, including a processor 21 and a computer-readable storage medium 22 in which instructions are stored; when the instructions are executed by the processor 21, the above deep-learning-based malicious traffic detection implementation method is realised.
The embodiment of the invention includes: obtaining the traffic sessions of malicious code by dynamic sandbox technology; mapping the traffic sessions of the malicious code to genomes and extracting image features, clustering with the image features of the traffic sessions, and labelling the clustering result with malicious code families; training a preset deep learning model with the genomes of the labelled malicious code families to establish a malicious traffic detection model; and detecting real-time network traffic with the malicious traffic detection model, realising malicious traffic detection. The embodiment solves, to a certain extent, the problems of current detection techniques: difficult manual feature extraction, privacy leakage, difficulty in identifying encrypted and obfuscated traffic, and manual extraction of machine learning features. It is more robust and has the characteristics of speed, high accuracy, low false alarm rate and cross-platform detection.
The core of the application lies in the way malicious code bypasses traditional traffic signature detection devices through traffic variation: most of the traffic interaction function segments are retained during variation, but the positions of the features and feature points change. The bidirectional traffic sessions of malicious code families are obtained with dynamic sandbox technology, legitimate traffic is filtered out, and the set of malicious traffic sessions is obtained. Unsupervised learning (clustering) methods from machine learning are used to label the malicious traffic with families. Deep learning techniques learn the malicious traffic genomes, obtaining the ability to detect malicious traffic through block-wise learning and block-wise recognition, and at the same time the ability to detect malicious code families. The application solves, to a certain extent, the problems of signature detection techniques: difficult manual feature extraction, privacy leakage, difficulty in identifying encrypted and obfuscated traffic, and manual extraction of machine learning features. Meanwhile, the application also has excellent detection capability for the malicious traffic generated by malicious code variants and completely new malicious code; it is more robust and has the characteristics of speed, high accuracy, low false alarm rate and cross-platform detection.
The application introduces unsupervised learning (clustering), deep learning and image recognition technology, so that it has at least the following advantages:
1. It solves, to a certain extent, the problems of signature detection: difficult manual feature extraction, privacy leakage, difficulty in identifying encrypted and obfuscated traffic, and manual extraction of machine learning features;
2. Through the self-learning process it greatly reduces the manual intervention of security experts and lowers the cost of system maintenance and upgrades;
3. It also has excellent detection capability for the malicious traffic generated by malicious code variants and completely new malicious code, is more robust, and has the characteristics of speed, high accuracy, low false alarm rate and cross-platform detection;
4. It detects the traffic session characteristics of malicious code and its variants quickly and accurately, and then determines the family of the malicious code or variant that generated the traffic, improving detection efficiency and precision.
Although the embodiments are disclosed as above, the content is only an embodiment adopted for ease of understanding the invention and is not intended to limit it. Any person skilled in the art to which the embodiments belong may make modifications and variations in the form and details of implementation without departing from the spirit and scope disclosed by the embodiments, but the scope of patent protection of the embodiments shall still be governed by the appended claims.

Claims (10)

1. A malicious traffic detection implementation method based on deep learning, characterised in that the method includes:
obtaining the traffic sessions of malicious code by dynamic sandbox technology;
mapping the traffic sessions of the malicious code to genomes and extracting image features, clustering with the image features of the traffic sessions, and labelling the clustering result with malicious code families;
training a preset deep learning model with the genomes of the labelled malicious code families, to establish a malicious traffic detection model;
detecting real-time network traffic with the malicious traffic detection model, realising malicious traffic detection.
2. The deep-learning-based malicious traffic detection implementation method according to claim 1, characterised in that obtaining the traffic sessions of malicious code by dynamic sandbox technology includes:
obtaining malicious code samples of a specified type from a malicious code database, and filtering out ineligible malicious code samples;
executing the remaining malicious code samples with the dynamic sandbox technology, and monitoring the behaviour of the executed samples by hooking (HOOK) the system application programming interface (API), so as to identify unknown malicious file infiltration and command and control (C&C) malicious external connections;
obtaining the network traffic of the corresponding samples from the sandbox virtual machine, filtering out legitimate traffic from the network traffic, and obtaining the set of traffic sessions of the malicious code.
3. The deep-learning-based malicious traffic detection implementation method according to claim 1, characterised in that mapping the traffic sessions of the malicious code to genomes and extracting image features, clustering with the image features of the traffic sessions, and labelling the clustering result with malicious code families includes:
preprocessing the traffic session data of the malicious code so as to retain data whose discrimination is greater than or equal to a preset discrimination threshold;
mapping the preprocessed set of malicious code traffic sessions to genomes of a preset size using a preset mapping algorithm;
extracting the image features of the genomes with an image feature extraction algorithm, constructing the image feature set of the malicious traffic genomes;
sampling the image feature set of the malicious traffic genomes to construct an image feature subset, and executing a pre-clustering process to pick out the required clustering algorithm;
after the required clustering algorithm is determined, clustering the image feature set of all malicious traffic genomes;
labelling the clusters of malicious traffic genomes with families using preset antivirus software, constructing the training sample set needed by deep learning.
4. The deep-learning-based malicious traffic detection implementation method according to claim 1, characterised in that the method further includes: constructing the deep learning model in advance with deep learning technology, and setting the network architecture parameters and training weights of the deep learning model.
5. The deep-learning-based malicious traffic detection implementation method according to claim 3, characterised in that training the preset deep learning model with the genomes of the labelled malicious code families to establish the malicious traffic detection model includes:
for the labelled malicious traffic genomes, dividing the malicious traffic genomes of the different malicious code families into multiple blocks using a preset segmentation algorithm, the original malicious traffic genomes and their blocks each being used for training the deep learning model;
training the deep learning model for each of the original malicious traffic genomes and their blocks through multiple epochs, obtaining corresponding training results;
taking the deep learning model whose training result is closest to a preset requirement as the malicious traffic detection model.
6. The deep-learning-based malicious traffic detection implementation method according to claim 3, characterised in that detecting real-time network traffic with the malicious traffic detection model to realise malicious traffic detection includes:
loading the trained malicious traffic detection model into memory from a Hierarchical Data Format 5 (HDF5) file;
obtaining real-time network traffic sessions, and mapping the real-time network traffic sessions to genomes using a preset mapping algorithm;
dividing the genomes of the real-time network traffic sessions into multiple blocks using a preset segmentation algorithm;
detecting the genomes of the real-time network traffic sessions and their blocks with the malicious traffic detection model, obtaining a detection result;
processing the detection result with the malicious traffic scoring algorithm MT_Score, realising malicious traffic detection.
7. The deep-learning-based malicious traffic detection implementation method according to claim 2, characterised in that the malicious code database includes: malicious files of the Windows system, executable and linkable format (ELF) malicious files of the Linux system, malicious files of the Mac system, and Android installation package (APK) files of the Android system.
8. The deep-learning-based malicious traffic detection implementation method according to claim 7, characterised in that the dynamic sandbox technology has built-in Windows, Linux, Mac and Android virtual machines and can run Windows malicious files, Linux ELF malicious files, Mac malicious files and Android APK files to generate network communication.
9. The deep-learning-based malicious traffic detection implementation method according to claim 5 or 6, characterised in that the preset mapping algorithm includes the T2G mapping algorithm;
and the preset segmentation algorithm includes the G2S segmentation algorithm.
10. A malicious traffic detection device based on deep learning, including a processor and a computer-readable storage medium in which instructions are stored, characterised in that when the instructions are executed by the processor, the deep-learning-based malicious traffic detection implementation method according to any one of claims 1-9 is realised.
CN201810708037.8A 2018-07-02 2018-07-02 Malicious traffic detection implementation method and device based on deep learning Active CN108985361B (en)

Priority Applications (1) / Applications Claiming Priority (1) / Family Applications (1)

Application Number: CN201810708037.8A; Priority Date: 2018-07-02; Filing Date: 2018-07-02; Title: Malicious traffic detection implementation method and device based on deep learning; Status: Active; Granted publication: CN108985361B (en)

Publications (2)

CN108985361A, published 2018-12-11
CN108985361B, published 2021-06-18

Family ID: 64539384

Country Status (1)

CN: CN108985361B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102142068A (en) * 2011-03-29 2011-08-03 华北电力大学 Method for detecting unknown malicious code
CN107103235A (en) * 2017-02-27 2017-08-29 广东工业大学 Android malware detection method based on convolutional neural networks
CN107392019A (en) * 2017-07-05 2017-11-24 北京金睛云华科技有限公司 Malicious code family training and detection method and device
US9942268B1 (en) * 2015-08-11 2018-04-10 Symantec Corporation Systems and methods for thwarting unauthorized attempts to disable security managers within runtime environments
CN108009425A (en) * 2017-11-29 2018-05-08 四川无声信息技术有限公司 File detection and threat level determination method, apparatus and system
CN108200030A (en) * 2017-12-27 2018-06-22 深信服科技股份有限公司 Malicious traffic detection method, system, device and computer-readable storage medium

Cited By (59)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI700603B (en) * 2017-10-30 2020-08-01 香港商阿里巴巴集團服務有限公司 Implementation method for using digital certificate, computer equipment and computer readable storage medium for implementing the method
CN109905288A (en) * 2018-12-21 2019-06-18 中国科学院信息工程研究所 Application service classification method and device
CN109905288B (en) * 2018-12-21 2021-09-14 中国科学院信息工程研究所 Application service classification method and device
CN111464485A (en) * 2019-01-22 2020-07-28 北京金睛云华科技有限公司 Encrypted proxy flow detection method and device
CN109768985A (en) * 2019-01-30 2019-05-17 电子科技大学 Intrusion detection method based on traffic visualization and machine learning algorithm
CN111651751A (en) * 2019-03-04 2020-09-11 腾讯科技(深圳)有限公司 Security event analysis report generation method and device, storage medium and equipment
CN111651751B (en) * 2019-03-04 2022-04-15 腾讯科技(深圳)有限公司 Security event analysis report generation method and device, storage medium and equipment
CN111726259A (en) * 2019-03-20 2020-09-29 上海御行信息技术有限公司 VPN tunnel flow monitoring system, method and device based on deep learning
CN110048905A (en) * 2019-03-26 2019-07-23 清华大学 Internet of things device communication pattern recognition method and device
CN110048905B (en) * 2019-03-26 2021-01-15 清华大学 Internet of things equipment communication mode identification method and device
CN111901282A (en) * 2019-05-05 2020-11-06 四川大学 Method for generating malicious code flow behavior detection structure
CN110414231A (en) * 2019-06-25 2019-11-05 中国人民解放军战略支援部队信息工程大学 Software gene Dynamic Extraction method in memory based on Markov model
CN110475043B (en) * 2019-07-31 2021-08-17 西安工程大学 Method for converting CMYK to Lab color space
CN110475043A (en) * 2019-07-31 2019-11-19 西安工程大学 Method for converting CMYK to Lab color space
CN110535728A (en) * 2019-09-05 2019-12-03 烽火通信科技股份有限公司 Network traffic perception method and system
CN110730140B (en) * 2019-10-12 2022-04-08 西安电子科技大学 Deep learning flow classification method based on combination of space-time characteristics
CN110730140A (en) * 2019-10-12 2020-01-24 西安电子科技大学 Deep learning flow classification method based on combination of space-time characteristics
CN110852374A (en) * 2019-11-08 2020-02-28 腾讯云计算(北京)有限责任公司 Data detection method and device, electronic equipment and storage medium
CN110852374B (en) * 2019-11-08 2023-05-02 腾讯云计算(北京)有限责任公司 Data detection method, device, electronic equipment and storage medium
CN112866179A (en) * 2019-11-27 2021-05-28 北京沃东天骏信息技术有限公司 Current limiting method and current limiting device
CN111191767A (en) * 2019-12-17 2020-05-22 博雅信安科技(北京)有限公司 Vectorization-based malicious traffic attack type judgment method
CN111191767B (en) * 2019-12-17 2023-06-06 博雅信安科技(北京)有限公司 Vectorization-based malicious traffic attack type judging method
CN111031071B (en) * 2019-12-30 2023-01-24 杭州迪普科技股份有限公司 Malicious traffic identification method and device, computer equipment and storage medium
CN111031071A (en) * 2019-12-30 2020-04-17 杭州迪普科技股份有限公司 Malicious traffic identification method and device, computer equipment and storage medium
CN111131314B (en) * 2019-12-31 2022-04-12 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN111131314A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN111242441A (en) * 2020-01-06 2020-06-05 上海孚厘金融信息服务有限公司 Adaptive parameter fitting method suitable for small and micro enterprise risk control model
CN111242441B (en) * 2020-01-06 2023-06-30 上海孚厘科技有限公司 Self-adaptive parameter fitting method suitable for small micro-enterprise risk control model
CN112054992B (en) * 2020-07-28 2021-06-29 北京邮电大学 Malicious traffic identification method and device, electronic equipment and storage medium
CN112054992A (en) * 2020-07-28 2020-12-08 北京邮电大学 Malicious traffic identification method and device, electronic equipment and storage medium
CN112187716B (en) * 2020-08-26 2021-07-20 中国科学院信息工程研究所 Knowledge graph display method for malicious codes in network attack
CN112187716A (en) * 2020-08-26 2021-01-05 中国科学院信息工程研究所 Knowledge graph display method for malicious codes in network attack
CN112347478B (en) * 2020-10-13 2021-08-24 北京天融信网络安全技术有限公司 Malicious software detection method and device
CN112347478A (en) * 2020-10-13 2021-02-09 北京天融信网络安全技术有限公司 Malicious software detection method and device
CN112235305A (en) * 2020-10-15 2021-01-15 四川长虹电器股份有限公司 Malicious traffic detection method based on convolutional neural network
CN112235314A (en) * 2020-10-29 2021-01-15 东巽科技(北京)有限公司 Network flow detection method, device and equipment
CN112380535A (en) * 2020-11-13 2021-02-19 重庆科技学院 CBOW-based malicious code three-channel visual identification method
CN112380535B (en) * 2020-11-13 2022-04-19 重庆科技学院 CBOW-based malicious code three-channel visual identification method
CN112104677A (en) * 2020-11-23 2020-12-18 北京金睛云华科技有限公司 Controlled host detection method and device based on knowledge graph
CN112311814B (en) * 2020-12-23 2021-11-26 中国航空油料集团有限公司 Malicious encrypted traffic identification method and system based on deep learning and electronic equipment
CN112311814A (en) * 2020-12-23 2021-02-02 中国航空油料集团有限公司 Malicious encrypted traffic identification method and system based on deep learning and electronic equipment
CN112257062A (en) * 2020-12-23 2021-01-22 北京金睛云华科技有限公司 Sandbox knowledge base generation method and device based on frequent item set mining
CN112738109A (en) * 2020-12-30 2021-04-30 杭州迪普科技股份有限公司 Web attack detection method and device
CN113747443A (en) * 2021-02-26 2021-12-03 上海观安信息技术股份有限公司 Machine learning algorithm-based security detection method and device
CN113010268A (en) * 2021-03-22 2021-06-22 腾讯科技(深圳)有限公司 Malicious program identification method and device, storage medium and electronic equipment
CN113949531A (en) * 2021-09-14 2022-01-18 北京邮电大学 Malicious encrypted flow detection method and device
CN113949531B (en) * 2021-09-14 2022-06-17 北京邮电大学 Malicious encrypted flow detection method and device
CN113992349A (en) * 2021-09-23 2022-01-28 云南财经大学 Malicious traffic identification method, device, equipment and storage medium
CN113992349B (en) * 2021-09-23 2023-05-19 云南财经大学 Malicious traffic identification method, device, equipment and storage medium
CN114070602A (en) * 2021-11-11 2022-02-18 北京天融信网络安全技术有限公司 HTTP tunnel detection method, device, electronic equipment and storage medium
CN114268484A (en) * 2021-12-17 2022-04-01 北京天融信网络安全技术有限公司 Malicious encrypted flow detection method and device, electronic equipment and storage medium
CN114401229B (en) * 2021-12-31 2023-09-19 北京理工大学 Encryption traffic identification method based on transform deep learning model
CN114710322A (en) * 2022-03-15 2022-07-05 清华大学 Hidden malicious traffic detection method and device based on traffic interaction graph
CN115001789A (en) * 2022-05-27 2022-09-02 绿盟科技集团股份有限公司 Method, device, equipment and medium for detecting compromised devices
CN115001789B (en) * 2022-05-27 2024-04-02 绿盟科技集团股份有限公司 Method, device, equipment and medium for detecting compromised devices
CN115134168A (en) * 2022-08-29 2022-09-30 成都盛思睿信息技术有限公司 Method and system for detecting cloud platform hidden channel based on convolutional neural network
CN116186503A (en) * 2022-12-05 2023-05-30 广州大学 Industrial control system-oriented malicious flow detection method and device and computer storage medium
CN117118745A (en) * 2023-10-20 2023-11-24 山东慧贝行信息技术有限公司 Network security dynamic early warning system based on deep learning
CN117118745B (en) * 2023-10-20 2024-01-05 山东慧贝行信息技术有限公司 Network security dynamic early warning system based on deep learning

Also Published As

Publication number Publication date
CN108985361B (en) 2021-06-18

Similar Documents

Publication Publication Date Title
CN108985361A (en) Malicious traffic detection implementation method and device based on deep learning
Fawaz et al. Adversarial attacks on deep neural networks for time series classification
CN107392019A (en) Malicious code family training and detection method and device
CN110796196B (en) Network traffic classification system and method based on depth discrimination characteristics
Swaminathan et al. Digital image forensics via intrinsic fingerprints
CN109450842A (en) Neural-network-based network malicious behavior identification method
CN112953924A (en) Network abnormal flow detection method, system, storage medium, terminal and application
Nahmias et al. Deep feature transfer learning for trusted and automated malware signature generation in private cloud environments
US11354917B2 (en) Detection of fraudulently generated and photocopied credential documents
CN112491796B (en) Intrusion detection and semantic decision tree quantitative interpretation method based on convolutional neural network
WO2022222575A1 (en) Method and system for target recognition
WO2022222569A1 (en) Target discrimination method and system
CN114330544A (en) Method for establishing business flow abnormity detection model and abnormity detection method
CN111899251A (en) Copy-move type forged image detection method for distinguishing forged source and target area
CN115050064A (en) Face living body detection method, device, equipment and medium
CN107809343B (en) Network protocol identification method and device
Mareen et al. Comprint: Image forgery detection and localization using compression fingerprints
CN115292722B (en) Model safety detection method and device based on different color spaces
CN113762326A (en) Data identification method, device and equipment and readable storage medium
CN116346452B (en) Multi-feature fusion malicious encryption traffic identification method and device based on stacking
CN115277065B (en) Anti-attack method and device in abnormal traffic detection of Internet of things
CN111368128A (en) Target picture identification method and device and computer readable storage medium
Subrahmanyeswara Rao A fuzzy fusion approach for modified contrast enhancement based image forensics against attacks
CN113033305B (en) Living body detection method, living body detection device, terminal equipment and storage medium
Iorliam Application of power laws to biometrics, forensics and network traffic analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant