CN108985361A - A kind of malicious traffic stream detection implementation method and device based on deep learning - Google Patents
A kind of malicious traffic stream detection implementation method and device based on deep learning
- Publication number: CN108985361A (application CN201810708037.8A)
- Authority: CN (China)
- Prior art keywords: malicious, traffic stream, deep learning, genome, malicious traffic
- Legal status (as listed by Google Patents, not a legal conclusion): Granted
Classifications
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F18/00—Pattern recognition > G06F18/20—Analysing > G06F18/23—Clustering techniques
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00—Computing arrangements based on biological models > G06N3/02—Neural networks > G06N3/04—Architecture, e.g. interconnection topology > G06N3/045—Combinations of networks
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00—Computing arrangements based on biological models > G06N3/02—Neural networks > G06N3/08—Learning methods
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441—Countermeasures against malicious traffic
Abstract
The embodiment of the invention discloses a malicious traffic detection implementation method and device based on deep learning. The method may include: obtaining the traffic sessions of malicious code by dynamic sandbox technology; mapping the traffic sessions of malicious code to genomes (image representations of the session bytes) and extracting their map features, clustering with the map features of the traffic sessions, and labelling the clustering results with malicious code families; training a preset deep learning model with the genomes of the labelled malicious code families to establish a malicious traffic detection model; and detecting real-time network traffic with the malicious traffic detection model to realize malicious traffic detection. The scheme of the embodiment solves, to a certain extent, the problems of current detection techniques: difficult manual feature extraction, privacy leakage, difficulty in handling encryption and obfuscation, and the need to extract machine learning features by hand. It has higher robustness and is characterized by fast detection, high accuracy, a low false alarm rate and cross-platform detection.
Description
Technical field
The embodiments of the present invention relate to computer security technology, and in particular to a malicious traffic detection implementation method and apparatus based on deep learning.
Background technique
Traditional detection methods for malicious (abnormal) traffic mostly identify it by transport layer port. Although inaccurate, this remains a fast and simple method for continuously monitoring and reporting abnormal traffic.
Later, payload-based methods were proposed, which identify bytes or strings in packet contents associated with malicious (abnormal) traffic, or perform more complex syntax matching. However, this method raises privacy concerns and cannot cope with problems such as encryption and protocol obfuscation.
Currently, pattern recognition algorithms using conventional machine learning can solve the privacy problem to a certain extent and can effectively cope with traffic obfuscation and traffic encryption. Traditional machine learning methods have solved many problems, but they also face a new challenge: how to select suitable features, which here must be selected manually.
In view of this, the prior art still has room for improvement.
Summary of the invention
In order to solve the above technical problem, the embodiments of the present invention provide a malicious traffic detection implementation method and device based on deep learning, which can solve to a certain extent the problems of current detection techniques: difficult manual feature extraction, privacy leakage, difficulty in handling encryption and obfuscation, and the need to extract machine learning features by hand. It has higher robustness and is characterized by fast detection, high accuracy, a low false alarm rate and cross-platform detection.
In order to achieve the purpose of the embodiments of the present invention, the embodiments provide a malicious traffic detection implementation method based on deep learning, which may include:
obtaining the traffic sessions of malicious code by dynamic sandbox technology;
mapping the traffic sessions of malicious code to genomes and extracting map features, clustering with the map features of the traffic sessions, and labelling the clustering results with malicious code families;
training a preset deep learning model with the genomes of the labelled malicious code families to establish a malicious traffic detection model;
detecting real-time network traffic with the malicious traffic detection model to realize malicious traffic detection.
Optionally, obtaining the traffic sessions of malicious code by dynamic sandbox technology may include:
obtaining malicious code samples of a specified type from a malicious code database, and filtering out ineligible malicious code samples;
executing the remaining samples with dynamic sandbox technology, and monitoring the behaviour of the executed samples by hooking system application programming interfaces (APIs), so as to identify unknown malicious file infiltration and malicious command-and-control (C&C) outbound connections;
obtaining the network traffic of the corresponding sample from the sandbox virtual machine and filtering out legitimate traffic from it, to obtain the set of malicious code traffic sessions.
Optionally, mapping the traffic sessions of malicious code to genomes and extracting map features, clustering with the map features of the traffic sessions, and labelling the clustering results with malicious code families includes:
preprocessing the traffic session data of the malicious code so as to retain the data whose discrimination is greater than or equal to a preset discrimination threshold;
mapping the preprocessed set of malicious code traffic sessions to genomes of a preset size with a preset mapping algorithm;
extracting the map features of the genomes with a map feature extraction algorithm, to construct the map feature set of the malicious traffic genomes;
sampling the map feature set of the malicious traffic genomes to construct a map feature subset, and running a pre-clustering process to select the required clustering algorithm;
after determining the required clustering algorithm, clustering based on the map feature set of the full set of malicious traffic genomes;
labelling the clusters of malicious traffic genomes with families using preset antivirus software, to construct the training sample set required by deep learning.
Optionally, the method may also include: building a deep learning model in advance with deep learning technology, and setting the network architecture parameters and training weights of the deep learning model.
Optionally, training the preset deep learning model with the genomes of the labelled malicious code families to establish the malicious traffic detection model includes:
for the labelled malicious traffic genomes, dividing the genomes of the different malicious code families into multiple blocks with a preset segmentation algorithm, where both the original malicious traffic genomes and their blocks are used to train the deep learning model;
training deep learning models on the original malicious traffic genomes and on their blocks respectively, through multiple rounds of iteration, to obtain the corresponding training results;
taking the trained deep learning model whose training result comes closest to the preset requirement as the malicious traffic detection model.
Optionally, detecting real-time network traffic with the malicious traffic detection model to realize malicious traffic detection includes:
loading the trained malicious traffic detection model into memory from a Hierarchical Data Format 5 (HDF5) file;
obtaining a real-time network traffic session and mapping it to a genome with the preset mapping algorithm;
dividing the genome of the real-time network traffic session into multiple blocks with the preset segmentation algorithm;
detecting the genome of the real-time session and its blocks with the malicious traffic detection model to obtain detection results;
processing the detection results with the malicious traffic scoring algorithm MT_Score to realize malicious traffic detection.
Optionally, the malicious code database includes: malicious files for the Windows system, Executable and Linkable Format (ELF) malicious files for the Linux system, malicious files for the Mac system, and Android application package (APK) files for the Android system.
Optionally, the dynamic sandbox technology has built-in virtual machines for the Windows, Linux, Mac and Android systems, and runs the Windows malicious files, the Linux ELF malicious files, the Mac malicious files and the Android APK files to generate network communication.
Optionally, the preset mapping algorithm may include the T2G mapping algorithm;
the preset segmentation algorithm may include the G2S segmentation algorithm.
In order to achieve the purpose of the embodiments of the present invention, the embodiments also provide a malicious traffic detection implementation device based on deep learning, including a processor and a computer-readable storage medium. Instructions are stored in the computer-readable storage medium, and when the instructions are executed by the processor, the above malicious traffic detection implementation method based on deep learning is realized.
The embodiments of the present invention include: obtaining the traffic sessions of malicious code by dynamic sandbox technology; mapping the traffic sessions of malicious code to genomes and extracting map features, clustering with the map features of the traffic sessions, and labelling the clustering results with malicious code families; training a preset deep learning model with the genomes of the labelled malicious code families to establish a malicious traffic detection model; and detecting real-time network traffic with the malicious traffic detection model to realize malicious traffic detection. The scheme of the embodiment solves, to a certain extent, the problems of current detection techniques: difficult manual feature extraction, privacy leakage, difficulty in handling encryption and obfuscation, and the need to extract machine learning features by hand. It has higher robustness and is characterized by fast detection, high accuracy, a low false alarm rate and cross-platform detection.
Other features and advantages of the embodiments of the present invention will be set out in the following description, and in part will become apparent from the description or be understood by implementing the embodiments. The purpose and other advantages of the embodiments can be achieved and obtained by the structures specifically pointed out in the specification, claims and drawings.
Detailed description of the invention
The accompanying drawings are provided for a further understanding of the technical solutions of the embodiments of the present invention and form part of the specification; together with the embodiments of this application they serve to explain the technical solutions of the embodiments and do not limit them.
Fig. 1 is a flow chart of the malicious traffic detection implementation method based on deep learning of the embodiment of the present invention;
Fig. 2 is a schematic diagram describing the fields of malicious traffic session preprocessing of the embodiment;
Fig. 3 is a schematic diagram of the T2G mapping algorithm of the embodiment;
Fig. 4 is a schematic diagram of malicious code family network traffic session maps of the embodiment;
Fig. 5 is a schematic architecture diagram of the convolutional neural network (CNN) of the embodiment;
Fig. 6 is a schematic diagram of the G2S segmentation algorithm of the embodiment;
Fig. 7 is a schematic diagram of malicious code family network traffic session map blocks of the embodiment;
Fig. 8 is a flow chart of the MT_Score malicious traffic scoring algorithm of the embodiment;
Fig. 9 is a schematic diagram of the malicious traffic detection implementation device based on deep learning of the embodiment;
Fig. 10 is a schematic structural diagram of the malicious traffic detection implementation device based on deep learning of the embodiment.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments are described in detail below in conjunction with the accompanying drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments can be combined with each other arbitrarily.
The steps shown in the flow charts of the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions. Also, although a logical order is shown in the flow charts, in some cases the steps shown or described can be executed in an order different from the one given here.
In order to achieve the purpose of the embodiments of the present invention, the embodiments provide a malicious traffic detection implementation method based on deep learning; as shown in Fig. 1, the method may include S101-S104:
S101: obtain the traffic sessions of malicious code by dynamic sandbox technology.
In the embodiment of the present invention, this step is the malicious traffic acquisition process, i.e. obtaining from the dynamic sandbox the malicious traffic sessions generated when the malicious code runs. In this step, malicious code samples can be obtained from the malicious code sample library, the bidirectional traffic sessions generated by the malicious code are obtained with dynamic sandbox technology, and legitimate traffic is filtered out to obtain the set of malicious traffic sessions.
Optionally, obtaining the traffic sessions of malicious code by dynamic sandbox technology may include S1011-S1013:
S1011: obtain malicious code samples of a specified type from the malicious code database, and filter out ineligible malicious code samples.
In the embodiment, this step is the malicious code sample acquisition process: a large number of samples of the specified type are obtained from the malicious code database, and samples that do not meet the preset conditions are filtered out, for example incomplete samples, false-positive samples, rogue software, etc. At the same time, this ensures to a certain extent that the malicious code samples exhibit network behaviour when run.
Optionally, the malicious code database includes: malicious files for the Windows system, Executable and Linkable Format (ELF) malicious files for the Linux system, malicious files for the Mac system, and Android application package (APK) files for the Android system.
S1012: execute the remaining malicious code samples with dynamic sandbox technology, and monitor the behaviour of the executed samples by hooking system application programming interfaces (APIs), so as to identify unknown malicious file infiltration and malicious command-and-control (C&C) outbound connections.
In the embodiment, this step is the dynamic sandbox processing stage. Dynamic sandbox technology here refers specifically to executing the malicious code samples with virtual machine technology, monitoring the behaviour of the malicious samples by hooking system APIs, and thereby identifying unknown malicious file infiltration and malicious C&C (Command & Control) outbound connections. In order to run many kinds of programs, the dynamic sandbox must simulate various software running environments and operating systems, and must provide a variety of anti-evasion techniques to prevent malware from hiding or evading virtual machine detection.
Optionally, the dynamic sandbox technology has built-in virtual machines for the Windows, Linux, Mac and Android systems, and runs the Windows malicious files, the Linux ELF malicious files, the Mac malicious files and the Android APK files to generate network communication.
S1013: obtain the network traffic of the corresponding sample from the sandbox virtual machine, filter out legitimate traffic from the network traffic, and obtain the set of malicious code traffic sessions.
In the embodiment, this step is the malicious traffic acquisition stage, i.e. obtaining the network traffic of the corresponding sample from the virtual machine. At the same time, legitimate traffic is filtered out according to an Internet Protocol (IP) whitelist, a domain name whitelist, a protocol whitelist and an application whitelist, to obtain the set of malicious traffic sessions. Finally, the features of each malicious traffic session are extracted, such as the session ID (identity), timestamp, five-tuple information (source IP, source port, destination IP, destination port, layer 3/4 protocol), source MAC (media access control) address, destination MAC address, uplink and downlink traffic sizes, malicious session data, etc.
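As an added illustration of step S1013 (this is example code written for this page, not the patent's own implementation): sessions captured from the sandbox VM are checked against an IP whitelist, a domain whitelist, a protocol whitelist and an application whitelist, the matches are dropped as legitimate, and the remaining sessions are reduced to the per-session record listed above. All whitelist entries, addresses, MACs and payloads are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed whitelists (sample values, not from the patent).
IP_WHITELIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("8.8.8.8/32")]
DOMAIN_WHITELIST = {"time.windows.com"}
PROTOCOL_WHITELIST = {"NTP"}
APP_WHITELIST = {"windows-update"}


@dataclass
class Session:
    """One bidirectional traffic session captured from the sandbox VM."""
    session_id: str
    timestamp: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    l4_proto: str
    src_mac: str
    dst_mac: str
    up_bytes: int
    down_bytes: int
    payload: bytes
    host: Optional[str] = None      # SNI or HTTP Host header, when visible
    l7_proto: Optional[str] = None  # application protocol as guessed by the capture tool
    app_tag: Optional[str] = None   # sandbox-side tag of the originating application


def is_legitimate(s: Session) -> bool:
    """A session is treated as legitimate when any of the four whitelists matches it."""
    dst = ipaddress.ip_address(s.dst_ip)
    if any(dst in net for net in IP_WHITELIST):
        return True
    if s.host and s.host.lower() in DOMAIN_WHITELIST:
        return True
    if s.l7_proto in PROTOCOL_WHITELIST:
        return True
    if s.app_tag in APP_WHITELIST:
        return True
    return False


def session_features(s: Session) -> Dict:
    """Per-session record with the fields the step lists."""
    return {
        "session_id": s.session_id,
        "timestamp": s.timestamp,
        "five_tuple": (s.src_ip, s.src_port, s.dst_ip, s.dst_port, s.l4_proto),
        "src_mac": s.src_mac,
        "dst_mac": s.dst_mac,
        "up_bytes": s.up_bytes,
        "down_bytes": s.down_bytes,
        "payload": s.payload,
    }


def collect_malicious_sessions(sessions: List[Session]) -> List[Dict]:
    """Drop whitelisted sessions, keep the rest as the malicious session set."""
    return [session_features(s) for s in sessions if not is_legitimate(s)]


# Constructed capture: one DNS lookup to a whitelisted resolver, one TLS session to an
# unknown host, one NTP sync, one IRC session and one whitelisted update check.
MAC_VM, MAC_GW = "02:00:00:00:00:01", "02:00:00:00:00:fe"
SAMPLE_SESSIONS = [
    Session("s1", 1530000000, "10.0.0.5", 49152, "8.8.8.8", 53, "UDP", MAC_VM, MAC_GW,
            60, 120, b"\x12\x34\x01\x00", l7_proto="DNS"),
    Session("s2", 1530000001, "10.0.0.5", 49153, "203.0.113.10", 443, "TCP", MAC_VM, MAC_GW,
            2048, 9120, b"\x16\x03\x01\x00\xc8", host="unknown.example.invalid"),
    Session("s3", 1530000002, "10.0.0.5", 49154, "198.51.100.7", 123, "UDP", MAC_VM, MAC_GW,
            48, 48, b"\x1b" + b"\x00" * 47, l7_proto="NTP"),
    Session("s4", 1530000003, "10.0.0.5", 49155, "192.0.2.44", 6667, "TCP", MAC_VM, MAC_GW,
            300, 150, b"NICK bot1\r\n", l7_proto="IRC"),
    Session("s5", 1530000004, "10.0.0.5", 49156, "203.0.113.20", 80, "TCP", MAC_VM, MAC_GW,
            400, 8000, b"GET /update HTTP/1.1", host="time.windows.com", app_tag="windows-update"),
]

if __name__ == "__main__":
    for rec in collect_malicious_sessions(SAMPLE_SESSIONS):
        print(rec["session_id"], rec["five_tuple"], rec["up_bytes"], rec["down_bytes"])
```

On the constructed capture only s2 (TLS to an unlisted host) and s4 (IRC) survive the filter, which matches the next paragraph's remark that the method concentrates on transport protocols such as SSL and IRC rather than on common protocols.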
S102: map the traffic sessions of malicious code to genomes and extract map features, cluster with the map features of the traffic sessions, and label the clustering results with malicious code families.
In the embodiment, a preset mapping algorithm (including but not limited to the T2G mapping algorithm) can be used to preprocess the set of malicious traffic sessions, map the malicious traffic sessions to traffic genomes and extract their map features. A general clustering algorithm, for example including but not limited to hierarchical clustering, density clustering, K-means clustering, etc., clusters the features of the traffic genomes, and the clusters of malicious traffic are labelled with malicious code families according to preset antivirus software, for example including but not limited to Microsoft MSE (Microsoft Security Essentials) or other antivirus software. The detailed process steps are introduced below.
In the embodiment, for malicious traffic sessions (i.e. the traffic sessions of malicious code), common protocols such as HTTP, DNS and SMTP are excluded during malicious traffic genome generation, in order to focus on the data transport protocols that malicious code families usually use, such as the Secure Sockets Layer (SSL) protocol and the Internet Relay Chat (IRC) protocol, and especially unknown protocols.
Optionally, mapping the traffic sessions of malicious code to genomes and extracting map features, clustering with the map features of the traffic sessions, and labelling the clustering results with malicious code families may include S1021-S1026:
S1021: preprocess the traffic session data of the malicious code so as to retain the data whose discrimination is greater than or equal to a preset discrimination threshold.
In the embodiment, before the malicious traffic session data is mapped to maps, it needs to be preprocessed: fields with relatively low discrimination, which are identical or similar across most sessions, are filtered out, so as to retain the data with higher discrimination between malicious traffic and legitimate traffic, i.e. the malicious traffic data whose discrimination between malicious and legitimate traffic is greater than or equal to the preset discrimination threshold. The filtering operation yields the traffic session data with higher discrimination, and this part of the data is regarded as the malicious session data. As shown in Fig. 2, the filtered content may include but is not limited to: destination MAC, source MAC, type, version, packet ID, time to live, upper-layer protocol, header checksum, source IP address, source port, TCP (Transmission Control Protocol) sequence number, acknowledgement number, TCP checksum, etc.
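An added example for step S1021 (written for this page; the patent does not define its discrimination measure, so the distinct-value ratio used here is an assumption): each field's discrimination is scored across a set of session records, fields at or above the threshold are kept and the rest are dropped. The four session records are constructed and deliberately come from one sandbox VM, so the link- and IP-layer header fields of Fig. 2 are identical in every session and score low.

```python
from typing import Dict, List

Record = Dict[str, object]


def field_discrimination(records: List[Record], name: str) -> float:
    """Share of distinct values the field takes across the sessions, in (0, 1].

    ASSUMPTION: stands in for the patent's unspecified discrimination measure.
    A field identical in every session scores 1/len(records); a field that is
    unique per session scores 1.0.
    """
    values = [repr(r.get(name)) for r in records]
    return len(set(values)) / len(values)


def discrimination_report(records: List[Record]) -> Dict[str, float]:
    """Score every field seen in the records, in sorted field order."""
    names = sorted({k for r in records for k in r})
    return {n: field_discrimination(records, n) for n in names}


def select_fields(records: List[Record], threshold: float) -> List[str]:
    """Fields whose discrimination is >= the preset threshold; all others are filtered out."""
    return [n for n, score in discrimination_report(records).items() if score >= threshold]


def preprocess_sessions(records: List[Record], threshold: float) -> List[Record]:
    """Return the records reduced to the retained fields (the 'malicious session data')."""
    keep = set(select_fields(records, threshold))
    return [{k: v for k, v in r.items() if k in keep} for r in records]


# Constructed records: four sessions from one sandbox VM behind one gateway.
_COMMON = {"dst_mac": "02:00:00:00:00:fe", "src_mac": "02:00:00:00:00:01",
           "eth_type": 0x0800, "ip_version": 4, "ttl": 128, "upper_proto": 6}
SAMPLE_RECORDS: List[Record] = [
    {**_COMMON, "src_port": 49153, "dst_port": 443, "payload": b"\x16\x03\x01\x00\xc8"},
    {**_COMMON, "src_port": 49155, "dst_port": 6667, "payload": b"NICK bot1\r\n"},
    {**_COMMON, "src_port": 49160, "dst_port": 443, "payload": b"\x16\x03\x01\x01\x10"},
    {**_COMMON, "src_port": 49161, "dst_port": 6667, "payload": b"JOIN #chan\r\n"},
]

if __name__ == "__main__":
    for name, score in discrimination_report(SAMPLE_RECORDS).items():
        print(f"{name:12s} {score:.2f}")
    print("retained:", select_fields(SAMPLE_RECORDS, 0.5))
```

With a threshold of 0.5 only the source port, destination port and payload survive; the MAC, EtherType, IP version, TTL and upper-layer protocol fields all score 0.25 and are discarded, which is the effect Fig. 2 describes.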
S1022: map the preprocessed set of malicious code traffic sessions to genomes of a preset size with a preset mapping algorithm.
In the embodiment, this step is the genome mapping process. For the traffic session data of the malicious code (which can be called the malicious session data), N² bytes can be intercepted, N ≥ 1. With the T2G mapping algorithm, the preprocessed set of malicious traffic sessions is mapped to a set of M × M maps, denoted malicious traffic genomes, where the cases include but are not limited to M == N and 3*M == N. For example, 1024 bytes are intercepted and mapped to a 32*32 greyscale image. The T2G mapping algorithm is shown schematically in Fig. 3, which is the visualized process of mapping malicious traffic to a traffic genome. As shown in Fig. 4, malicious traffic genomes can include but are not limited to the following families: the APT28-Kazy family, the Trojan-Fake family, the Win32-Angryel family and the Backdoor-Zegost family.
Optionally, mapping the preprocessed set of malicious code traffic sessions to genomes of a preset size with a preset mapping algorithm may include steps S10221-S10223:
S10221: for the given malicious session data, read every 8 bits as an unsigned integer (range 0~255); a fixed line width forms one vector, and the whole malicious session data finally produces a two-dimensional array.
S10222: the value range of each element in the array is [0,255] (0 denotes black, 255 denotes white). This array is visualized as a map whose width and height depend on the file size, for example malicious session data of width 32 bytes and height 32 bytes. Map categories include but are not limited to single-channel maps, 3-channel maps, 4-channel maps, etc. A common single-channel map is the greyscale image; 3-channel maps are RGB (red-green-blue) maps and Lab (colour model) maps; 4-channel maps are CMYK (print colour mode) maps.
In the embodiment, an RGB map can be understood as three 2D matrices (one per colour) stacked together, with the values of each matrix between 0 and 255. A single-channel map can be understood as one 2D matrix, with each pixel value in the matrix between 0 and 255, where 0 denotes black and 255 denotes white. The map matrix corresponds to the input resolution of the map, N × N pixels, with N=32 by default. The larger N is, the higher the time complexity of training the convolutional neural network (CNN) and the more computing resources are required.
S10223: the mapped map is stored as an uncompressed PNG (Portable Network Graphics format) map. For the visualized malicious traffic map, different texture structures often represent different types of data information. The traffic genome file is renamed "destination IP_destination port_session ID_malicious code SHA256/Unknown.PNG".
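An added worked example of steps S10221-S10223 (example code for this page, not the patent's T2G implementation): the session bytes are read as unsigned 8-bit values, cut or zero-padded to N² bytes (the padding rule is an assumption; the patent only says N² bytes are intercepted), reshaped into an N × N matrix, and written as an 8-bit greyscale PNG whose IDAT uses zlib level 0 (stored blocks, i.e. no compression). A small decoder is included so the round trip can be checked, and the file name follows the pattern quoted above with "Unknown" when the sample hash is not available.

```python
import struct
import zlib
from typing import List, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def t2g_map(session_bytes: bytes, n: int = 32) -> List[List[int]]:
    """T2G-style mapping: first n*n bytes as unsigned ints, row width n (zero-padded; ASSUMPTION)."""
    need = n * n
    data = session_bytes[:need]
    data += b"\x00" * (need - len(data))
    return [list(data[r * n:(r + 1) * n]) for r in range(n)]


def _chunk(tag: bytes, body: bytes) -> bytes:
    """PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def matrix_to_png(matrix: List[List[int]]) -> bytes:
    """Encode an N x N greyscale matrix as an uncompressed (zlib level 0) 8-bit PNG."""
    h, w = len(matrix), len(matrix[0])
    raw = b"".join(b"\x00" + bytes(row) for row in matrix)   # filter type 0 per scanline
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 0, 0, 0, 0)       # 8-bit depth, colour type 0 = grey
    idat = zlib.compress(raw, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_to_matrix(png: bytes) -> List[List[int]]:
    """Decode the greyscale PNG written by matrix_to_png (no filters other than 0)."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, w, h, idat = 8, 0, 0, b""
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        tag, body = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            w, h = struct.unpack(">II", body[:8])
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length
    raw = zlib.decompress(idat)
    return [list(raw[r * (w + 1) + 1:(r + 1) * (w + 1)]) for r in range(h)]


def genome_filename(dst_ip: str, dst_port: int, session_id: str,
                    sample_sha256: Optional[str] = None) -> str:
    """'destination IP_destination port_session ID_SHA256/Unknown.PNG' naming from the text."""
    return f"{dst_ip}_{dst_port}_{session_id}_{sample_sha256 or 'Unknown'}.PNG"


if __name__ == "__main__":
    # Constructed 1024-byte session payload (four copies of 0x00..0xff).
    payload = bytes(range(256)) * 4
    genome = t2g_map(payload, 32)
    png = matrix_to_png(genome)
    print(genome_filename("203.0.113.10", 443, "s2"), len(png), "bytes")
```

Because `zlib.compress(raw, 0)` emits stored deflate blocks, the file is a valid PNG that any viewer opens, yet the session bytes remain readable in it byte for byte, which is what "uncompressed PNG" in S10223 amounts to.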
S1023: extract the map features of the genomes with a map feature extraction algorithm to construct the map feature set of the malicious traffic genomes.
In the embodiment, the map features of the malicious traffic genomes are extracted with a preset map feature extraction algorithm, constructing the map feature set of the malicious traffic genomes.
In the embodiment, for a given map, map texture features are extracted. Many algorithms are usable for this process; the mainstream ones include GIST features, SIFT features, GLCM features, ColorHis features, Gabor features, Census features and LBP features, etc. These methods are sketched below, but the map texture feature extraction method of this application is not limited to them.
GIST feature: this feature simulates human vision and extracts coarse but concise structural information from the map; essentially it is the contour information obtained after filtering the scene map with a bank of multi-orientation, multi-scale Gabor filters;
SIFT feature: the scale-invariant feature transform. This feature has good invariance to translation, rotation, scaling, brightness change, occlusion and noise, and also a certain stability to changes of viewing angle and affine transformation; it is a local structural feature;
GLCM feature: the grey-level co-occurrence matrix feature. For a map, this feature first defines a direction and a step length in units of pixels, and the grey-level co-occurrence matrix T (N × N); M (i, j) is then defined as the frequency with which grey levels i and j occur simultaneously at a point and at the point one step length away in the defined direction, where N is the number of grey levels;
ColorHis feature: the colour histogram feature, which describes the proportion of the whole map occupied by different colours and reflects the statistical distribution of the map colours; it is a global feature;
Census feature: the Census transform histogram principal component analysis feature, a texture feature proposed on the basis of comparing the grey values of local map pixels. Its core idea is to regard a binary matrix as a binary texture pattern (texture primitive), obtaining the transformed value by comparing the grey value of a pixel with its eight surrounding neighbourhood pixels;
Gabor feature: this feature is computed from the original image by a two-dimensional Gabor function and is suitable for detecting and describing map texture features. The multi-scale, multi-orientation Gabor filter bank is a multi-channel filtering scheme that extends the Gabor filter by scale and rotation transformations;
LBP feature: the local binary pattern feature, a theoretically simple and computationally efficient non-parametric local texture descriptor. Because of its high discriminative power and low computational complexity, it is widely used in map analysis, computer vision and pattern recognition.
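Two of the texture descriptors above, GLCM and LBP, are simple enough to implement directly; the following is an added example for step S1023 (written for this page, not the patent's feature extractor). The GLCM is built for one direction and one-pixel step as defined in the text, made symmetric, normalised, and summarised by contrast, energy and homogeneity; the grey levels are quantised to 8 bins (an assumption, to keep the matrix small) and four directions are combined into one feature vector. The LBP code takes a neighbour bit as 1 when the neighbour is greater than or equal to the centre pixel, and the 256-bin histogram is normalised.

```python
from typing import Dict, List

Matrix = List[List[int]]


def quantize(matrix: Matrix, levels: int) -> Matrix:
    """Map 0..255 grey values onto `levels` bins (ASSUMPTION: uniform binning)."""
    return [[v * levels // 256 for v in row] for row in matrix]


def glcm(matrix: Matrix, dx: int, dy: int, levels: int = 8) -> List[List[float]]:
    """Symmetric, normalised co-occurrence matrix for offset (dx, dy) and one-pixel step."""
    q = quantize(matrix, levels)
    h, w = len(q), len(q[0])
    counts = [[0] * levels for _ in range(levels)]
    total = 0
    for y in range(h):
        for x in range(w):
            ny, nx = y + dy, x + dx
            if 0 <= ny < h and 0 <= nx < w:
                i, j = q[y][x], q[ny][nx]
                counts[i][j] += 1
                counts[j][i] += 1
                total += 2
    return [[c / total for c in row] for row in counts] if total else counts


def glcm_stats(p: List[List[float]]) -> Dict[str, float]:
    """Haralick-style summaries of a normalised GLCM."""
    contrast = energy = homogeneity = 0.0
    for i, row in enumerate(p):
        for j, v in enumerate(row):
            contrast += v * (i - j) ** 2
            energy += v * v
            homogeneity += v / (1 + abs(i - j))
    return {"contrast": contrast, "energy": energy, "homogeneity": homogeneity}


# Eight neighbours, clockwise from top-left; bit k of the LBP code is neighbour k.
_OFFSETS = [(-1, -1), (-1, 0), (-1, 1), (0, 1), (1, 1), (1, 0), (1, -1), (0, -1)]


def lbp_histogram(matrix: Matrix) -> List[float]:
    """Normalised 256-bin histogram of local binary pattern codes over interior pixels."""
    h, w = len(matrix), len(matrix[0])
    hist = [0] * 256
    n = 0
    for y in range(1, h - 1):
        for x in range(1, w - 1):
            centre = matrix[y][x]
            code = 0
            for bit, (dy, dx) in enumerate(_OFFSETS):
                if matrix[y + dy][x + dx] >= centre:
                    code |= 1 << bit
            hist[code] += 1
            n += 1
    return [v / n for v in hist] if n else [float(v) for v in hist]


DIRECTIONS = {"0": (1, 0), "45": (1, -1), "90": (0, -1), "135": (-1, -1)}


def texture_features(matrix: Matrix) -> Dict[str, object]:
    """Feature record for one genome: GLCM statistics per direction plus the LBP histogram."""
    feats: Dict[str, object] = {}
    for angle, (dx, dy) in DIRECTIONS.items():
        for stat, value in glcm_stats(glcm(matrix, dx, dy)).items():
            feats[f"glcm_{stat}_{angle}"] = value
    feats["lbp"] = lbp_histogram(matrix)
    return feats


if __name__ == "__main__":
    # Constructed 4x4 genomes: a flat block and a checkerboard.
    flat = [[100] * 4 for _ in range(4)]
    checker = [[255 if (x + y) % 2 else 0 for x in range(4)] for y in range(4)]
    for name, img in (("flat", flat), ("checker", checker)):
        f = texture_features(img)
        print(name, {k: round(v, 3) for k, v in f.items() if k != "lbp"})
```

A flat genome gives zero contrast and energy 1, a checkerboard gives maximal contrast; on real 32 × 32 traffic genomes these statistics separate, for example, a session of mostly-zero padding from one carrying encrypted payload, which is the kind of difference the clustering in S1024-S1025 then exploits.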
S1024: sample the map feature set of the malicious traffic genomes to construct a map feature subset, and run a pre-clustering process to select the required clustering algorithm.
In the embodiment, in order to select a clustering algorithm with low time cost and good clustering effect, the map feature set of the malicious traffic genomes can be sampled into a subset, and a pre-clustering process is run on it to select the clustering algorithm.
In the embodiment, the pre-clustering technique can be used to obtain the optimal clustering algorithm. A subset of the map feature set of the malicious traffic genomes is selected and pre-clustered in order to select a clustering algorithm with low time cost and good clustering effect. The optimal clustering algorithm can be selected from a set of candidate algorithms, which can include but is not limited to spectral clustering, k-means, hierarchical clustering, density clustering, etc. The selected optimal clustering algorithm is then used to cluster the map feature set of the malicious traffic genomes.
S1025: after determining the required clustering algorithm, cluster based on the map feature set of the full set of malicious traffic genomes.
S1026: label the clusters of malicious traffic genomes with families using preset antivirus software, to construct the training sample set required by deep learning.
In the embodiment, this step is the cluster labelling process. Preset antivirus software, such as Microsoft MSE or other antivirus software, can be used to label the malicious traffic genome clusters with families. The labelled set of malicious code family traffic genome clusters will be used to train the deep learning model, i.e. it serves as the training sample set of the deep learning model.
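An added example covering S1024-S1026 together (example code for this page, not the patent's pipeline): a subset of feature vectors is sampled, each candidate clustering algorithm is run on it and scored by silhouette coefficient and wall-clock time, the winner clusters the full set, and each cluster is labelled with the family that the per-sample antivirus labels vote for most often. The candidates here are a plain k-means and a single-pass leader algorithm, both written inline so the example runs without third-party libraries; the feature vectors, family names and antivirus labels are constructed, with one label deliberately noisy to show the majority vote.

```python
import math
import random
import time
from collections import Counter
from typing import Callable, Dict, List, Sequence, Tuple

Point = Sequence[float]


def dist(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points: List[Point], k: int = 3, iters: int = 20) -> List[int]:
    """Plain Lloyd k-means with a deterministic strided initialisation."""
    centers = [list(points[i * len(points) // k]) for i in range(k)]
    labels = [0] * len(points)
    for _ in range(iters):
        labels = [min(range(k), key=lambda c: dist(p, centers[c])) for p in points]
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:
                centers[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def leader(points: List[Point], radius: float = 2.0) -> List[int]:
    """Single-pass leader clustering: join the first centre within `radius`, else open a cluster."""
    centers: List[Point] = []
    labels: List[int] = []
    for p in points:
        for idx, c in enumerate(centers):
            if dist(p, c) <= radius:
                labels.append(idx)
                break
        else:
            centers.append(p)
            labels.append(len(centers) - 1)
    return labels


def silhouette(points: List[Point], labels: List[int]) -> float:
    """Mean silhouette coefficient, the 'clustering effect' score: in [-1, 1], higher is better."""
    total = 0.0
    for i, p in enumerate(points):
        own = [dist(p, q) for j, q in enumerate(points) if j != i and labels[j] == labels[i]]
        others = [sum(dist(p, q) for j, q in enumerate(points) if labels[j] == lab) / labels.count(lab)
                  for lab in set(labels) if lab != labels[i]]
        if not own or not others:
            continue
        a, b = sum(own) / len(own), min(others)
        total += (b - a) / max(a, b)
    return total / len(points)


CANDIDATES: Dict[str, Callable[[List[Point]], List[int]]] = {"kmeans": kmeans, "leader": leader}


def pre_cluster(points: List[Point], sample_size: int = 9, seed: int = 0) -> Tuple[str, Dict[str, Tuple[float, float]]]:
    """S1024: score every candidate on a sampled subset; best score, then lowest time, wins."""
    subset = random.Random(seed).sample(points, sample_size)
    results: Dict[str, Tuple[float, float]] = {}
    for name, algo in CANDIDATES.items():
        t0 = time.perf_counter()
        labels = algo(subset)
        results[name] = (silhouette(subset, labels), time.perf_counter() - t0)
    return max(results, key=lambda n: (results[n][0], -results[n][1])), results


def label_families(labels: List[int], av_labels: List[str]) -> List[str]:
    """S1026: every member of a cluster gets the family the antivirus labels vote for most."""
    votes: Dict[int, Counter] = {}
    for cluster, av in zip(labels, av_labels):
        votes.setdefault(cluster, Counter())[av] += 1
    family = {c: v.most_common(1)[0][0] for c, v in votes.items()}
    return [family[c] for c in labels]


# Constructed data: three well-separated blobs of 2-D texture-feature vectors, one per
# family named in the text; the antivirus label of one sample is deliberately noisy.
FAMILIES = ["Trojan-Fake", "Backdoor-Zegost", "Win32-Angryel"]
_rng = random.Random(1)
POINTS: List[Point] = []
AV_LABELS: List[str] = []
for fam, (cx, cy) in zip(FAMILIES, [(1.0, 0.1), (9.0, 0.9), (5.0, 8.0)]):
    for _ in range(8):
        POINTS.append((cx + _rng.uniform(-0.5, 0.5), cy + _rng.uniform(-0.5, 0.5)))
        AV_LABELS.append(fam)
AV_LABELS[3] = "Generic.Heuristic"  # constructed noisy label, outvoted by the other 7 members


def build_training_set(points: List[Point] = POINTS, av_labels: List[str] = AV_LABELS):
    """S1024 + S1025 + S1026: choose the algorithm, cluster the full set, label the clusters."""
    chosen, _ = pre_cluster(points)
    labels = CANDIDATES[chosen](points)
    return chosen, labels, label_families(labels, av_labels)


if __name__ == "__main__":
    chosen, labels, families = build_training_set()
    print("chosen:", chosen, "clusters:", len(set(labels)))
    print(sorted(Counter(families).items()))
```

The majority vote is what makes the training labels usable: a single sample whose antivirus verdict is a generic heuristic name still ends up in the family its traffic genome clusters with.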
S103: train the preset deep learning model with the genomes of the labelled malicious code families to establish the malicious traffic detection model.
Optionally, the method may also include: building a deep learning model in advance with deep learning technology, and setting the network architecture parameters and training weights of the deep learning model.
In the embodiment, a deep learning neural network model can be built in advance, with its network structure parameters and training weights set. The deep learning model is trained with the labelled malicious traffic clusters, and cross-validation is carried out.
In the embodiment, deep learning technologies including but not limited to RNN (recurrent neural networks), convolutional neural networks (CNN), transfer learning, ensemble learning and combinations of multiple deep learning technologies can be used to build the deep learning model and to set its network architecture parameters and training weights.
In the embodiment, the deep learning model is trained based on the labelled malicious traffic genomes. This embodiment is described taking a CNN model as an example: a CNN model is built, and its network architecture parameters and training weights are set. The network structure of the CNN is shown schematically in Fig. 5, which shows a CNN framework of 3 convolutional layers, 3 pooling layers and 2 fully connected layers. The CNN model framework mentioned in the embodiment includes but is not limited to the network structure described in Fig. 7. Building the CNN model can specifically include the following steps:
1. Construct the input layer and set the input layer parameters. The input image is N*N*num_channel, where num_channel is the depth of this layer. If the input image is a grey-scale image, this value is 1, indicating a single channel. If the input image is an RGB image, this value is 3. The number of channels differs for different kinds of image: for example, a CMYK image has 4 channels by default, while RGB and Lab images have 3 channels.
2. Construct the convolutional layer and set the convolutional layer parameters. Features are extracted from the input image: the layer learns image features with an N × N data matrix while retaining the spatial relationship between pixels. To improve the discrimination of a CNN model, several convolutional layers may be selected.
3. Construct the non-linear layer and set the non-linear layer parameters. After each convolution operation there is an additional rectified linear unit (ReLU) layer, which carries out a non-linear operation pixel by pixel, replacing every negative pixel value with 0.
4. Construct the pooling layer and set the pooling layer parameters. The pooling layer reduces the dimension of each feature map while retaining the most important information. For a CNN model, several pooling layers may be selected in order to reduce the training data scale, improve training speed and shorten the model convergence time.
5. Construct the fully connected layer and set the fully connected layer parameters. It is a multi-layer perceptron (MLP) that uses an activation function (such as the Softmax function) as the output layer, and every neuron of the previous layer is connected to every neuron of the next layer. The output probabilities of the fully connected layer sum to 1, which is guaranteed by the activation function: it transforms a vector of arbitrary real values into a vector whose elements lie in 0-1 and sum to 1.
6. Construct the output layer and set the output layer parameters. The output value is a vector of length M, giving the probability that the traffic belongs to each of the M malicious code families.
In an embodiment of the present invention, after the deep learning model (such as the CNN model above) has been established by the steps above, the training data preprocessing process may begin: for the labelled malicious traffic genomes, a preset segmentation algorithm (including but not limited to the G2S segmentation algorithm) divides each malicious traffic genome into multiple blocks for training the malicious traffic detection CNN model, as shown in Fig. 6 and Fig. 7.
Optionally, training the preset deep learning model with the genomes of the labelled malicious code families to establish the malicious traffic detection model may include S1031-S1033:
S1031. For the labelled malicious traffic genomes, use a preset segmentation algorithm to divide the malicious traffic genomes of the different malicious code families into multiple blocks; the original malicious traffic genomes and their blocks are each used for training the deep learning model.
In an embodiment of the present invention, dividing the labelled malicious traffic genomes into multiple blocks with the preset segmentation algorithm may include S10311-S10313:
S10311. Obtain samples from the training malicious traffic genome sample set;
S10312. Divide each malicious traffic genome file into multiple blocks with the G2S segmentation algorithm and filter out blocks that do not meet the conditions, for example blocks whose image mode is single-valued, all-white or all-black;
S10313. Use the malicious traffic genome blocks generated in the previous step, together with the malicious traffic genome files themselves, as the training image set, i.e. as the training input of the malicious traffic detection CNN.
S1032. Train the deep learning model separately on the original malicious traffic genomes and on their blocks, each through multiple rounds of iteration, to obtain the corresponding training results;
S1033. Take the deep learning model whose training result is closest to the preset requirement after training as the malicious traffic detection model.
In an embodiment of the present invention, the steps of training the malicious traffic detection CNN model may include:
1. Initialise all filters and parameters/weights with random numbers;
2. The convolutional neural network (CNN) takes the malicious code images used for training as input, executes the forward propagation steps (convolutional layer, ReLU layer, pooling layer and fully connected layer), and calculates the corresponding output probability of each class;
3. Calculate the total error of the output layer (the sum over the classes);
4. The back-propagation algorithm calculates the gradient of the error with respect to all weights, and gradient descent updates the values of all filter weights and parameters so that the output error is minimised;
5. After at most nb_epoch iterations, output the optimal classification model (CNN model);
6. Save the trained CNN model. The trained CNN model and weights are saved in an HDF5 file, which contains the following information: the model structure, the model weights, the training configuration (loss function, optimizer, etc.) and the state of the optimizer.
S104. Detect real-time network traffic with the malicious traffic detection model to realise malicious traffic detection.
In an embodiment of the present invention, real-time network traffic sessions are obtained, the real-time network traffic is preprocessed to obtain traffic session images (each traffic session is mapped to an image with the T2G mapping algorithm), the traffic session images are detected with the malicious traffic detection model, and the detection result of the deep learning model is output. Then a preset malicious traffic scoring algorithm (such as MT_Score) processes the detection result to realise malicious traffic detection, compromised host identification and malicious code family determination.
Optionally, detecting real-time network traffic with the malicious traffic detection model to realise malicious traffic detection includes S1041-S1045:
S1041. Load the trained malicious traffic detection model from an HDF5 (Hierarchical Data Format 5) file into memory;
S1042. Obtain a real-time network traffic session and map the session to a genome with the T2G mapping algorithm;
S1043. Divide the genome of the real-time network traffic session into multiple blocks with the G2S segmentation algorithm;
S1044. Detect the genome of the real-time network traffic session and its blocks with the malicious traffic detection model to obtain the detection result;
S1045. Process the detection result with the malicious traffic scoring algorithm MT_Score to realise malicious traffic detection.
In an embodiment of the present invention, the scheme above is again illustrated with the trained CNN model as the example. Detecting real-time network traffic with the malicious traffic detection model to realise malicious traffic detection may include the steps:
1. Load the trained convolutional neural network (CNN) model from a file on disk into memory;
2. Preprocess the network traffic session to be detected and map the preprocessed traffic session set to M × M images with the T2G mapping algorithm;
3. Divide the genome file of the traffic to be detected into multiple blocks with the G2S segmentation algorithm and filter out blocks that do not meet the conditions, for example blocks whose image mode is single-valued, all-white or all-black;
4. Input the genome file of the traffic to be detected and its block set to the convolutional neural network (CNN) classification model to obtain the detection result list;
5. Based on the detection result of the convolutional neural network (CNN) model, process the detection result with the malicious traffic scoring algorithm MT_Score to realise malicious traffic detection, compromised host identification and malicious code family determination.
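The session-to-image mapping and block segmentation used in steps 2 and 3 above (and in S10311-S10313 of the training path), as an added example that is not part of the patent: the T2G and G2S algorithms themselves are not disclosed on the page, so `session_to_image` and `split_blocks` are simplified stand-ins that only reproduce the described behaviour, and the 8-pixel block side is an assumption.

```python
# Added example (not from the patent): simplified stand-ins for the T2G mapping and
# G2S segmentation steps. A session is laid out as an N x N grey image, tiled into
# blocks, and blocks that are single-valued (all-black, all-white or any other
# uniform block) are dropped before they reach the detection model.
from typing import List

N = 32          # image side, the page's default input resolution
BLOCK = 8       # block side used by this example (assumption; G2S block size is not given)

Image = List[List[int]]


def session_to_image(session: bytes, n: int = N) -> Image:
    """Map raw session bytes to an n x n grey image, one byte per pixel.

    Stand-in for the T2G mapping: the payload is laid out row by row,
    truncated to n*n bytes or padded with 0 (black) when it is shorter."""
    payload = session[: n * n].ljust(n * n, b"\x00")
    return [list(payload[r * n:(r + 1) * n]) for r in range(n)]


def split_blocks(img: Image, block: int = BLOCK) -> List[Image]:
    """Tile the image into non-overlapping block x block sub-images (G2S stand-in)."""
    n = len(img)
    blocks = []
    for r in range(0, n - block + 1, block):
        for c in range(0, n - block + 1, block):
            blocks.append([row[c:c + block] for row in img[r:r + block]])
    return blocks


def is_uniform(block: Image) -> bool:
    """True when every pixel has the same value; this covers all-black (0),
    all-white (255) and any other single-mode block the page says is filtered out."""
    first = block[0][0]
    return all(v == first for row in block for v in row)


def preprocess_session(session: bytes) -> dict:
    """Run the preprocessing chain and return the image, the blocks that survive
    filtering, and counts so a caller can see how much was discarded."""
    img = session_to_image(session)
    blocks = split_blocks(img)
    kept = [b for b in blocks if not is_uniform(b)]
    return {"image": img, "blocks": kept,
            "total_blocks": len(blocks), "dropped": len(blocks) - len(kept)}


# Constructed sample session: 200 bytes of varied data followed by a run of 0xFF;
# the remainder of the 32x32 image is zero-padded (black), so several blocks are uniform.
SAMPLE_SESSION = bytes(range(200)) + b"\xff" * 300


if __name__ == "__main__":
    result = preprocess_session(SAMPLE_SESSION)
    print("blocks:", result["total_blocks"], "dropped:", result["dropped"],
          "kept:", len(result["blocks"]))
```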
In an embodiment of the present invention, processing the detection result of the convolutional neural network (CNN) model with the malicious traffic scoring algorithm MT_Score includes:
51. Obtain the detection result vector of the convolutional neural network (CNN) model;
52. Process the detection result vector with the malicious traffic scoring algorithm MT_Score and output the estimation result: legitimate traffic, or the malicious code family that generated the malicious traffic. The flow chart of the MT_Score malicious traffic scoring algorithm is shown in Fig. 8;
53. By associating the session metadata, obtain the compromised host that generated the malicious traffic and the malicious server it connected to, and generate an alarm event;
54. Associate the alarm events with a correlation engine within a specified time window, such as 48 hours, to obtain the command-and-control communication pattern, and further generate advanced correlated alarm events that further confirm the compromised host and the control server.
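Steps 51-54 as an added example that is not part of the patent: the MT_Score algorithm of Fig. 8 is not disclosed on the page, so `mt_score` uses its own hypothetical combination rule (average the CNN output vectors of a genome and its blocks, then apply a threshold), and the family labels, threshold, minimum alarm count and session metadata are all constructed for this example; only the 48-hour window comes from the page.

```python
# Added example (not from the patent): a hypothetical stand-in for the MT_Score
# post-processing and the alarm-correlation steps described above.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

FAMILIES = ["family_A", "family_B", "family_C"]   # constructed family labels
MALICIOUS_THRESHOLD = 0.6                          # assumption: minimum averaged probability
WINDOW = timedelta(hours=48)                       # the correlation window named on the page
MIN_ALARMS = 3                                     # assumption: alarms needed for an advanced alarm


def mt_score(results: List[List[float]], families: List[str] = FAMILIES,
             threshold: float = MALICIOUS_THRESHOLD) -> Optional[str]:
    """Step 52 (stand-in rule): combine the CNN output vectors for a genome and its
    blocks into one verdict. Each vector holds one probability per family. The
    vectors are averaged and a family is reported only when its averaged probability
    reaches the threshold; otherwise None (legitimate traffic) is returned."""
    if not results:
        return None
    n = len(families)
    avg = [sum(vec[i] for vec in results) / len(results) for i in range(n)]
    best = max(range(n), key=lambda i: avg[i])
    return families[best] if avg[best] >= threshold else None


def raise_alarms(sessions: List[dict]) -> List[dict]:
    """Step 53: attach the session metadata (time, internal host, external server)
    to every malicious verdict, producing one alarm event per malicious session."""
    alarms = []
    for s in sessions:
        family = mt_score(s["results"])
        if family is not None:
            alarms.append({"time": s["time"], "host": s["src"],
                           "server": s["dst"], "family": family})
    return alarms


def correlate_alarms(alarms: List[dict], window: timedelta = WINDOW,
                     min_alarms: int = MIN_ALARMS) -> List[dict]:
    """Step 54: group alarms per (host, server) pair and emit an advanced alarm when
    at least min_alarms fall inside one window; the gaps between them are kept as a
    crude picture of the command-and-control communication rhythm."""
    by_pair: Dict[Tuple[str, str], List[dict]] = defaultdict(list)
    for a in alarms:
        by_pair[(a["host"], a["server"])].append(a)
    advanced = []
    for (host, server), items in by_pair.items():
        items.sort(key=lambda a: a["time"])
        for i in range(len(items) - min_alarms + 1):
            span = items[i:i + min_alarms]
            if span[-1]["time"] - span[0]["time"] <= window:
                gaps = [(b["time"] - a["time"]).total_seconds()
                        for a, b in zip(span, span[1:])]
                advanced.append({"host": host, "server": server,
                                 "families": sorted({a["family"] for a in span}),
                                 "gaps_seconds": gaps})
                break
    return advanced


# Constructed sessions (documentation-range addresses): one host beacons hourly to
# one server with family_A verdicts, one session is benign, one host has a single alarm.
_T0 = datetime(2018, 7, 2, 8, 0)
SAMPLE_SESSIONS = [
    {"time": _T0, "src": "10.0.0.5", "dst": "203.0.113.7",
     "results": [[0.8, 0.1, 0.1], [0.7, 0.2, 0.1], [0.9, 0.05, 0.05]]},
    {"time": _T0 + timedelta(hours=1), "src": "10.0.0.5", "dst": "203.0.113.7",
     "results": [[0.6, 0.3, 0.1], [0.7, 0.2, 0.1]]},
    {"time": _T0 + timedelta(hours=2), "src": "10.0.0.5", "dst": "203.0.113.7",
     "results": [[0.9, 0.05, 0.05]]},
    {"time": _T0 + timedelta(hours=3), "src": "10.0.0.9", "dst": "203.0.113.7",
     "results": [[0.3, 0.4, 0.3], [0.2, 0.5, 0.3]]},       # below threshold: legitimate
    {"time": _T0 + timedelta(hours=5), "src": "10.0.0.9", "dst": "198.51.100.4",
     "results": [[0.1, 0.1, 0.8]]},                          # a single, uncorrelated alarm
]


if __name__ == "__main__":
    alarms = raise_alarms(SAMPLE_SESSIONS)
    for adv in correlate_alarms(alarms):
        print(adv)
```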
In an embodiment of the present invention, by means of the technical solution of the embodiment, the network communication of malicious code and its variants can be detected by learning malicious network traffic sessions, and at the same time the control servers and compromised hosts of malicious code families can be detected. The application solves to a certain extent the problems of traditional feature detection techniques (such as intrusion detection systems (IDS), firewalls and web application firewalls (WAF)), whose manually extracted feature rules are hard to write and easily bypassed by malicious code variants, and it provides more efficient and more accurate detection. Moreover, the present invention can detect malicious traffic on Windows, Linux, Mac and Android systems, and so covers a wider range of malicious traffic types.
To achieve the purpose of the embodiment of the present invention, the embodiment provides a malicious traffic detection implementation device 1 based on deep learning. As shown in Fig. 9, the device may include: a malicious traffic acquisition module 11, a training data acquisition module 12, a training module 13 and a detection module 14.
Malicious traffic acquisition module 11: obtains the traffic sessions of malicious code by dynamic sandbox technology.
In an embodiment of the present invention, the malicious traffic acquisition module obtains malicious traffic and filters out legitimate traffic. That is, malicious code samples are obtained from the malicious code sample library, the bidirectional traffic sessions of the malicious code are obtained with dynamic sandbox technology, legitimate traffic is filtered out, and the malicious traffic session set is obtained.
Training data acquisition module 12: maps the traffic sessions of the malicious code to genomes, extracts the genome features, clusters on the genome features of the traffic sessions, and labels the clustering result with malicious code families.
In an embodiment of the present invention, the training data acquisition module obtains the training data that deep learning needs. That is, the malicious traffic session set is preprocessed with the T2G mapping algorithm, each malicious traffic session is mapped to a traffic genome, and its genome features are extracted. A general clustering algorithm, such as hierarchical clustering, density clustering or K-means clustering, clusters the features of the traffic genomes, and the clustering result is labelled with malicious code families according to Microsoft MSE antivirus software or other antivirus software.
Training module 13: trains the preset deep learning model with the genomes of the labelled malicious code families to establish the malicious traffic detection model.
In an embodiment of the present invention, the training module trains the deep learning model: it constructs the deep learning neural network model, sets the network structure parameters and training weights, trains the deep learning model with the labelled malicious traffic clusters, and carries out cross-validation.
In an embodiment of the present invention, the training module 13 trains the preset deep learning model with the genomes of the labelled malicious code families to establish the malicious traffic detection model. The deep learning model may be a convolutional neural network (CNN) model; as shown in Fig. 5, the convolutional neural network (CNN) framework may include the following structure:
1. Image input layer: the unit that provides the image input. Essentially, every image can be expressed as a matrix of pixel values. Common images include 3-channel RGB images and single-channel images. An RGB image can be understood as a stack of three 2-D matrices (one per colour), with each matrix value between 0 and 255. A single-channel image can be understood as one 2-D matrix, with each pixel value in the matrix between 0 and 255, where 0 represents black and 255 represents white. The image matrix corresponds to the input resolution of the image, N × N pixels, with N=32 by default. The larger N is, the higher the training time complexity of the convolutional neural network (CNN) and the more computing resources are required;
2. Convolutional layer: named after the "convolution" operation. The basic purpose of convolution is to extract features from the input image. Convolution learns image features with an N × N data matrix and retains the spatial relationship between pixels. In the convolutional layer, the number of filters (also called "kernels" or "feature detectors") is set to 64, and the size of the filter matrix is 11 × 11. For each filter, the output of the convolutional layer is (32-11+1) * (32-11+1) = 484 neurons;
3. Non-linear layer: an additional operation layer called ReLU that follows each convolution operation. ReLU stands for rectified linear unit; it is a non-linear operation that acts pixel by pixel and replaces all negative pixel values with 0;
4. Pooling layer: the purpose of spatial pooling (also called sub-sampling or down-sampling) is to reduce the dimension of each feature map while retaining the most important information. Spatial pooling can take many forms: max, average, sum, etc. In the example of Fig. 5 a max-pooling layer is selected: a spatial neighbourhood (a 2 × 2 window) is defined and the largest element in the window is taken from the non-linear feature map layer. The output of the pooling layer is therefore reduced to about 11*11*64 = 7744 neurons;
5. Fully connected layer: a multi-layer perceptron (MLP) with the softmax activation function as the output layer; many other classifiers, such as support vector machines, also use softmax. "Fully connected" means that every neuron of the previous layer is connected to every neuron of the next layer. The outputs of the convolutional and pooling layers represent high-level features of the input image; the purpose of the fully connected layer is to classify with these features, the classes being based on the training set. In the malicious code family image classification task shown in Fig. 7 there are 12 possible classes. Besides classification, adding a fully connected layer is also an effective way of learning non-linear combinations of the features. The output probabilities of the fully connected layer sum to 1, which is guaranteed by the Softmax activation function: the Softmax function transforms a vector of arbitrary real values into a vector whose elements lie in 0~1 and sum to 1. In the example of Fig. 7 the fully connected layer has 4096 neurons, each of which is connected to every neuron of the output layer;
6. Output layer: the unit that provides the image detection result, i.e. the class probabilities of the image. For example, the malicious code family image classification task shown in Fig. 7 has 12 possible classes, corresponding to 12 neurons, each of which is connected to the 4096 neurons of the fully connected layer.
In an embodiment of the present invention, for the convolutional neural network of the Fig. 5 framework, the number of learnable parameters P is 39702604, calculated as follows:
P=1024*(11*11*64)+64+(11*11*64)*4096+4096+4096*12+12=39702604
where (11*11*64)+64 is the shared weights of each feature map, 11*11*64, plus the sum of the shared bias terms, 64.
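The layer sizes and parameter arithmetic of the network described in items 1-6 and the formula above, as an added example that is not part of the patent: `trace_shapes` is a general shape tracer for a conv/pool/fc stack and reports the usual per-layer parameter count for comparison, while `page_parameter_count` reproduces the page's formula for P exactly as written; the layer list `FIG5_LAYERS` is this example's encoding of the page's numbers.

```python
# Added example (not from the patent): shape tracing and parameter arithmetic for the
# CNN the page describes (32x32 single-channel input, 64 filters of 11x11, 2x2 max
# pooling, a 4096-unit fully connected layer and 12 outputs).
from typing import List, Tuple

# Layer specs: ("conv", kernel, filters), ("pool", window), ("fc", units)
FIG5_LAYERS: List[Tuple] = [("conv", 11, 64), ("pool", 2), ("fc", 4096), ("fc", 12)]


def trace_shapes(input_side: int, channels: int, layers: List[Tuple]) -> List[dict]:
    """Walk the stack and record each layer's output shape together with the
    conventional trainable-parameter count: kernel*kernel*in_channels*filters + filters
    for a convolution, inputs*units + units for a fully connected layer, 0 for pooling."""
    h, c = input_side, channels
    flat = None                  # number of inputs once the feature maps are flattened
    trace = []
    for spec in layers:
        kind = spec[0]
        if kind == "conv":
            _, k, filters = spec
            h = h - k + 1        # valid convolution, stride 1, as in the page's 32-11+1 = 22
            params = k * k * c * filters + filters
            c = filters
            trace.append({"layer": "conv", "shape": (h, h, c),
                          "per_filter": h * h, "params": params})
        elif kind == "pool":
            _, w = spec
            h = h // w
            trace.append({"layer": "pool", "shape": (h, h, c),
                          "neurons": h * h * c, "params": 0})
        elif kind == "fc":
            _, units = spec
            if flat is None:
                flat = h * h * c
            params = flat * units + units
            flat = units
            trace.append({"layer": "fc", "shape": (units,), "params": params})
        else:
            raise ValueError(f"unknown layer kind {kind!r}")
    return trace


def page_parameter_count(n: int = 32, k: int = 11, filters: int = 64, pool: int = 2,
                         fc: int = 4096, classes: int = 12) -> int:
    """The page's formula, reproduced term by term as written:
    P = 1024*(11*11*64) + 64 + (11*11*64)*4096 + 4096 + 4096*12 + 12."""
    pooled = ((n - k + 1) // pool) ** 2 * filters   # 11*11*64 = 7744 pooled neurons
    return (n * n) * pooled + filters + pooled * fc + fc + fc * classes + classes


def conventional_parameter_count(layers: List[Tuple] = FIG5_LAYERS) -> int:
    """Sum of the per-layer counts from trace_shapes(); shown for comparison only,
    it is not the figure the page states."""
    return sum(t["params"] for t in trace_shapes(32, 1, layers))


if __name__ == "__main__":
    for t in trace_shapes(32, 1, FIG5_LAYERS):
        print(t)
    print("page formula P =", page_parameter_count())
    print("conventional per-layer count =", conventional_parameter_count())
```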
Detection module 14: detects real-time network traffic with the malicious traffic detection model to realise malicious traffic detection.
In an embodiment of the present invention, the detection module detects unknown traffic sessions with the trained deep learning model: it preprocesses the real-time network traffic to obtain traffic session images, detects the traffic session images with the malicious traffic detection model, and outputs the detection result of the deep learning model. Then the malicious traffic scoring algorithm MT_Score processes the detection result to realise malicious traffic detection, compromised host identification and malicious code family determination.
In an embodiment of the present invention, when the selected training set covers the malicious traffic generated by enough malicious code families, the trained learning model can distinguish malicious traffic from legitimate traffic and can accurately label malicious traffic with its malicious code family. Moreover, the trained learning model can detect the network traffic generated by malicious code and its variants on Windows, Linux, Mac and Android systems.
In an embodiment of the present invention, the malicious traffic detection implementation method based on deep learning only needs to be supplied continuously with new samples; the sandbox generates the network traffic, and learning, detection and upgrading are completed by the unsupervised learning and deep learning processes without manual intervention.
To achieve the purpose of the embodiment of the present invention, the embodiment provides a malicious traffic detection implementation device 2 based on deep learning. As shown in Fig. 10, it includes a processor 21 and a computer-readable storage medium 22; instructions are stored in the computer-readable storage medium 22, and when the instructions are executed by the processor 21 the malicious traffic detection implementation method based on deep learning described above is realised.
The embodiment of the present invention includes: obtaining the traffic sessions of malicious code by dynamic sandbox technology; mapping the traffic sessions of the malicious code to genomes and extracting the genome features, clustering on the genome features of the traffic sessions, and labelling the clustering result with malicious code families; training a preset deep learning model with the genomes of the labelled malicious code families to establish a malicious traffic detection model; and detecting real-time network traffic with the malicious traffic detection model to realise malicious traffic detection. The embodiment solves to a certain extent the problems of current detection techniques, namely that manual feature extraction is difficult, privacy leaks, encryption and obfuscation are hard to handle, and machine learning features have to be extracted manually; it has higher robustness and is fast, highly accurate, has a low false alarm rate and detects across platforms.
The core of the application is that malicious code bypasses traditional traffic feature detection devices by traffic variation: most of the traffic interaction function segments are retained during variation while the position of the features and the feature points change. Dynamic sandbox technology obtains the bidirectional traffic sessions of malicious code families, legitimate traffic is filtered out, and the malicious traffic session set is obtained. The unsupervised learning (clustering) method of machine learning labels the malicious traffic with families. Deep learning technology learns the malicious traffic genomes and thereby obtains the ability to detect malicious traffic through block-wise learning and block-wise identification, and at the same time obtains the ability to detect malicious code families. The application solves to a certain extent the problems of feature detection techniques, namely that manual feature extraction is difficult, privacy leaks, encryption and obfuscation are hard to handle, and machine learning features have to be extracted manually. At the same time, the application also has excellent detection ability for the malicious traffic generated by malicious code variants and completely new malicious code, has higher robustness, and is fast, highly accurate, has a low false alarm rate and detects across platforms.
The application introduces unsupervised learning (clustering) technology, deep learning technology and image recognition technology, so that it has at least the following advantages:
1. It solves to a certain extent the problems of feature detection, namely that manual feature extraction is difficult, privacy leaks, encryption and obfuscation are hard to identify, and machine learning features have to be extracted manually;
2. Through the self-learning process it greatly reduces the manual intervention of security experts and reduces the cost of system maintenance and upgrading;
3. It also has excellent detection ability for the malicious traffic generated by malicious code variants and completely new malicious code, has higher robustness, and is fast, highly accurate, has a low false alarm rate and detects across platforms;
4. It quickly and accurately detects the traffic session characteristics of malicious code and its variants, and thereby determines the family of the malicious code and its variants that generated the traffic, improving detection efficiency and precision.
Although the embodiments disclosed by the embodiment of the present invention are as above, the content is only an embodiment adopted for ease of understanding the present invention and is not intended to limit the embodiment of the invention. Any person skilled in the art of the embodiment of the present invention may make any modification and variation in the form and details of implementation without departing from the spirit and scope disclosed by the embodiment, but the scope of patent protection of the embodiment of the present invention shall still be subject to the scope defined by the appended claims.
Claims (10)
1. A malicious traffic detection implementation method based on deep learning, characterised in that the method includes:
obtaining the traffic sessions of malicious code by dynamic sandbox technology;
mapping the traffic sessions of the malicious code to genomes and extracting genome features, clustering on the genome features of the traffic sessions, and labelling the clustering result with malicious code families;
training a preset deep learning model with the genomes of the labelled malicious code families to establish a malicious traffic detection model;
detecting real-time network traffic with the malicious traffic detection model to realise malicious traffic detection.
2. The malicious traffic detection implementation method based on deep learning according to claim 1, characterised in that obtaining the traffic sessions of malicious code by dynamic sandbox technology includes:
obtaining malicious code samples of a specified type from a malicious code database and filtering out from the malicious code samples those that do not meet the conditions;
executing the malicious code samples remaining after filtering with the dynamic sandbox technology, and monitoring the behaviour of the executed malicious code samples by hooking (HOOK) the system application programming interface (API), so as to identify unknown malicious file infiltration and command and control (C&C) malicious external connections;
obtaining the network traffic of the corresponding sample from the sandbox virtual machine and filtering out legitimate traffic from the network traffic to obtain the traffic session set of the malicious code.
3. The malicious traffic detection implementation method based on deep learning according to claim 1, characterised in that mapping the traffic sessions of the malicious code to genomes and extracting genome features, clustering on the genome features of the traffic sessions, and labelling the clustering result with malicious code families includes:
preprocessing the traffic session data of the malicious code to retain the data whose discrimination is greater than or equal to a preset discrimination threshold;
mapping the traffic session set of the preprocessed malicious code to genomes of a default size with a preset mapping algorithm;
extracting the genome features of the genomes with a genome feature extraction algorithm to construct the genome feature set of the malicious traffic genomes;
sampling the genome feature set of the malicious traffic genomes to construct a genome feature subset, and executing a pre-clustering process to select the required clustering algorithm;
after determining the required clustering algorithm, clustering on the genome feature set of the full set of malicious traffic genomes;
labelling the clusters of malicious traffic genomes with families using preset antivirus software, to construct the training sample set required by deep learning.
4. The malicious traffic detection implementation method based on deep learning according to claim 1, characterised in that the method further includes: constructing the deep learning model in advance with deep learning technology, and setting the network structure parameters and training weights of the deep learning model.
5. The malicious traffic detection implementation method based on deep learning according to claim 3, characterised in that training the preset deep learning model with the genomes of the labelled malicious code families to establish the malicious traffic detection model includes:
for the labelled malicious traffic genomes, dividing the malicious traffic genomes of the different malicious code families into multiple blocks with a preset segmentation algorithm, wherein the original malicious traffic genomes and their blocks are each used for training the deep learning model;
training the deep learning model separately on the original malicious traffic genomes and on their blocks, each through multiple rounds of iteration, to obtain the corresponding training results;
taking the deep learning model whose training result is closest to the preset requirement after training as the malicious traffic detection model.
6. The malicious traffic detection implementation method based on deep learning according to claim 3, characterised in that detecting real-time network traffic with the malicious traffic detection model to realise malicious traffic detection includes:
loading the trained malicious traffic detection model from a Hierarchical Data Format 5 (HDF5) file into memory;
obtaining a real-time network traffic session and mapping the real-time network traffic session to a genome with a preset mapping algorithm;
dividing the genome of the real-time network traffic session into multiple blocks with a preset segmentation algorithm;
detecting the genome of the real-time network traffic session and its blocks with the malicious traffic detection model to obtain a detection result;
processing the detection result with the malicious traffic scoring algorithm MT_Score to realise malicious traffic detection.
7. The malicious traffic detection implementation method based on deep learning according to claim 2, characterised in that the malicious code database includes: malicious files for the Windows system, executable and linkable format (ELF) malicious files for the Linux system, malicious files for the Mac system, and Android application package (APK) files for the Android system.
8. The malicious traffic detection implementation method based on deep learning according to claim 7, characterised in that the dynamic sandbox technology has built-in Windows, Linux, Mac and Android virtual machines and can run the Windows malicious files, the Linux ELF malicious files, the Mac malicious files and the Android APK files to generate network communication.
9. The malicious traffic detection implementation method based on deep learning according to claim 5 or 6, characterised in that the preset mapping algorithm includes the T2G mapping algorithm, and the preset segmentation algorithm includes the G2S segmentation algorithm.
10. A malicious traffic detection device based on deep learning, including a processor and a computer-readable storage medium in which instructions are stored, characterised in that when the instructions are executed by the processor the malicious traffic detection implementation method based on deep learning according to any one of claims 1-9 is realised.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810708037.8A CN108985361B (en) | 2018-07-02 | 2018-07-02 | Malicious traffic detection implementation method and device based on deep learning |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108985361A true CN108985361A (en) | 2018-12-11 |
CN108985361B CN108985361B (en) | 2021-06-18 |
Family
ID=64539384
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108985361B (en) |
CN111726259A (en) * | 2019-03-20 | 2020-09-29 | 上海御行信息技术有限公司 | VPN tunnel flow monitoring system, method and device based on deep learning |
CN111901282A (en) * | 2019-05-05 | 2020-11-06 | 四川大学 | Method for generating malicious code flow behavior detection structure |
CN112054992A (en) * | 2020-07-28 | 2020-12-08 | 北京邮电大学 | Malicious traffic identification method and device, electronic equipment and storage medium |
CN112104677A (en) * | 2020-11-23 | 2020-12-18 | 北京金睛云华科技有限公司 | Controlled host detection method and device based on knowledge graph |
CN112187716A (en) * | 2020-08-26 | 2021-01-05 | 中国科学院信息工程研究所 | Knowledge graph display method for malicious codes in network attack |
CN112235314A (en) * | 2020-10-29 | 2021-01-15 | 东巽科技(北京)有限公司 | Network flow detection method, device and equipment |
CN112235305A (en) * | 2020-10-15 | 2021-01-15 | 四川长虹电器股份有限公司 | Malicious traffic detection method based on convolutional neural network |
CN112257062A (en) * | 2020-12-23 | 2021-01-22 | 北京金睛云华科技有限公司 | Sandbox knowledge base generation method and device based on frequent item set mining |
CN112311814A (en) * | 2020-12-23 | 2021-02-02 | 中国航空油料集团有限公司 | Malicious encrypted traffic identification method and system based on deep learning and electronic equipment |
CN112347478A (en) * | 2020-10-13 | 2021-02-09 | 北京天融信网络安全技术有限公司 | Malicious software detection method and device |
CN112380535A (en) * | 2020-11-13 | 2021-02-19 | 重庆科技学院 | CBOW-based malicious code three-channel visual identification method |
CN112738109A (en) * | 2020-12-30 | 2021-04-30 | 杭州迪普科技股份有限公司 | Web attack detection method and device |
CN112866179A (en) * | 2019-11-27 | 2021-05-28 | 北京沃东天骏信息技术有限公司 | Current limiting method and current limiting device |
CN113010268A (en) * | 2021-03-22 | 2021-06-22 | 腾讯科技(深圳)有限公司 | Malicious program identification method and device, storage medium and electronic equipment |
CN113747443A (en) * | 2021-02-26 | 2021-12-03 | 上海观安信息技术股份有限公司 | Machine learning algorithm-based security detection method and device |
CN113949531A (en) * | 2021-09-14 | 2022-01-18 | 北京邮电大学 | Malicious encrypted flow detection method and device |
CN113992349A (en) * | 2021-09-23 | 2022-01-28 | 云南财经大学 | Malicious traffic identification method, device, equipment and storage medium |
CN114070602A (en) * | 2021-11-11 | 2022-02-18 | 北京天融信网络安全技术有限公司 | HTTP tunnel detection method, device, electronic equipment and storage medium |
CN114268484A (en) * | 2021-12-17 | 2022-04-01 | 北京天融信网络安全技术有限公司 | Malicious encrypted flow detection method and device, electronic equipment and storage medium |
CN114710322A (en) * | 2022-03-15 | 2022-07-05 | 清华大学 | Hidden malicious traffic detection method and device based on traffic interaction graph |
CN115001789A (en) * | 2022-05-27 | 2022-09-02 | 绿盟科技集团股份有限公司 | Method, device, equipment and medium for detecting defect-losing equipment |
CN115134168A (en) * | 2022-08-29 | 2022-09-30 | 成都盛思睿信息技术有限公司 | Method and system for detecting cloud platform hidden channel based on convolutional neural network |
CN116186503A (en) * | 2022-12-05 | 2023-05-30 | 广州大学 | Industrial control system-oriented malicious flow detection method and device and computer storage medium |
CN114401229B (en) * | 2021-12-31 | 2023-09-19 | 北京理工大学 | Encryption traffic identification method based on transform deep learning model |
CN117118745A (en) * | 2023-10-20 | 2023-11-24 | 山东慧贝行信息技术有限公司 | Network security dynamic early warning system based on deep learning |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102142068A (en) * | 2011-03-29 | 2011-08-03 | 华北电力大学 | Method for detecting unknown malicious code |
CN107103235A (en) * | 2017-02-27 | 2017-08-29 | 广东工业大学 | A kind of Android malware detection method based on convolutional neural networks |
CN107392019A (en) * | 2017-07-05 | 2017-11-24 | 北京金睛云华科技有限公司 | A kind of training of malicious code family and detection method and device |
US9942268B1 (en) * | 2015-08-11 | 2018-04-10 | Symantec Corporation | Systems and methods for thwarting unauthorized attempts to disable security managers within runtime environments |
CN108009425A (en) * | 2017-11-29 | 2018-05-08 | 四川无声信息技术有限公司 | File detects and threat level decision method, apparatus and system |
CN108200030A (en) * | 2017-12-27 | 2018-06-22 | 深信服科技股份有限公司 | Detection method, system, device and the computer readable storage medium of malicious traffic stream |
- 2018-07-02 CN CN201810708037.8A patent/CN108985361B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN108985361B (en) | 2021-06-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |