CN109194657A - Encrypted web page traffic feature extraction method based on accumulated packet length - Google Patents
Abstract
The present invention relates to a fine-grained web page feature extraction method based on accumulated packet length, and belongs to the technical field of network service security. The method, referred to as WPF, comprises the following steps: Step 1, obtain an encrypted traffic data set; Step 2, extract the packet lengths of the encrypted traffic data set, order them, set the upstream packet lengths to 0 and accumulate, obtaining the accumulated packet length sequence; Step 3, apply a hash operation to the accumulated packet length sequence to obtain the hashed packet sequence; Step 4, generate the encrypted web page traffic feature from the hashed packet sequence. The invention applies to encrypted network traffic that uses the SSL/TLS protocol; the method has high accuracy and high efficiency; it can be combined with conventional machine learning algorithms to build a web page traffic classifier; and it has low feature dimensionality, a simple calculation process and low time complexity, can perform online web page traffic detection, and is suitable for practical application.
Description
Technical field
The present invention relates to a fine-grained web page feature extraction method based on accumulated packet length, and belongs to the technical field of network service security.
Background
Traffic is the carrier of network communication and network services, and traffic analysis can yield a large amount of useful information, such as detecting malicious traffic or obtaining a user's access history. This is important for keeping networks running well and for providing personalized services to users. Traditional traffic feature extraction methods are mostly based on deep inspection of plaintext packet content, but with the widespread use of the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol, network traffic is encrypted, and these traditional methods lose their effectiveness.
Current research on encrypted traffic mostly addresses the identification and classification of traffic from different websites. Compared with website traffic, web page traffic carries information that is more worth investigating: for example, by identifying the traffic of different web pages of the same shopping website, one can obtain a user's shopping behavior and further infer the user's preferences. How to extract features that effectively classify and identify fine-grained web page traffic has therefore become a research hotspot in recent years.
There is a large body of work on encrypted network traffic feature analysis. One existing approach uses packet length and packet count as traffic features. Specifically, upstream packet lengths are made negative and downstream packet lengths positive, and four basic features are used to classify and identify encrypted traffic: the total number of upstream packets, the total number of downstream packets, the accumulated total length of upstream packets and the accumulated total length of downstream packets. This method is called CUMUL. However, it can only classify and identify the encrypted traffic of different websites; for different web pages of the same website, packet lengths and counts are very similar, so fine-grained web page traffic cannot be distinguished. Another approach uses dynamic time warping to classify and identify web page traffic, and is referred to as DTW. It uses only packet timestamps as features; however, timestamps are easily affected by network fluctuation and the dynamic time warping process is very time-consuming, so this method is not suitable for detecting the traffic of different web pages of the same website quickly and effectively.
In summary, the above methods cannot achieve high accuracy and high efficiency in classifying and identifying encrypted web page traffic, and still fall short of what practical application requires.
Summary of the invention
The purpose of the invention is to achieve fine-grained feature extraction for encrypted web page traffic, so that the method can classify and identify the traffic of different web pages of the same website. This makes it possible to further analyze user access behavior, find and block malicious traffic, and provide personalized services to users while improving network security, with high accuracy and high efficiency. To address the problems of existing encrypted traffic identification methods, an encrypted web page traffic feature extraction method based on accumulated packet length is proposed.
An encrypted web page traffic feature extraction method based on accumulated packet length, referred to as WPF, includes the following steps:
Step 1: obtain the encrypted traffic data set.
Step 1.1: use a packet capture tool to capture the SSL/TLS encrypted network traffic generated by one load of a web page, where the packet capture tool is one of Wireshark or Tshark. The encrypted network traffic consists of a number of packets, and each packet contains the following information: the capture time of the packet, source IP address, destination IP address, protocol, packet length, communicating port numbers and encrypted packet content.
Here, the source IP address is one of the client IP address or the server IP address, the destination IP address is one of the client IP address or the server IP address, and the source and destination IP addresses cannot be the same.
Step 1.2: filter the packets contained in the encrypted network traffic, removing useless packets and keeping the remaining packets.
Here, useless packets are TCP error packets and packets with checksum errors.
Step 1.3: classify the remaining packets output by step 1.2 into flows of the same origin. Specifically, packets with the same communicating IP addresses, communicating port numbers and transport protocol are assigned to one flow; all remaining packets are processed this way and sorted into multiple network flows.
Here, packets with the same communicating IP addresses are packets whose source and destination IP addresses are interchangeable (either address may appear as source or as destination).
Step 1.4: count the packets in each network flow produced by step 1.3, keep the one flow with the most packets and discard the other flows. All packets of that flow form one set, recorded as the encrypted traffic data set.
Step 2: extract the packet lengths of the encrypted traffic data set, order them, set the upstream packet lengths to 0 and accumulate, obtaining the accumulated packet length sequence.
Step 2.1: arrange all packets in the encrypted traffic data set in order of capture time, obtaining network flow $F$.
Step 2.2: extract the packet lengths in network flow $F$ in order. Length is denoted $p$, and $p_i$ is the length of the $i$-th packet, where $i$ ranges from 1 to $N$; the packet lengths of network flow $F$ are therefore $(p_1, \ldots, p_N)$.
Step 2.3: set the upstream packet lengths in network flow $F$ to 0 and leave the downstream packet lengths unchanged.
Here, an upstream packet is one whose source IP address is the client IP address and whose destination IP address is the server IP address; a downstream packet is one whose source IP address is the server IP address and whose destination IP address is the client IP address.
Step 2.4: accumulate the lengths of the first $K$ packets in network flow $F$, with $K < N$. The accumulated length at the $i$-th packet is denoted $a_i$, where $i$ ranges from 1 to $K$.
When $i = 1$, $a_1 = p_1$; for $1 < i \le K$, $a_i = p_i + a_{i-1}$. The accumulated packet length sequence is written $A(F) = (a_1, \ldots, a_K)$.
Step 3: apply a hash operation to the accumulated packet length sequence to obtain the hashed packet sequence. Specifically, each accumulated packet length $a_i$ in $A(F)$ is hashed with the hash formula $v_i = \mathrm{Hash}(a_i)$, where $v$ denotes the hash value. The hashed packet sequence is denoted $I$, so that $I = (v_1, \ldots, v_n)$.
Step 4: generate the encrypted web page traffic feature from the hashed packet sequence. Specifically, compute the mode $v_{max}$ of the hashed packet sequence $I$ and the number of times $k_{max}$ that the mode occurs, and use $(v_{max}, k_{max})$ as the feature of the encrypted network flow $F$.
Beneficial effects
Compared with existing encrypted flow identification methods, the encrypted web page traffic feature extraction method based on accumulated packet length proposed by the present invention has the following beneficial effects:
1. The invention applies to encrypted network traffic that uses the SSL/TLS protocol.
2. The invention improves on the problems of existing encrypted traffic identification methods, and the method has high accuracy and high efficiency.
3. The invention uses only packet length information as the web page traffic feature, and can be combined with conventional machine learning algorithms to build a web page traffic classifier.
4. The invention has low feature dimensionality, a simple calculation process and low time complexity, can perform online web page traffic detection, and is suitable for practical application.
Brief description of the drawings
Fig. 1 is the overall flow chart of the encrypted web page traffic feature extraction method based on accumulated packet length of the present invention;
Fig. 2 shows the accumulated packet length sequences of 5 different web pages of the same website, captured with the capture tool described in step 1 of the method;
Fig. 3 shows the web page accumulated packet length sequences after the upstream packets are set to 0 in step 2 of the method.
Detailed description of the embodiments
The process of the "encrypted web page traffic feature extraction method based on accumulated packet length" of the present invention is described below with reference to the drawings and embodiments, and its advantages are explained. It should be understood that implementation of the invention is not limited to the following embodiments, and any adaptation or change made to the invention in any form falls within its scope of protection.
Embodiment 1
This embodiment is a complete simulation of encrypted web page traffic feature extraction carried out according to steps 1 to 4 of the invention; the overall flow chart is shown in Fig. 1. Assume that a network flow is expressed as $F = (p_1, \ldots, p_N)$, where $p_i$ is the length of the $i$-th packet and $F$ is the packet length sequence of the flow. If a packet is downstream data then $p_i > 0$; if it is upstream data then $p_i < 0$. Following step 1, the traffic of 5 different web pages of the same website is captured and processed as above; the result is shown in Fig. 2. The first 100 accumulated packet lengths of web page 1 are shown in Table 1.
Table 1: First 100 accumulated packet lengths of web page 1
The accumulated packet lengths of the network flow are then processed so that only the downstream packet lengths and the positions of the upstream packets are retained. The operation follows step 2, with $K = 100$ in step 2.4. For the web pages above, the interval that discriminates between pages is concentrated between the 30th and 80th packets; the processed packet sequence for this interval is shown in Fig. 3. The processed accumulated packet length sequence of web page 1 for packets 30 to 80 is shown in Table 2.
Table 2: Accumulated packet length sequence of web page 1 after upstream packet lengths are set to 0
9231 | 10745 | 12259 | 13773 | 15287 | 16801 | 16801 | 18315 | 18315 | 19829 |
21343 | 22857 | 24371 | 25885 | 25885 | 27399 | 28913 | 30427 | 31941 | 33455 |
33455 | 34969 | 36483 | 36483 | 37997 | 39511 | 41025 | 42539 | 44053 | 44053 |
45567 | 47081 | 47491 | 47491 | 47491 | 47491 | 47491 | 47491 | 47491 | 47491 |
47551 | 49065 | 50579 | 50579 | 52093 | 53607 | 55121 | 55197 | 55289 | 55289 |
56803 | 58317 | 58317 | 59831 | 59831 | 59891 | 61405 | 62919 | 62919 | 64433 |
Next, taking the above web page traffic as an example, the hash operation of step 3 is applied to the accumulated packet lengths, where $v_i$ is the hash value and $a_i$ is the $i$-th accumulated packet length.
After the hash operation, the packet sequence of web page 1 is as shown in Table 3.
Table 3: Packet sequence of web page 1 after the hash operation
-192 | 186 | 565 | 943 | 1322 | 1700 | 1700 | 2079 | 2079 | 2457 |
2836 | 3214 | 3593 | 3971 | 3971 | 4350 | 4728 | 5107 | 5485 | 5864 |
5864 | 6242 | 6621 | 6621 | 6999 | 7378 | 7756 | 8135 | 8513 | 8513 |
8892 | 9270 | 9373 | 9373 | 9373 | 9373 | 9373 | 9373 | 9373 | 9373 |
9388 | 9766 | 10145 | 10145 | 10523 | 10902 | 11280 | 11299 | 11322 | 11322 |
11701 | 12079 | 12079 | 12458 | 12458 | 12473 | 12851 | 13230 | 13230 | 13608 |
Finally, following step 4, the mode $v_{max}$ of the hashed packet sequence and its number of occurrences $k_{max}$ are computed; $(v_{max}, k_{max})$ is the feature of network flow $F$. For web page 1, the mode of the hashed packet sequence is 9373 and it occurs 8 times, so (9373, 8) is the encrypted traffic feature of web page 1.
The web page traffic features obtained this way can be combined with conventional machine learning algorithms to build a fine-grained web page traffic classifier.
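The following Python sketch is an added example, not code from the patent: it runs steps 1.3 to 4 on a constructed capture and on the Table 2 values. The hash formula itself is not reproduced on this page, so `bucket_hash` is an assumed stand-in that reproduces every Table 2 to Table 3 pair; the `Packet` fields, function names and sample addresses are also assumptions, and the step 1.2 filtering is taken as already done.

```python
from collections import Counter, defaultdict
from typing import Callable, List, NamedTuple, Tuple


class Packet(NamedTuple):  # hypothetical record for one captured packet
    ts: float       # capture time
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    length: int


def largest_flow(packets: List[Packet]) -> List[Packet]:
    """Steps 1.3-1.4: group by unordered endpoint pair + protocol, keep the biggest flow."""
    flows = defaultdict(list)
    for p in packets:
        endpoints = frozenset({(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)})
        flows[(endpoints, p.proto)].append(p)
    return max(flows.values(), key=len)


def accumulate_downlink(flow: List[Packet], client_ip: str, k: int) -> List[int]:
    """Steps 2.1-2.4: sort by capture time, zero upstream lengths, running sum of first k."""
    total, seq = 0, []
    for p in sorted(flow, key=lambda p: p.ts)[:k]:
        total += 0 if p.src_ip == client_ip else p.length  # upstream contributes 0
        seq.append(total)
    return seq


def bucket_hash(a: int) -> int:
    """ASSUMPTION: stand-in for the patent's hash formula, which is missing here.
    round((a - 10000) / 4), rounding half up, matches Tables 2 and 3 on this page."""
    return (a - 10000 + 2) // 4


def wpf_feature(acc: List[int], hash_fn: Callable[[int], int] = bucket_hash) -> Tuple[int, int]:
    """Steps 3-4: hash each accumulated length, return (mode, occurrences of the mode).
    Ties go to the value seen first; the page does not specify tie-breaking."""
    return Counter(hash_fn(a) for a in acc).most_common(1)[0]


def extract_feature(packets: List[Packet], client_ip: str, k: int) -> Tuple[int, int]:
    return wpf_feature(accumulate_downlink(largest_flow(packets), client_ip, k))


# Accumulated lengths copied from Table 2 of this page.
TABLE_2 = [
    9231, 10745, 12259, 13773, 15287, 16801, 16801, 18315, 18315, 19829,
    21343, 22857, 24371, 25885, 25885, 27399, 28913, 30427, 31941, 33455,
    33455, 34969, 36483, 36483, 37997, 39511, 41025, 42539, 44053, 44053,
    45567, 47081, 47491, 47491, 47491, 47491, 47491, 47491, 47491, 47491,
    47551, 49065, 50579, 50579, 52093, 53607, 55121, 55197, 55289, 55289,
    56803, 58317, 58317, 59831, 59831, 59891, 61405, 62919, 62919, 64433,
]

# Constructed capture (not real traffic): one TLS flow, listed out of time
# order, plus a single packet belonging to a second, smaller flow.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
CAPTURE = [
    Packet(0.050, SERVER, 443, CLIENT, 50000, "TCP", 410),
    Packet(0.000, CLIENT, 50000, SERVER, 443, "TCP", 583),
    Packet(0.010, SERVER, 443, CLIENT, 50000, "TCP", 1514),
    Packet(0.015, "198.51.100.7", 443, CLIENT, 50001, "TCP", 1514),
    Packet(0.020, SERVER, 443, CLIENT, 50000, "TCP", 1514),
    Packet(0.030, CLIENT, 50000, SERVER, 443, "TCP", 66),
    Packet(0.040, CLIENT, 50000, SERVER, 443, "TCP", 66),
    Packet(0.060, CLIENT, 50000, SERVER, 443, "TCP", 66),
]

if __name__ == "__main__":
    print("Table 2 feature:", wpf_feature(TABLE_2))
    print("Constructed capture feature:", extract_feature(CAPTURE, CLIENT, k=6))
```

Runs of consecutive upstream packets leave the accumulated value unchanged, so the mode captures the longest such plateau and the cumulative downstream volume at which it occurs.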
Embodiment 2
This embodiment compares the method of the invention with other traffic classification algorithms to verify its advantages and effectiveness. The web page traffic feature extraction method of the invention (WPF) is combined with a conventional machine learning algorithm, the nearest neighbor algorithm (k-NN), to build a web page traffic classifier, which is then compared with the CUMUL and DTW web page classification algorithms mentioned in the background. The three methods classify web page traffic using the same traffic data set; the classification results are shown in Table 4.
Table 4: Comparison of web page traffic classification results
Classification algorithm | Precision | Recall | F1 score |
---|---|---|---|
WPF | 91.8% | 92.0% | 91.8% |
CUMUL | 8.7% | 7.9% | 8.3% |
DTW | 39.4% | 42.7% | 37.7% |
As Table 4 shows, the invention has a clear advantage over existing encrypted traffic analysis methods: its precision, recall and F1 score are all much higher than those of the other two classification algorithms. The invention achieves feature extraction for fine-grained encrypted web page traffic; its operation is simple and efficient, its computational and time complexity are low, its classification accuracy is high, and it is suitable for practical application.
Although embodiments of this patent are described herein with reference to the accompanying examples, those skilled in the art can make further improvements without departing from the principle of this patent, and these are also considered to fall within the scope of protection of this patent.
Claims (2)
1. An encrypted web page traffic feature extraction method based on accumulated packet length, characterized in that it includes the following steps:
Step 1: obtain the encrypted traffic data set.
Step 1.1: use a packet capture tool to capture the SSL/TLS encrypted network traffic generated by one load of a web page, where the packet capture tool is one of Wireshark or Tshark; the encrypted network traffic consists of a number of packets, and each packet contains the following information: the capture time of the packet, source IP address, destination IP address, protocol, packet length, communicating port numbers and encrypted packet content.
Step 1.2: filter the packets contained in the encrypted network traffic, removing useless packets and keeping the remaining packets.
Here, useless packets are TCP error packets and packets with checksum errors.
Step 1.3: classify the remaining packets output by step 1.2 into flows of the same origin. Specifically, packets with the same communicating IP addresses, communicating port numbers and transport protocol are assigned to one flow; all remaining packets are processed this way and sorted into multiple network flows.
Here, packets with the same communicating IP addresses are packets whose source and destination IP addresses are interchangeable.
Step 1.4: count the packets in each network flow produced by step 1.3, keep the one flow with the most packets and discard the other flows; all packets of that flow form one set, recorded as the encrypted traffic data set.
Step 2: extract the packet lengths of the encrypted traffic data set, order them, set the upstream packet lengths to 0 and accumulate, obtaining the accumulated packet length sequence.
Step 2.1: arrange all packets in the encrypted traffic data set in order of capture time, obtaining network flow $F$.
Step 2.2: extract the packet lengths in network flow $F$ in order; length is denoted $p$, and $p_i$ is the length of the $i$-th packet, where $i$ ranges from 1 to $N$; the packet lengths of network flow $F$ are therefore $(p_1, \ldots, p_N)$.
Step 2.3: set the upstream packet lengths in network flow $F$ to 0 and leave the downstream packet lengths unchanged.
Step 2.4: accumulate the lengths of the first $K$ packets in network flow $F$, with $K < N$; the accumulated length at the $i$-th packet is denoted $a_i$, where $i$ ranges from 1 to $K$.
When $i = 1$, $a_1 = p_1$; for $1 < i \le K$, $a_i = p_i + a_{i-1}$; the accumulated packet length sequence is written $A(F) = (a_1, \ldots, a_K)$.
Step 3: apply a hash operation to the accumulated packet length sequence to obtain the hashed packet sequence. Specifically, each accumulated packet length $a_i$ in $A(F)$ is hashed with the hash formula $v_i = \mathrm{Hash}(a_i)$, where $v$ denotes the hash value; the hashed packet sequence is denoted $I$, so that $I = (v_1, \ldots, v_n)$.
Step 4: generate the encrypted web page traffic feature from the hashed packet sequence. Specifically, compute the mode $v_{max}$ of the hashed packet sequence $I$ and the number of times $k_{max}$ that the mode occurs, and use $(v_{max}, k_{max})$ as the feature of the encrypted network flow $F$.
2. The encrypted web page traffic feature extraction method based on accumulated packet length according to claim 1, characterized in that: the source IP address in step 1.1 is one of the client IP address or the server IP address, the destination IP address is one of the client IP address or the server IP address, and the source and destination IP addresses cannot be the same; the upstream packet in step 2.3 is one whose source IP address is the client IP address and whose destination IP address is the server IP address; the downstream packet is one whose source IP address is the server IP address and whose destination IP address is the client IP address.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811053659.8A CN109194657B (en) | 2018-09-11 | 2018-09-11 | Webpage encryption traffic characteristic extraction method based on accumulated data packet length |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109194657A | 2019-01-11 |
CN109194657B | 2020-05-12 |