CN109194657A - An encrypted webpage traffic feature extraction method based on cumulative packet length - Google Patents


Publication number
CN109194657A
Authority
CN
China
Prior art keywords
data packet
address
length
hash
packet length
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811053659.8A
Other languages
Chinese (zh)
Other versions
CN109194657B (en)
Inventor
沈蒙
刘怡婷
陈偲祺
祝烈煌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Institute of Technology BIT
Priority to CN201811053659.8A
Publication of CN109194657A
Application granted
Publication of CN109194657B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a fine-grained webpage feature extraction method based on cumulative packet length, and belongs to the technical field of network service security. The method, referred to as WPF, comprises the following steps: Step 1, obtain an encrypted traffic data set; Step 2, sort the packets of the encrypted traffic data set, extract their lengths, set the uplink packet lengths to 0, and obtain the cumulative packet length sequence; Step 3, apply a hash operation to the cumulative packet length sequence to obtain the hashed packet sequence; Step 4, generate the encrypted webpage traffic feature from the hashed packet sequence. The invention is applicable to encrypted network traffic scenarios that use the SSL/TLS protocol; the method has high accuracy and high efficiency; it can be combined with conventional machine learning algorithms to build a webpage traffic classifier; and it has the advantages of low feature dimensionality, a simple computation and low time complexity, so that it enables online webpage traffic detection and is suitable for practical deployment.

Description

An encrypted webpage traffic feature extraction method based on cumulative packet length
Technical field
The present invention relates to a fine-grained webpage feature extraction method based on cumulative packet length, and belongs to the technical field of network service security.
Background
Traffic is the carrier of network communication and network services. Traffic analysis can yield a great deal of useful information, such as detecting malicious traffic and obtaining a user's historical access behaviour, which is significant for keeping networks running normally and for providing users with personalized services. Traditional traffic feature extraction methods are mostly based on deep packet inspection of plaintext information, but with the widespread use of the SSL/TLS (Secure Sockets Layer / Transport Layer Security) protocols, network traffic is encrypted and traditional traffic feature extraction methods lose their effectiveness.
Current research on encrypted traffic mostly addresses the identification and classification of the traffic of different websites. Compared with website traffic, webpage traffic carries information that is more worth examining: for example, by identifying the traffic of different webpages of the same shopping website, a user's shopping behaviour can be obtained and the user's preferences further inferred. How to extract features that effectively classify and identify fine-grained webpage traffic has therefore become a research focus in recent years.
There is a large body of research on analysing encrypted network traffic features. One existing approach uses packet length and count information as traffic features. Specifically, uplink packet lengths are set negative and downlink packet lengths positive, and four features (the total number of uplink packets, the total number of downlink packets, the cumulative total length of uplink packets and the cumulative total length of downlink packets) are used as the basic features of encrypted traffic, with which the encrypted traffic is classified and identified; this method is called CUMUL. However, that method can only classify and identify the encrypted traffic of different websites: for different webpages of the same website the packet lengths and counts are very similar, so fine-grained webpage traffic cannot be distinguished. Another approach uses dynamic time warping, referred to as DTW, to classify and identify webpage traffic. It uses only packet timestamp information as the feature; however, timestamp information is easily affected by network fluctuation and the dynamic time warping procedure is very time-consuming, so the method is not suited to quickly and effectively detecting the traffic of different webpages of the same website.
In summary, the above methods cannot achieve high accuracy and high efficiency in classifying and identifying encrypted webpage traffic, and remain some distance from the standard required for practical deployment.
Summary of the invention
The object of the invention is to extract fine-grained encrypted webpage traffic features such that the method can classify and identify the traffic of different webpages of the same website, thereby making it possible to further analyse user access behaviour, discover and block malicious traffic, and provide personalized services to users while improving network security, with high accuracy and high efficiency. Addressing the problems of existing encrypted traffic identification methods, an encrypted webpage traffic feature extraction method based on cumulative packet length is proposed.
An encrypted webpage traffic feature extraction method based on cumulative packet length, referred to as WPF, comprises the following steps:
Step 1: obtain the encrypted traffic data set;
Step 1.1: use a packet capture tool to capture the SSL/TLS encrypted network traffic generated by a single load of one webpage, where the packet capture tool is either Wireshark or Tshark; the encrypted network traffic consists of a number of packets, and each packet contains the following information: the capture time of the packet, source IP address, destination IP address, protocol, packet length, the communicating port numbers and the encrypted packet content;
Here, the source IP address is either the client IP address or the server IP address, the destination IP address is either the client IP address or the server IP address, and the source IP address and destination IP address cannot be the same;
Step 1.2: filter the packets contained in the encrypted network traffic, removing useless packets, to obtain the remaining packets;
Here, useless packets are TCP error packets and packets with checksum errors;
Step 1.3: classify the remaining packets output by Step 1.2 into network flows of the same origin. Specifically, packets that have the same communicating IP addresses, communicating port numbers and transport protocol are assigned to one flow; all of the remaining packets are processed in this way and sorted into multiple network flows;
Here, packets having the same communicating IP addresses are packets whose source IP address and destination IP address are mutually interchanged;
Step 1.4: count the packets of each network flow produced by Step 1.3, keep the one flow with the most packets and discard the other network flows; all packets in the flow with the most packets are combined into one set, denoted the encrypted traffic data set;
Step 2: sort the packets of the encrypted traffic data set, extract their lengths, set the uplink packet lengths to 0, and obtain the cumulative packet length sequence;
Step 2.1: arrange all packets in the encrypted traffic data set in order of their capture time to obtain network flow F;
Step 2.2: extract the packet lengths in network flow F in order; length is denoted p, and p_i denotes the length of the i-th packet, where i ranges from 1 to N, so the packet lengths of network flow F are written (p_1, …, p_N);
Step 2.3: set the uplink packet lengths in network flow F to 0, leaving the downlink packet lengths unchanged;
Here, an uplink packet is one whose source IP address is the client IP address and whose destination IP address is the server IP address; a downlink packet is one whose source IP address is the server IP address and whose destination IP address is the client IP address;
Step 2.4: accumulate the lengths of the first K packets in network flow F, where K < N; the length of the i-th packet after accumulation is denoted a_i;
Here, i ranges from 1 to K;
When i = 1, a_1 = p_1; when 1 < i ≤ K, a_i = p_i + a_{i-1}; the cumulative packet length sequence is written A(F) = (a_1, …, a_K);
Step 3: apply a hash operation to the cumulative packet length sequence to obtain the hashed packet sequence. Specifically, the cumulative packet length sequence is hashed: for each packet length a_i in A(F), the hash formula is, with the hash value denoted v, v_i = Hash(a_i); the hashed packet sequence is denoted I, where I = (v_1, …, v_n);
Step 4: generate the encrypted webpage traffic feature from the hashed packet sequence. Specifically, compute the mode v_max of the hashed packet sequence I and the number of times k_max that the mode occurs; (v_max, k_max) is used as the feature of the encrypted network flow F.
Beneficial effects
Compared with existing encrypted flow identification methods, the encrypted webpage traffic feature extraction method based on cumulative packet length proposed by the invention has the following beneficial effects:
1. The invention is applicable to encrypted network traffic scenarios that use the SSL/TLS protocol;
2. The invention improves on the problems of existing encrypted traffic identification methods, and the method has high accuracy and high efficiency;
3. The invention uses only packet length information as the webpage traffic feature, and can be combined with conventional machine learning algorithms to build a webpage traffic classifier;
4. The invention has the advantages of low feature dimensionality, a simple computation and low time complexity; it enables online webpage traffic detection and is suitable for practical deployment.
Brief description of the drawings
Fig. 1 is the overall flow chart of the encrypted webpage traffic feature extraction method based on cumulative packet length of the invention;
Fig. 2 shows the cumulative packet length sequences of 5 different webpages of the same website, captured with the capture tool described in Step 1 of the method;
Fig. 3 shows the webpage cumulative packet length sequences after the uplink packets are set to 0 in Step 2 of the method.
Detailed description of the embodiments
The process of the "encrypted webpage traffic feature extraction method based on cumulative packet length" of the invention is explained below with reference to the drawings and embodiments, and its advantages are illustrated. It should be understood that implementation of the invention is not limited to the following embodiments, and any adaptation or modification made to the invention in any form falls within the scope of the invention.
Embodiment 1
This embodiment is a complete simulation of encrypted webpage traffic feature extraction carried out according to Steps 1 to 4 of the invention; the overall flow chart is shown in Fig. 1. Suppose a network flow in the network is expressed as F = (p_1, …, p_N), where p_i denotes the length of the i-th packet and F is the packet length sequence of the network flow. If a packet is downlink data then p_i > 0; if a packet is uplink data then p_i < 0. According to Step 1, the traffic of 5 different webpages of the same website is captured and processed as described above; the result is shown in Fig. 2. The first 100 cumulative packet lengths of webpage 1 are shown in Table 1.
Table 1. First 100 cumulative packet lengths of webpage 1
The cumulative packet lengths of the network flow are then processed so that only the downlink packet lengths and the uplink packet position information are retained; the operation follows Step 2, with K = 100 in Step 2.4. For the webpages above, the discriminative interval is concentrated between the 30th and the 80th packet, and the processed packet sequences for that interval are shown in Fig. 3. The 30th to 80th cumulative packet lengths of webpage 1 after processing are shown in Table 2.
Table 2. Cumulative packet length sequence of webpage 1 after uplink packet lengths are set to 0
9231 10745 12259 13773 15287 16801 16801 18315 18315 19829
21343 22857 24371 25885 25885 27399 28913 30427 31941 33455
33455 34969 36483 36483 37997 39511 41025 42539 44053 44053
45567 47081 47491 47491 47491 47491 47491 47491 47491 47491
47551 49065 50579 50579 52093 53607 55121 55197 55289 55289
56803 58317 58317 59831 59831 59891 61405 62919 62919 64433
Next, taking the above webpage traffic as an example, the cumulative packet lengths are hashed according to Step 3. The hash operation is described as follows:
where v_i denotes the hash value and a_i denotes the i-th cumulative packet length.
After the hash operation, the packet length sequence of webpage 1 is as shown in Table 3.
Table 3. Packet sequence of webpage 1 after the hash operation
-192 186 565 943 1322 1700 1700 2079 2079 2457
2836 3214 3593 3971 3971 4350 4728 5107 5485 5864
5864 6242 6621 6621 6999 7378 7756 8135 8513 8513
8892 9270 9373 9373 9373 9373 9373 9373 9373 9373
9388 9766 10145 10145 10523 10902 11280 11299 11322 11322
11701 12079 12079 12458 12458 12473 12851 13230 13230 13608
Finally, according to Step 4, the mode v_max of the hashed packet sequence and its number of occurrences k_max are computed; (v_max, k_max) is the feature of network flow F. For webpage 1, the mode of the hashed packet sequence is 9373 and it occurs 8 times, so (9373, 8) is the encrypted traffic feature of webpage 1.
The processed webpage traffic features can be combined with conventional machine learning algorithms to build a fine-grained webpage traffic classifier.
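The Embodiment 1 computation as an added Python example (not code from the patent). The page does not define Hash beyond v_i = Hash(a_i), so `assumed_hash` is an assumption fitted to Tables 2 and 3, which it reproduces exactly; the `Packet` record, the function names and the small capture are constructed for illustration.

```python
from collections import Counter, defaultdict
from itertools import accumulate
from typing import NamedTuple


class Packet(NamedTuple):          # hypothetical record, one per captured packet
    ts: float                      # capture time
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def largest_flow(packets):
    """Steps 1.3-1.4: group by endpoint pair (either direction) and transport
    protocol, then keep only the flow that contains the most packets."""
    flows = defaultdict(list)
    for p in packets:
        endpoints = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        flows[(endpoints, p.proto)].append(p)
    return max(flows.values(), key=len) if flows else []


def cumulative_downlink(flow, client_ip, k):
    """Steps 2.1-2.4: order by capture time, set uplink lengths to 0 and
    return the running sum a_1..a_k over the first k packets."""
    ordered = sorted(flow, key=lambda p: p.ts)[:k]
    return list(accumulate(0 if p.src == client_ip else p.length for p in ordered))


def assumed_hash(a):
    """Step 3. ASSUMPTION: the page does not define Hash, so this bucketing
    (a / 4 rounded to nearest, minus 2500) is fitted to Tables 2 and 3."""
    return (a + 2) // 4 - 2500


def wpf_feature(hashed):
    """Step 4: (v_max, k_max) = mode of the hashed sequence and its count.
    Ties go to the value seen first; an empty sequence has no feature."""
    return Counter(hashed).most_common(1)[0] if hashed else None


def extract_feature(packets, client_ip, k=100):
    """Steps 1.3 to 4 on an already filtered capture (Step 1.2 done upstream)."""
    sums = cumulative_downlink(largest_flow(packets), client_ip, k)
    return wpf_feature([assumed_hash(a) for a in sums])


# Table 2 of the page: cumulative lengths of webpage 1, uplink lengths zeroed.
TABLE2 = [
    9231, 10745, 12259, 13773, 15287, 16801, 16801, 18315, 18315, 19829,
    21343, 22857, 24371, 25885, 25885, 27399, 28913, 30427, 31941, 33455,
    33455, 34969, 36483, 36483, 37997, 39511, 41025, 42539, 44053, 44053,
    45567, 47081, 47491, 47491, 47491, 47491, 47491, 47491, 47491, 47491,
    47551, 49065, 50579, 50579, 52093, 53607, 55121, 55197, 55289, 55289,
    56803, 58317, 58317, 59831, 59831, 59891, 61405, 62919, 62919, 64433,
]
# Table 3 of the page: the same sequence after the hash operation.
TABLE3 = [
    -192, 186, 565, 943, 1322, 1700, 1700, 2079, 2079, 2457,
    2836, 3214, 3593, 3971, 3971, 4350, 4728, 5107, 5485, 5864,
    5864, 6242, 6621, 6621, 6999, 7378, 7756, 8135, 8513, 8513,
    8892, 9270, 9373, 9373, 9373, 9373, 9373, 9373, 9373, 9373,
    9388, 9766, 10145, 10145, 10523, 10902, 11280, 11299, 11322, 11322,
    11701, 12079, 12079, 12458, 12458, 12473, 12851, 13230, 13230, 13608,
]

# Constructed capture (private and documentation addresses): one page load
# plus a smaller second flow, listed out of order to exercise the sort.
C, S = "10.0.0.5", "203.0.113.10"
CAPTURE = [
    Packet(0.09, S, 443, C, 50000, "TCP", 1514),
    Packet(0.00, C, 50000, S, 443, "TCP", 571),
    Packet(0.02, C, 50001, "198.51.100.7", 443, "TCP", 571),
    Packet(0.05, S, 443, C, 50000, "TCP", 1514),
    Packet(0.07, C, 50000, S, 443, "TCP", 66),
    Packet(0.03, "198.51.100.7", 443, C, 50001, "TCP", 1514),
    Packet(0.06, S, 443, C, 50000, "TCP", 1514),
    Packet(0.08, C, 50000, S, 443, "TCP", 66),
    Packet(0.10, C, 50000, S, 443, "TCP", 66),
]

if __name__ == "__main__":
    print("Table 3 reproduced:", [assumed_hash(a) for a in TABLE2] == TABLE3)
    print("webpage 1 feature:", wpf_feature(TABLE3))
    print("constructed capture:", extract_feature(CAPTURE, C, k=6))
```

Because the cumulative sequence never decreases, k_max is the length of the longest plateau: one downlink packet followed by a run of zeroed uplink packets, plus any neighbours that land in the same hash bucket.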
Embodiment 2
This embodiment compares the method of the invention with other traffic classification algorithms to verify the advantages and effectiveness of the invention. The webpage traffic feature extraction method of the invention (WPF) is combined with a conventional machine learning algorithm, the nearest neighbour algorithm (k-NN), to build a webpage traffic classifier, which is then compared with the CUMUL and DTW webpage classification algorithms mentioned in the Background. The three methods classify webpage traffic using the same traffic data set; the classification results are shown in Table 4.
Table 4. Comparison of webpage traffic classification results
Classification algorithm    Precision    Recall    F1 score
WPF                         91.8%        92.0%     91.8%
CUMUL                       8.7%         7.9%      8.3%
DTW                         39.4%        42.7%     37.7%
As Table 4 shows, the invention has a clear advantage over existing encrypted traffic analysis methods: its precision, recall and F1 score are all far higher than those of the other two classification algorithms. The invention extracts features from fine-grained encrypted webpage traffic with a simple and efficient procedure, low computational complexity and time complexity, and high classification accuracy, and is suitable for practical deployment.
Although embodiments of this patent are described herein with reference to the accompanying embodiments, those skilled in the art may make several improvements without departing from the principle of this patent, and these are also regarded as falling within the scope of protection of this patent.

Claims (2)

1. An encrypted webpage traffic feature extraction method based on cumulative packet length, characterized in that it comprises the following steps:
Step 1: obtain the encrypted traffic data set;
Step 1.1: use a packet capture tool to capture the SSL/TLS encrypted network traffic generated by a single load of one webpage, where the packet capture tool is either Wireshark or Tshark; the encrypted network traffic consists of a number of packets, and each packet contains the following information: the capture time of the packet, source IP address, destination IP address, protocol, packet length, the communicating port numbers and the encrypted packet content;
Step 1.2: filter the packets contained in the encrypted network traffic, removing useless packets, to obtain the remaining packets;
Here, useless packets are TCP error packets and packets with checksum errors;
Step 1.3: classify the remaining packets output by Step 1.2 into network flows of the same origin. Specifically, packets that have the same communicating IP addresses, communicating port numbers and transport protocol are assigned to one flow; all of the remaining packets are processed in this way and sorted into multiple network flows;
Here, packets having the same communicating IP addresses are packets whose source IP address and destination IP address are mutually interchanged;
Step 1.4: count the packets of each network flow produced by Step 1.3, keep the one flow with the most packets and discard the other network flows; all packets in the flow with the most packets are combined into one set, denoted the encrypted traffic data set;
Step 2: sort the packets of the encrypted traffic data set, extract their lengths, set the uplink packet lengths to 0, and obtain the cumulative packet length sequence;
Step 2.1: arrange all packets in the encrypted traffic data set in order of their capture time to obtain network flow F;
Step 2.2: extract the packet lengths in network flow F in order; length is denoted p, and p_i denotes the length of the i-th packet, where i ranges from 1 to N, so the packet lengths of network flow F are written (p_1, …, p_N);
Step 2.3: set the uplink packet lengths in network flow F to 0, leaving the downlink packet lengths unchanged;
Step 2.4: accumulate the lengths of the first K packets in network flow F, where K < N; the length of the i-th packet after accumulation is denoted a_i;
Here, i ranges from 1 to K;
When i = 1, a_1 = p_1; when 1 < i ≤ K, a_i = p_i + a_{i-1}; the cumulative packet length sequence is written A(F) = (a_1, …, a_K);
Step 3: apply a hash operation to the cumulative packet length sequence to obtain the hashed packet sequence. Specifically, the cumulative packet length sequence is hashed: for each packet length a_i in A(F), the hash formula is, with the hash value denoted v, v_i = Hash(a_i); the hashed packet sequence is denoted I, where I = (v_1, …, v_n);
Step 4: generate the encrypted webpage traffic feature from the hashed packet sequence. Specifically, compute the mode v_max of the hashed packet sequence I and the number of times k_max that the mode occurs; (v_max, k_max) is used as the feature of the encrypted network flow F.
2. The encrypted webpage traffic feature extraction method based on cumulative packet length according to claim 1, characterized in that: the source IP address in Step 1.1 is either the client IP address or the server IP address, the destination IP address is either the client IP address or the server IP address, and the source IP address and destination IP address cannot be the same; an uplink packet in Step 2.3 is one whose source IP address is the client IP address and whose destination IP address is the server IP address; a downlink packet is one whose source IP address is the server IP address and whose destination IP address is the client IP address.
CN201811053659.8A 2018-09-11 2018-09-11 Webpage encryption traffic characteristic extraction method based on accumulated data packet length Active CN109194657B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811053659.8A CN109194657B (en) 2018-09-11 2018-09-11 Webpage encryption traffic characteristic extraction method based on accumulated data packet length

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811053659.8A CN109194657B (en) 2018-09-11 2018-09-11 Webpage encryption traffic characteristic extraction method based on accumulated data packet length

Publications (2)

Publication Number Publication Date
CN109194657A true CN109194657A (en) 2019-01-11
CN109194657B CN109194657B (en) 2020-05-12

Family

ID=64915980

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811053659.8A Active CN109194657B (en) 2018-09-11 2018-09-11 Webpage encryption traffic characteristic extraction method based on accumulated data packet length

Country Status (1)

Country Link
CN (1) CN109194657B (en)


Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104038389A (en) * 2014-06-19 2014-09-10 高长喜 Multiple application protocol identification method and device
CN104135385A (en) * 2014-07-30 2014-11-05 南京市公安局 Method of application classification in Tor anonymous communication flow
CN106209775A (en) * 2016-06-24 2016-12-07 深圳信息职业技术学院 The application type recognition methods of a kind of SSL encryption network flow and device
CN106850547A (en) * 2016-12-15 2017-06-13 华北计算技术研究所(中国电子科技集团公司第十五研究所) A kind of data restoration method and system based on http protocol
CN107294966A (en) * 2017-06-21 2017-10-24 四川大学 A kind of IP white list construction methods based on Intranet flow

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
SHEN M, WEI M, ZHU L, ET AL.: "Certificate-aware encrypted traffic classification using second-order markov chain", 《IEEE》 *
SHEN M, WEI M, ZHU L, ET AL.: "Classification of encrypted traffic with second-order markov chains and application attribute bigrams", 《IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY》 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110011931A (en) * 2019-01-25 2019-07-12 中国科学院信息工程研究所 A kind of encryption traffic classes detection method and system
CN110011931B (en) * 2019-01-25 2020-10-16 中国科学院信息工程研究所 Encrypted flow type detection method and system
CN110113338A (en) * 2019-05-08 2019-08-09 北京理工大学 A kind of encryption traffic characteristic extracting method based on Fusion Features
CN110113338B (en) * 2019-05-08 2020-06-26 北京理工大学 Encrypted flow characteristic extraction method based on characteristic fusion
CN110391958A (en) * 2019-08-15 2019-10-29 北京中安智达科技有限公司 A kind of pair of network encryption flow carries out feature extraction automatically and knows method for distinguishing
CN110391958B (en) * 2019-08-15 2021-04-09 北京中安智达科技有限公司 Method for automatically extracting and identifying characteristics of network encrypted flow
CN111277587A (en) * 2020-01-19 2020-06-12 武汉思普崚技术有限公司 Malicious encrypted traffic detection method and system based on behavior analysis
CN116016365A (en) * 2023-01-06 2023-04-25 哈尔滨工业大学 Webpage identification method based on data packet length information under encrypted flow
CN116016365B (en) * 2023-01-06 2023-09-19 哈尔滨工业大学 Webpage identification method based on data packet length information under encrypted flow

Also Published As

Publication number Publication date
CN109194657B (en) 2020-05-12


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant