CN109379341A - A kind of Recall remote control Trojan network flow detection method of Behavior-based control analysis - Google Patents
Publication number: CN109379341A (application CN201811117592.XA)
Authority: CN (China)
Prior art keywords: flow, session, trojan, model, network
Legal status: Granted (the legal status shown by Google Patents is an assumption, not a legal conclusion; Google has not performed a legal analysis)
Classifications (CPC)
- H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
Abstract
The invention discloses a rebound (reverse-connection) remote control Trojan network traffic detection method based on behaviour analysis. In a first stage, the training samples undergo TCP session reassembly, session feature extraction and session labelling, and the session features and labels are fed into a random forest detection model. By comparing the performance metrics of the model under different parameters, the model is tuned and the optimised Trojan detection model is fixed. In a second stage, the raw traffic data captured in real time on a probe undergoes TCP session reassembly and session feature extraction, the session features are fed into the Trojan detection model optimised in the first stage, and the model classifies each session as Trojan traffic or normal business traffic. The technical effect of the invention is that the model inspects the traffic characteristics produced by the Trojan's own behaviour directly from the traffic file; the invention therefore does not depend on an existing Trojan signature library, can detect unknown, novel remote control Trojans, and can also detect Trojans whose communication traffic is encrypted.
Description
Technical field
The present invention relates to the field of network security, and in particular to a rebound remote control Trojan network traffic detection method based on behaviour analysis.
Background art
Because hackers can use remote control Trojans to steal sensitive enterprise data, monitor the behaviour of key users and execute malicious operations, remote control Trojans have become one of the major information security threats faced by enterprises. A remote control Trojan program consists of two independent parts, a control end and a controlled end, which exchange data over the Internet. The controlled-end program is covertly installed on the infected computer, for instance through a phishing e-mail or a USB flash drive carried across an air gap, and receives the hacker's commands remotely. The control-end program is operated by the hacker and sends commands to the infected computer. Remote control Trojans fall into two classes according to the direction in which the Trojan connects: forward remote control Trojans and rebound remote control Trojans. In a forward remote control Trojan connection the controlled end opens a service port and the control end actively connects to it; in a rebound remote control Trojan connection it is the controlled end that actively connects to a port on the control end.
Forward remote control Trojans can be guarded against with port filtering policies on firewalls or switches combined with an enterprise whitelist of open ports, but this security policy is ineffective against rebound remote control Trojans, because the network traffic of a rebound Trojan cannot be distinguished from regular business traffic by port alone. Remote control Trojan detection using deep packet inspection is a mainstream technical direction in the industry; its main idea is to compare the payload of network packets against a Trojan signature library, but the method cannot inspect encrypted packets and its computational complexity is high, so enterprise-grade real-time Trojan detection is hard to achieve. Another Trojan detection technique is host-based behaviour detection, but it requires a detection program to be installed on every host, which is hard to roll out. Moreover, some advanced Trojans can sense the presence of security detection programs and hide the Trojan process to evade detection.
From the perspective of behaviour analysis, there are necessarily differences in behaviour between rebound remote control Trojans and regular business traffic, but so far no published literature has proposed a method that can intelligently analyse network behaviour to detect the network traffic of rebound remote control Trojans efficiently and accurately.
Summary of the invention
The invention proposes a rebound remote control Trojan network traffic detection method based on behaviour analysis. The method extracts behavioural features from network traffic in real time and trains a Trojan detection model with a machine learning method, so as to detect rebound remote control Trojans accurately.
The technical scheme is as follows:
A rebound remote control Trojan network traffic detection method based on behaviour analysis, comprising the following steps:
Step 1, training the Trojan detection model: collect two different types of traffic file, Trojan traffic files and normal network business traffic files; then extract the complete network traffic of each TCP session from the traffic files; then extract from the TCP session traffic the session behavioural features, namely the ratio of uploaded to downloaded packet payload length, the proportion of packets whose PSH flag bit is equal to 1, the number of packets in the initial stage of the session, and the heartbeat behaviour flag; finally feed the session behavioural features and the traffic file type into a Trojan detection model based on the random forest algorithm for training, adjusting the number of decision trees in the model during training until the Trojan detection model that identifies Trojan traffic files and normal network business traffic files most accurately is obtained. This completes the training of the model, which can then automatically identify Trojan traffic and normal network business traffic.
Step 2, detecting with the Trojan detection model obtained in step 1: first monitor the real-time network traffic, then extract the complete network traffic of each TCP session from that traffic, then extract the session behavioural features from the TCP session traffic, and finally feed the extracted session behavioural features into the Trojan detection model, which classifies each TCP session as Trojan traffic or normal network business traffic according to its input.
In the method, extracting the complete network traffic of each TCP session from the traffic file in step 1 comprises the following steps: the traffic file is reorganised with the TCP session as the unit; the start of a session is judged by the Flag value of a packet containing SYN, and the end of a session by it containing RST or FIN; from all TCP sessions, those initiated from the internal network toward the external network are selected, and TCP sessions connected in from the external network are discarded.
In the method, the session behavioural features in step 1 are obtained by extracting the 7 essential attributes source IP, source port, destination IP, destination port, timestamp, FLAG value and payload byte count, and processing them.
In the method, among the session behavioural features of step 1, the ratio of uploaded to downloaded packet payload length is the ratio of the total uploaded bytes to the total downloaded bytes of a TCP session; the proportion of packets whose PSH flag bit is equal to 1 is the share of packets in the whole session whose PSH flag value is 1; the number of packets in the initial stage of the session is the number of packets within a preset time from the establishment of the TCP session; and the heartbeat behaviour flag indicates whether heartbeat behaviour is present in the session.
In the method, training the Trojan detection model in step 1 comprises: using 10-fold cross-validation, dividing the training samples into a training set and a validation set, training the algorithm on the training set, classifying the samples of the validation set with the trained algorithm, and computing the accuracy and the AUC metric, where accuracy is the ratio of correctly classified samples to the total number of samples and AUC is the area under the ROC curve, the curve that describes the relationship between the classifier's true positive rate and false positive rate; after the accuracy and AUC have been obtained, the number of decision trees in the random forest algorithm is adjusted, and the number of decision trees for which the combined value of the two metrics, accuracy and AUC, is optimal is taken as the number of decision trees of the Trojan detection model.
The technical effect of the invention is that, because the model inspects the traffic characteristics produced by the Trojan's own behaviour directly from the traffic file, the invention does not depend on an existing Trojan signature library, can also detect unknown, novel remote control Trojans, and can detect Trojans whose communication traffic is encrypted.
Detailed description of the invention
Fig. 1 is a schematic diagram of the framework of the rebound remote control Trojan network traffic detection method based on behaviour analysis implemented by the present invention;
Fig. 2 is the structure diagram of the traffic data collection probe in Fig. 1;
Fig. 3 is the format of a network behaviour log data unit.
Specific embodiment
The present embodiment comprises the following two stages:
First stage: model training stage
Step one, collect training samples. 370 real rebound remote control Trojan traffic files were collected from public websites, of which about 30% are encrypted traffic. 2190 normal network business traffic files were collected from enterprise switches; the normal business traffic includes e-mail, instant messaging such as QQ, web browsing, P2P and other cloud service traffic. All collected network traffic is labelled as malicious Trojan traffic or normal network business traffic.
Step two, extract the complete network traffic of each TCP session from the network traffic. The packets in the traffic files collected in step one are sorted by arrival time and are the union of all traffic on the local area network, so the traffic must first be reorganised with the network session as the unit. A TCP session is one complete TCP session between a given (source IP, source port, destination IP, destination port) pair. For a given IP and port pair, a TCP session starts with the TCP three-way handshake and ends with the TCP four-way close; whether a session starts is judged by whether the Flag value in a packet contains SYN, and whether it ends by whether the Flag value contains RST or FIN. In addition, since the concern is rebound Trojans, the sessions initiated from the internal network toward the external network must also be selected from all TCP sessions, and TCP sessions connected in from the external network discarded.
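The session reassembly rule of step two, written out as runnable code. This is an added example and not code from the patent or its applicant; it assumes packets have already been reduced to the 7 attributes the page names (timestamps, endpoints, TCP flag names and payload length), that the internal network is the RFC 1918 address space, and that a session is closed at the first FIN or RST as the page states. The capture at the bottom is constructed: one internal-to-external session plus one externally initiated connection that must be discarded.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

@dataclass
class Packet:
    """One flow packet reduced to the 7 essential attributes the page names."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]   # TCP flag names set in the header, e.g. {"SYN"}, {"PSH", "ACK"}
    payload_len: int        # payload bytes carried by the packet

@dataclass
class Session:
    key: Tuple[str, int, str, int]          # (initiator ip, port, responder ip, port)
    packets: List[Packet] = field(default_factory=list)
    closed: bool = False

# Assumption: the enterprise's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_internal(ip: str, nets=INTERNAL_NETS) -> bool:
    addr = ip_address(ip)
    return any(addr in n for n in nets)

def reassemble_sessions(packets: List[Packet], nets=INTERNAL_NETS) -> List[Session]:
    """Group packets into complete TCP sessions following the page's rules:
    a session starts at a packet whose flags contain SYN (the SYN sender is the
    initiator), ends at the first packet whose flags contain FIN or RST, and only
    sessions initiated from the internal network toward an external host are kept.
    Packets that belong to no tracked session are dropped."""
    open_sessions: Dict[Tuple[str, int, str, int], Session] = {}
    complete: List[Session] = []
    for p in sorted(packets, key=lambda x: x.ts):      # the probe delivers packets in arrival order
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if "SYN" in p.flags and "ACK" not in p.flags:
            # New connection attempt: track it only when an internal host initiates it
            # toward the outside, which is the direction a rebound Trojan connects in.
            if is_internal(p.src_ip, nets) and not is_internal(p.dst_ip, nets):
                open_sessions[fwd] = Session(key=fwd, packets=[p])
            continue
        key = fwd if fwd in open_sessions else rev if rev in open_sessions else None
        if key is None:
            continue   # e.g. a reply to an externally initiated connection, or mid-stream traffic
        sess = open_sessions[key]
        sess.packets.append(p)
        if p.flags & {"FIN", "RST"}:
            sess.closed = True
            complete.append(open_sessions.pop(key))
    return complete

def _pkt(ts, src, sport, dst, dport, flags, n):
    return Packet(ts, src, sport, dst, dport, frozenset(flags.split(",")), n)

# Constructed sample capture (not from the page): one internal->external session and one
# externally initiated connection that the reassembler must discard.
SAMPLE_PACKETS = [
    _pkt(0.00, "192.168.1.10", 50000, "203.0.113.5", 443, "SYN", 0),
    _pkt(0.01, "203.0.113.5", 443, "192.168.1.10", 50000, "SYN,ACK", 0),
    _pkt(0.02, "192.168.1.10", 50000, "203.0.113.5", 443, "ACK", 0),
    _pkt(0.05, "198.51.100.7", 40000, "192.168.1.20", 22, "SYN", 0),
    _pkt(0.06, "192.168.1.20", 22, "198.51.100.7", 40000, "SYN,ACK", 0),
    _pkt(0.10, "192.168.1.10", 50000, "203.0.113.5", 443, "PSH,ACK", 120),
    _pkt(0.20, "203.0.113.5", 443, "192.168.1.10", 50000, "PSH,ACK", 900),
    _pkt(0.30, "192.168.1.10", 50000, "203.0.113.5", 443, "FIN,ACK", 0),
    _pkt(0.31, "203.0.113.5", 443, "192.168.1.10", 50000, "FIN,ACK", 0),
]

if __name__ == "__main__":
    for s in reassemble_sessions(SAMPLE_PACKETS):
        print(s.key, len(s.packets), "packets, closed:", s.closed)
```

On the constructed capture the reassembler returns exactly one session (6 packets, from the SYN to the first FIN) and silently drops the externally initiated connection to port 22, which is the behaviour the page wants for a rebound-Trojan detector; a real deployment would also need a timeout for sessions that never close.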
Step three, extract session behavioural features from the TCP session traffic. From each packet making up a TCP session, the 7 essential attributes source IP, source port, destination IP, destination port, timestamp, FLAG value and payload byte count are extracted, and the following 4 behavioural features are then computed from the attributes of one session:
1. Ratio of uploaded to downloaded packet payload length: upload traffic is the traffic sent from the internal network to the external network, and download traffic is the traffic from outside to inside. This feature is the ratio of the total uploaded bytes to the total downloaded bytes of a TCP session.
2. Proportion of packets whose PSH flag bit is equal to 1: this feature is the share of packets in the whole session whose PSH flag bit has the value 1.
3. Number of packets in the initial stage of the session: the initial stage of the session is the series of consecutive packets, starting from the establishment of the TCP session, in which the interval between adjacent packets is less than t; here t is taken to be 1 second. This feature is the number of packets in the initial stage of the session.
4. Heartbeat behaviour flag: heartbeat behaviour is a mechanism by which, during idle time when no business data is being sent, the two ends of a TCP connection send small packets of fixed length to confirm that the other side is still online. Here heartbeat behaviour is defined as one side sending a packet of length A, the other side returning a packet of length B, and this exchange of packets of length A and B repeating 3 times. This feature is a Boolean: it is true if heartbeat behaviour is present in the session and false otherwise.
Step four, train the Trojan traffic detection model based on random forest. The random forest algorithm is a widely used machine learning classifier and is suited to the two-class problem of Trojan traffic identification. During training, the following two metrics are combined to tune the key parameter of the model:
1. Accuracy: the ratio of correctly classified samples to the total number of samples.
2. AUC: the training sample set is imbalanced, i.e. the number of Trojan traffic samples is much smaller than the number of normal network business samples. Accuracy alone cannot fully measure the performance of an algorithm on an imbalanced data set, and the AUC metric solves this problem. In the ROC curve the abscissa of each point is the false positive rate and the ordinate is the true positive rate; it is the curve describing the relationship between the classifier's true positive rate and false positive rate. The AUC value is the area under the ROC curve.
During model training, 10-fold cross-validation is used: the training samples are divided into a training set and a validation set, the algorithm is trained on the training set, the samples of the validation set are classified with the trained algorithm, and the accuracy and AUC metrics are computed. The number of decision trees in the random forest algorithm is adjusted manually and the optimal number of decision trees is selected according to the metrics. After model training, the present embodiment sets the number of decision trees to 10; at this setting the accuracy of the random forest algorithm is 95.7% and the AUC value is 97.9%.
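The evaluation protocol of step four (accuracy, AUC, stratified 10-fold cross-validation and selection of the tree count by the combined metric), written out as an added example; it is not the patent's code. Two things are assumptions of this example rather than statements of the page: the classifier is a small forest of bootstrap-trained decision stumps standing in for a full random forest so that the block runs with the standard library alone, and the feature vectors are constructed in the direction the page's rationale predicts rather than taken from real captures. The `majority_baseline` function shows numerically why the page pairs accuracy with AUC on an imbalanced set.

```python
import random
from typing import Dict, List, Sequence, Tuple

def accuracy(labels: Sequence[int], predictions: Sequence[int]) -> float:
    """Share of samples whose predicted class equals the true class."""
    return sum(int(a == b) for a, b in zip(labels, predictions)) / len(labels)

def auc(labels: Sequence[int], scores: Sequence[float]) -> float:
    """Area under the ROC curve, computed as the probability that a randomly chosen
    positive (Trojan, label 1) scores above a randomly chosen negative; ties count half.
    This equals the area under the TPR-versus-FPR curve."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    if not pos or not neg:
        raise ValueError("AUC needs samples of both classes")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def stratified_folds(labels: Sequence[int], k: int, seed: int = 0) -> List[List[int]]:
    """Split sample indices into k folds that each keep the overall class ratio."""
    rng = random.Random(seed)
    folds: List[List[int]] = [[] for _ in range(k)]
    for cls in (0, 1):
        idx = [i for i, y in enumerate(labels) if y == cls]
        rng.shuffle(idx)
        for j, i in enumerate(idx):
            folds[j % k].append(i)
    return folds

class StumpForest:
    """Stand-in for the page's random forest (assumption of this example): each tree is a
    one-split stump grown on a bootstrap sample with one randomly chosen feature; the
    forest's score is the fraction of trees voting 'Trojan'."""
    def __init__(self, n_trees: int, seed: int = 0):
        self.n_trees, self.rng, self.stumps = n_trees, random.Random(seed), []

    def fit(self, X: List[List[float]], y: List[int]) -> "StumpForest":
        n, d = len(X), len(X[0])
        self.stumps = []
        for _ in range(self.n_trees):
            boot = [self.rng.randrange(n) for _ in range(n)]   # bootstrap sample
            f = self.rng.randrange(d)                           # random feature for this tree
            # Fallback when no split exists: predict the bootstrap majority class.
            best = (-1, f, float("-inf"), 1 if 2 * sum(y[i] for i in boot) >= n else 0)
            values = sorted({X[i][f] for i in boot})
            for lo, hi in zip(values, values[1:]):
                thr = (lo + hi) / 2
                for above in (0, 1):   # class predicted when the feature exceeds thr
                    correct = sum(1 for i in boot if (above if X[i][f] > thr else 1 - above) == y[i])
                    if correct > best[0]:
                        best = (correct, f, thr, above)
            self.stumps.append(best[1:])
        return self

    def score(self, x: List[float]) -> float:
        votes = sum(above if x[f] > thr else 1 - above for f, thr, above in self.stumps)
        return votes / len(self.stumps)

def cross_validate(X, y, n_trees: int, k: int = 10, seed: int = 0) -> Tuple[float, float]:
    """k-fold cross-validation as on the page: mean accuracy and mean AUC over the folds."""
    accs, aucs = [], []
    for fold in stratified_folds(y, k, seed):
        held = set(fold)
        train = [i for i in range(len(y)) if i not in held]
        model = StumpForest(n_trees, seed).fit([X[i] for i in train], [y[i] for i in train])
        scores = [model.score(X[i]) for i in fold]
        truth = [y[i] for i in fold]
        accs.append(accuracy(truth, [1 if s >= 0.5 else 0 for s in scores]))
        aucs.append(auc(truth, scores))
    return sum(accs) / k, sum(aucs) / k

def select_tree_count(X, y, candidates: Sequence[int], k: int = 10, seed: int = 0):
    """The page's selection rule: keep the tree count with the best accuracy + AUC."""
    results: Dict[int, Tuple[float, float]] = {n: cross_validate(X, y, n, k, seed) for n in candidates}
    return max(candidates, key=lambda n: sum(results[n])), results

def majority_baseline(y: Sequence[int]) -> Tuple[float, float]:
    """Why accuracy alone misleads on an imbalanced set: always answering 'normal' scores
    accuracy equal to the normal share but AUC 0.5."""
    return accuracy(y, [0] * len(y)), auc(y, [0.0] * len(y))

def make_constructed_dataset(n_trojan: int = 15, n_normal: int = 45, seed: int = 1):
    """Constructed feature vectors [up/down ratio, PSH share, initial-stage packets,
    heartbeat flag], drawn in the direction the page's rationale predicts; not real captures."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n_trojan):
        X.append([rng.uniform(2, 40), rng.uniform(0.5, 0.9), rng.randint(2, 5), int(rng.random() < 0.9)]); y.append(1)
    for _ in range(n_normal):
        X.append([rng.uniform(0.01, 0.5), rng.uniform(0.1, 0.5), rng.randint(6, 30), int(rng.random() < 0.05)]); y.append(0)
    return X, y

if __name__ == "__main__":
    X, y = make_constructed_dataset()
    print("always-normal baseline (accuracy, AUC):", majority_baseline(y))
    best, results = select_tree_count(X, y, [1, 5, 10, 20])
    print("best tree count:", best, results)
```

With 15 Trojan and 45 normal vectors the always-normal baseline reaches 0.75 accuracy while its AUC is exactly 0.5, which is the imbalance problem the page cites; the stratified folds guarantee every validation fold contains both classes so that AUC is defined on each of them.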
Second stage: model detection stage
Step one, deploy the network traffic collection probe, which collects in real time all traffic passing through the network boundary switch or router.
Step two, extract the complete network traffic of each TCP session from the network traffic in real time. The method is the same as step two of the first stage.
Step three, extract session behavioural features from the TCP session traffic. The method is the same as step three of the first stage.
Step four, feed the extracted session behavioural features into the random forest model trained in step four of the first stage; the model classifies the session as rebound remote control Trojan or normal network business traffic.
Fig. 1 is a schematic diagram of the framework of the rebound remote control Trojan network traffic detection method based on behaviour analysis implemented by the present invention; the method consists of two stages. The first stage is the supervised model training stage: the training samples undergo TCP session reassembly, session feature extraction and session labelling, and the session features and labels are fed into the random forest detection model. By comparing the metric performance of the model under different parameters, the model is tuned and the optimised Trojan detection model is fixed. The second stage is the real-time detection stage for rebound Trojans: the raw traffic data collected in real time on the probe undergoes TCP session reassembly and session feature extraction, the session features are fed into the Trojan detection model optimised in the first stage, and the model classifies each session as Trojan traffic or normal business traffic.
Fig. 2 is the flow chart of the TCP session reassembly and session feature extraction module in Fig. 1. All packets of one reverse TCP session are first filtered out of the network traffic, and the 7 essential attributes of each packet are obtained to form the packet attribute list. By traversing the packet attribute list, the share of packets in the session whose PSH flag is true, the ratio of uploaded to downloaded packet payload length, the number of packets in the initial stage of the session, and the flag for the presence of heartbeat behaviour are computed.
Fig. 3 is the heartbeat behaviour detection module in Fig. 2; the module input is the packet attribute list of one session. For every 6 consecutive packets in the packet attribute list, it is first judged whether their data transfer directions match upload-download-upload-download-upload-download; if they do, it is further judged whether the lengths of the 3 uploaded packets are equal and whether the lengths of the 3 downloaded packets are equal. If they are equal, the session exhibits heartbeat behaviour and the heartbeat detection process ends. If the whole packet attribute list is traversed without finding 6 consecutive packets meeting the above condition, the session has no heartbeat behaviour and the heartbeat detection process ends.
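The four session features of step three in the first stage together with the heartbeat detection rule of Fig. 3, implemented as an added example that is not the patent's own code. Each packet is one attribute row of the 7 attributes the page names; the internal host's address tells upload from download. Two details are this example's assumptions rather than the page's: a session with no downloaded bytes is scored against 1 byte to keep the ratio finite, and the optional `min_len` parameter of `has_heartbeat` lets a caller ignore payload-less packets (bare ACKs), which the page's rule does not do, so it defaults to 0. The two sessions at the bottom are constructed, not captured.

```python
from typing import Dict, FrozenSet, List, Tuple

# One packet attribute row, the 7 essential attributes named on the page:
# (src_ip, src_port, dst_ip, dst_port, timestamp, tcp_flags, payload_bytes)
Row = Tuple[str, int, str, int, float, FrozenSet[str], int]

def _is_upload(row: Row, internal_ip: str) -> bool:
    """Upload = sent from the internal host toward the external one."""
    return row[0] == internal_ip

def upload_download_ratio(rows: List[Row], internal_ip: str) -> float:
    """Feature 1: total uploaded payload bytes / total downloaded payload bytes."""
    up = sum(r[6] for r in rows if _is_upload(r, internal_ip))
    down = sum(r[6] for r in rows if not _is_upload(r, internal_ip))
    # Assumption (not on the page): with no downloaded bytes, divide by 1 to keep the feature finite.
    return up / max(down, 1)

def psh_ratio(rows: List[Row]) -> float:
    """Feature 2: share of packets in the session whose PSH flag is set."""
    return sum(1 for r in rows if "PSH" in r[5]) / len(rows)

def initial_stage_packets(rows: List[Row], t: float = 1.0) -> int:
    """Feature 3: length of the run of packets from session start in which every
    inter-arrival gap is below t seconds (the page uses t = 1 s)."""
    ordered = sorted(rows, key=lambda r: r[4])
    count = 1
    for prev, cur in zip(ordered, ordered[1:]):
        if cur[4] - prev[4] >= t:
            break
        count += 1
    return count

def has_heartbeat(rows: List[Row], internal_ip: str, min_len: int = 0) -> bool:
    """Feature 4, the Fig. 3 rule: some window of 6 consecutive packets alternates
    upload, download, upload, download, upload, download, with the 3 uploads all of one
    length A and the 3 downloads all of one length B. min_len > 0 is an optional
    hardening of this example (assumption): it drops payload-less packets first."""
    ordered = [r for r in sorted(rows, key=lambda r: r[4]) if r[6] >= min_len]
    for i in range(len(ordered) - 5):
        window = ordered[i:i + 6]
        if [_is_upload(r, internal_ip) for r in window] != [True, False] * 3:
            continue
        up_lengths = {window[j][6] for j in (0, 2, 4)}
        down_lengths = {window[j][6] for j in (1, 3, 5)}
        if len(up_lengths) == 1 and len(down_lengths) == 1:
            return True
    return False

def session_features(rows: List[Row], internal_ip: str, t: float = 1.0) -> Dict[str, float]:
    """The 4-feature vector the page feeds to the random forest, for one session."""
    return {
        "up_down_ratio": upload_download_ratio(rows, internal_ip),
        "psh_ratio": psh_ratio(rows),
        "initial_packets": initial_stage_packets(rows, t),
        "heartbeat": has_heartbeat(rows, internal_ip),
    }

IN, OUT = "192.168.1.10", "203.0.113.5"   # constructed internal host and external peer

def _row(ts, src, dst, flags, n) -> Row:
    sport, dport = (50000, 443) if src == IN else (443, 50000)
    return (src, sport, OUT if src == IN else IN, dport, ts, frozenset(flags.split(",")), n)

# Constructed Trojan-like session: handshake, 30-second 16/8-byte heartbeats, then a short
# inbound command followed by a large outbound upload.
TROJAN_LIKE = [
    _row(0.00, IN, OUT, "SYN", 0), _row(0.01, OUT, IN, "SYN,ACK", 0), _row(0.02, IN, OUT, "ACK", 0),
    _row(5.0, IN, OUT, "PSH,ACK", 16), _row(5.1, OUT, IN, "PSH,ACK", 8),
    _row(35.0, IN, OUT, "PSH,ACK", 16), _row(35.1, OUT, IN, "PSH,ACK", 8),
    _row(65.0, IN, OUT, "PSH,ACK", 16), _row(65.1, OUT, IN, "PSH,ACK", 8),
    _row(80.0, OUT, IN, "PSH,ACK", 40), _row(80.2, IN, OUT, "PSH,ACK", 2048),
]
# Constructed web-browsing-like session: small request, larger response, prompt close.
NORMAL_LIKE = [
    _row(0.00, IN, OUT, "SYN", 0), _row(0.01, OUT, IN, "SYN,ACK", 0), _row(0.02, IN, OUT, "ACK", 0),
    _row(0.03, IN, OUT, "PSH,ACK", 300),
    _row(0.10, OUT, IN, "ACK", 1460), _row(0.11, OUT, IN, "ACK", 1460), _row(0.12, OUT, IN, "PSH,ACK", 800),
    _row(0.13, IN, OUT, "ACK", 0), _row(0.20, IN, OUT, "FIN,ACK", 0),
]

if __name__ == "__main__":
    print("trojan-like:", session_features(TROJAN_LIKE, IN))
    print("normal-like:", session_features(NORMAL_LIKE, IN))
```

The two constructed sessions land on opposite sides of every feature the page's rationale predicts: the Trojan-like one uploads far more than it downloads, sets PSH on most packets, sends only 3 packets in its first second and shows the 16/8-byte heartbeat pattern, while the browsing-like one downloads more than it uploads, sends all 9 packets inside the first second and has no alternating fixed-length exchange.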
The reasons for choosing the above 4 behavioural features as the input features of the Trojan detection model are as follows:
1. Ratio of uploaded to downloaded packet payload length: in normal reverse-connection network business traffic the uploaded data volume is usually smaller than the downloaded data volume, for example when browsing web pages or downloading files, whereas for a reverse remote control Trojan it is the opposite.
2. Proportion of packets whose PSH flag bit is equal to 1: a PSH flag value of 1 indicates that the data sender is asking the application layer to process the packet content with higher priority. A remote control Trojan usually wants its data transfer completed as early as possible, so Trojan traffic is more likely than normal traffic to set this flag bit to 1.
3. Number of packets in the initial stage of the session: a normal network connection usually starts sending data automatically right after it is established, whereas a remote control Trojan has to wait for the hacker's operation after the connection is established, so the number of packets in the initial stage of a Trojan connection is comparatively small.
4. Heartbeat behaviour flag: once a Trojan connection is established it tends to stay connected even when the hacker is not operating the Trojan, and a heartbeat mechanism is a common way of keeping a connection alive. Therefore the probability of heartbeat behaviour in a malicious Trojan connection is greater than in a regular business connection.
Claims (5)
1. A rebound remote control Trojan network traffic detection method based on behaviour analysis, characterised in that it comprises the following steps:
Step 1, training the Trojan detection model: collect two different types of traffic file, Trojan traffic files and normal network business traffic files; then extract the complete network traffic of each TCP session from the traffic files; then extract from the TCP session traffic the session behavioural features, namely the ratio of uploaded to downloaded packet payload length, the proportion of packets whose PSH flag bit is equal to 1, the number of packets in the initial stage of the session, and the heartbeat behaviour flag; finally feed the session behavioural features and the traffic file type into a Trojan detection model based on the random forest algorithm for training, adjusting the number of decision trees in the model during training until the Trojan detection model that identifies Trojan traffic files and normal network business traffic files most accurately is obtained;
Step 2, detecting with the Trojan detection model obtained in step 1: first monitor the real-time network traffic, then extract the complete network traffic of each TCP session from that traffic, then extract the session behavioural features from the TCP session traffic, and finally feed the extracted session behavioural features into the Trojan detection model, which classifies each TCP session as Trojan traffic or normal network business traffic according to its input.
2. The method according to claim 1, wherein extracting the complete network traffic of each TCP session from the traffic file in step 1 comprises the following steps: the traffic file is reorganised with the TCP session as the unit; the start of a session is judged by the Flag value of a packet containing SYN, and the end of a session by it containing RST or FIN; from all TCP sessions, those initiated from the internal network toward the external network are selected, and TCP sessions connected in from the external network are discarded.
3. The method according to claim 1, wherein the session behavioural features in step 1 are obtained by extracting the 7 essential attributes source IP, source port, destination IP, destination port, timestamp, FLAG value and payload byte count, and processing them.
4. The method according to claim 1, wherein, among the session behavioural features in step 1, the ratio of uploaded to downloaded packet payload length is the ratio of the total uploaded bytes to the total downloaded bytes of a TCP session; the proportion of packets whose PSH flag bit is equal to 1 is the share of packets in the whole session whose PSH flag value is 1; the number of packets in the initial stage of the session is the number of packets within a preset time from the establishment of the TCP session; and the heartbeat behaviour flag indicates whether heartbeat behaviour is present in the session.
5. The method according to claim 1, wherein training the Trojan detection model in step 1 comprises: using 10-fold cross-validation, dividing the training samples into a training set and a validation set, training the algorithm on the training set, classifying the samples of the validation set with the trained algorithm, and computing the accuracy and the AUC metric, where accuracy is the ratio of correctly classified samples to the total number of samples and AUC is the area under the ROC curve, the curve that describes the relationship between the classifier's true positive rate and false positive rate; after the accuracy and AUC have been obtained, the number of decision trees in the random forest algorithm is adjusted, and the number of decision trees for which the combined value of the two metrics, accuracy and AUC, is optimal is taken as the number of decision trees of the Trojan detection model.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811117592.XA CN109379341B (en) | 2018-09-21 | 2018-09-21 | Rebound remote control Trojan network flow detection method based on behavior analysis |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109379341A true CN109379341A (en) | 2019-02-22 |
CN109379341B CN109379341B (en) | 2022-02-01 |
Family
ID=65402457
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811117592.XA Active CN109379341B (en) | 2018-09-21 | 2018-09-21 | Rebound remote control Trojan network flow detection method based on behavior analysis |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109379341B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110266678A (en) * | 2019-06-13 | 2019-09-20 | 深圳市腾讯计算机系统有限公司 | Security attack detection method, device, computer equipment and storage medium |
CN110674010A (en) * | 2019-09-10 | 2020-01-10 | 西安电子科技大学 | Intelligent device application program identification method based on session length probability distribution |
CN111859386A (en) * | 2020-08-03 | 2020-10-30 | 深圳市联软科技股份有限公司 | Trojan horse detection method and system based on behavior analysis |
CN113037646A (en) * | 2021-03-04 | 2021-06-25 | 西南交通大学 | Train communication network flow identification method based on deep learning |
CN113591085A (en) * | 2021-07-27 | 2021-11-02 | 深圳市纽创信安科技开发有限公司 | Android malicious application detection method, device and equipment |
CN113949531A (en) * | 2021-09-14 | 2022-01-18 | 北京邮电大学 | Malicious encrypted flow detection method and device |
CN114124463A (en) * | 2021-10-27 | 2022-03-01 | 中国电子科技集团公司第三十研究所 | Method and system for identifying hidden network encryption application service based on network behavior characteristics |
CN115002760A (en) * | 2022-07-20 | 2022-09-02 | 广东南方电信规划咨询设计院有限公司 | 5G terminal encrypted flow data security detection method and system |
CN115134096A (en) * | 2021-03-11 | 2022-09-30 | 深信服科技股份有限公司 | RAT connection detection method, flow audit equipment and medium |
CN115277152A (en) * | 2022-07-22 | 2022-11-01 | 长扬科技(北京)股份有限公司 | Network flow security detection method and device |
CN116260660A (en) * | 2023-05-15 | 2023-06-13 | 杭州美创科技股份有限公司 | Webpage Trojan backdoor identification method and system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101572711A (en) * | 2009-06-08 | 2009-11-04 | 北京理工大学 | Network-based detection method of rebound ports Trojan horse |
CN102761458A (en) * | 2011-12-20 | 2012-10-31 | 北京安天电子设备有限公司 | Detection method and system of rebound type Trojan |
CN103491077A (en) * | 2013-09-09 | 2014-01-01 | 无锡华御信息技术有限公司 | Method and system for recall Trojan horse control site network behavior function reconstruction |
CN107423622A (en) * | 2017-07-04 | 2017-12-01 | 上海高重信息科技有限公司 | A kind of method and system for detecting and taking precautions against bounce-back shell |
CN107733851A (en) * | 2017-08-23 | 2018-02-23 | 刘胜利 | DNS tunnels Trojan detecting method based on communication behavior analysis |
KR20180055957A (en) * | 2016-11-16 | 2018-05-28 | 순천향대학교 산학협력단 | Apparatus and method for detecting network intrusion based on anomaly analysis |
Also Published As
Publication number | Publication date |
---|---|
CN109379341B (en) | 2022-02-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109379341A (en) | Behavior-analysis-based network traffic detection method for bounce-back (reverse-connecting) remote-control Trojans | |
CN108282497B (en) | DDoS attack detection method for SDN control plane | |
Alshammari et al. | Machine learning based encrypted traffic classification: Identifying ssh and skype | |
CN106464577B (en) | Network system, control device, communication device and communication control method | |
Chen et al. | Deep learning for malicious flow detection | |
CN101714952B (en) | Method and device for identifying traffic of access network | |
CN107733851A (en) | DNS tunnels Trojan detecting method based on communication behavior analysis | |
CN103312565B (en) | Peer-to-peer network traffic identification method based on autonomous learning |
CN102739457B (en) | Network flow recognition system and method based on DPI (Deep Packet Inspection) and SVM (Support Vector Machine) technology | |
CN109802924A (en) | Method and device for identifying encrypted traffic |
CN103532957B (en) | Device and method for detecting Trojan remote-shell behaviour |
CN110166480B (en) | Data packet analysis method and device | |
CN111817982A (en) | Encrypted flow identification method for category imbalance | |
CN104468507B (en) | Trojan detection method based on traffic analysis without access to the control end |
CN107370752B (en) | Efficient remote control Trojan detection method | |
CN102315974A (en) | Stratification characteristic analysis-based method and apparatus thereof for on-line identification for TCP, UDP flows | |
CN102821002A (en) | Method and system for network flow anomaly detection | |
CN103532969A (en) | Zombie network detection method, device and processor | |
CN111611280A (en) | Encrypted traffic identification method based on CNN and SAE | |
CN109600394A (en) | HTTP-tunnel Trojan detection method based on deep learning |
CN108833430B (en) | Topology protection method of software defined network | |
CN114785563A (en) | Encrypted malicious flow detection method for soft voting strategy | |
Li et al. | ETCC: Encrypted Two‐Label Classification Using CNN | |
Tropková et al. | Novel HTTPS classifier driven by packet bursts, flows, and machine learning | |
Shamsimukhametov et al. | Are neural networks the best way for encrypted traffic classification? |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||