CN110113349A - Malicious encrypted traffic feature analysis method - Google Patents
Malicious encrypted traffic feature analysis method (Google Patents machine title: "A kind of malice encryption traffic characteristics analysis method")
- Publication number: CN110113349A
- Application number: CN201910402969.4A
- Authority: CN (China)
- Prior art keywords: feature, flow, certificate, tuple, malice
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Abstract
The invention discloses a malicious encrypted traffic feature analysis method. It belongs to the intersection of network security and machine learning and is used to analyse HTTPS traffic and detect malicious threats within it. The method models traffic data with the connection four-tuple as its data structure, analyses encrypted traffic at four levels with the connection four-tuple as the unit, and extracts the flow-level features, TLS handshake features, X.509 certificate features and context features of each connection four-tuple to obtain an initial feature set. A decision-tree-based recursive feature elimination method then screens the initial feature set to obtain an optimal feature set, which is used to train a machine learning model and so obtain a malicious encrypted traffic detection model.
Description
Technical field:
The invention belongs to the intersection of network security and machine learning and relates to a malicious encrypted traffic feature analysis method.
Background technique:
It is a general trend that the global Internet is moving into an era of comprehensive encryption. Encryption protects communication security and user privacy, and more and more enterprise services and applications rely on it as the main means of securing information. However, encrypted traffic also brings new challenges and threats to the security field: through an encrypted channel an attacker can bypass detection systems and carry out malicious intrusions.
Because machine learning algorithms that use flow metadata are little affected by whether the traffic is encrypted, machine learning algorithms that take flow metadata as features have become the focus of encrypted traffic identification research. However, existing machine-learning-based malicious encrypted traffic detection methods have made slow progress in practical application and still have many problems.
One of the main reasons is that the training effect of a machine learning method depends on traffic feature extraction, but current research on the features of malicious encrypted traffic is not comprehensive enough: features are often extracted from experience and expert knowledge, the effectiveness of the extracted features is hard to guarantee, and so the machine learning method cannot achieve its best effect.
Therefore, as more and more malicious attacks adopt encryption, an efficient malicious encrypted traffic feature analysis method is of great significance for machine-learning-based detection of malicious encrypted traffic.
Summary of the invention:
To solve the problems that existing methods have difficulty extracting the features of malicious encrypted traffic effectively and performing optimal selection on the extracted features, the invention takes the connection four-tuple as the basic unit and analyses encrypted traffic, in particular HTTPS traffic, comprehensively at four levels. The invention divides HTTPS traffic features into four major classes, flow-level features, TLS handshake features, X.509 certificate features and context features, and further screens the traffic features with a decision-tree-based recursive feature elimination method to obtain the sample data actually used to train the model.
The technical solution adopted in the present invention:
The invention preprocesses encrypted traffic data with the connection four-tuple as the unit. A connection four-tuple is indexed by the key (source IP address, destination IP address, destination port number, transport layer protocol) and contains all the HTTPS flows between a pair of communicating hosts in the network together with the corresponding DNS flows.
The invention extracts the corresponding traffic features with the connection four-tuple as the data structure. Traffic features are divided into four major classes: flow-level features, TLS handshake features, X.509 certificate features and context features. Flow-level features describe the behaviour and connection pattern of the traffic; TLS handshake features describe the TLS/SSL protocol attributes used by the encrypted traffic; X.509 certificate features describe the authentication information of the two communicating parties; context features describe the DNS flow information corresponding to the HTTPS flows. The set of traffic features of the connection four-tuples forms the initial feature set.
The invention screens the initial feature set with a decision-tree-based recursive feature elimination method to obtain the optimal feature subset. The optimal feature subset and the label set of the connection four-tuples constitute the training samples for the machine learning method.
The invention has the following advantages. It realises an efficient malicious encrypted traffic feature analysis method. Using this method to analyse the features of encrypted traffic and training models with two machine learning algorithms, random forest and gradient boosted trees, the resulting malicious encrypted traffic detection model reaches an accuracy, precision and recall of up to 100% on the test samples, with a miss rate and false alarm rate of 0%. The decision-tree-based recursive feature elimination method applied by the invention ranks the traffic features by importance, and the training result can show, intuitively and in the form of a decision tree, the basis on which traffic is judged to be malicious encrypted traffic, giving good interpretability.
Detailed description of the invention:
Fig. 1 is the structure diagram of the connection four-tuple of the invention;
Fig. 2 is the flow chart of the feature analysis of the invention.
Specific embodiment:
[Embodiment 1]
The invention uses a traffic analysis and detection tool to clean the collected traffic data files and selects the encrypted traffic from them. The traffic is labelled according to the traffic label file that comes with the data set; the labels are malicious traffic, normal traffic and background traffic. Background traffic is discarded, and the remaining traffic data is preprocessed with the connection four-tuple as the unit: HTTPS flows with the same source IP address, destination IP address, destination port number and transport layer protocol, together with the corresponding context DNS flows, are added to the corresponding connection four-tuple structure.
[Embodiment 2]
The invention analyses the traffic with the connection four-tuple as the unit and extracts the corresponding flow-level features, TLS handshake features, certificate features and context features. The four major classes of traffic features are as follows:
(1) Flow-level features
Mean, maximum and standard deviation of the inter-arrival time of the flows; mean, maximum and standard deviation of the connection duration; mean packet size; mean packet count; ratio of sent to received packet bytes; ratio of sent to received packet counts; number of dropped packets; ratio of connections that ended in a normal state.
(2) TLS handshake features
TLS/SSL protocol version; cipher suites and extensions offered by the client in the TLS handshake; cipher suite and extensions selected by the server in the TLS handshake; whether the previous key is reused when the TLS connection is re-established; ratio of HTTPS flows that carry SNI.
(3) X.509 certificate features
Whether the X.509 certificate is self-signed; length of the public key contained in the certificate; cryptographic algorithm and cipher type used by the certificate; certificate signature algorithm; certificate validity period and the ratio of the remaining validity time to the total validity period; number of domain names listed in the certificate's SAN; the CN, O, L and ST fields of the certificate subject and issuer; length of the trusted certificate chain.
(4) Context features
TTL of the DNS flow corresponding to the HTTPS flow; mean and standard deviation of the domain name length in the DNS request field; number of IP addresses in the DNS response field.
The set of traffic features of the connection four-tuples of the invention forms the initial feature set.
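The grouping and extraction steps of Embodiments 1 and 2, as an added example that is not the patent's code: HTTPS and DNS flow records (a record layout of my own, with constructed sample values rather than captured traffic) are indexed by the connection four-tuple, the DNS flows whose answers contain the destination IP are attached as context, and one feature vector covering the four classes is computed per four-tuple. Where a class has many members on the page (the full cipher-suite lists, the subject and issuer fields) the example keeps a representative subset.

```python
"""Build connection four-tuples from HTTPS and DNS flow records and extract the
four feature classes listed above. Added example with a record layout of my own;
the sample flows are constructed, not captured traffic, and this is not the
patent's code."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass
class HttpsFlow:
    """One HTTPS flow plus the handshake and certificate fields seen in it."""
    src_ip: str; dst_ip: str; dst_port: int; proto: str      # four-tuple key
    start: float; duration: float                              # seconds
    bytes_sent: int; bytes_recv: int; pkts_sent: int; pkts_recv: int
    tls_version: str; resumed: bool; sni: str                  # sni == '' when absent
    cert_self_signed: bool; cert_pubkey_bits: int
    cert_not_before: float; cert_not_after: float              # epoch seconds
    cert_san_count: int; cert_chain_len: int


@dataclass
class DnsFlow:
    ttl: int; qname: str; answer_ips: List[str]


Key = Tuple[str, str, int, str]   # (src IP, dst IP, dst port, transport protocol)


def group_four_tuples(https: List[HttpsFlow], dns: List[DnsFlow]) -> Dict[Key, dict]:
    """Index HTTPS flows by four-tuple and attach, as context, the DNS flows
    whose answer contains the destination IP."""
    groups: Dict[Key, dict] = {}
    for f in https:
        k = (f.src_ip, f.dst_ip, f.dst_port, f.proto)
        groups.setdefault(k, {"https": [], "dns": []})["https"].append(f)
    for k, g in groups.items():
        g["dns"] = [d for d in dns if k[1] in d.answer_ips]
    return groups


def _mms(xs: List[float]) -> Tuple[float, float, float]:
    """(mean, max, population std); zeros for an empty list."""
    return (mean(xs), max(xs), pstdev(xs)) if xs else (0.0, 0.0, 0.0)


def extract_features(g: dict, now: float) -> Dict[str, float]:
    hs = sorted(g["https"], key=lambda f: f.start)
    n = len(hs)
    fe: Dict[str, float] = {}
    # (1) flow-level: inter-arrival time, duration, sizes, send/receive ratios
    starts = [f.start for f in hs]
    fe["iat_mean"], fe["iat_max"], fe["iat_std"] = _mms([b - a for a, b in zip(starts, starts[1:])])
    fe["dur_mean"], fe["dur_max"], fe["dur_std"] = _mms([f.duration for f in hs])
    fe["pkts_mean"] = mean(f.pkts_sent + f.pkts_recv for f in hs)
    fe["bytes_mean"] = mean(f.bytes_sent + f.bytes_recv for f in hs)
    fe["bytes_ratio"] = sum(f.bytes_sent for f in hs) / max(1, sum(f.bytes_recv for f in hs))
    fe["pkts_ratio"] = sum(f.pkts_sent for f in hs) / max(1, sum(f.pkts_recv for f in hs))
    # (2) TLS handshake: protocol version, key reuse on reconnection, SNI presence
    fe["tls12_ratio"] = sum(f.tls_version == "TLSv1.2" for f in hs) / n
    fe["resumed_ratio"] = sum(f.resumed for f in hs) / n
    fe["sni_ratio"] = sum(bool(f.sni) for f in hs) / n
    # (3) X.509 certificate (taken from the first flow; the server cert is shared)
    c = hs[0]
    total = c.cert_not_after - c.cert_not_before
    fe["self_signed"] = float(c.cert_self_signed)
    fe["pubkey_bits"] = float(c.cert_pubkey_bits)
    fe["validity_days"] = total / 86400
    fe["remaining_ratio"] = max(0.0, c.cert_not_after - now) / total if total > 0 else 0.0
    fe["san_count"] = float(c.cert_san_count)
    fe["chain_len"] = float(c.cert_chain_len)
    # (4) context: the DNS flows that led the client to this server
    ds = g["dns"]
    fe["dns_ttl_mean"] = mean(d.ttl for d in ds) if ds else 0.0
    fe["qname_len_mean"], _, fe["qname_len_std"] = _mms([len(d.qname) for d in ds])
    fe["dns_answer_ips"] = mean(len(d.answer_ips) for d in ds) if ds else 0.0
    return fe


def demo_features(now: float = 1_700_000_000.0) -> Dict[str, float]:
    """Constructed sample: three HTTPS flows from one client to one server, the
    last one resuming the earlier session, plus the DNS lookup for the server."""
    base = dict(src_ip="10.0.0.5", dst_ip="203.0.113.7", dst_port=443, proto="tcp",
                bytes_sent=1200, bytes_recv=3600, pkts_sent=10, pkts_recv=20,
                tls_version="TLSv1.2", resumed=False, sni="example.test",
                cert_self_signed=True, cert_pubkey_bits=1024,
                cert_not_before=now - 10 * 86400, cert_not_after=now + 30 * 86400,
                cert_san_count=1, cert_chain_len=1)
    flows = [HttpsFlow(start=now - 300 + 60 * i, duration=2.0 + i, **base) for i in range(3)]
    flows[2].resumed = True
    dns = [DnsFlow(ttl=60, qname="example.test", answer_ips=["203.0.113.7"])]
    (group,) = group_four_tuples(flows, dns).values()
    return extract_features(group, now)
```

Every feature is a single number per four-tuple so that the rows can be fed directly to the feature selection and model training steps; ratios use `max(1, ...)` in the denominator and `_mms` returns zeros for empty lists so that a four-tuple with one flow or no matching DNS flow still yields a complete vector.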
[Embodiment 3]
The invention performs feature selection on the above initial feature set with a decision-tree-based recursive feature elimination method. Recursive feature elimination ranks the features of the initial feature set by their importance in model training; after each round of training the least important feature is removed to form a new feature set, training is repeated on the new feature set, and the process is repeated until the size of the remaining feature set reaches a threshold, which yields the optimal feature set. The optimal feature set and the sample labels form the training samples.
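The elimination loop of Embodiment 3, as an added example that is not the patent's implementation. Importance comes from a small greedy CART tree written here (per feature, the sum over the nodes that split on it of the impurity decrease weighted by node size, which is the usual decision-tree importance); the loop retrains on the surviving features and drops the least important one until the threshold size is reached. The twelve labelled rows and the four feature names are constructed; a real run would use the feature vectors of the connection four-tuples.

```python
"""Decision-tree-based recursive feature elimination (RFE). Added example, not
the patent's code: a greedy CART classifier supplies importance scores and RFE
drops the least important feature per round until `keep` features remain.
The training rows are constructed binary feature vectors, not real traffic."""
from typing import Dict, List, Sequence, Tuple


def gini(labels: Sequence[int]) -> float:
    """Gini impurity of a set of 0/1 labels."""
    n = len(labels)
    if n == 0:
        return 0.0
    p = sum(labels) / n
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def best_split(X, y, idx: List[int], j: int) -> Tuple[float, float]:
    """Best threshold on feature j over rows idx: (impurity decrease, threshold)."""
    order = sorted(idx, key=lambda i: X[i][j])
    ys = [y[i] for i in order]
    n, parent = len(order), gini(ys)
    best_gain, best_thr = 0.0, 0.0
    for k in range(1, n):
        a, b = X[order[k - 1]][j], X[order[k]][j]
        if a == b:
            continue                       # no threshold separates equal values
        gain = parent - k / n * gini(ys[:k]) - (n - k) / n * gini(ys[k:])
        if gain > best_gain:
            best_gain, best_thr = gain, (a + b) / 2
    return best_gain, best_thr


def grow_tree(X, y, idx: List[int], depth: int, importance: List[float]) -> None:
    """Greedy CART split down to `depth`, accumulating each feature's weighted
    impurity decrease (gain times node size) in `importance`."""
    if depth == 0 or len(idx) < 2 or gini([y[i] for i in idx]) == 0.0:
        return                             # leaf: depth limit or pure node
    best = (0.0, -1, 0.0)
    for f in range(len(X[0])):
        g, thr = best_split(X, y, idx, f)
        if g > best[0]:
            best = (g, f, thr)
    gain, j, thr = best
    if j < 0:
        return                             # no split reduces impurity
    importance[j] += gain * len(idx)
    grow_tree(X, y, [i for i in idx if X[i][j] <= thr], depth - 1, importance)
    grow_tree(X, y, [i for i in idx if X[i][j] > thr], depth - 1, importance)


def tree_importance(X, y, names: List[str], depth: int = 3) -> Dict[str, float]:
    imp = [0.0] * len(names)
    grow_tree(X, y, list(range(len(y))), depth, imp)
    return dict(zip(names, imp))


def recursive_feature_elimination(X, y, names: List[str], keep: int) -> Tuple[List[str], List[str]]:
    """Retrain on the surviving features and drop the least important one per
    round until `keep` remain. Returns (survivors, elimination order)."""
    survivors, dropped = list(names), []
    while len(survivors) > keep:
        cols = [names.index(nm) for nm in survivors]
        sub = [[row[c] for c in cols] for row in X]   # keep only surviving columns
        imp = tree_importance(sub, y, survivors)
        worst = min(survivors, key=lambda nm: imp[nm])
        survivors.remove(worst)
        dropped.append(worst)
    return survivors, dropped


# Constructed sample: four binary features over 12 labelled connection four-tuples
# (1 = malicious). "tls12" is arranged to carry no information and "chain_len"
# is constant, so both should be eliminated first.
FEATURES = ["self_signed", "low_sni_ratio", "tls12", "chain_len"]
X_SAMPLE = [
    [1, 1, 1, 1], [1, 1, 1, 1], [1, 1, 0, 1], [1, 1, 0, 1],   # malicious
    [0, 1, 1, 1], [0, 1, 0, 1], [0, 1, 1, 1],                 # normal
    [1, 0, 1, 1],                                             # normal
    [0, 0, 0, 1], [0, 0, 1, 1], [0, 0, 0, 1], [0, 0, 0, 1],   # normal
]
Y_SAMPLE = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0]


def demo(keep: int = 2) -> Tuple[List[str], List[str]]:
    return recursive_feature_elimination(X_SAMPLE, Y_SAMPLE, FEATURES, keep)


if __name__ == "__main__":
    print(tree_importance(X_SAMPLE, Y_SAMPLE, FEATURES))
    print(demo())
```

Retraining each round matters because a tree's importances depend on which other features are available: a feature that is never chosen while a stronger correlate is present can become important once that correlate is gone, which a single importance ranking taken before elimination would miss.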
[Embodiment 4]
The invention applies machine learning algorithms to evaluate the effect of the optimal feature set. The training samples are divided into a training set and a test set. Two algorithms, random forest and gradient boosted trees, are trained on the training set to obtain malicious encrypted traffic detection models. The models are then analysed and verified on the test set to assess the training effect. The evaluation indices used include training speed, accuracy, precision, recall, F1 score, miss rate and false alarm rate.
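The evaluation step of Embodiment 4, as an added example that is not the patent's code: a seeded train/test split, the confusion matrix with "malicious" as the positive class, and the indices named above computed from it (training speed is measured by timing the training callable). The label vectors in the demo are constructed; the classifier itself is whichever model is trained on the split.

```python
"""Train/test split and the evaluation indices listed above (training speed,
accuracy, precision, recall, F1, miss rate, false alarm rate) for a binary
malicious (1) / normal (0) labelling. Added example, not the patent's code;
the label vectors in the demo are constructed."""
import random
import time
from typing import Callable, Dict, Sequence, Tuple


def split_train_test(rows: Sequence, labels: Sequence[int], test_fraction: float = 0.3,
                     seed: int = 0) -> Tuple[list, list, list, list]:
    """Shuffle with a fixed seed and hold out test_fraction of the samples."""
    idx = list(range(len(rows)))
    random.Random(seed).shuffle(idx)
    n_test = int(round(len(idx) * test_fraction))
    test, train = idx[:n_test], idx[n_test:]
    return ([rows[i] for i in train], [labels[i] for i in train],
            [rows[i] for i in test], [labels[i] for i in test])


def confusion(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, int]:
    """Counts with malicious (1) as the positive class."""
    pairs = list(zip(y_true, y_pred))
    return {
        "tp": sum(1 for t, p in pairs if t == 1 and p == 1),
        "fn": sum(1 for t, p in pairs if t == 1 and p == 0),   # malicious missed
        "fp": sum(1 for t, p in pairs if t == 0 and p == 1),   # normal flagged
        "tn": sum(1 for t, p in pairs if t == 0 and p == 0),
    }


def _div(a: float, b: float) -> float:
    return a / b if b else 0.0           # undefined ratio (no such samples) -> 0


def evaluate(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, float]:
    c = confusion(y_true, y_pred)
    tp, fn, fp, tn = c["tp"], c["fn"], c["fp"], c["tn"]
    precision, recall = _div(tp, tp + fp), _div(tp, tp + fn)
    return {
        "accuracy": _div(tp + tn, tp + tn + fp + fn),
        "precision": precision,
        "recall": recall,
        "f1": _div(2 * precision * recall, precision + recall),
        "miss_rate": _div(fn, tp + fn),          # share of malicious samples missed, 1 - recall
        "false_alarm_rate": _div(fp, fp + tn),   # share of normal samples flagged
    }


def timed_fit(fit: Callable[[], object]) -> Tuple[object, float]:
    """Run a training callable and return (model, wall-clock seconds)."""
    t0 = time.perf_counter()
    model = fit()
    return model, time.perf_counter() - t0


def demo() -> Dict[str, float]:
    y_true = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]   # constructed test labels
    y_pred = [1, 1, 1, 0, 0, 0, 0, 0, 1, 0]   # constructed model output: one miss, one false alarm
    return evaluate(y_true, y_pred)


if __name__ == "__main__":
    _, seconds = timed_fit(lambda: "trained-model-placeholder")
    print(demo(), f"training took {seconds:.6f}s")
```

Miss rate and false alarm rate are normalised by different denominators (the malicious and the normal samples respectively), so on an imbalanced test set a low false alarm rate says nothing about how many malicious four-tuples were missed; reporting both alongside recall, as the embodiment does, is what makes the two error types visible.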
Claims (6)
1. A malicious encrypted traffic feature analysis method, characterised in that: the connection four-tuple is taken as the basic unit and encrypted traffic is analysed comprehensively at four levels; HTTPS traffic features are divided into four major classes, flow-level features, TLS handshake features, X.509 certificate features and context features, where flow-level features describe the behaviour and connection pattern of the traffic, TLS handshake features describe the TLS/SSL protocol attributes used by the encrypted traffic, X.509 certificate features describe the authentication information of the two communicating parties, and context features describe the DNS flow information corresponding to the HTTPS flows; the set of traffic features of the connection four-tuples constitutes the initial feature set; the traffic features are screened with a decision-tree-based recursive feature elimination method to obtain the optimal feature subset; and the optimal feature subset and the label set of the connection four-tuples constitute the training samples for the machine learning method.
2. The malicious encrypted traffic feature analysis method according to claim 1, characterised in that: the encrypted traffic data is preprocessed with the connection four-tuple as the unit; the connection four-tuple is indexed by the key (source IP address, destination IP address, destination port number, transport layer protocol) and contains all the HTTPS flows between a pair of communicating hosts in the network together with the corresponding DNS flows.
3. The malicious encrypted traffic feature analysis method according to claim 1, characterised in that: a traffic analysis and detection tool is used to clean the collected traffic data files and select the encrypted traffic; the traffic is labelled according to the traffic label file that comes with the data set, the labels being malicious traffic, normal traffic and background traffic; background traffic is discarded and the remaining traffic data is preprocessed with the connection four-tuple as the unit, HTTPS flows with the same source IP address, destination IP address, destination port number and transport layer protocol, together with the corresponding context DNS flows, being added to the corresponding connection four-tuple structure.
4. The malicious encrypted traffic feature analysis method according to claim 1, characterised in that the four major classes of traffic features are as follows:
(1) Flow-level features
Mean, maximum and standard deviation of the inter-arrival time of the flows; mean, maximum and standard deviation of the connection duration; mean packet size; mean packet count; ratio of sent to received packet bytes; ratio of sent to received packet counts; number of dropped packets; ratio of connections that ended in a normal state;
(2) TLS handshake features
TLS/SSL protocol version; cipher suites and extensions offered by the client in the TLS handshake; cipher suite and extensions selected by the server in the TLS handshake; whether the previous key is reused when the TLS connection is re-established; ratio of HTTPS flows that carry SNI;
(3) X.509 certificate features
Whether the X.509 certificate is self-signed; length of the public key contained in the certificate; cryptographic algorithm and cipher type used by the certificate; certificate signature algorithm; certificate validity period and the ratio of the remaining validity time to the total validity period; number of domain names listed in the certificate's SAN; the CN, O, L and ST fields of the certificate subject and issuer; length of the trusted certificate chain;
(4) Context features
TTL of the DNS flow corresponding to the HTTPS flow; mean and standard deviation of the domain name length in the DNS request field; number of IP addresses in the DNS response field.
5. The malicious encrypted traffic feature analysis method according to claim 1, characterised in that: feature selection is performed on the above initial feature set with a decision-tree-based recursive feature elimination method; recursive feature elimination ranks the features of the initial feature set by their importance in model training, after each round of training the least important feature is removed to form a new feature set, training is repeated on the new feature set, and the process is repeated until the size of the remaining feature set reaches a threshold, which yields the optimal feature set; the optimal feature set and the sample labels form the training samples.
6. The malicious encrypted traffic feature analysis method according to claim 1, characterised in that: machine learning algorithms are used to evaluate the effect of the optimal feature set; the training samples are divided into a training set and a test set; two algorithms, random forest and gradient boosted trees, are trained on the training set to obtain malicious encrypted traffic detection models; the models are analysed and verified on the test set to assess the training effect; and the evaluation indices used include training speed, accuracy, precision, recall, F1 score, miss rate and false alarm rate.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910402969.4A CN110113349A (en) | 2019-05-15 | 2019-05-15 | A kind of malice encryption traffic characteristics analysis method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110113349A true CN110113349A (en) | 2019-08-09 |
Family
ID=67490201
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910402969.4A Pending CN110113349A (en) | 2019-05-15 | 2019-05-15 | A kind of malice encryption traffic characteristics analysis method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110113349A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130056630A1 (en) * | 2010-05-03 | 2013-03-07 | The Cleveland Clinic Foundation | Detection and monitoring of nonalcoholic fatty liver disease |
CN106716455A (en) * | 2014-09-17 | 2017-05-24 | 卡特彼勒公司 | Method for developing machine operation classifier using machine learning |
CN108833360A (en) * | 2018-05-23 | 2018-11-16 | 四川大学 | A kind of malice encryption flow identification technology based on machine learning |
CN109698835A (en) * | 2019-01-19 | 2019-04-30 | 郑州轻工业学院 | A kind of encryption Trojan detecting method towards the hidden tunnel HTTPS |
CN109726735A (en) * | 2018-11-27 | 2019-05-07 | 南京邮电大学 | A kind of mobile applications recognition methods based on K-means cluster and random forests algorithm |
Events
- 2019-05-15: CN application CN201910402969.4A (publication CN110113349A) filed; status Pending
Non-Patent Citations (2)
Title |
---|
AQNIU 安全牛: "One report to understand the first domestic detection engine aimed at encrypted traffic" (一篇报告了解国内首个针对加密流量的检测引擎), URL: HTTPS://BLOG.CSDN.NET/LIQIUMAN180688/ARTICLE/DETAILS/88572869 * |
Gao Meng (高猛): "Research on a feature selection method based on recursion and SVM" (基于递归和SVM的特征选择方法研究), Electronic Test (电子测试) * |
Cited By (54)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11546153B2 (en) | 2017-03-22 | 2023-01-03 | Extrahop Networks, Inc. | Managing session secrets for continuous packet capture systems |
US11665207B2 (en) | 2017-10-25 | 2023-05-30 | Extrahop Networks, Inc. | Inline secret sharing |
US11463299B2 (en) | 2018-02-07 | 2022-10-04 | Extrahop Networks, Inc. | Ranking alerts based on network monitoring |
US11431744B2 (en) | 2018-02-09 | 2022-08-30 | Extrahop Networks, Inc. | Detection of denial of service attacks |
US11496378B2 (en) | 2018-08-09 | 2022-11-08 | Extrahop Networks, Inc. | Correlating causes and effects associated with network activity |
US11706233B2 (en) | 2019-05-28 | 2023-07-18 | Extrahop Networks, Inc. | Detecting injection attacks using passive network monitoring |
US11388072B2 (en) * | 2019-08-05 | 2022-07-12 | Extrahop Networks, Inc. | Correlating network traffic that crosses opaque endpoints |
US11438247B2 (en) | 2019-08-05 | 2022-09-06 | Extrahop Networks, Inc. | Correlating network traffic that crosses opaque endpoints |
US11652714B2 (en) | 2019-08-05 | 2023-05-16 | Extrahop Networks, Inc. | Correlating network traffic that crosses opaque endpoints |
CN112422474A (en) * | 2019-08-20 | 2021-02-26 | 中移(苏州)软件技术有限公司 | Encrypted data stream monitoring method, first electronic device and storage medium |
CN112422474B (en) * | 2019-08-20 | 2023-07-18 | 中移(苏州)软件技术有限公司 | Method for monitoring encrypted data stream, first electronic device and storage medium |
CN110598774A (en) * | 2019-09-03 | 2019-12-20 | 中电长城网际安全技术研究院(北京)有限公司 | Encrypted flow detection method and device, computer readable storage medium and electronic equipment |
US11463465B2 (en) | 2019-09-04 | 2022-10-04 | Extrahop Networks, Inc. | Automatic determination of user roles and asset types based on network monitoring |
EP4277207A3 (en) * | 2019-11-25 | 2024-02-21 | Cisco Technology, Inc. | Network telemetry collection with packet metadata filtering |
EP3826261A1 (en) * | 2019-11-25 | 2021-05-26 | Cisco Technology, Inc. | Network telemetry collection with packet metadata filtering |
US11563771B2 (en) | 2019-11-25 | 2023-01-24 | Cisco Technology, Inc. | Network telemetry collection with packet metadata filtering |
CN111277578A (en) * | 2020-01-14 | 2020-06-12 | 西安电子科技大学 | Encrypted flow analysis feature extraction method, system, storage medium and security device |
CN111277587A (en) * | 2020-01-19 | 2020-06-12 | 武汉思普崚技术有限公司 | Malicious encrypted traffic detection method and system based on behavior analysis |
CN111447232A (en) * | 2020-03-30 | 2020-07-24 | 杭州迪普科技股份有限公司 | Network flow detection method and device |
CN113469366A (en) * | 2020-03-31 | 2021-10-01 | 北京观成科技有限公司 | Encrypted flow identification method, device and equipment |
CN113595967A (en) * | 2020-04-30 | 2021-11-02 | 深信服科技股份有限公司 | Data identification method, equipment, storage medium and device |
CN111884813B (en) * | 2020-08-05 | 2022-03-25 | 哈尔滨工业大学(威海) | Malicious certificate detection method |
CN111884813A (en) * | 2020-08-05 | 2020-11-03 | 哈尔滨工业大学(威海) | Malicious certificate detection method |
US11310256B2 (en) | 2020-09-23 | 2022-04-19 | Extrahop Networks, Inc. | Monitoring encrypted network traffic |
US11558413B2 (en) | 2020-09-23 | 2023-01-17 | Extrahop Networks, Inc. | Monitoring encrypted network traffic |
US11463466B2 (en) | 2020-09-23 | 2022-10-04 | Extrahop Networks, Inc. | Monitoring encrypted network traffic |
CN112261007A (en) * | 2020-09-27 | 2021-01-22 | 北京六方云信息技术有限公司 | Https malicious encrypted traffic detection method and system based on machine learning |
CN112822167A (en) * | 2020-12-31 | 2021-05-18 | 杭州立思辰安科科技有限公司 | Abnormal TLS encrypted traffic detection method and system |
CN112800424A (en) * | 2021-02-02 | 2021-05-14 | 西南交通大学 | Botnet malicious traffic monitoring method based on random forest |
CN113259313A (en) * | 2021-03-30 | 2021-08-13 | 浙江工业大学 | Malicious HTTPS flow intelligent analysis method based on online training algorithm |
CN113329023A (en) * | 2021-05-31 | 2021-08-31 | 西北大学 | Encrypted flow malice detection model establishing and detecting method and system |
CN113067839A (en) * | 2021-06-02 | 2021-07-02 | 中国人民解放军国防科技大学 | Malicious encrypted flow detection method based on multi-mode neural network |
US11349861B1 (en) | 2021-06-18 | 2022-05-31 | Extrahop Networks, Inc. | Identifying network entities based on beaconing activity |
CN113518080B (en) * | 2021-06-23 | 2021-11-19 | 北京观成科技有限公司 | TLS encrypted traffic detection method and device and electronic equipment |
CN113518080A (en) * | 2021-06-23 | 2021-10-19 | 北京观成科技有限公司 | TLS encrypted traffic detection method and device and electronic equipment |
US11916771B2 (en) | 2021-09-23 | 2024-02-27 | Extrahop Networks, Inc. | Combining passive network analysis and active probing |
CN113904861B (en) * | 2021-10-21 | 2023-10-17 | 厦门安胜网络科技有限公司 | Encryption traffic safety detection method and device |
CN114079579A (en) * | 2021-10-21 | 2022-02-22 | 北京天融信网络安全技术有限公司 | Malicious encrypted flow detection method and device |
CN113904861A (en) * | 2021-10-21 | 2022-01-07 | 厦门安胜网络科技有限公司 | Encrypted flow security detection method and device |
CN114079579B (en) * | 2021-10-21 | 2024-03-15 | 北京天融信网络安全技术有限公司 | Malicious encryption traffic detection method and device |
CN113965390A (en) * | 2021-10-26 | 2022-01-21 | 杭州安恒信息技术股份有限公司 | Malicious encrypted traffic detection method, system and related device |
CN114448819B (en) * | 2021-12-24 | 2024-03-22 | 固安县艾拉信息科技有限公司 | Cryptographic analysis and implementation method based on network real-time data |
CN114448819A (en) * | 2021-12-24 | 2022-05-06 | 固安县艾拉信息科技有限公司 | Network real-time data-based password analysis and implementation method |
CN114172748A (en) * | 2022-02-10 | 2022-03-11 | 中国矿业大学(北京) | Encrypted malicious traffic detection method |
WO2023173790A1 (en) * | 2022-03-18 | 2023-09-21 | 广州大学 | Data packet-based encrypted traffic classification system |
CN114866486A (en) * | 2022-03-18 | 2022-08-05 | 广州大学 | Encrypted flow classification system based on data packet |
CN114785563A (en) * | 2022-03-28 | 2022-07-22 | 中国矿业大学(北京) | Encrypted malicious flow detection method for soft voting strategy |
US11843606B2 (en) | 2022-03-30 | 2023-12-12 | Extrahop Networks, Inc. | Detecting abnormal data access based on data similarity |
CN114553605A (en) * | 2022-04-26 | 2022-05-27 | 中国矿业大学(北京) | Encrypted malicious flow detection method for voting strategy |
CN114900360B (en) * | 2022-05-12 | 2023-09-22 | 国家计算机网络与信息安全管理中心山西分中心 | Method for detecting DoH flow in HTTPS flow |
CN114900360A (en) * | 2022-05-12 | 2022-08-12 | 国家计算机网络与信息安全管理中心山西分中心 | Method for detecting DoH flow in HTTPS flow |
CN115396163A (en) * | 2022-08-10 | 2022-11-25 | 广州天懋信息系统股份有限公司 | Malicious periodic behavior detection method |
CN117081865B (en) * | 2023-10-17 | 2023-12-29 | 北京启天安信科技有限公司 | Network security defense system based on malicious domain name detection method |
CN117081865A (en) * | 2023-10-17 | 2023-11-17 | 北京启天安信科技有限公司 | Network security defense system based on malicious domain name detection method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110113349A (en) | A kind of malice encryption traffic characteristics analysis method | |
Protić | Review of KDD Cup ‘99, NSL-KDD and Kyoto 2006+ datasets | |
Dainotti et al. | Issues and future directions in traffic classification | |
Hoque et al. | An implementation of intrusion detection system using genetic algorithm | |
EP2633646B1 (en) | Methods and systems for detecting suspected data leakage using traffic samples | |
Dusi et al. | Quantifying the accuracy of the ground truth associated with Internet traffic traces | |
CN109167754A (en) | A kind of network application layer security protection system | |
Wan et al. | Feature-selection-based ransomware detection with machine learning of data analysis | |
CN106341282A (en) | Malicious code behavior analyzer | |
CN107370752A (en) | A kind of efficient remote control Trojan detection method | |
Sun et al. | Detection and classification of malicious patterns in network traffic using Benford's law | |
CN110460611B (en) | Machine learning-based full-flow attack detection technology | |
Mohammed et al. | Honeycyber: Automated signature generation for zero-day polymorphic worms | |
Fallahi et al. | Automated flow-based rule generation for network intrusion detection systems | |
Canini et al. | GTVS: Boosting the collection of application traffic ground truth | |
CN112800424A (en) | Botnet malicious traffic monitoring method based on random forest | |
Raman et al. | Network measurement methods for locating and examining censorship devices | |
Hnamte et al. | An extensive survey on intrusion detection systems: Datasets and challenges for modern scenario | |
Salehi et al. | A novel approach for detecting DGA-based ransomwares | |
Ren et al. | App identification based on encrypted multi-smartphone sources traffic fingerprints | |
Liu et al. | TPII: tracking personally identifiable information via user behaviors in HTTP traffic | |
Gomez et al. | Unsupervised detection and clustering of malicious tls flows | |
KR101398740B1 (en) | System, method and computer readable recording medium for detecting a malicious domain | |
Mishari et al. | Harvesting SSL certificate data to identify web-fraud | |
Gou et al. | Discovering abnormal behaviors via HTTP header fields measurement |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20190809