CN110113349A - A malicious encrypted-traffic feature analysis method - Google Patents

A malicious encrypted-traffic feature analysis method

Info

Publication number
CN110113349A
Authority
CN
China
Prior art keywords
feature
flow
certificate
tuple
malice
Prior art date
Legal status
Pending
Application number
CN201910402969.4A
Other languages
Chinese (zh)
Inventor
刘静
袁新雨
赖英旭
Current Assignee
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date
2019-05-15
Filing date
2019-05-15
Publication date
2019-08-09
Application filed by Beijing University of Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer

Abstract

The invention discloses a malicious encrypted-traffic feature analysis method at the intersection of network security and machine learning, for analysing HTTPS traffic and detecting malicious threats within it. The method models traffic data with the connection four-tuple as its data structure, analyses encrypted traffic at four levels with the connection four-tuple as the unit, and extracts each four-tuple's flow-level features, TLS handshake features, X.509 certificate features and context features to obtain an initial feature set. It then screens the initial feature set with a decision-tree-based recursive feature elimination method to obtain an optimal feature set, which is used to train a machine-learning model and obtain a malicious encrypted-traffic detection model.

Description

A malicious encrypted-traffic feature analysis method
Technical field:
The invention belongs to the intersection of network security and machine learning and relates to a malicious encrypted-traffic feature analysis method.
Background technique:
The global Internet is moving into an era of comprehensive encryption. Encryption protects communication security and user privacy, and more and more enterprise services and applications rely on it as the primary means of securing information. However, encrypted traffic also brings new challenges and threats to the security field: through an encrypted channel, an attacker can bypass detection systems and carry out malicious intrusions.
Because machine-learning algorithms that work on traffic metadata are affected little by whether the traffic is encrypted, algorithms that take traffic metadata as features have become the focus of encrypted-traffic recognition research. However, existing machine-learning-based methods for detecting malicious encrypted traffic have progressed slowly in practice and still face many problems.
One of the main reasons is that the training effectiveness of a machine-learning method depends on the traffic features extracted, yet current research on malicious encrypted-traffic features is not comprehensive enough: features are often extracted from experience and expert knowledge, their effectiveness is hard to guarantee, and the machine-learning method therefore cannot perform at its best.
Therefore, as more and more malicious attacks adopt encryption, an efficient malicious encrypted-traffic feature analysis method is of great significance to machine-learning-based detection of malicious encrypted traffic.
Summary of the invention:
To address the difficulty existing methods have in effectively extracting malicious encrypted-traffic features and in selecting an optimal subset of the extracted features, the present invention takes the connection four-tuple as its basic unit and analyses encrypted traffic, in particular HTTPS traffic, comprehensively at four levels. HTTPS traffic features are divided into four major classes: flow-level features, TLS handshake features, X.509 certificate features and context features. The traffic features are then further screened with a decision-tree-based recursive feature elimination method to obtain the sample data actually used for model training.
The technical solution adopted in the present invention:
The invention preprocesses encrypted traffic data with the connection four-tuple as the unit. A connection four-tuple is indexed by the key (source IP address, destination IP address, destination port number, transport-layer protocol) and contains all HTTPS flows between a pair of communicating hosts in the network together with the corresponding DNS flows.
The invention extracts the corresponding traffic features with the connection four-tuple as the data structure. Traffic features are divided into four major classes: flow-level features, TLS handshake features, X.509 certificate features and context features. Flow-level features describe the behavioural characteristics and connection patterns of the traffic; TLS handshake features describe the TLS/SSL protocol attributes used by the encrypted traffic; X.509 certificate features describe the authentication information of the two communicating parties; context features describe the DNS flow information corresponding to the HTTPS flows. The set of traffic features of the connection four-tuples constitutes the initial feature set.
The invention screens the initial feature set with a decision-tree-based recursive feature elimination method to obtain an optimal feature subset. The optimal feature subset together with the label set of the connection four-tuples constitutes the training samples for the machine-learning method.
Advantages of the invention: the invention realises an efficient malicious encrypted-traffic feature analysis method. Using this method to analyse the features of encrypted traffic and training models with two machine-learning algorithms, random forest and gradient boosted trees, the resulting malicious encrypted-traffic detection model achieves accuracy, precision and recall of up to 100% on the test samples, with a miss rate and false alarm rate of 0%. The decision-tree-based recursive feature elimination method applied by the invention ranks the traffic features by importance, and the training result can be displayed intuitively in the form of a decision tree that shows the basis on which traffic is judged malicious, giving the model good interpretability.
Brief description of the drawings:
Fig. 1 is the structure diagram of the connection four-tuple of the invention;
Fig. 2 is the flow chart of the feature analysis of the invention.
Specific embodiments:
[Embodiment 1]
The invention uses a traffic analysis and detection tool to clean the captured traffic data files, filters out the encrypted traffic, and labels the flows according to the label files that exist in the dataset; the labels are malicious traffic, normal traffic and background traffic. Background traffic is filtered out, and the remaining traffic data is preprocessed with the connection four-tuple as the unit: HTTPS flows with the same source IP address, destination IP address, destination port number and transport-layer protocol, together with their corresponding context DNS flows, are added to the corresponding connection four-tuple structure.
[Embodiment 2]
The invention analyses the traffic with the connection four-tuple as the unit and extracts the corresponding flow-level features, TLS handshake features, certificate features and context features. The four major classes of traffic features are as follows:
(1) Flow-level features
Mean, maximum and standard deviation of the flow inter-arrival time; mean, maximum and standard deviation of the connection duration; mean packet size; mean packet count; ratio of sent to received packet size; ratio of sent to received packet count; number of dropped packets; proportion of normal connection states.
(2) TLS handshake features
TLS/SSL protocol version; cipher suites and extensions offered by the client in the TLS handshake; cipher suite and extensions selected by the server in the TLS handshake; whether the previous key is reused when the TLS session is reconnected; proportion of HTTPS flows that contain an SNI.
(3) X.509 certificate features
Whether the X.509 certificate is self-signed; length of the public key in the certificate; cryptographic algorithm and key type used by the certificate; certificate signature algorithm; certificate validity period and the ratio of remaining validity time to the total validity period; number of domain names in the certificate's SAN; the CN, O, L and ST fields of the certificate's subject and issuer; length of the trusted certificate chain.
(4) Context features
TTL of the DNS flow corresponding to the HTTPS flow; mean and standard deviation of the domain-name length in the DNS request field; number of IP addresses in the DNS response field.
The set of traffic features of the connection four-tuples of the invention forms the initial feature set.
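As an added illustration of Embodiments 1 and 2 (and of claims 2 to 4 below), the following Python is not the patent's code: it groups constructed HTTPS flow records into connection four-tuples keyed by source IP, destination IP, destination port and transport protocol, attaches context DNS flows, and computes a representative subset of the four feature classes. The record fields, the rule that a DNS flow belongs to a tuple when it comes from the same client and answers with the tuple's destination IP, and the feature names are assumptions; cipher suites, extensions, subject and issuer name fields, dropped-packet and connection-state counts are left out.

```python
"""Added example: connection four-tuple construction and feature extraction on
constructed HTTPS/DNS flow records (a subset of the four feature classes)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional

TLS_VERSION_NUM = {"TLS1.0": 1.0, "TLS1.1": 1.1, "TLS1.2": 1.2, "TLS1.3": 1.3}


@dataclass
class HttpsFlow:
    """One HTTPS flow as a flow exporter would summarise it (constructed fields)."""
    src: str; dst: str; dport: int; proto: str
    start: float; end: float                        # seconds on a common time base
    pkts_sent: int; pkts_recv: int; bytes_sent: int; bytes_recv: int
    tls_version: str
    sni: Optional[str]                              # None: ClientHello carried no SNI
    resumed: bool                                   # previous key reused on reconnection
    cert_self_signed: bool; cert_key_bits: int
    cert_not_before: float; cert_not_after: float   # validity window, same time base
    cert_san_count: int; chain_len: int


@dataclass
class DnsFlow:
    src: str; qname: str; ttl: int; answers: list


@dataclass
class FourTuple:
    key: tuple                                      # (src IP, dst IP, dst port, proto)
    https: list = field(default_factory=list)
    dns: list = field(default_factory=list)


def group_four_tuples(https_flows, dns_flows):
    """Index HTTPS flows by connection four-tuple and attach context DNS flows.
    Assumption: a DNS flow belongs to a tuple when it comes from the same client
    and its answer section contains the tuple's destination IP."""
    groups = {}
    for f in https_flows:
        key = (f.src, f.dst, f.dport, f.proto)
        groups.setdefault(key, FourTuple(key)).https.append(f)
    for g in groups.values():
        g.dns = [d for d in dns_flows if d.src == g.key[0] and g.key[1] in d.answers]
    return groups


def _stats(values):
    values = list(values)
    return (mean(values), max(values), pstdev(values)) if values else (0.0, 0.0, 0.0)


def extract_features(g):
    """Feature vector of one connection four-tuple (a subset of the four classes)."""
    fl = sorted(g.https, key=lambda f: f.start)
    n = len(fl)
    iat = _stats(b.start - a.start for a, b in zip(fl, fl[1:]))   # inter-arrival of flows
    dur = _stats(f.end - f.start for f in fl)
    sent_b, recv_b = sum(f.bytes_sent for f in fl), sum(f.bytes_recv for f in fl)
    sent_p, recv_p = sum(f.pkts_sent for f in fl), sum(f.pkts_recv for f in fl)
    qlens = [len(d.qname) for d in g.dns]
    return {
        # (1) flow-level features
        "iat_mean": iat[0], "iat_max": iat[1], "iat_std": iat[2],
        "dur_mean": dur[0], "dur_max": dur[1], "dur_std": dur[2],
        "pkt_size_mean": mean((f.bytes_sent + f.bytes_recv) / (f.pkts_sent + f.pkts_recv) for f in fl),
        "pkt_count_mean": mean(f.pkts_sent + f.pkts_recv for f in fl),
        "bytes_sent_recv_ratio": sent_b / recv_b if recv_b else 0.0,
        "pkts_sent_recv_ratio": sent_p / recv_p if recv_p else 0.0,
        # (2) TLS handshake features
        "tls_version_min": min(TLS_VERSION_NUM[f.tls_version] for f in fl),
        "resumption_ratio": sum(f.resumed for f in fl) / n,
        "sni_ratio": sum(f.sni is not None for f in fl) / n,
        # (3) X.509 certificate features
        "self_signed_ratio": sum(f.cert_self_signed for f in fl) / n,
        "key_bits_mean": mean(f.cert_key_bits for f in fl),
        "validity_remaining_ratio_mean": mean(
            (f.cert_not_after - f.start) / (f.cert_not_after - f.cert_not_before) for f in fl),
        "san_count_mean": mean(f.cert_san_count for f in fl),
        "chain_len_mean": mean(f.chain_len for f in fl),
        # (4) context features (zeros when no DNS flow was matched)
        "dns_ttl_mean": mean(d.ttl for d in g.dns) if g.dns else 0.0,
        "dns_qname_len_mean": mean(qlens) if qlens else 0.0,
        "dns_qname_len_std": pstdev(qlens) if qlens else 0.0,
        "dns_answer_count_mean": mean(len(d.answers) for d in g.dns) if g.dns else 0.0,
    }


# Constructed sample records (not captured data).
HTTPS_FLOWS = [
    HttpsFlow("10.0.0.5", "203.0.113.7", 443, "tcp", 0.0, 2.0, 10, 20, 1000, 5000,
              "TLS1.2", "cdn.example", False, False, 2048, -100.0, 900.0, 2, 2),
    HttpsFlow("10.0.0.5", "203.0.113.7", 443, "tcp", 4.0, 7.0, 5, 5, 500, 500,
              "TLS1.2", None, True, True, 1024, 0.0, 100.0, 0, 1),
    HttpsFlow("10.0.0.5", "203.0.113.7", 443, "tcp", 10.0, 11.0, 8, 2, 800, 200,
              "TLS1.0", "cdn.example", False, False, 2048, -100.0, 900.0, 3, 3),
    HttpsFlow("10.0.0.5", "198.51.100.9", 443, "tcp", 1.0, 2.0, 4, 4, 400, 400,
              "TLS1.3", "other.example", False, False, 2048, -100.0, 900.0, 1, 2),
]
DNS_FLOWS = [
    DnsFlow("10.0.0.5", "cdn.example", 300, ["203.0.113.7"]),
    DnsFlow("10.0.0.5", "other.example", 60, ["198.51.100.9", "198.51.100.10"]),
]

if __name__ == "__main__":
    # One feature dict per four-tuple; together they are the initial feature set.
    for key, g in group_four_tuples(HTTPS_FLOWS, DNS_FLOWS).items():
        print(key, extract_features(g))
```

The per-tuple dictionaries, stacked in a fixed key order, are the rows of the initial feature set; a tuple with no matching DNS response gets zero context features, which is itself worth a feature flag in practice since direct-to-IP HTTPS without a preceding lookup is unusual for browsers.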
[Embodiment 3]
The invention performs feature selection on the above initial feature set with a decision-tree-based recursive feature elimination method. The recursive feature elimination method ranks the features of the initial feature set by their importance in model training; after each round of training the least important feature is eliminated to form a new feature set, which is then trained on in turn. The process is repeated until the size of the remaining feature set reaches a threshold, producing the optimal feature set. The optimal feature set and the sample labels form the training samples.
[Embodiment 4]
The invention applies machine-learning algorithms to evaluate the effect of the optimal feature set. The training samples are divided into a training set and a test set. Models are trained on the training set with two algorithms, random forest and gradient boosted trees, to obtain malicious encrypted-traffic detection models. The models are then analysed and verified on the test set to assess the training effect. The evaluation metrics used include training speed, accuracy, precision, recall, F1 score, miss rate and false alarm rate.
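As an added example of Embodiments 3 and 4 (and of claims 5 and 6 below), not code from the patent: a minimal CART decision tree whose accumulated Gini impurity decrease serves as feature importance, a recursive-elimination loop that drops the least important feature each round until a size threshold is reached, and the evaluation metrics listed above, run on a constructed feature table in which only two columns carry signal. The final model is a single tree rather than the random forest or gradient boosted tree of the description, and the column names, the label rule and the 32/8 train/test split are assumptions.

```python
"""Added example: decision-tree-based recursive feature elimination (RFE) and
the evaluation metrics of the description, in pure Python on a constructed table."""
from collections import Counter


class Node:
    """Minimal CART tree node; leaves keep feature == -1."""
    def __init__(self, label):
        self.label, self.feature, self.threshold, self.left, self.right = label, -1, 0.0, None, None


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values()) if n else 0.0


def build_tree(X, y, features, importance, depth=0, max_depth=4):
    """Greedy Gini split over the allowed feature indexes; the impurity decrease of
    each split is accumulated into `importance`, the tree's feature importance."""
    node = Node(Counter(y).most_common(1)[0][0])
    if depth >= max_depth or gini(y) == 0.0 or len(y) < 4:
        return node
    parent = gini(y) * len(y)
    best_gain, best_f, best_t = 0.0, None, None
    for f in features:
        for t in sorted({row[f] for row in X}):
            left = [y[i] for i in range(len(X)) if X[i][f] <= t]
            right = [y[i] for i in range(len(X)) if X[i][f] > t]
            if not left or not right:
                continue
            gain = parent - gini(left) * len(left) - gini(right) * len(right)
            if gain > best_gain:
                best_gain, best_f, best_t = gain, f, t
    if best_f is None:
        return node
    importance[best_f] = importance.get(best_f, 0.0) + best_gain
    li = [i for i in range(len(X)) if X[i][best_f] <= best_t]
    ri = [i for i in range(len(X)) if X[i][best_f] > best_t]
    node.feature, node.threshold = best_f, best_t
    node.left = build_tree([X[i] for i in li], [y[i] for i in li], features, importance, depth + 1, max_depth)
    node.right = build_tree([X[i] for i in ri], [y[i] for i in ri], features, importance, depth + 1, max_depth)
    return node


def predict(node, row):
    while node.feature != -1:
        node = node.left if row[node.feature] <= node.threshold else node.right
    return node.label


def rfe(X, y, names, keep):
    """Train, rank by importance, drop the least important feature, and repeat
    until `keep` features remain (the size threshold of the description)."""
    features = list(range(len(names)))
    while len(features) > keep:
        importance = {f: 0.0 for f in features}
        build_tree(X, y, features, importance)
        features.remove(min(features, key=importance.get))
    return [names[f] for f in features]


def evaluate(y_true, y_pred):
    """Accuracy, precision, recall, F1, miss rate (FN rate) and false alarm rate (FP rate)."""
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    tn = sum(t == 0 and p == 0 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))

    def div(a, b):
        return a / b if b else 0.0

    precision, recall = div(tp, tp + fp), div(tp, tp + fn)
    return {"accuracy": div(tp + tn, len(y_true)), "precision": precision, "recall": recall,
            "f1": div(2 * precision * recall, precision + recall),
            "miss_rate": div(fn, tp + fn), "false_alarm_rate": div(fp, fp + tn)}


# Constructed table (not real measurements): label 1 (malicious) iff the certificate
# is self-signed and the SNI ratio is below 0.5; the remaining columns depend only on
# i >> 3 and are therefore independent of the label by construction.
NAMES = ["self_signed", "sni_ratio", "cert_validity_days", "dns_ttl", "pkt_size_mean"]
X = [[i & 1, 0.25 * ((i >> 1) & 3), 30 + 7 * ((i >> 3) % 5),
      [60, 300, 3600][(i >> 3) % 3], 200 + 50 * (i >> 3)] for i in range(40)]
Y = [1 if row[0] == 1 and row[1] < 0.5 else 0 for row in X]


def run(keep=2, split=32):
    """RFE on the training part, then a tree on the selected features scored on the rest."""
    selected = rfe(X[:split], Y[:split], NAMES, keep)
    idx = [NAMES.index(n) for n in selected]
    tree = build_tree(X[:split], Y[:split], idx, {})
    metrics = evaluate(Y[split:], [predict(tree, row) for row in X[split:]])
    return selected, metrics


if __name__ == "__main__":
    print(run())
```

On this table the two informative columns survive elimination and the held-out rows are classified without error; on captured traffic the same loop exposes which of the four feature classes the model actually relies on, which is the interpretability argument the description makes for a tree-based ranking.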

Claims (6)

1. A malicious encrypted-traffic feature analysis method, characterised in that: the connection four-tuple is taken as the basic unit and encrypted traffic is analysed comprehensively at four levels; HTTPS traffic features are divided into four major classes, flow-level features, TLS handshake features, X.509 certificate features and context features, where flow-level features describe the behavioural characteristics and connection patterns of the traffic, TLS handshake features describe the TLS/SSL protocol attributes used by the encrypted traffic, X.509 certificate features describe the authentication information of the two communicating parties, and context features describe the DNS flow information corresponding to the HTTPS flows; the set of traffic features of the connection four-tuples constitutes the initial feature set; the traffic features are screened with a decision-tree-based recursive feature elimination method to obtain an optimal feature subset; the optimal feature subset together with the label set of the connection four-tuples constitutes the training samples for the machine-learning method.
2. The malicious encrypted-traffic feature analysis method according to claim 1, characterised in that:
The encrypted traffic data is preprocessed with the connection four-tuple as the unit; a connection four-tuple is indexed by the key (source IP address, destination IP address, destination port number, transport-layer protocol) and contains all HTTPS flows between a pair of communicating hosts in the network together with the corresponding DNS flows.
3. The malicious encrypted-traffic feature analysis method according to claim 1, characterised in that:
A traffic analysis and detection tool is used to clean the captured traffic data files, the encrypted traffic is filtered out, and the flows are labelled according to the label files that exist in the dataset, the labels being malicious traffic, normal traffic and background traffic; background traffic is filtered out and the remaining traffic data is preprocessed with the connection four-tuple as the unit, adding HTTPS flows with the same source IP address, destination IP address, destination port number and transport-layer protocol, together with their corresponding context DNS flows, to the corresponding connection four-tuple structure.
4. The malicious encrypted-traffic feature analysis method according to claim 1, characterised in that the four major classes of traffic features are as follows:
(1) Flow-level features
Mean, maximum and standard deviation of the flow inter-arrival time; mean, maximum and standard deviation of the connection duration; mean packet size; mean packet count; ratio of sent to received packet size; ratio of sent to received packet count; number of dropped packets; proportion of normal connection states;
(2) TLS handshake features
TLS/SSL protocol version; cipher suites and extensions offered by the client in the TLS handshake; cipher suite and extensions selected by the server in the TLS handshake; whether the previous key is reused when the TLS session is reconnected; proportion of HTTPS flows that contain an SNI;
(3) X.509 certificate features
Whether the X.509 certificate is self-signed; length of the public key in the certificate; cryptographic algorithm and key type used by the certificate; certificate signature algorithm; certificate validity period and the ratio of remaining validity time to the total validity period; number of domain names in the certificate's SAN; the CN, O, L and ST fields of the certificate's subject and issuer; length of the trusted certificate chain;
(4) Context features
TTL of the DNS flow corresponding to the HTTPS flow; mean and standard deviation of the domain-name length in the DNS request field; number of IP addresses in the DNS response field.
5. The malicious encrypted-traffic feature analysis method according to claim 1, characterised in that:
Feature selection is performed on the above initial feature set with a decision-tree-based recursive feature elimination method; the recursive feature elimination method ranks the features of the initial feature set by their importance in model training, eliminates the least important feature after each round of training to form a new feature set, and then trains on the new feature set; the process is repeated until the size of the remaining feature set reaches a threshold, producing the optimal feature set; the optimal feature set and the sample labels form the training samples.
6. The malicious encrypted-traffic feature analysis method according to claim 1, characterised in that:
Machine-learning algorithms are applied to evaluate the effect of the optimal feature set; the training samples are divided into a training set and a test set; models are trained on the training set with two algorithms, random forest and gradient boosted trees, to obtain malicious encrypted-traffic detection models; the models are analysed and verified on the test set to assess the training effect; the evaluation metrics used include training speed, accuracy, precision, recall, F1 score, miss rate and false alarm rate.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910402969.4A CN110113349A (en) 2019-05-15 2019-05-15 A malicious encrypted-traffic feature analysis method

Publications (1)

Publication Number Publication Date
CN110113349A (en) 2019-08-09

Family

ID=67490201

Country Status (1)

Country Link
CN (1) CN110113349A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130056630A1 (en) * 2010-05-03 2013-03-07 The Cleveland Clinic Foundation Detection and monitoring of nonalcoholic fatty liver disease
CN106716455A (en) * 2014-09-17 2017-05-24 卡特彼勒公司 Method for developing machine operation classifier using machine learning
CN108833360A (en) * 2018-05-23 2018-11-16 四川大学 A machine-learning-based malicious encrypted-traffic identification technique
CN109698835A (en) * 2019-01-19 2019-04-30 郑州轻工业学院 An encrypted Trojan detection method for HTTPS covert tunnels
CN109726735A (en) * 2018-11-27 2019-05-07 南京邮电大学 A mobile application recognition method based on K-means clustering and the random forest algorithm

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
AQNIU 安全牛: "A report on China's first detection engine for encrypted traffic", URL: HTTPS://BLOG.CSDN.NET/LIQIUMAN180688/ARTICLE/DETAILS/88572869 *
高猛: "Research on feature selection methods based on recursion and SVM", Electronic Test (电子测试) *

Cited By (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11546153B2 (en) 2017-03-22 2023-01-03 Extrahop Networks, Inc. Managing session secrets for continuous packet capture systems
US11665207B2 (en) 2017-10-25 2023-05-30 Extrahop Networks, Inc. Inline secret sharing
US11463299B2 (en) 2018-02-07 2022-10-04 Extrahop Networks, Inc. Ranking alerts based on network monitoring
US11431744B2 (en) 2018-02-09 2022-08-30 Extrahop Networks, Inc. Detection of denial of service attacks
US11496378B2 (en) 2018-08-09 2022-11-08 Extrahop Networks, Inc. Correlating causes and effects associated with network activity
US11706233B2 (en) 2019-05-28 2023-07-18 Extrahop Networks, Inc. Detecting injection attacks using passive network monitoring
US11388072B2 (en) * 2019-08-05 2022-07-12 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US11438247B2 (en) 2019-08-05 2022-09-06 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
US11652714B2 (en) 2019-08-05 2023-05-16 Extrahop Networks, Inc. Correlating network traffic that crosses opaque endpoints
CN112422474A (en) * 2019-08-20 2021-02-26 中移(苏州)软件技术有限公司 Encrypted data stream monitoring method, first electronic device and storage medium
CN112422474B (en) * 2019-08-20 2023-07-18 中移(苏州)软件技术有限公司 Method for monitoring encrypted data stream, first electronic device and storage medium
CN110598774A (en) * 2019-09-03 2019-12-20 中电长城网际安全技术研究院(北京)有限公司 Encrypted flow detection method and device, computer readable storage medium and electronic equipment
US11463465B2 (en) 2019-09-04 2022-10-04 Extrahop Networks, Inc. Automatic determination of user roles and asset types based on network monitoring
EP4277207A3 (en) * 2019-11-25 2024-02-21 Cisco Technology, Inc. Network telemetry collection with packet metadata filtering
EP3826261A1 (en) * 2019-11-25 2021-05-26 Cisco Technology, Inc. Network telemetry collection with packet metadata filtering
US11563771B2 (en) 2019-11-25 2023-01-24 Cisco Technology, Inc. Network telemetry collection with packet metadata filtering
CN111277578A (en) * 2020-01-14 2020-06-12 西安电子科技大学 Encrypted flow analysis feature extraction method, system, storage medium and security device
CN111277587A (en) * 2020-01-19 2020-06-12 武汉思普崚技术有限公司 Malicious encrypted traffic detection method and system based on behavior analysis
CN111447232A (en) * 2020-03-30 2020-07-24 杭州迪普科技股份有限公司 Network flow detection method and device
CN113469366A (en) * 2020-03-31 2021-10-01 北京观成科技有限公司 Encrypted flow identification method, device and equipment
CN113595967A (en) * 2020-04-30 2021-11-02 深信服科技股份有限公司 Data identification method, equipment, storage medium and device
CN111884813B (en) * 2020-08-05 2022-03-25 哈尔滨工业大学(威海) Malicious certificate detection method
CN111884813A (en) * 2020-08-05 2020-11-03 哈尔滨工业大学(威海) Malicious certificate detection method
US11310256B2 (en) 2020-09-23 2022-04-19 Extrahop Networks, Inc. Monitoring encrypted network traffic
US11558413B2 (en) 2020-09-23 2023-01-17 Extrahop Networks, Inc. Monitoring encrypted network traffic
US11463466B2 (en) 2020-09-23 2022-10-04 Extrahop Networks, Inc. Monitoring encrypted network traffic
CN112261007A (en) * 2020-09-27 2021-01-22 北京六方云信息技术有限公司 Https malicious encrypted traffic detection method and system based on machine learning
CN112822167A (en) * 2020-12-31 2021-05-18 杭州立思辰安科科技有限公司 Abnormal TLS encrypted traffic detection method and system
CN112800424A (en) * 2021-02-02 2021-05-14 西南交通大学 Botnet malicious traffic monitoring method based on random forest
CN113259313A (en) * 2021-03-30 2021-08-13 浙江工业大学 Malicious HTTPS flow intelligent analysis method based on online training algorithm
CN113329023A (en) * 2021-05-31 2021-08-31 西北大学 Encrypted flow malice detection model establishing and detecting method and system
CN113067839A (en) * 2021-06-02 2021-07-02 中国人民解放军国防科技大学 Malicious encrypted flow detection method based on multi-mode neural network
US11349861B1 (en) 2021-06-18 2022-05-31 Extrahop Networks, Inc. Identifying network entities based on beaconing activity
CN113518080B (en) * 2021-06-23 2021-11-19 北京观成科技有限公司 TLS encrypted traffic detection method and device and electronic equipment
CN113518080A (en) * 2021-06-23 2021-10-19 北京观成科技有限公司 TLS encrypted traffic detection method and device and electronic equipment
US11916771B2 (en) 2021-09-23 2024-02-27 Extrahop Networks, Inc. Combining passive network analysis and active probing
CN113904861B (en) * 2021-10-21 2023-10-17 厦门安胜网络科技有限公司 Encryption traffic safety detection method and device
CN114079579A (en) * 2021-10-21 2022-02-22 北京天融信网络安全技术有限公司 Malicious encrypted flow detection method and device
CN113904861A (en) * 2021-10-21 2022-01-07 厦门安胜网络科技有限公司 Encrypted flow security detection method and device
CN114079579B (en) * 2021-10-21 2024-03-15 北京天融信网络安全技术有限公司 Malicious encryption traffic detection method and device
CN113965390A (en) * 2021-10-26 2022-01-21 杭州安恒信息技术股份有限公司 Malicious encrypted traffic detection method, system and related device
CN114448819B (en) * 2021-12-24 2024-03-22 固安县艾拉信息科技有限公司 Cryptographic analysis and implementation method based on network real-time data
CN114448819A (en) * 2021-12-24 2022-05-06 固安县艾拉信息科技有限公司 Network real-time data-based password analysis and implementation method
CN114172748A (en) * 2022-02-10 2022-03-11 中国矿业大学(北京) Encrypted malicious traffic detection method
WO2023173790A1 (en) * 2022-03-18 2023-09-21 广州大学 Data packet-based encrypted traffic classification system
CN114866486A (en) * 2022-03-18 2022-08-05 广州大学 Encrypted flow classification system based on data packet
CN114785563A (en) * 2022-03-28 2022-07-22 中国矿业大学(北京) Encrypted malicious flow detection method for soft voting strategy
US11843606B2 (en) 2022-03-30 2023-12-12 Extrahop Networks, Inc. Detecting abnormal data access based on data similarity
CN114553605A (en) * 2022-04-26 2022-05-27 中国矿业大学(北京) Encrypted malicious flow detection method for voting strategy
CN114900360B (en) * 2022-05-12 2023-09-22 国家计算机网络与信息安全管理中心山西分中心 Method for detecting DoH flow in HTTPS flow
CN114900360A (en) * 2022-05-12 2022-08-12 国家计算机网络与信息安全管理中心山西分中心 Method for detecting DoH flow in HTTPS flow
CN115396163A (en) * 2022-08-10 2022-11-25 广州天懋信息系统股份有限公司 Malicious periodic behavior detection method
CN117081865B (en) * 2023-10-17 2023-12-29 北京启天安信科技有限公司 Network security defense system based on malicious domain name detection method
CN117081865A (en) * 2023-10-17 2023-11-17 北京启天安信科技有限公司 Network security defense system based on malicious domain name detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20190809