CN111031071B - Malicious traffic identification method and device, computer equipment and storage medium - Google Patents

Publication number: CN111031071B
Authority: CN (China)
Prior art keywords: malicious, traffic, cluster, network, image
Legal status: Active (the legal status is an assumption and is not a legal conclusion)
Application number: CN201911397339.9A
Other languages: Chinese (zh)
Other versions: CN111031071A
Inventors: 谭天, 陈忠良, 李小龙
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The application provides a method and a device for identifying malicious traffic, a computer device, and a storage medium. The method comprises: acquiring, based on acquired network traffic, an image describing the behavior pattern of the network traffic at the transport layer; and inputting the image into a cluster of malicious traffic for cluster analysis to identify whether the network traffic is malicious traffic, wherein the cluster of malicious traffic is generated by clustering an image set describing the behavior pattern of each network traffic sample at the transport layer. Because the behavior pattern of network traffic at the transport layer cannot be encrypted, the cluster of malicious traffic can also identify whether encrypted traffic is malicious. The images can completely represent how the network traffic changes over time as the two communicating parties send and receive, and the cluster of malicious traffic is generated by clustering images that describe the transport-layer behavior patterns of a large number of network traffic samples, so the accuracy of identifying whether network traffic is malicious can be improved.

Description

Malicious traffic identification method and device, computer equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for identifying malicious traffic, a computer device, and a storage medium.
Background
With the development of technology, network traffic is increasingly transmitted in encrypted form, which effectively protects user data and helps prevent attacks. However, encrypted traffic also has drawbacks: more and more attackers use encryption to evade network inspection and carry out their attacks. Because the data content of encrypted traffic is encrypted, network inspection techniques such as protocol identification and intrusion detection based on traditional Deep Packet Inspection (DPI) cannot be used without decrypting the traffic, and decrypting it intrudes on user privacy to some degree. How to identify malicious traffic without decrypting encrypted traffic is therefore of interest to an increasing number of researchers.
In the related art, Deep Flow Inspection (DFI) technology is used to identify whether encrypted traffic is malicious. DFI obtains statistical characteristics of the encrypted traffic during communication, such as the communication duration, the average packet size, the maximum/minimum size of transmitted data packets, and the maximum/minimum size of received data packets, and performs modeling and calculation on these statistics. They reflect the characteristics of encrypted traffic to a certain extent, so they can be used to identify whether the traffic is malicious. However, statistical features do not describe the encrypted traffic fully and accurately, which results in low recognition accuracy.
Disclosure of Invention
In order to overcome the problems in the related art, the application provides a malicious traffic identification method, a malicious traffic identification device, computer equipment and a storage medium.
According to a first aspect of embodiments of the present application, there is provided a method for identifying malicious traffic, the method including:
acquiring, based on acquired network traffic, an image describing the behavior pattern of the network traffic at the transport layer;
and inputting the image into a cluster of malicious traffic for cluster analysis to identify whether the network traffic is malicious traffic, wherein the cluster of malicious traffic is generated by clustering an image set describing the behavior pattern of each network traffic sample at the transport layer.
In an exemplary embodiment, the behavior pattern of the network traffic at the transport layer includes: the size of the transmitted segments, the size of the received segments, the number of transmitted segments, the number of received segments, the size of the transmission time interval, the size of the reception time interval, and the type of the message.
In an exemplary embodiment, the types of messages include encrypted messages and unencrypted messages.
In an exemplary embodiment, in the image, the transmitted segments and the received segments are each represented by a line, and the length of the line represents the size of the segment.
In an exemplary embodiment, the step of generating the cluster of malicious traffic comprises:
collecting a large number of network traffic samples;
acquiring, from the network traffic samples, an image set in which each image describes the behavior pattern of one network traffic sample at the transport layer;
clustering each image in the image set to generate two clusters;
based on the sizes of the two clusters, the smaller cluster is determined to be a cluster of malicious traffic.
In an exemplary embodiment, the step of determining a smaller cluster as a cluster of malicious traffic based on the sizes of the two clusters comprises:
comparing the sizes of the two clusters;
and if the difference between the sizes of the two clusters is larger than or equal to a set threshold value, determining the smaller cluster as the cluster of the malicious traffic.
In an exemplary embodiment, the method further comprises: inputting the image of the identified malicious traffic into a malicious attack type identification model to identify the malicious attack type of the malicious traffic, wherein the malicious attack type identification model is established by training on an image set describing the behavior pattern of each network traffic sample at the transport layer.
According to a second aspect of the embodiments of the present application, there is provided an apparatus for identifying malicious traffic, the apparatus including:
an acquisition module, configured to acquire, based on acquired network traffic, an image describing the behavior pattern of the network traffic at the transport layer;
and an input module, configured to input the image into a cluster of malicious traffic for cluster analysis to identify whether the network traffic is malicious traffic, wherein the cluster of malicious traffic is generated by clustering an image set describing the behavior pattern of each network traffic sample at the transport layer.
According to a third aspect of the embodiments of the present application, there is provided a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the steps of the method for identifying malicious traffic described in any of the above embodiments when executing the program.
According to a fourth aspect of embodiments of the present application, there is provided a computer-readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of the method for identifying malicious traffic as described in any of the above embodiments.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
In this technical solution, the behavior pattern of the acquired network traffic at the transport layer is described by an image, and the image is input into a cluster of malicious traffic for cluster analysis to identify whether the network traffic it describes is malicious. On the one hand, because the behavior pattern of network traffic at the transport layer is not encrypted, the cluster of malicious traffic can also identify whether encrypted traffic is malicious. On the other hand, the images used in this technical solution can relatively completely represent how the network traffic changes over time as the two communicating parties send and receive, and the cluster of malicious traffic is generated by clustering images that describe the transport-layer behavior patterns of a large number of network traffic samples, so the accuracy of identifying whether network traffic is malicious can be improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1A is a flowchart of a method for identifying malicious traffic according to an exemplary embodiment of the present application.
Fig. 1B is a diagram illustrating an image depicting a behavior pattern of network traffic at a transport layer according to an exemplary embodiment of the present application.
Fig. 2 is a flowchart illustrating a cluster generation process for malicious traffic identification according to an exemplary embodiment of the present application.
Fig. 3 is a flowchart illustrating a cluster determination process for malicious traffic according to an exemplary embodiment of the present application.
Fig. 4 is a flowchart of a malicious attack type model building process according to an exemplary embodiment of the present application.
Fig. 5 is a block diagram illustrating a structure of an apparatus for identifying malicious traffic according to an exemplary embodiment of the present application.
Fig. 6 is a block diagram illustrating a computer device according to an exemplary embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if," as used herein, may be interpreted as "when" or "upon" or "in response to a determination," depending on the context.
The method, the apparatus, the computer device, and the storage medium for identifying malicious traffic according to the present application are described in detail below with reference to the accompanying drawings. The features of the following examples and embodiments may be combined with each other without conflict.
The application provides a method for identifying malicious traffic. Fig. 1A is a flowchart illustrating a method for identifying malicious traffic according to an exemplary embodiment of the present application. As shown in Fig. 1A, the method for identifying malicious traffic includes the following steps 101 to 102:
Step 101, acquiring an image describing a behavior pattern of the network traffic at a transport layer based on the acquired network traffic.
In step 101, the acquired network traffic is represented as an image, which describes the behavior pattern of the network traffic at the transport layer more intuitively. In the related art, encrypting network traffic means encrypting the data content, while the behavior pattern of the traffic at the transport layer is not encrypted. Whether encrypted traffic is malicious can therefore be identified from the image describing its transport-layer behavior pattern; in other words, encryption of the network traffic does not affect the identification of malicious traffic. In addition, the image can completely represent how the network traffic changes over time as the two communicating parties send and receive. Compared with the prior art, which identifies malicious traffic from statistical features of the network traffic, the image describes the network traffic more comprehensively and thereby improves identification accuracy.
In a possible embodiment of the present application, the behavior pattern of the network traffic at the transport layer may include: the size of the transmitted segments, the size of the received segments, the number of transmitted segments, the number of received segments, the size of the transmission time interval, the size of the reception time interval, and the type of the message. By combining these behavior patterns, it is possible to identify whether the network traffic is malicious traffic.
In one possible embodiment of the present application, the types of the message may include an encrypted message and an unencrypted message.
In one possible embodiment of the present application, in the image, the sent segments and the received segments may each be represented by a line, and the length of the line may be used to represent the size of the segment. In one possible embodiment of the present application, the line may be a straight line.
In a possible embodiment of the present application, the types of the messages may be distinguished by different colors of lines. In another possible embodiment of the present application, the types of the messages may also be distinguished by different line thicknesses.
To better illustrate an image describing a behavior pattern of network traffic at a transport layer, fig. 1B is a schematic diagram illustrating an image describing a behavior pattern of network traffic at a transport layer according to an exemplary embodiment of the present application. As shown in fig. 1B, in the image 10, a line 100 along the direction of the horizontal coordinate axis represents a communication time axis, and lines in the upper part of the line 100 represent transmission segments 110, wherein one line represents one transmission segment, the length of the line corresponds to the size of the represented transmission segment, and the interval of any two lines in the direction of the communication time axis represents the time interval between the transmission segments; accordingly, each line in the lower portion of line 100 represents a received segment 120, wherein one line represents one received segment, the length of the line corresponds to the size of the represented received segment, and the interval of any two lines in the direction of the communication timeline represents the time interval between received segments. In this embodiment, the types of the messages are distinguished by using different thicknesses of lines, and the image 10 includes relatively thick lines and relatively thin lines, where the relatively thick lines represent unencrypted messages and the relatively thin lines represent encrypted messages.
Generally, communication using encrypted traffic goes through two phases: a negotiation stage and a communication stage. In the negotiation stage, the two communicating parties negotiate an encryption key according to the relevant rules; in the communication stage, they use this key to encrypt the transmitted data. In the negotiation stage, the two parties communicate using unencrypted messages, also called plaintext messages; in the communication stage, they communicate using encrypted messages. In the image 10 of the above embodiment, the relatively thick lines for sent and received segments, together with their time intervals, may represent the negotiation stage, and the relatively thin lines for sent and received segments, together with their time intervals, may represent the communication stage. It follows that the image 10 is an image of encrypted traffic, describing the behavior pattern of that encrypted traffic at the transport layer.
It should be understood that an image describing the transport-layer behavior pattern of unencrypted traffic contains only one type of message, the unencrypted message represented by relatively thick lines, for both sent and received segments.
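The layout described for Fig. 1B can be sketched as a small rasteriser. This is an added example, not code from the patent: the `Segment` record, the 64x33 grid, the 1500-byte size scale and the three-column thick stroke are assumptions chosen for illustration, and `SAMPLE_FLOW` is constructed data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    t: float         # seconds since the first segment of the flow
    size: int        # transport-layer payload size in bytes
    sent: bool       # True = sent by the monitored host, False = received
    encrypted: bool  # False = plaintext (negotiation), True = encrypted


def render_flow(segments, width=64, half_height=16, max_size=1500, thick=3):
    """Rasterise one flow into a (2*half_height+1) x width grid of 0/1 pixels.

    Row `half_height` is the communication time axis (line 100 in Fig. 1B).
    Sent segments are drawn upward from the axis, received segments downward.
    Stroke length encodes segment size; stroke width encodes message type
    (thick = unencrypted, thin = encrypted). Grid and scale are assumptions.
    """
    axis = half_height
    img = [[0] * width for _ in range(2 * half_height + 1)]
    img[axis] = [1] * width
    if not segments:
        return img
    duration = max(s.t for s in segments) or 1.0  # avoid dividing by zero
    for s in segments:
        # Time is quantised to columns: segments closer together than
        # duration/width land on the same column and overlap.
        x = int(s.t / duration * (width - 1))
        length = max(1, round(min(s.size, max_size) / max_size * half_height))
        for dx in range(1 if s.encrypted else thick):
            col = min(width - 1, x + dx)
            for k in range(1, length + 1):
                img[axis - k if s.sent else axis + k][col] = 1
    return img


def stroke(img, x, sent):
    """Number of set pixels in column x above (sent) or below (received) the axis."""
    axis = len(img) // 2
    rows = range(0, axis) if sent else range(axis + 1, len(img))
    return sum(img[r][x] for r in rows)


def to_ascii(img):
    """Printable view of the grid for eyeballing a rendered flow."""
    return "\n".join("".join("#" if p else "." for p in row) for row in img)


# Constructed sample: a plaintext negotiation followed by encrypted exchange.
SAMPLE_FLOW = [
    Segment(0.00, 517, True, False),
    Segment(0.04, 1460, False, False),
    Segment(0.09, 126, True, False),
    Segment(0.30, 240, True, True),
    Segment(0.45, 1460, False, True),
    Segment(0.48, 1460, False, True),
    Segment(1.00, 90, True, True),
]

if __name__ == "__main__":
    print(to_ascii(render_flow(SAMPLE_FLOW)))
```

The thick strokes cluster at the left edge (negotiation) and the thin strokes follow (communication), which is the visual cue the description uses to recognise an encrypted flow.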
Step 102, inputting the image into a cluster of malicious traffic for cluster analysis to identify whether the network traffic is malicious traffic, wherein the cluster of malicious traffic is generated by clustering an image set describing the behavior pattern of each network traffic sample at the transport layer.
In step 102, the image describing the behavior pattern of the network traffic at the transport layer is fed as input data into the trained cluster of malicious traffic, and cluster analysis is performed with that cluster to identify whether the network traffic is malicious. To obtain the cluster used for identifying malicious traffic, a large number of network traffic samples are processed with an unsupervised clustering method: an image set describing the transport-layer behavior patterns of the samples is obtained, cluster analysis is performed on the features that appear in the images, and two clusters are generated, one of malicious traffic and one of non-malicious traffic. Other network traffic to be identified can then be cluster-analyzed against these two clusters to identify malicious traffic.
In the method provided by this embodiment, the behavior pattern of the acquired network traffic at the transport layer is described by an image, and the image is input into a cluster of malicious traffic for cluster analysis to identify whether the network traffic it describes is malicious. On the one hand, because the behavior pattern of network traffic at the transport layer is not encrypted, the cluster of malicious traffic can also identify whether encrypted traffic is malicious. On the other hand, the images used in the method can relatively completely represent how the network traffic changes over time as the two communicating parties send and receive, and the cluster of malicious traffic is generated by clustering images that describe the transport-layer behavior patterns of a large number of network traffic samples, so the accuracy of identifying whether network traffic is malicious can be improved.
Fig. 2 is a flowchart of a process for generating the cluster of malicious traffic according to an exemplary embodiment of the present application. Building on the embodiment shown in Fig. 1A, this embodiment explains how the cluster of malicious traffic is generated. As shown in Fig. 2, generating the cluster of malicious traffic specifically includes the following steps 201 to 204:
Step 201, a large number of network traffic samples are collected.
In step 201, the network traffic sample may include encrypted traffic and unencrypted traffic, where the encrypted traffic may include malicious traffic and non-malicious traffic, and the unencrypted traffic may also include malicious traffic and non-malicious traffic, so that the obtained traffic sample is more comprehensive.
Step 202, obtaining an image set describing a behavior pattern of each network traffic sample at a transport layer according to each network traffic sample.
In step 202, an image describing the behavior pattern of each network traffic sample at the transport layer is obtained as a data set for clustering.
Step 203, performing clustering processing on each image in the image set to generate two clusters.
In step 203, each image in the image set may be clustered according to features such as a line thickness histogram, a gradient histogram, a color histogram, a Scale-Invariant Feature Transform (SIFT), an image similarity, etc. of each image to generate two clusters representing malicious traffic and non-malicious traffic, respectively.
In one possible embodiment of the present application, the image similarity may be computed using the pHash algorithm (a perceptual image hashing algorithm).
Step 204, determining the smaller cluster as the cluster of the malicious traffic based on the sizes of the two clusters.
In step 204, the size of a cluster means its number of members, that is, the number of images it contains. Generally, in a network, non-malicious (normal) traffic makes up the majority and malicious traffic the minority, so the cluster containing fewer images can be determined to be the cluster of malicious traffic. Accordingly, the cluster containing more images can be determined to be the cluster of non-malicious traffic. In this embodiment, a large number of network traffic samples are collected, an image describing the transport-layer behavior pattern of each sample is obtained to form an image set, and the images are clustered into two clusters. The cluster with fewer members can be determined to be the cluster of malicious traffic, so that the cluster of malicious traffic and the cluster of non-malicious traffic can be used to identify whether network traffic is malicious.
Fig. 3 is a flowchart of a cluster determination process for malicious traffic according to an exemplary embodiment of the present application. As shown in fig. 3, the step of determining a smaller cluster as a cluster of malicious traffic specifically includes the following steps 301 to 302:
Step 301, comparing the sizes of the two clusters.
Step 302, if the difference between the sizes of the two clusters is greater than or equal to a set threshold, determining the smaller cluster as a cluster of malicious traffic.
In this embodiment, a set threshold is used to evaluate the size difference between the two clusters. If the difference is greater than or equal to the set threshold, the two clusters differ greatly in size. Because non-malicious (normal) traffic makes up the majority of a typical network and malicious traffic the minority, the two clusters generated from the image set can then be taken to represent malicious and non-malicious traffic, and the smaller cluster is determined to be the cluster of malicious traffic. If the difference is smaller than the set threshold, the two clusters are similar in size and may instead represent normal traffic with two different behavior patterns, so neither cluster is determined to be a cluster of malicious traffic.
In one possible embodiment of the present application, the set threshold may be chosen based on empirical values.
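Steps 201 to 204 and 301 to 302, followed by the lookup of step 102, can be sketched as below. This is an added example, not code from the patent: the patent does not name a clustering algorithm or distance, so k-means with k=2 over flattened pixel vectors and squared Euclidean distance are assumptions, as are the threshold of 20 and the constructed 32-pixel sample vectors standing in for rendered flow images.

```python
def sqdist(a, b):
    """Squared Euclidean distance (equals Hamming distance on 0/1 vectors)."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def nearest(vector, centroids):
    """Index (0 or 1) of the centroid closest to the vector."""
    return 0 if sqdist(vector, centroids[0]) <= sqdist(vector, centroids[1]) else 1


def two_means(vectors, max_iter=50):
    """Step 203: split the image set into two clusters.

    k-means with k=2 and deterministic farthest-point initialisation
    (an assumed algorithm). Returns (centroids, assignments).
    """
    c0 = list(vectors[0])
    c1 = list(max(vectors, key=lambda v: sqdist(v, c0)))
    centroids, assign = [c0, c1], None
    for _ in range(max_iter):
        new = [nearest(v, centroids) for v in vectors]
        if new == assign:
            break
        assign = new
        for k in (0, 1):
            members = [v for v, a in zip(vectors, assign) if a == k]
            if members:
                centroids[k] = [sum(col) / len(members) for col in zip(*members)]
    return centroids, assign


def pick_malicious_cluster(assign, threshold):
    """Steps 301-302: the smaller cluster is malicious only if the size
    difference reaches the set threshold; otherwise return None, since the
    clusters may be two kinds of normal traffic."""
    sizes = [assign.count(0), assign.count(1)]
    if abs(sizes[0] - sizes[1]) < threshold:
        return None, sizes
    return (0 if sizes[0] < sizes[1] else 1), sizes


def is_malicious(vector, centroids, malicious_idx):
    """Step 102: assign a new flow image to a cluster and report the verdict."""
    if malicious_idx is None:
        raise ValueError("no cluster was labelled malicious; model is unusable")
    return nearest(vector, centroids) == malicious_idx


def variants(pattern, n):
    """Constructed data: n copies of a pattern, each with one pixel flipped."""
    out = []
    for i in range(n):
        v = list(pattern)
        v[(i * 5) % len(v)] ^= 1
        out.append(v)
    return out


# Constructed stand-ins for flattened flow images (32 pixels each).
COMMON = [1, 0] * 16          # dominant behaviour pattern
RARE = [1] * 8 + [0] * 24     # minority behaviour pattern
SAMPLES = variants(COMMON, 40) + variants(RARE, 6)

if __name__ == "__main__":
    centroids, assign = two_means(SAMPLES)
    idx, sizes = pick_malicious_cluster(assign, threshold=20)
    print("cluster sizes:", sizes, "malicious cluster:", idx)
    print("new RARE-like flow malicious?", is_malicious(RARE, centroids, idx))
```

The `None` branch matters in practice: without the threshold check, a capture dominated by two benign protocols would have its smaller half labelled malicious.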
In one possible embodiment of the present application, the method further includes: inputting the image of the identified malicious traffic into a malicious attack type identification model to identify the malicious attack type of the malicious traffic, wherein the malicious attack type identification model is established by training on an image set describing the behavior pattern of each network traffic sample at the transport layer. Feeding the image determined to be malicious traffic into the malicious attack type identification model makes it possible to determine the malicious attack type, identifying the malicious traffic further so that staff can handle malicious attacks in the network according to their type.
Fig. 4 is a flowchart illustrating a malicious attack type identification model establishing process according to an exemplary embodiment of the present application. As shown in Fig. 4, the step of establishing the malicious attack type identification model specifically includes the following steps 401 to 405:
Step 401, a large number of network traffic samples are collected.
Step 402, obtaining an image set describing a behavior pattern of each network traffic sample at a transport layer according to each network traffic sample.
Step 403, labeling and classifying each image in the image set based on the malicious attack type.
Step 404, training a preset deep neural network model using the classified images to establish the malicious attack type identification model.
In this embodiment, a large number of network traffic samples are collected, an image describing the transport-layer behavior pattern of each sample is obtained to form an image set, each image in the set is classified, and the training data obtained by this supervised classification method is used to train a preset deep neural network model. This establishes the malicious attack type identification model, which can identify the malicious attack type of malicious traffic.
In one possible implementation manner of the present application, after identifying that the network traffic is malicious traffic, the method further includes: acquiring the original data packets of the malicious traffic, and analyzing the malicious traffic according to the original data packets. Because the acquired image describes the behavior pattern of the network traffic at the transport layer, the network traffic carries other information that is not reflected in the image, and further analysis can be performed on the stored original data packets corresponding to the malicious traffic. In addition, when classification errors occur in the modeling process, the original data packets can be analyzed manually to find the cause of the error and improve the model.
In one possible embodiment of the present application, the method further comprises: inputting the acquired image of the behavior pattern of the network traffic at the transport layer into a session protocol type identification model to identify the session protocol type of the network traffic, wherein the session protocol type identification model is established by training on an image set describing the behavior pattern of each network traffic sample at the transport layer. The step of identifying the session protocol type may be performed before or after the step of identifying whether the network traffic is malicious traffic; the application does not specifically limit this. It should be noted that, from the viewpoint of the transport layer, the two communicating parties send or receive individual segments; the sizes of the segments may differ from one another, and the time interval between sent segments and the time interval between sent and received segments may not be fixed. Analysis of the traffic of different protocols shows that, for the same protocol, the sizes and time intervals of the segments sent and received by the two parties are highly similar, so the session protocol type of network traffic can be identified from this information. Because the image describing the transport-layer behavior pattern of the network traffic embodies this information, a session protocol type identification model can be trained and established on the image set describing the behavior pattern of each network traffic sample at the transport layer.
In a possible implementation manner of the present application, the session protocol type recognition model may use a supervised classification method to obtain training data to train a set deep neural network model, so as to establish the session protocol type recognition model. The method for establishing the session protocol type identification model can refer to the related technology for establishing the malicious attack type identification model, and details are not repeated in the application.
In one possible embodiment of the present application, the session protocol type may include https, smtp, ssh, kerberos, s/mime, and the like.
Fig. 5 is a block diagram of a structure of an apparatus for identifying malicious traffic according to an exemplary embodiment of the present disclosure. As shown in fig. 5, the malicious traffic identification apparatus 50 includes:
an obtaining module 510, configured to obtain, based on the obtained network traffic, an image that describes a behavior pattern of the network traffic at a transport layer;
an input module 520, configured to input the image into the cluster of malicious traffic for cluster analysis to identify whether the network traffic is malicious traffic, where the cluster of malicious traffic is generated by clustering based on an image set that describes the behavior pattern of each network traffic sample at the transport layer.
In an exemplary embodiment of the present application, the behavior pattern of the network traffic at the transport layer includes: the size of the transmitted segments, the size of the received segments, the number of transmitted segments, the number of received segments, the size of the transmission time interval, the size of the reception time interval, and the type of the message.
In an exemplary embodiment of the present application, the types of the messages include encrypted messages and unencrypted messages.
In an exemplary embodiment of the present application, the sending segment and the receiving segment are represented by a line in the image, and a length size of the line represents a size of the segment.
In an exemplary embodiment of the present application, the apparatus includes a generating module configured to generate a cluster of malicious traffic, where the generating module includes:
the first acquisition submodule is used for acquiring a large number of network flow samples;
the first obtaining submodule is used for obtaining an image set which describes a behavior mode of each network flow sample in a transmission layer according to each network flow sample;
the generation submodule is used for clustering each image in the image set to generate two clusters;
and the determining submodule is used for determining the smaller cluster as the cluster of the malicious traffic based on the sizes of the two clusters.
In an exemplary embodiment of the present application, the determining sub-module includes:
a comparison unit for comparing sizes of the two clusters;
and the determining unit is used for determining the smaller cluster as the cluster of the malicious traffic if the difference between the sizes of the two clusters is greater than or equal to a set threshold value.
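The cluster-generation steps above (image set, two clusters, size comparison against a set threshold), as an added example that is not part of the patent. It encodes only segment size and direction; the image layout, the use of k-means, nearest-centroid assignment for new traffic, and all sample flows are assumptions of the example.

```python
WIDTH, ROWS, MAX_SEG = 32, 8, 1460  # assumed image geometry and largest segment size

def flow_to_image(segments):
    """One row per segment, drawn as a horizontal line whose length encodes the
    segment size. Sent lines grow right from the centre, received lines grow
    left (this layout is an assumption of the example)."""
    half = WIDTH // 2
    img = [0.0] * (WIDTH * ROWS)
    for row, (direction, size) in enumerate(segments[:ROWS]):
        length = max(1, round(min(size, MAX_SEG) / MAX_SEG * half))
        cols = range(half, half + length) if direction == "tx" else range(half - length, half)
        for col in cols:
            img[row * WIDTH + col] = 1.0
    return img

def dist2(a, b):
    """Squared Euclidean distance between two flattened images."""
    return sum((x - y) ** 2 for x, y in zip(a, b))

def nearest(img, centroids):
    """Index (0 or 1) of the centroid closest to the image."""
    return 0 if dist2(img, centroids[0]) <= dist2(img, centroids[1]) else 1

def two_means(images, iterations=20):
    """k-means with k=2; deterministic start: first image and the one farthest from it."""
    centroids = [images[0], max(images, key=lambda im: dist2(im, images[0]))]
    labels = []
    for _ in range(iterations):
        labels = [nearest(im, centroids) for im in images]
        updated = []
        for k in (0, 1):
            members = [im for im, lab in zip(images, labels) if lab == k]
            updated.append([sum(c) / len(members) for c in zip(*members)]
                           if members else centroids[k])
        if updated == centroids:  # converged: labels match these centroids
            break
        centroids = updated
    return labels, centroids

def pick_malicious_cluster(labels, threshold):
    """Smaller cluster is the malicious one only if the size gap >= threshold."""
    sizes = [labels.count(0), labels.count(1)]
    if abs(sizes[0] - sizes[1]) < threshold:
        return None  # clusters too balanced: the size rule labels neither
    return 0 if sizes[0] < sizes[1] else 1

def is_malicious(segments, centroids, malicious_idx):
    """Assign a new flow to its nearest centroid and report whether that is the flagged cluster."""
    if malicious_idx is None:
        return False
    return nearest(flow_to_image(segments), centroids) == malicious_idx

# Constructed sample flows (not captured traffic): (direction, segment size in bytes).
BENIGN = [[("tx", 200 + i), ("rx", 1460), ("rx", 1460), ("rx", 1000 + 5 * i),
           ("tx", 60), ("rx", 1460), ("rx", 1460), ("rx", 700 + 5 * i)] for i in range(40)]
MINORITY = [[("tx", 90 + i), ("rx", 70 + i)] * 4 for i in range(6)]
IMAGES = [flow_to_image(f) for f in BENIGN + MINORITY]

if __name__ == "__main__":
    labels, centroids = two_means(IMAGES)
    idx = pick_malicious_cluster(labels, threshold=20)
    print("cluster sizes:", labels.count(0), labels.count(1), "malicious cluster:", idx)
    print("new flow flagged:", is_malicious([("tx", 88), ("rx", 64)] * 4, centroids, idx))
```

When the threshold exceeds the size gap between the two clusters, `pick_malicious_cluster` returns `None`, which is the case where the size rule assigns no label.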
In an exemplary embodiment of the present application, the apparatus further includes:
and the second input module is used for inputting the image of the identified malicious traffic into a malicious attack type identification model to identify the malicious attack type of the malicious traffic, wherein the malicious attack type identification model is trained and established on the basis of an image set describing the behavior pattern of each network traffic sample at the transport layer.
In an exemplary embodiment of the present application, the apparatus includes an establishing module, configured to establish a malicious attack type identification model, where the establishing module includes:
the second acquisition submodule is used for acquiring a large number of network flow samples;
the second obtaining submodule is used for obtaining an image set which describes the behavior mode of each network flow sample in a transmission layer according to each network flow sample;
the classification submodule is used for performing labeling classification on each image in the image set based on the malicious attack type;
and the establishing submodule is used for training a set deep neural network model by using each classified image and establishing the malicious traffic identification model.
It should be noted that devices other than the malicious traffic identification device of the foregoing embodiment may also generate the cluster of malicious traffic and establish the malicious attack type identification model. The cluster of malicious traffic obtained by cluster analysis of the network traffic samples and the malicious attack type identification model obtained by modeling on the network traffic samples are then stored in, and applied by, the malicious traffic identification device, so as to identify whether the network traffic it acquires is malicious traffic and to identify the malicious attack type of that traffic. The device that generates the cluster of malicious traffic and the device that establishes the malicious attack type identification model may be different devices or the same device. The implementation of the functions and roles of the modules that generate the cluster of malicious traffic and establish the malicious attack type identification model in the malicious traffic identification device of the above embodiment also applies to those devices, and is not described herein again.
The implementation process of the functions and actions of each module in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiment, since it basically corresponds to the method embodiment, reference may be made to the partial description of the method embodiment for relevant points. The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
Fig. 6 is a block diagram illustrating a structure of a computer device according to an exemplary embodiment of the present application. As shown in fig. 6, the computer device 60 comprises a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to perform the following steps:
acquiring an image describing a behavior pattern of the network traffic at a transmission layer based on the acquired network traffic;
and inputting the image into the cluster of malicious traffic for cluster analysis to identify whether the network traffic is malicious traffic, wherein the cluster of malicious traffic is generated by clustering on the basis of an image set describing the behavior pattern of each network traffic sample at the transport layer.
The present application further provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
acquiring an image describing a behavior pattern of the network traffic at a transmission layer based on the acquired network traffic;
and inputting the image into the cluster of malicious traffic for cluster analysis to identify whether the network traffic is malicious traffic, wherein the cluster of malicious traffic is generated by clustering on the basis of an image set describing the behavior pattern of each network traffic sample at the transport layer.
Embodiments of the application may take the form of a computer program product embodied on one or more readable media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having program code embodied therein. Computer-readable media, which include permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer-readable media include, but are not limited to: phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic tape cassettes, magnetic tape storage or other magnetic storage devices, or any other non-transmission medium that may be used to store information accessible by a computing device.
The foregoing description has been directed to specific embodiments of this application. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the technical features.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (9)

1. A method for identifying malicious traffic, the method comprising:
acquiring an image describing a behavior pattern of the network traffic at a transport layer based on the acquired network traffic, wherein the behavior pattern of the network traffic at the transport layer comprises: a size of a transmitted segment, a size of a received segment, the behavior pattern being described in an image in the form of a line, the size of the transmitted segment and the size of the received segment being represented in a length size of the line;
and inputting the image into the cluster of malicious traffic for cluster analysis to identify whether the network traffic is malicious traffic, wherein the cluster of malicious traffic is generated by clustering on the basis of an image set describing the behavior pattern of each network traffic sample at the transport layer.
2. The method for identifying malicious traffic according to claim 1, wherein a behavior pattern of the network traffic at a transport layer further comprises: the number of transmitted segments, the number of received segments, the size of the transmission time interval, the size of the reception time interval, and the type of the message.
3. The method according to claim 2, wherein the types of the packets include encrypted packets and unencrypted packets.
4. A method of identifying malicious traffic according to any one of claims 1 to 3, wherein the step of cluster generation of the malicious traffic comprises:
collecting a large number of network flow samples;
acquiring an image set which describes the behavior mode of each network traffic sample on a transmission layer according to each network traffic sample;
clustering each image in the image set to generate two clusters;
based on the sizes of the two clusters, the smaller cluster is determined to be a cluster of malicious traffic.
5. The method according to claim 4, wherein the step of determining a smaller cluster as a cluster of malicious traffic based on the sizes of the two clusters comprises:
comparing the sizes of the two clusters;
and if the difference between the sizes of the two clusters is larger than or equal to a set threshold value, determining the smaller cluster as the cluster of the malicious traffic.
6. A method of identifying malicious traffic according to any one of claims 1 to 3, wherein the method further comprises:
and inputting the image of the identified malicious traffic into a malicious attack type identification model to identify the malicious attack type of the malicious traffic, wherein the malicious attack type identification model is trained and established based on an image set describing the behavior pattern of each network traffic sample at the transport layer.
7. An apparatus for identifying malicious traffic, the apparatus comprising:
an obtaining module, configured to obtain, based on the obtained network traffic, an image that describes a behavior pattern of the network traffic on a transport layer, where the behavior pattern of the network traffic on the transport layer includes: a size of a transmitted segment, a size of a received segment, the behavior pattern being described in an image in the form of a line, the size of the transmitted segment and the size of the received segment being represented in a length size of the line;
and the input module is used for inputting the image into the cluster of malicious traffic for cluster analysis so as to identify whether the network traffic is malicious traffic, wherein the cluster of malicious traffic is generated by clustering on the basis of an image set describing the behavior pattern of each network traffic sample at the transport layer.
8. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method for identification of malicious traffic as claimed in any one of claims 1 to 6 are implemented by the processor when executing the program.
9. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the steps of the method of identification of malicious traffic according to any one of claims 1 to 6.
CN201911397339.9A 2019-12-30 2019-12-30 Malicious traffic identification method and device, computer equipment and storage medium Active CN111031071B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911397339.9A CN111031071B (en) 2019-12-30 2019-12-30 Malicious traffic identification method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111031071A CN111031071A (en) 2020-04-17
CN111031071B true CN111031071B (en) 2023-01-24

Family

ID=70196170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911397339.9A Active CN111031071B (en) 2019-12-30 2019-12-30 Malicious traffic identification method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111031071B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112235264B (en) * 2020-09-28 2022-10-14 国家计算机网络与信息安全管理中心 Network traffic identification method and device based on deep migration learning
WO2022114025A1 (en) * 2020-11-24 2022-06-02 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Abnormality detection method, abnormality detection device, and program
CN114697068A (en) * 2020-12-31 2022-07-01 华为技术有限公司 Malicious traffic identification method and related device
CN112688961B (en) * 2021-01-06 2021-09-21 北京科技大学 Network flow image security classification method based on feature adaptive hierarchical clustering
CN113452685B (en) * 2021-06-22 2024-04-09 上海明略人工智能(集团)有限公司 Processing method, system, storage medium and electronic equipment for recognition rule
CN113992349B (en) * 2021-09-23 2023-05-19 云南财经大学 Malicious traffic identification method, device, equipment and storage medium
CN115102728B (en) * 2022-06-09 2024-02-20 江苏保旺达软件技术有限公司 Scanner identification method, device, equipment and medium for information security
CN115314240A (en) * 2022-06-22 2022-11-08 国家计算机网络与信息安全管理中心 Data processing method for encryption abnormal flow identification
CN117240615B (en) * 2023-11-13 2024-01-30 四川大学 Migration learning network traffic correlation method based on time interval diagram watermark

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070943A (en) * 2017-05-05 2017-08-18 兰州理工大学 Industry internet intrusion detection method based on traffic characteristic figure and perception Hash
CN107637041A (en) * 2015-03-17 2018-01-26 英国电讯有限公司 The overview of the acquistion of malice refined net flow identification
CN108985361A (en) * 2018-07-02 2018-12-11 北京金睛云华科技有限公司 A kind of malicious traffic stream detection implementation method and device based on deep learning
CN109768985A (en) * 2019-01-30 2019-05-17 电子科技大学 A kind of intrusion detection method based on traffic visualization and machine learning algorithm
CN109960729A (en) * 2019-03-28 2019-07-02 国家计算机网络与信息安全管理中心 The detection method and system of HTTP malicious traffic stream
CN110213227A (en) * 2019-04-24 2019-09-06 华为技术有限公司 A kind of network data flow detection method and device
CN110278189A (en) * 2019-05-17 2019-09-24 杭州电子科技大学 A kind of intrusion detection method based on network flow characteristic weight map

Also Published As

Publication number Publication date
CN111031071A (en) 2020-04-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant