CN111447190A - Encrypted malicious traffic identification method, equipment and device - Google Patents


Info

Publication number
CN111447190A
Authority
CN
China
Prior art keywords
traffic
neural network
network
flow
time sequence
Legal status
Pending
Application number
CN202010202142.1A
Other languages
Chinese (zh)
Inventor
邢明
王苏南
Current Assignee
Beijing Guancheng Technology Co ltd
Shenzhen Polytechnic
Original Assignee
Beijing Guancheng Technology Co ltd
Shenzhen Polytechnic
Application filed by Beijing Guancheng Technology Co ltd, Shenzhen Polytechnic

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14, network architectures or protocols for detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches (under G06F18/00, pattern recognition)
    • G06N3/045 Neural networks: combinations of networks (under G06N3/04, architecture, e.g. interconnection topology)
    • G06N3/048 Neural networks: activation functions
    • G06N3/084 Learning methods: backpropagation, e.g. using gradient descent

Abstract

The invention discloses a method, equipment and a device for identifying encrypted malicious traffic. The method comprises the following steps: separating the encrypted network traffic to be detected from the network traffic, and dividing the traffic to be detected into a plurality of traffic packets in time order; learning the traffic packets with a first neural network to obtain the time-sequence features and/or spatial features of each traffic packet; summarizing the time-sequence features and/or spatial features of all traffic packets into a summary feature in time order, and obtaining the summary time-sequence feature of the traffic to be detected from the summary feature by learning with a second neural network; and comparing the summary time-sequence feature of the traffic to be detected with a preset summary time-sequence feature of normal traffic to judge whether the network traffic to be detected is malicious. The spatial and temporal features of the traffic are learned by neural networks, a multi-flow traffic processing mode is introduced, the behavioural features between flows are taken into account, and malicious traffic can therefore be identified more accurately.

Description

Encrypted malicious traffic identification method, equipment and device
Technical Field
The present application relates to the technical field of malicious traffic analysis, and in particular, to a method, device, and apparatus for identifying encrypted malicious traffic.
Background
With the rapid development of the internet and the wide adoption of encryption, the proportion of encrypted traffic keeps increasing. Industry forecasts cited in this application predict that over 80% of enterprise network traffic will be encrypted, and that over 70% of malicious network traffic will hide inside it, which severely challenges network security. How to identify encrypted malicious traffic is a hard problem for regulators and legitimate users alike.
Encrypted malicious traffic usually uses the same security protocol as normal traffic, so it evades traditional traffic detection while in transit, which poses a new challenge for encrypted traffic detection. Most existing traffic detection techniques inspect the payload; for encrypted traffic the traditional means cannot decrypt the payload, so they are clearly ineffective.
On the other hand, existing traffic detection devices inspect a single network flow packet by packet, but behavioural features also exist between the network flows of malicious traffic, and the design of such devices cannot extract these features.
Machine-learning-based detection and analysis of encrypted traffic has gradually appeared in recent years. In traditional machine learning the quality of feature engineering often directly determines the learning result; features usually have to be extracted and selected by hand according to expert experience, and the unavoidable subjectivity of that feature engineering yields inaccurate features that degrade the subsequent learning. How to design a malicious traffic identification method that can efficiently and accurately identify abnormal traffic behaviour, while avoiding inaccurate features caused by subjective feature selection, is therefore an urgent problem.
Disclosure of Invention
In view of the above, the present application is proposed to provide a method, device and apparatus for identifying encrypted malicious traffic that overcomes or at least partially solves the above problems. The specific scheme is as follows:
an identification method for encrypted malicious traffic, the method comprising:
separating the encrypted network traffic to be detected from the network traffic, and dividing the network traffic to be detected into a plurality of traffic packets in time order;
learning the traffic packets with a first neural network to obtain the time-sequence features and/or spatial features of each traffic packet;
summarizing the time-sequence features and/or spatial features of all traffic packets into a summary feature in time order, and obtaining the summary time-sequence feature of the traffic to be detected from the summary feature by learning with a second neural network;
and comparing the summary time-sequence feature of the traffic to be detected with a preset summary time-sequence feature of normal traffic to judge whether the network traffic to be detected is malicious.
Further, the second neural network comprises a recurrent neural network that takes the summary feature as input.
Further, the second neural network comprises a recurrent neural network made of LSTM units and/or GRU units connected in time order, a fully connected layer, and a Sigmoid layer that performs classification with the Sigmoid function; the fully connected layer converts the output of the LSTM and/or GRU units into the input of the Sigmoid layer, mapping the vector to a scalar.
Further, the first neural network converts each traffic packet into two-dimensional image-format data; the first neural network comprises a first spatial judgment neural network, which learns the two-dimensional image-format data to obtain a packet vector corresponding to the spatial feature of each traffic packet, and the corresponding packet vector sequence.
Further, the two-dimensional image-format data is an m × m grayscale image, where m is the height and width of the image and m × m bytes is greater than or equal to the byte length of a traffic packet; each traffic packet is filled into the m × m matrix in byte order, and if the matrix is not full it is padded with 0, so that the byte stream of the packet becomes an m × m grayscale image.
Further, the first spatial judgment neural network comprises a convolutional neural network, which takes a traffic packet as input and converts the identified spatial features of the packet into a packet vector sequence.
Further, the first neural network further comprises a first time-sequence judgment neural network, which is a recurrent network and learns the time-sequence features of the traffic packets from the spatial features obtained by the first spatial judgment network.
Further, the first time-sequence judgment neural network comprises a recurrent neural network made of LSTM units, whose input is the packet vector sequence.
Further, before the encrypted network traffic to be detected is separated from the network traffic, the method further comprises: aggregating the single network flows that share the same source IP address, client fingerprint, destination IP address and destination port number into the network traffic to be detected.
Further, separating the encrypted network traffic to be detected from the network traffic comprises identifying the encrypted network traffic by the features of the TLS encryption protocol, and the client fingerprint is a TLS client fingerprint.
Identification equipment for encrypted malicious traffic comprises a memory and a processor, wherein the memory stores a computer program and the processor, when executing the computer program, implements any of the identification methods for encrypted malicious traffic above.
An identification apparatus for encrypted malicious traffic, comprising:
a preprocessing module, used for separating the encrypted network traffic to be detected from the network traffic and dividing the network traffic to be detected into a plurality of traffic packets in time order;
a first learning module, comprising a first neural network, used for learning the traffic packets with the first neural network to obtain the time-sequence features and/or spatial features of each traffic packet;
a second learning module, comprising a second neural network, which summarizes the time-sequence features and/or spatial features of all traffic packets from the first learning module into a summary feature in time order, and obtains the summary time-sequence feature of the traffic to be detected from the summary feature by learning with the second neural network;
and a judging module, used for comparing the summary time-sequence feature of the traffic to be detected with the preset summary time-sequence feature of normal traffic, so as to judge whether the network traffic to be detected is malicious.
By means of the above technical scheme, the application discloses a method, equipment and an apparatus for identifying encrypted malicious traffic. The method uses both a CNN (Convolutional Neural Network) and an RNN (Recurrent Neural Network) from the deep-learning field to identify malicious traffic; compared with traditional malicious traffic detection it does not need to decrypt the traffic, and, more importantly, compared with traditional detection based on a single packet or a single network flow, it introduces a multi-flow traffic processing mode that takes the behavioural features between flows into account, represents the network traffic more accurately and objectively, and improves the accuracy of malicious traffic identification.
According to the method, no hand-crafted features are extracted from the encrypted network traffic; the neural network structure uses both the spatial and the temporal dimension of the traffic, learning the spatial features with the CNN and the temporal features with the RNN, which avoids the subjectivity and inaccurate features that manual feature selection causes in traditional machine learning. The foregoing is only an overview of the technical scheme of the application; the following detailed description is given so that the technical means of the application can be understood more clearly and so that the above and other objects, features and advantages become more apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a schematic flowchart of an identification method for encrypted malicious traffic according to an embodiment of the present disclosure;
fig. 2 is a schematic diagram illustrating an implementation process of an identification method for encrypted malicious traffic according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a first neural network of an identification method for encrypted malicious traffic according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a first spatial decision neural network of a first neural network according to an embodiment of the present disclosure;
FIG. 5 is a structural diagram of an LSTM unit of the first time-sequence judgment neural network provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of a network structure of a second neural network provided in an embodiment of the present application;
fig. 7 is a schematic structural diagram of an identification apparatus for encrypted malicious traffic according to an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
The following describes in detail specific implementations provided in embodiments of the present application.
Example 1
Referring to fig. 1, fig. 1 is a schematic flow chart of an identification method for encrypted malicious traffic according to an embodiment of the present application, where the method includes the following steps:
s100: preprocessing the traffic, and dividing the network traffic to be detected into a plurality of traffic packets in time order;
s200: learning the traffic packets with the first neural network to obtain the time-sequence features and/or spatial features of each traffic packet;
s300: summarizing the time-sequence features and/or spatial features of all traffic packets into a summary feature in time order, and obtaining the summary time-sequence feature of the traffic to be detected from the summary feature by learning with the second neural network;
s400: comparing the summary time-sequence feature of the traffic to be detected with the preset summary time-sequence feature of normal traffic to judge whether the network traffic to be detected is malicious.
TLS (Transport Layer Security) is the most widely used security protocol today. TLS uses a client-server architecture and establishes a secure connection between application layers across the network, preventing eavesdropping and tampering while data is exchanged. TLS is transparent to the upper application-layer protocols (HTTP, FTP and so on): an encrypted channel is set up by negotiation and authentication, and the data sent by the application layer is encrypted as it passes through TLS, so the privacy of the communication is guaranteed.
The method mainly aims at identifying malicious traffic in network traffic encrypted with TLS, but the same processing also applies to network traffic encrypted with other protocols.
The specific implementation process is shown in fig. 2 and fig. 7; fig. 2 is a schematic diagram of the implementation process of the malicious traffic identification method, from which it can be seen that: the preprocessing module 100 first preprocesses the network traffic, mainly by separating the encrypted network traffic to be detected from the network traffic and dividing it into multiple traffic packets in time order, that is, it separates the original multiple network flows; the multi-flow data then enters the single-flow neural network, i.e. the first learning module 200, in time order: the single-flow neural network converts the traffic packets of a single flow directly into m × m images and feeds them to a CNN, whose operation yields a vector for each traffic packet; the packet vectors pass through the cyclic operation of a single-flow RNN and then serve as input to the second learning module 300, i.e. the multi-flow RNN; once all traffic packets to be detected have passed through the cyclic processing of the multi-flow RNN, the final learning result for the encrypted traffic is obtained, and comparing it with the preset summary time-sequence feature of normal traffic decides whether the features of the traffic to be detected are malicious, that is, whether the traffic to be detected is malicious traffic. The overall framework can perform normal identification of malicious encrypted traffic after the single-flow neural network and the multi-flow RNN have been trained on a training set.
The concrete description is as follows:
in this embodiment, in order to identify the attributes of malicious traffic effectively and to speed up traffic processing, the network traffic preprocessing first aggregates the single network flows that share the same source IP address, client fingerprint, destination IP address and destination port number into the network traffic to be detected, identifies the encrypted traffic by the features of the TLS protocol, and divides the network traffic to be detected into a plurality of traffic packets in time order.
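The preprocessing step above, as an added example that is not part of the patent: detect TLS by the ClientHello record that opens every TLS flow, derive a client fingerprint from it, and aggregate the single flows into "traffic to be detected" keyed by (source IP, client fingerprint, destination IP, destination port). The patent only says "TLS client fingerprint"; hashing the client version and cipher-suite list in the style of JA3 is an assumption made here, as are the packet dictionary layout and the constructed sample packets.

```python
import hashlib
import struct
from collections import defaultdict

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def parse_client_hello(payload: bytes):
    """Return (client_version, cipher_suites) when `payload` begins with a
    TLS ClientHello record, otherwise None.  Only the fields needed for a
    client fingerprint are decoded; extensions are not walked."""
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE:
        return None
    record_len = struct.unpack("!H", payload[3:5])[0]
    if payload[5] != TLS_CLIENT_HELLO or len(payload) < 5 + record_len:
        return None
    body = payload[9:5 + record_len]          # skip the 4-byte handshake header
    if len(body) < 38:
        return None
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                              # client_version + 32-byte random
    pos += 1 + body[pos]                      # session_id length + session_id
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return version, suites


def client_fingerprint(version: int, suites) -> str:
    """Hypothetical JA3-style client fingerprint (assumption): the client
    version and cipher list, hashed.  Not the patent's own definition."""
    text = "%d,%s" % (version, "-".join(str(s) for s in suites))
    return hashlib.md5(text.encode()).hexdigest()


def aggregate_flows(packets):
    """Aggregate single flows into 'traffic to be detected', keyed by
    (src_ip, client_fingerprint, dst_ip, dst_port).  A flow whose first
    payload is not a TLS ClientHello is not TLS and is dropped."""
    per_flow = defaultdict(list)              # 5-tuple -> packets
    for pkt in packets:
        per_flow[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])].append(pkt)
    groups = defaultdict(list)
    for (src, _sport, dst, dport), pkts in per_flow.items():
        pkts.sort(key=lambda p: p["ts"])
        hello = parse_client_hello(pkts[0]["payload"])
        if hello is None:
            continue
        groups[(src, client_fingerprint(*hello), dst, dport)].extend(pkts)
    for pkts in groups.values():
        pkts.sort(key=lambda p: p["ts"])      # time order across the merged flows
    return dict(groups)


def build_client_hello(suites) -> bytes:
    """Construct a minimal ClientHello (TLS 1.2, no extensions) for the
    sample below; synthetic test data, not a captured handshake."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + struct.pack("!H", 0)                   # null compression, no extensions
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


HELLO = build_client_hello([0xC02F, 0xC030])
SAMPLE_PACKETS = [  # constructed sample: two TLS flows from one client, plus one HTTP flow
    {"ts": 1.0, "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.7", "dport": 443, "payload": HELLO},
    {"ts": 1.1, "src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.7", "dport": 443,
     "payload": b"\x17\x03\x03\x00\x10" + bytes(16)},           # application-data record
    {"ts": 2.0, "src": "10.0.0.5", "sport": 51001, "dst": "203.0.113.7", "dport": 443, "payload": HELLO},
    {"ts": 3.0, "src": "10.0.0.5", "sport": 51002, "dst": "203.0.113.7", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for key, pkts in aggregate_flows(SAMPLE_PACKETS).items():
        print(key, [p["sport"] for p in pkts])
```

On the sample the two TLS connections collapse into one group of three packets (same client, same fingerprint, same server and port), while the plaintext HTTP flow is discarded because its first payload is not a ClientHello. The packet dictionaries stand in for whatever the capture library supplies.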
As shown in fig. 2, each traffic packet to be detected is learned by the first learning module 200 to obtain its time-sequence feature and/or spatial feature. The first learning module 200 in this embodiment is a single-flow neural network, i.e. the first neural network; as shown in fig. 3, the first neural network comprises a first spatial judgment neural network 201, which in this embodiment is a Convolutional Neural Network (CNN), and a first time-sequence judgment neural network, which in this embodiment is a single-flow Recurrent Neural Network (RNN). The CNN extracts the spatial features of the single-flow data corresponding to each traffic packet to be detected, and the RNN extracts the temporal features of that data.
As shown in fig. 3, the first spatial judgment neural network 201 is a Convolutional Neural Network (CNN), which has a very good application effect in the field of image recognition, avoids complex feature engineering, and reduces the computation complexity by using methods such as convolutional operation and pooling. The method is also widely applied to the fields of natural language processing, voice processing and the like.
As shown in fig. 4, the convolutional neural network adopted in the present embodiment is mainly used for learning the spatial features of the network traffic, and includes an input layer, a convolutional layer, a pooling layer, and a full connection layer. The concrete description is as follows:
a. input layer
The preprocessed single traffic packet to be detected is filled into an m × m matrix in byte order. Here m is the height and width of the image and m × m bytes is greater than or equal to the byte length of the traffic packet; each traffic packet is filled into the m × m matrix in byte order, and if the matrix is not full it is padded with 0, so that the byte stream of the packet becomes an m × m grayscale image, which is the input of the convolutional layer.
For example: the number of traffic packets to be detected in each network flow is unified to 8. If the original network flow has more than 8 packets, the packets from the ninth onward are discarded; if it has fewer than 8, packets whose content is all 0x00 are appended until there are 8 packets to be detected. Then the length of each traffic packet to be detected is unified to 100 bytes. If the original packet has more than 100 bytes, the bytes from the 101st onward are discarded; if it has fewer than 100 bytes, 0x00 bytes are appended until 100 bytes are filled.
Obtaining the two-dimensional image-format data by encoding the traffic packets whose number and length have been unified may comprise: encoding all bytes of the network flow by one-hot coding, embedded coding, or pixel coding. One-hot coding and embedded coding turn each byte into a vector of fixed dimension, and the vectors together form a two-dimensional image; pixel coding treats each byte as a grayscale pixel value and arranges the bytes of the traffic into a two-dimensional image.
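The input-layer preparation above (fixed packet count, fixed packet length, then pixel or one-hot coding into an image), as an added example that is not the patent's code. It uses the text's example values of 8 packets and 100 bytes, so a 10 × 10 grayscale image holds one packet exactly; the sample flow is constructed here.

```python
N_PACKETS = 8        # packets kept per flow (the text's example value)
PACKET_BYTES = 100   # bytes kept per packet (the text's example value)
M = 10               # image side: 10 x 10 = 100 >= PACKET_BYTES


def normalize_flow(payloads, n_packets=N_PACKETS, packet_bytes=PACKET_BYTES):
    """Truncate or zero-pad a time-ordered list of packet payloads to exactly
    n_packets payloads of exactly packet_bytes bytes each."""
    fixed = [p[:packet_bytes].ljust(packet_bytes, b"\x00") for p in payloads[:n_packets]]
    while len(fixed) < n_packets:
        fixed.append(bytes(packet_bytes))         # appended all-0x00 packet
    return fixed


def pixel_encode(packet: bytes, m: int = M):
    """Pixel coding: fill an m x m matrix row by row in byte order and
    zero-fill the rest; each byte is read directly as a grey level 0..255."""
    if m * m < len(packet):
        raise ValueError("m*m must be >= packet length")
    padded = packet.ljust(m * m, b"\x00")
    return [list(padded[r * m:(r + 1) * m]) for r in range(m)]


def one_hot_encode(packet: bytes, m: int = M):
    """One-hot coding: each byte becomes a fixed 256-dim 0/1 vector, so the
    'image' is (m*m) x 256 instead of m x m."""
    padded = packet.ljust(m * m, b"\x00")
    return [[1 if b == v else 0 for v in range(256)] for b in padded]


def flow_to_images(payloads):
    """Whole input-layer step: fixed packet count and length, then one
    grayscale image per packet, in time order."""
    return [pixel_encode(p) for p in normalize_flow(payloads)]


# constructed sample flow: 9 packets, so the ninth is dropped; the first is
# 120 bytes (truncated to 100), the second a 3-byte TLS record prefix (padded)
SAMPLE_FLOW = [bytes(range(1, 121)), b"\x16\x03\x01"] + [b"\xff" * 5] * 7

if __name__ == "__main__":
    for img in flow_to_images(SAMPLE_FLOW):
        print(img[0])                             # first row of each image
```

Padding with 0x00 rather than a random or sentinel value matters: the CNN sees the padding as pixels, and a constant value is the one the text prescribes so that padded and short packets look alike across the training set.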
b. Convolutional layer (Convolutional layer)
The convolution layer is composed of a plurality of convolution units, the convolution operation aims to extract different input features, and the weight of each convolution unit is obtained through optimization of a back propagation algorithm during training. The part used for convolution calculation is called convolution kernel (kernel) or filter (filter), and the size is usually 3 × 3, 5 × 5, and the depth is not limited.
The convolution operation is to select data with the same size as the convolution kernel in the input layer, calculate the product sum of the corresponding positions, and the convolution kernel slides through the whole input layer in sequence according to the step length, and the operation result is the output value of the convolution operation.
After the convolution operation, the rectified linear unit (ReLU) function f(x) = max(0, x) is used as the activation function of the neuron.
c. Pooling layer
The operation of the pooling layer is similar to that of the convolutional layer, with a window of n x n, where n is the width and height of the window, and is typically set to 2. Then every n x n region in the input is replaced with a value. The most common is maximal pooling, i.e., selecting the maximum of every n x n region in place of the region. The pooling layer can effectively reduce the size of the matrix, further reduce the number of parameters, accelerate the operation and prevent overfitting.
d. Full connection layer
In practice the convolutional neural network can stack several convolution and pooling layers to identify multi-dimensional features. After the layers of convolution and pooling, the feature maps are converted into a traffic packet vector by a fully connected layer, which is then used as the input of the single-flow recurrent neural network in the next step.
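The four layers just described (convolution, ReLU, max pooling, fully connected), as an added example in plain Python rather than the patent's own implementation. The 4 × 4 image, the two kernels and the output weights are constructed so that every intermediate value can be checked by hand; the "convolution" is the cross-correlation that deep-learning frameworks compute (no kernel flip).

```python
def conv2d(image, kernel, stride=1):
    """Valid (no padding) 2-D convolution: slide the k x k kernel over the
    image with the given stride and sum the element-wise products."""
    k = len(kernel)
    rows, cols = len(image), len(image[0])
    return [[sum(image[r + i][c + j] * kernel[i][j] for i in range(k) for j in range(k))
             for c in range(0, cols - k + 1, stride)]
            for r in range(0, rows - k + 1, stride)]


def relu(fmap):
    """ReLU activation f(x) = max(0, x) applied element-wise to a feature map."""
    return [[max(0, v) for v in row] for row in fmap]


def max_pool(fmap, n=2):
    """Max pooling: replace every non-overlapping n x n region by its maximum."""
    return [[max(fmap[r + i][c + j] for i in range(n) for j in range(n))
             for c in range(0, len(fmap[0]) - n + 1, n)]
            for r in range(0, len(fmap) - n + 1, n)]


def flatten(fmaps):
    """Concatenate all feature maps into one vector for the fully connected layer."""
    return [v for fmap in fmaps for row in fmap for v in row]


def dense(vec, weights, bias):
    """Fully connected layer: one output per weight row."""
    return [sum(w * v for w, v in zip(wrow, vec)) + b for wrow, b in zip(weights, bias)]


def packet_vector(image, kernels, weights, bias):
    """One convolution layer (several kernels) -> ReLU -> max pool -> fully
    connected layer; the result is the packet vector fed to the single-flow RNN."""
    fmaps = [max_pool(relu(conv2d(image, k))) for k in kernels]
    return dense(flatten(fmaps), weights, bias)


# constructed 4 x 4 'image' and hand-picked weights (not trained values)
IMAGE = [[1, 2, 3, 4], [5, 6, 7, 8], [9, 10, 11, 12], [13, 14, 15, 16]]
KERNELS = [
    [[1, 1, 1], [1, 1, 1], [1, 1, 1]],        # 3x3 box sum
    [[0, 0, 0], [0, -1, 0], [0, 0, 0]],       # negated centre: ReLU zeroes it
]
WEIGHTS = [[0.01, 1.0]]                       # one output neuron over the 2 pooled values
BIAS = [0.0]

if __name__ == "__main__":
    print(conv2d(IMAGE, KERNELS[0]))           # [[54, 63], [90, 99]]
    print(packet_vector(IMAGE, KERNELS, WEIGHTS, BIAS))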
Thus the first neural network passes each traffic packet through the first spatial judgment neural network to obtain a packet vector corresponding to the spatial feature of the packet data, and the packet vectors are further assembled into a packet vector sequence in time order or by another predetermined rule.
As shown in fig. 3, the packet vector sequence obtained by the first spatial judgment neural network (the convolutional neural network of this embodiment) is input to the first time-sequence judgment neural network 202 (single-flow RNN). The first time-sequence judgment neural network 202 of this embodiment uses a single-stream recurrent neural network, SS-RNN (Single Stream RNN). The recurrent structure takes sequence data as input, and the current output of the sequence depends on both the current input and the output of the previous step: the input of each step is combined with the output of the previous step, i.e. the hidden layer is connected to itself across time steps rather than being unconnected.
The LSTM (Long Short-Term Memory) unit solves the problem that a traditional RNN cannot handle long-range dependencies in the information. An LSTM lets information pass selectively through an input gate, a forget gate and an output gate, and so has the ability to remove information from, or add information to, the unit state.
All traffic packets to be detected pass through the cyclic operation of the single-flow RNN, and the learned time-sequence and/or spatial features are then summarized in time order into a summary feature, which is the input of the second learning module 300, i.e. the second neural network (the multi-flow RNN in this embodiment). The second neural network learns the summary time-sequence feature of the traffic to be detected from the summary feature.
As shown in fig. 6, the module mainly comprises LSTM units, a fully connected layer and a Sigmoid layer, and the cost function is the cross-entropy loss; the details are as follows:
a. LSTM unit
This embodiment uses LSTM units identical to those used in the single-flow recurrent neural network of the first learning module 200, as shown in FIG. 6; GRU units may be used in other embodiments.
b. Fully connected layer
The fully connected layer converts the output of the LSTM recurrent units into the input of the Sigmoid layer, mapping the vector to a scalar.
c. Sigmoid layer
This layer performs classification with the Sigmoid function; the decision threshold of the Sigmoid function can be raised according to the actual application scenario.
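The LSTM gate mechanism described for the single-flow RNN, and the LSTM, fully connected layer, Sigmoid decision and cross-entropy cost of the second neural network above, as one added example that is not the patent's code. It uses a one-dimensional hidden state so the forget, input and output gates can be followed by hand; the gate parameters are constructed to isolate what each gate does, not trained values.

```python
import math


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def lstm_step(x, h_prev, c_prev, params):
    """One LSTM time step with scalar input and a 1-dimensional hidden state.
    params[name] = (w_x, w_h, bias) for each of the gates f, i, g, o."""
    def gate(name, act):
        w_x, w_h, b = params[name]
        return act(w_x * x + w_h * h_prev + b)
    f = gate("f", sigmoid)        # forget gate: how much of c_prev to keep
    i = gate("i", sigmoid)        # input gate: how much of the candidate to write
    g = gate("g", math.tanh)      # candidate cell state from the new input
    o = gate("o", sigmoid)        # output gate: how much of the state to expose
    c = f * c_prev + i * g
    h = o * math.tanh(c)
    return h, c


def run_sequence(xs, params, h0=0.0, c0=0.0):
    """Unroll the LSTM over a sequence (one value per packet vector or per
    single-flow summary, depending on which RNN it stands for)."""
    h, c = h0, c0
    for x in xs:
        h, c = lstm_step(x, h, c, params)
    return h, c


def classify(h, w, b, threshold=0.5):
    """Fully connected layer (vector -> scalar) followed by the Sigmoid layer;
    `threshold` is the decision threshold the text says can be raised."""
    score = sigmoid(w * h + b)
    return score, score >= threshold


def bce(p_hat, y):
    """Binary cross-entropy loss used to train the classifier."""
    eps = 1e-12
    return -(y * math.log(p_hat + eps) + (1 - y) * math.log(1.0 - p_hat + eps))


# constructed parameters: all weights zero, only the forget-gate bias differs,
# so the effect of the forget gate on the carried state is isolated
REMEMBER = {"f": (0, 0, 10.0), "i": (0, 0, 0), "g": (0, 0, 0), "o": (0, 0, 0)}
FORGET = {"f": (0, 0, -10.0), "i": (0, 0, 0), "g": (0, 0, 0), "o": (0, 0, 0)}
# open gates with the candidate tracking the input: the state accumulates tanh(x)
ACCUMULATE = {"f": (0, 0, 10.0), "i": (0, 0, 10.0), "g": (1.0, 0, 0), "o": (0, 0, 10.0)}

if __name__ == "__main__":
    print(lstm_step(0.0, 0.0, 1.0, REMEMBER))   # state ~1.0 survives the step
    print(lstm_step(0.0, 0.0, 1.0, FORGET))     # state ~0: dropped
    print(run_sequence([1.0, 1.0, 1.0], ACCUMULATE))
    print(classify(0.0, 0.0, 0.0, threshold=0.6))
```

Raising the threshold in classify trades recall for precision: a score of exactly 0.5 is flagged at the default threshold and passed at 0.6, which is the knob the text refers to when it says the Sigmoid decision threshold can be raised per deployment.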
Finally, the summary time-sequence feature of the traffic to be detected is compared with the preset summary time-sequence feature of normal traffic, and whether the network traffic to be detected is malicious is judged according to a preset criterion. The preset summary time-sequence feature of normal traffic can be obtained in advance by learning normal network traffic with the first and second learning modules according to the method of this embodiment.
Compared with traditional detection based on single packets or single network flows, the method of this embodiment introduces a multi-flow traffic processing mode: by mapping the byte stream of the encrypted traffic into an image matrix and applying convolutional and recurrent neural network operations, it identifies malicious traffic within encrypted traffic without decrypting it, overcoming the shortcomings of traditional traffic detection, and the time-consuming and laborious feature extraction step is avoided.
Example 2
This embodiment discloses identification equipment for encrypted malicious traffic. The equipment comprises a memory and a processor, wherein the memory is used for storing a computer program, and the processor is used for implementing the identification method disclosed in Embodiment 1 when executing the computer program.
Example 3
This embodiment discloses a device for identifying encrypted malicious traffic. As shown in FIG. 7, the device, which performs the identification method disclosed in Embodiment 1, comprises:
a preprocessing module 100, used for separating encrypted network traffic to be detected from network traffic and dividing the network traffic to be detected into a plurality of traffic packets according to a time sequence;
a first learning module 200, which comprises a first neural network and is used for learning and judging the traffic packets through the first neural network to obtain the time-sequence feature and/or spatial feature of each traffic packet;
a second learning module 300, which comprises a second neural network; the second learning module summarizes the time-sequence features and/or spatial features of all traffic packets output by the first learning module into a summary feature according to the time sequence, and obtains the summary time-sequence feature of the traffic to be detected from the summary feature through learning and judgment by the second neural network;
a judging module 400, which compares the summary time-sequence feature of the traffic to be detected with the summary time-sequence feature of preset normal traffic to judge whether the network traffic to be detected has malicious characteristics.
The processing flow and the manner in which each module operates in this embodiment are as disclosed in Embodiment 1 and are not repeated here.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (12)

1. An identification method of encrypted malicious traffic, characterized in that the method comprises:
separating encrypted network traffic to be detected from network traffic, and dividing the network traffic to be detected into a plurality of traffic packets according to a time sequence;
learning and judging the traffic packets through a first neural network to obtain the time-sequence feature and/or spatial feature of each traffic packet;
summarizing the time-sequence features and/or spatial features of all traffic packets into a summary feature according to the time sequence, and obtaining the summary time-sequence feature of the traffic to be detected from the summary feature through learning and judgment by a second neural network;
and comparing the summary time-sequence feature of the traffic to be detected with a preset normal-traffic summary time-sequence feature to judge whether the network traffic to be detected has malicious characteristics.
2. The method of claim 1, wherein the second neural network comprises a recurrent neural network that has the aggregated features as inputs.
3. The method of claim 2, wherein the second neural network comprises a recurrent neural network, the recurrent neural network comprises LSTM neural units and/or GRU neural units connected in sequence in time, a fully-connected layer, and a Sigmoid layer which performs classification discrimination using a Sigmoid function, and the fully-connected layer is used for converting the output of the LSTM recurrent neural units and/or GRU neural units into the input of the Sigmoid layer, mapping vectors to scalars.
4. The method of claim 1, wherein the first neural network converts each traffic packet into two-dimensional image format data; the first neural network comprises a first space judgment neural network, and the first space judgment neural network learns the two-dimensional image format data to obtain a data packet vector corresponding to the spatial feature of the data of each flow packet and a corresponding data packet vector sequence.
5. The method of claim 4, wherein the two-dimensional image format data is an m × m grayscale image, where m is the height and width of the image and the number of bytes m × m is greater than or equal to the byte length of the traffic packets; each traffic packet is filled into the m × m matrix sequentially in byte order, and if the matrix is not filled completely, the remaining positions are filled with 0, so that the byte stream of the traffic packet is converted into the m × m grayscale image.
6. The method of claim 4, wherein the first spatial decision neural network comprises a convolutional neural network that inputs traffic packets and converts spatial features of the identified traffic packets into a sequence of data packet vectors.
7. The method of claim 4, wherein the first neural network further comprises a first timing decision neural network, wherein the first timing decision neural network is a recursive network that learns timing characteristics of the traffic packets based on the spatial characteristics obtained by the first spatial decision network.
8. The method of claim 7, wherein the first timing decision neural network comprises a recurrent neural network, including LSTM neural units, whose input is the sequence of data packet vectors.
9. The method according to claim 1, further comprising, before said separating the encrypted network traffic under test from the network traffic: and converging the single network traffic with the same source IP address, the client fingerprint, the destination IP address and the destination port number into the network traffic to be tested.
10. The method of claim 9, wherein separating the encrypted network traffic under test from the network traffic comprises identifying the encrypted network traffic by a TLS encryption protocol feature, and wherein the client fingerprint is a TLS client fingerprint.
11. An identification device for encrypted malicious traffic, comprising a memory for storing a computer program and a processor for implementing the identification method for malicious traffic according to any one of claims 1 to 10 when executing the computer program.
12. An apparatus for identifying encrypted malicious traffic, comprising:
a preprocessing module, used for separating encrypted network traffic to be detected from network traffic and dividing the network traffic to be detected into a plurality of traffic packets according to a time sequence;
a first learning module, which comprises a first neural network and is used for learning and judging the traffic packets through the first neural network to obtain the time-sequence feature and/or spatial feature of each traffic packet;
a second learning module, which comprises a second neural network; the second learning module summarizes the time-sequence features and/or spatial features of all traffic packets output by the first learning module into a summary feature according to the time sequence, and obtains the summary time-sequence feature of the traffic to be detected from the summary feature through learning and judgment by the second neural network;
and a judging module, used for comparing the summary time-sequence feature of the traffic to be detected with the summary time-sequence feature of preset normal traffic so as to judge whether the network traffic to be detected has malicious characteristics.
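The preprocessing front end of the claimed method, as an added Python example that is not the patent's own code: flows are aggregated under the key of claim 9 (source IP, client fingerprint, destination IP, destination port) and kept in time order, and each packet's byte stream is written row by row into an m × m grayscale matrix with zero padding as in claim 5, choosing m so that the longest packet of the flow fits. The packets, addresses and fingerprint labels are constructed sample data. The `looks_like_tls_record` filter is a simplified record-header heuristic added here to stand in for claim 10's TLS identification step; it is not the patent's method, and the function names are this example's own.

```python
import math
from collections import defaultdict
from typing import Optional

# Constructed sample packets: (timestamp, src_ip, client_fingerprint, dst_ip, dst_port, payload).
# Addresses, fingerprint labels and payload bytes are invented for this example.
SAMPLE_PACKETS = [
    (1.00, "10.0.0.5", "fp-A", "203.0.113.7", 443, b"\x16\x03\x01\x00\x05hello"),
    (1.20, "10.0.0.9", "fp-B", "203.0.113.7", 443, b"\x16\x03\x01"),
    (1.05, "10.0.0.5", "fp-A", "203.0.113.7", 443, b"\x17\x03\x03\x00\x10" + b"\xab" * 16),
    (1.30, "10.0.0.5", "fp-A", "203.0.113.7", 443, b"\x17\x03\x03\x00\x02\x01\x02"),
    (1.40, "10.0.0.5", "fp-A", "203.0.113.7", 443, b"GET / HTTP/1.1\r\n"),  # plaintext, not a TLS record
]

# TLS record content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {20, 21, 22, 23}


def looks_like_tls_record(payload: bytes) -> bool:
    """Coarse TLS record-header check (simplified heuristic, not the patent's identification step):
    content type byte in 20..23 and legacy version major byte 0x03."""
    return len(payload) >= 3 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 0x03


def flow_key(pkt):
    """Aggregation key of claim 9: (source IP, client fingerprint, destination IP, destination port)."""
    _, src, fingerprint, dst, dport, _ = pkt
    return (src, fingerprint, dst, dport)


def aggregate_flows(packets, tls_only=True):
    """Group packets into flows by flow_key; each flow is ordered by timestamp."""
    flows = defaultdict(list)
    for pkt in packets:
        if tls_only and not looks_like_tls_record(pkt[5]):
            continue
        flows[flow_key(pkt)].append(pkt)
    return {k: sorted(v, key=lambda p: p[0]) for k, v in flows.items()}


def _min_side(n: int) -> int:
    """Smallest m with m*m >= n (integer arithmetic, so perfect squares are handled exactly)."""
    return 1 if n <= 1 else math.isqrt(n - 1) + 1


def choose_m(flow_packets) -> int:
    """One image size for the whole flow: m*m must cover the longest packet (claim 5)."""
    longest = max((len(p[5]) for p in flow_packets), default=0)
    return _min_side(longest)


def packet_to_gray_image(payload: bytes, m: Optional[int] = None):
    """Fill the byte stream row by row into an m x m matrix; unused cells are zero-padded."""
    n = len(payload)
    if m is None:
        m = _min_side(n)
    if m * m < n:
        raise ValueError(f"m*m={m * m} is smaller than the payload length {n}")
    padded = payload + b"\x00" * (m * m - n)
    return [list(padded[r * m:(r + 1) * m]) for r in range(m)]


def flow_to_image_sequence(flow_packets, m: Optional[int] = None):
    """Time-ordered sequence of grayscale images, one per packet, all of the same size m."""
    if m is None:
        m = choose_m(flow_packets)
    return [packet_to_gray_image(p[5], m) for p in flow_packets]


if __name__ == "__main__":
    for key, pkts in aggregate_flows(SAMPLE_PACKETS).items():
        seq = flow_to_image_sequence(pkts)
        print(key, "->", len(seq), "images of", f"{len(seq[0])}x{len(seq[0])}")
```

The image sequence for a flow is what the first neural network consumes, one matrix per packet in time order; a fixed m per flow keeps the CNN input shape constant, and the zero padding means a short packet is distinguishable from a long one only by where its non-zero bytes stop.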
CN202010202142.1A 2020-03-20 2020-03-20 Encrypted malicious traffic identification method, equipment and device Pending CN111447190A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010202142.1A CN111447190A (en) 2020-03-20 2020-03-20 Encrypted malicious traffic identification method, equipment and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010202142.1A CN111447190A (en) 2020-03-20 2020-03-20 Encrypted malicious traffic identification method, equipment and device

Publications (1)

Publication Number Publication Date
CN111447190A true CN111447190A (en) 2020-07-24

Family

ID=71650682

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010202142.1A Pending CN111447190A (en) 2020-03-20 2020-03-20 Encrypted malicious traffic identification method, equipment and device

Country Status (1)

Country Link
CN (1) CN111447190A (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112261063A (en) * 2020-11-09 2021-01-22 北京理工大学 Network malicious traffic detection method combined with deep hierarchical network
CN112291098A (en) * 2020-10-30 2021-01-29 北京源堡科技有限公司 Network security risk prediction method and related device thereof
CN112333155A (en) * 2020-10-16 2021-02-05 济南浪潮数据技术有限公司 Abnormal flow detection method and system, electronic equipment and storage medium
CN112383516A (en) * 2020-10-29 2021-02-19 博雅正链(北京)科技有限公司 Graph neural network construction method and abnormal flow detection method based on graph neural network
CN112491894A (en) * 2020-11-30 2021-03-12 北京航空航天大学 Internet of things network attack flow monitoring system based on space-time feature learning
CN112738039A (en) * 2020-12-18 2021-04-30 北京中科研究院 Malicious encrypted flow detection method, system and equipment based on flow behavior
CN112949702A (en) * 2021-02-23 2021-06-11 广东工业大学 Network malicious encrypted traffic identification method and system
CN113015167A (en) * 2021-03-11 2021-06-22 杭州安恒信息技术股份有限公司 Encrypted flow data detection method, system, electronic device and storage medium
CN113256507A (en) * 2021-04-01 2021-08-13 南京信息工程大学 Attention enhancement method for generating image aiming at binary flux data
CN113822331A (en) * 2021-08-11 2021-12-21 北京邮电大学 Encrypted traffic classification method and device and electronic equipment
CN113949531A (en) * 2021-09-14 2022-01-18 北京邮电大学 Malicious encrypted flow detection method and device
CN114205106A (en) * 2020-09-01 2022-03-18 安信资讯安全私人有限公司 Deep embedded self-learning system and method for detecting suspicious network behaviors
CN114205095A (en) * 2020-08-27 2022-03-18 极客信安(北京)科技有限公司 Encrypted malicious traffic detection method and device
CN114205106B (en) * 2020-09-01 2024-04-23 安信资讯安全私人有限公司 Deep embedded self-learning system and method for detecting suspicious network behavior

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170017793A1 (en) * 2015-07-15 2017-01-19 Cylance Inc. Malware detection
CN107529651A (en) * 2017-08-18 2018-01-02 北京航空航天大学 A kind of urban transportation passenger flow forecasting and equipment based on deep learning
CN107977634A (en) * 2017-12-06 2018-05-01 北京飞搜科技有限公司 A kind of expression recognition method, device and equipment for video
CN109344701A (en) * 2018-08-23 2019-02-15 武汉嫦娥医学抗衰机器人股份有限公司 A kind of dynamic gesture identification method based on Kinect
CN109379377A (en) * 2018-11-30 2019-02-22 极客信安(北京)科技有限公司 Encrypt malicious traffic stream detection method, device, electronic equipment and storage medium
CN110084228A (en) * 2019-06-25 2019-08-02 江苏德劭信息科技有限公司 A kind of hazardous act automatic identifying method based on double-current convolutional neural networks
CN110751222A (en) * 2019-10-25 2020-02-04 中国科学技术大学 Online encrypted traffic classification method based on CNN and LSTM

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114205095B (en) * 2020-08-27 2023-08-18 极客信安(北京)科技有限公司 Method and device for detecting encrypted malicious traffic
CN114205095A (en) * 2020-08-27 2022-03-18 极客信安(北京)科技有限公司 Encrypted malicious traffic detection method and device
CN114205106A (en) * 2020-09-01 2022-03-18 安信资讯安全私人有限公司 Deep embedded self-learning system and method for detecting suspicious network behaviors
CN114205106B (en) * 2020-09-01 2024-04-23 安信资讯安全私人有限公司 Deep embedded self-learning system and method for detecting suspicious network behavior
CN112333155A (en) * 2020-10-16 2021-02-05 济南浪潮数据技术有限公司 Abnormal flow detection method and system, electronic equipment and storage medium
CN112333155B (en) * 2020-10-16 2022-07-22 济南浪潮数据技术有限公司 Abnormal flow detection method and system, electronic equipment and storage medium
CN112383516A (en) * 2020-10-29 2021-02-19 博雅正链(北京)科技有限公司 Graph neural network construction method and abnormal flow detection method based on graph neural network
CN112291098A (en) * 2020-10-30 2021-01-29 北京源堡科技有限公司 Network security risk prediction method and related device thereof
CN112261063A (en) * 2020-11-09 2021-01-22 北京理工大学 Network malicious traffic detection method combined with deep hierarchical network
CN112491894A (en) * 2020-11-30 2021-03-12 北京航空航天大学 Internet of things network attack flow monitoring system based on space-time feature learning
CN112738039A (en) * 2020-12-18 2021-04-30 北京中科研究院 Malicious encrypted flow detection method, system and equipment based on flow behavior
CN112949702A (en) * 2021-02-23 2021-06-11 广东工业大学 Network malicious encrypted traffic identification method and system
CN112949702B (en) * 2021-02-23 2023-09-22 广东工业大学 Network malicious encryption traffic identification method and system
CN113015167A (en) * 2021-03-11 2021-06-22 杭州安恒信息技术股份有限公司 Encrypted flow data detection method, system, electronic device and storage medium
CN113256507A (en) * 2021-04-01 2021-08-13 南京信息工程大学 Attention enhancement method for generating image aiming at binary flux data
CN113256507B (en) * 2021-04-01 2023-11-21 南京信息工程大学 Attention enhancement method for generating image aiming at binary flow data
CN113822331A (en) * 2021-08-11 2021-12-21 北京邮电大学 Encrypted traffic classification method and device and electronic equipment
CN113949531A (en) * 2021-09-14 2022-01-18 北京邮电大学 Malicious encrypted flow detection method and device
CN113949531B (en) * 2021-09-14 2022-06-17 北京邮电大学 Malicious encrypted flow detection method and device

Similar Documents

Publication Publication Date Title
CN111447190A (en) Encrypted malicious traffic identification method, equipment and device
CN108985361B (en) Malicious traffic detection implementation method and device based on deep learning
CN111444878B (en) Video classification method, device and computer readable storage medium
CN112839034B (en) Network intrusion detection method based on CNN-GRU hierarchical neural network
CN109104441A (en) A kind of detection system and method for the encryption malicious traffic stream based on deep learning
CN114615093B (en) Anonymous network traffic identification method and device based on traffic reconstruction and inheritance learning
CN110853033B (en) Video detection method and device based on inter-frame similarity
Iuliani et al. A video forensic framework for the unsupervised analysis of MP4-like file container
CN111031071B (en) Malicious traffic identification method and device, computer equipment and storage medium
US20140286527A1 (en) Systems and methods for accelerated face detection
CN110808971A (en) Deep embedding-based unknown malicious traffic active detection system and method
CN111586071B (en) Encryption attack detection method and device based on recurrent neural network model
CN111507386A (en) Method and system for detecting encrypted communication of storage file and network data stream
CN111464510A (en) Network real-time intrusion detection method based on rapid gradient lifting tree model
CN114285587B (en) Domain name identification method and device and domain name classification model acquisition method and device
CN113705604A (en) Botnet flow classification detection method and device, electronic equipment and storage medium
CN112839055A (en) Network application identification method and device for TLS encrypted traffic
CN117056797A (en) Encryption traffic classification method, device and medium based on unbalanced data
CN115713669B (en) Image classification method and device based on inter-class relationship, storage medium and terminal
Mazumdar et al. Detection of image manipulations using siamese convolutional neural networks
CN115242496B (en) Method and device for classifying Torr encrypted traffic application behaviors based on residual network
CN116346436A (en) ViT improved lightweight malicious traffic identification method
CN114358177B (en) Unknown network traffic classification method and system based on multidimensional feature compact decision boundary
CN115314239A (en) Analysis method and related equipment for hidden malicious behaviors based on multi-model fusion
CN114743148A (en) Multi-scale feature fusion tampering video detection method, system, medium, and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication Application publication date: 20200724