CN111490945A - VPN tunnel flow identification method based on deep learning method and DFI - Google Patents
- Publication number
- CN111490945A
- Authority
- CN
- China
- Prior art keywords
- dfi
- identification
- flow
- network
- convolutional
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2483—Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2441—Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a VPN tunnel flow identification method based on a deep learning method and DFI, which comprises the following steps: step 1, identifying connection identification information between an application program and a VPN client; step 2, verifying the identification information and the corresponding program, establishing a network interface if the verification passes, and disconnecting the application program from the VPN client if the verification fails; step 3, extracting and selecting suitable data packet feature values, such as data packet header information and statistical information, based on a network flow protocol; step 4, constructing a convolutional neural network; and step 5, the flow identification module acquires the service identification information of the flow, prepares a sample module according to a control strategy, and controls the DFI identification unit to identify the network flow according to the flow control strategy. The method automatically extracts the features that are useful for the classification task, so no effort has to be spent on extracting and selecting protocol features; when a mobile terminal accesses the VPN, the representation information between an application program and the VPN client can be identified.
Description
Technical Field
The invention relates to the technical field of flow identification, in particular to a VPN tunnel flow identification method based on a deep learning method and DFI.
Background
A network protocol is a set of rules, standards, or conventions established for the exchange of data over a computer network. The identification and analysis of network protocols are the basis of network security and are important for network supervision, anomaly detection and network security maintenance. The traditional network flow protocol identification methods are mainly: port-based network traffic protocol identification, deep packet inspection-based network traffic protocol identification, and machine learning-based network traffic protocol identification.
In the existing network flow identification technology based on DFI and DPI, a DFI sample module and a DPI sample module are arranged independently. The DFI identification unit achieves DFI identification of the network flow by acquiring the service characteristics of the network flow and the DFI sample characteristics of the DFI sample module and comparing the two. The DPI identification unit achieves DPI identification of the network flow by reassembling the application layer characteristics of the network flow, acquiring the DPI sample characteristics of the DPI sample module, and matching the application layer characteristics against the DPI sample characteristics. Deep learning is a new field of machine learning that builds and simulates a neural network which analyzes and learns in the manner of the human brain, imitating the mechanism of the human brain to interpret data; it can be applied to language processing, image analysis tasks and voice recognition.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a VPN tunnel flow identification method based on a deep learning method and DFI, which comprises the following steps:
step 1, identifying connection identification information between an application program and a VPN client;
step 2, verifying the identification information and the corresponding program, if the verification is passed, establishing a network interface, and if the verification is not passed, disconnecting the application program from the VPN client;
step 3, extracting and selecting proper data packet characteristic values, such as data packet header information and statistical information, based on a network flow protocol;
step 4, constructing a convolutional neural network, wherein the convolutional neural network comprises an input layer, a first convolutional layer, a second convolutional layer, a third convolutional layer, a full-connection layer and an output layer;
step 5, the flow identification module acquires the service identification information of the flow, prepares a sample module according to a control strategy, controls the DFI identification unit to identify the network flow according to the flow control strategy, and stores the identification result in the data exchange module.
Preferably, the convolutional neural network construction method in step 4 is as follows:
the input layer takes the original feature array of the flow as input; the input is an array X with 1024 bits;
the first convolutional layer treats the 1024-bit original feature array X as a 32 × 32 matrix, convolves the input original feature array with 32 single-channel 5 × 5 convolution kernels, adds bias terms, and applies the ReLU function as activation to obtain convolutional layer C1;
the second convolutional layer convolves S2 with 64 groups of 32-channel 5 × 5 convolution kernels, adds bias terms, and applies the ReLU function as activation to obtain convolutional layer C3;
the third convolutional layer convolves S4 with 128 groups of 64-channel 5 × 5 convolution kernels, adds bias terms, and applies the ReLU function as activation to obtain convolutional layer C5;
the fully-connected layer treats the 128 4 × 4 feature maps of S6 as a 32 × 32 matrix and is fully connected to S6 with 1024 groups of single-channel 32 × 32 neurons; as in a classical neural network, it computes the dot product between the input vector and the weight vector, adds a bias term, and passes the result to the ReLU activation function to produce the corresponding output F7;
the output layer is a multi-class Softmax classifier; n groups of single-channel 1024 neurons are fully connected with F7 and converted into n feature maps of 1 × 1, that is, an n-dimensional feature vector; an n-dimensional prediction array Y is calculated with the Softmax function; Y is the output of the convolutional neural network and corresponds to the predicted probabilities of the sample's protocol identification.
Preferably, the network traffic identification result obtained by the DFI identification unit in step 5 is the DFI identification result obtained when the traffic identification control module, according to the traffic identification control policy, controls the DFI identification unit to detect and identify the network traffic.
Preferably, in step 5, the DFI recognition unit includes a DFI classification training module, the DFI classification training module is in signal connection with a traffic recognition control module, and the DFI traffic detection module is in signal connection with the traffic recognition control module and the data exchange module, respectively.
Advantageous effects
The invention provides a VPN tunnel flow identification method based on a deep learning method and DFI. The method has the following beneficial effects:
1. The method automatically extracts the features that are useful for the classification task, so no effort has to be spent on extracting and selecting protocol features; the method has learning and expansion capabilities.
2. The mobile terminal VPN is accessed, the representation information between the application program and the VPN client can be identified, the application program is further verified, and the security of VPN screenshot is improved.
Drawings
Fig. 1 is a flow chart of a network flow management and control method of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a VPN tunnel flow identification method based on a deep learning method and DFI, which comprises the following steps:
step 1, identifying connection identification information between an application program and a VPN client;
step 2, verifying the identification information and the corresponding program, establishing a network interface if the verification passes, and disconnecting the application program from the VPN client if the verification fails; the verification of the application program corresponding to the identification information comprises the following steps: extracting the fingerprint information of the App; comparing the App fingerprint information with the App fingerprint information in an App fingerprint database; if the App fingerprint information exists in the App fingerprint database, the verification passes; and if the App fingerprint information does not exist in the App fingerprint database, the verification fails.
Step 3, extracting and selecting proper data packet characteristic values, such as data packet header information and statistical information, based on a network flow protocol;
step 4, constructing a convolutional neural network, wherein the convolutional neural network comprises an input layer, a first convolutional layer, a second convolutional layer, a third convolutional layer, a full-connection layer and an output layer;
step 5, the flow identification module acquires the service identification information of the flow, prepares a sample module according to a control strategy, controls the DFI identification unit to identify the network flow according to the flow control strategy, and stores the identification result in the data exchange module. The network flow identification result obtained by the DFI identification unit in step 5 is produced as follows: the flow identification control module must control the DFI identification unit, according to the flow identification control strategy, to detect and identify the network flow; the network flow identification result obtained in this way is the DFI identification result.
The convolutional neural network construction method in the step 4 comprises the following steps:
the input layer takes the original feature array of the flow as input; the input is an array X with 1024 bits;
the first convolutional layer treats the 1024-bit original feature array X as a 32 × 32 matrix, convolves the input original feature array with 32 single-channel 5 × 5 convolution kernels, adds bias terms, and applies the ReLU function as activation to obtain convolutional layer C1;
the second convolutional layer convolves S2 with 64 groups of 32-channel 5 × 5 convolution kernels, adds bias terms, and applies the ReLU function as activation to obtain convolutional layer C3;
the third convolutional layer convolves S4 with 128 groups of 64-channel 5 × 5 convolution kernels, adds bias terms, and applies the ReLU function as activation to obtain convolutional layer C5;
the fully-connected layer treats the 128 4 × 4 feature maps of S6 as a 32 × 32 matrix and is fully connected to S6 with 1024 groups of single-channel 32 × 32 neurons; as in a classical neural network, it computes the dot product between the input vector and the weight vector, adds a bias term, and passes the result to the ReLU activation function to produce the corresponding output F7;
the output layer is a multi-class Softmax classifier; n groups of single-channel 1024 neurons are fully connected with F7 and converted into n feature maps of 1 × 1, that is, an n-dimensional feature vector; an n-dimensional prediction array Y is calculated with the Softmax function; Y is the output of the convolutional neural network and corresponds to the predicted probabilities of the sample's protocol identification.
In step 5, the DFI recognition unit comprises a DFI classification training module, the DFI classification training module is in signal connection with a traffic recognition control module, and the DFI traffic detection module is in signal connection with the traffic recognition control module and the data exchange module respectively.
So that the convolutional neural network can converge, each training batch takes 100 samples as input, the training times are mmod100, and a gradient descent algorithm minimizes the cross entropy at a learning rate of 0.0001, updating the parameters in the direction that keeps reducing the loss value. The neural network parameters are stored after training is completed; finally, the labeled test set data is input into the stored neural network, and the accuracy of protocol identification is recorded.
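The layer stack described above, traced as a forward pass in plain Python (an added example, not code from the patent). It assumes zero "same" padding and 2 × 2 max-pooling stages for S2, S4 and S6, which the text names but does not define, and that X holds the first 1024 bytes of a flow scaled to [0, 1]; the weights are random and untrained, and every function name is hypothetical.

```python
import math
import random

# Added example. Anything marked ASSUMED is not stated in the patent text.

def flow_to_matrix(payload, side=32):
    """ASSUMED input encoding: first side*side bytes, zero-padded, scaled to [0, 1]."""
    n = side * side
    buf = payload[:n].ljust(n, b"\x00")
    return [[buf[r * side + c] / 255.0 for c in range(side)] for r in range(side)]

def layer_shapes(channels=(32, 64, 128), side=32):
    """Trace (name, maps, height, width) through C1/S2, C3/S4 and C5/S6."""
    shapes = [("X", 1, side, side)]
    for (conv, pool), c_out in zip((("C1", "S2"), ("C3", "S4"), ("C5", "S6")), channels):
        shapes.append((conv, c_out, side, side))  # ASSUMED 'same' padding keeps H x W
        side //= 2                                # ASSUMED 2 x 2 pooling halves H and W
        shapes.append((pool, c_out, side, side))
    return shapes

def conv_relu(maps, kernels, biases):
    """maps: [C_in][H][W], kernels: [C_out][C_in][5][5]; convolution + bias + ReLU."""
    h, w, k = len(maps[0]), len(maps[0][0]), len(kernels[0][0])
    pad, out = k // 2, []
    for kern, bias in zip(kernels, biases):
        fmap = [[0.0] * w for _ in range(h)]
        for y in range(h):
            for x in range(w):
                acc = bias
                for c, plane in enumerate(maps):
                    for dy in range(k):
                        yy = y + dy - pad
                        if not 0 <= yy < h:
                            continue              # zero padding above/below
                        for dx in range(k):
                            xx = x + dx - pad
                            if 0 <= xx < w:
                                acc += plane[yy][xx] * kern[c][dy][dx]
                fmap[y][x] = max(0.0, acc)        # ReLU
        out.append(fmap)
    return out

def max_pool2(maps):
    """ASSUMED pooling stage: 2 x 2 max pooling with stride 2."""
    return [[[max(p[y][x], p[y][x + 1], p[y + 1][x], p[y + 1][x + 1])
              for x in range(0, len(p[0]), 2)]
             for y in range(0, len(p), 2)] for p in maps]

def dense(vec, weights, biases, relu=True):
    out = [sum(w * v for w, v in zip(row, vec)) + b for row, b in zip(weights, biases)]
    return [max(0.0, o) for o in out] if relu else out

def softmax(z):
    m = max(z)                                    # subtract the max for stability
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]

def init_params(n_classes, channels=(32, 64, 128), hidden=1024, seed=0):
    """Random (untrained) weights; defaults are the widths given in the text."""
    rng = random.Random(seed)
    def rnd(*shape):
        if len(shape) == 1:
            return [rng.gauss(0.0, 0.05) for _ in range(shape[0])]
        return [rnd(*shape[1:]) for _ in range(shape[0])]
    convs, c_in = [], 1
    for c_out in channels:
        convs.append((rnd(c_out, c_in, 5, 5), [0.0] * c_out))
        c_in = c_out
    flat = channels[-1] * 4 * 4                   # S6: last width x 4 x 4 values
    return {"convs": convs,
            "fc": (rnd(hidden, flat), [0.0] * hidden),
            "out": (rnd(n_classes, hidden), [0.0] * n_classes)}

def forward(x, params):
    """X -> C1,S2 -> C3,S4 -> C5,S6 -> F7 -> Softmax prediction array Y."""
    maps = [x]
    for kernels, biases in params["convs"]:
        maps = max_pool2(conv_relu(maps, kernels, biases))
    flat = [v for plane in maps for row in plane for v in row]
    f7 = dense(flat, *params["fc"])
    return softmax(dense(f7, *params["out"], relu=False))

if __name__ == "__main__":
    for shape in layer_shapes():                  # widths from the text: 32, 64, 128
        print(shape)
    sample = bytes(range(256)) * 2                # constructed 512-byte flow prefix
    small = init_params(n_classes=4, channels=(2, 3, 4), hidden=16)  # reduced for speed
    print(forward(flow_to_matrix(sample), small))
```

The demo runs the forward pass with reduced channel widths because pure-Python convolution at the full 32/64/128 widths takes a long time; `layer_shapes()` uses the widths from the text.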
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.
Claims (4)
1. A VPN tunnel flow identification method based on a deep learning method and DFI is characterized by comprising the following steps:
step 1, identifying connection identification information between an application program and a VPN client;
step 2, verifying the identification information and the corresponding program, if the verification is passed, establishing a network interface, and if the verification is not passed, disconnecting the application program from the VPN client;
step 3, extracting and selecting proper data packet characteristic values, such as data packet header information and statistical information, based on a network flow protocol;
step 4, constructing a convolutional neural network, wherein the convolutional neural network comprises an input layer, a first convolutional layer, a second convolutional layer, a third convolutional layer, a full-connection layer and an output layer;
step 5, the flow identification module acquires the service identification information of the flow, prepares a sample module according to the control strategy, controls the DFI identification unit to identify the network flow according to the flow control strategy, and stores the identification result in the data exchange module, and the data exchange module feeds the result back to the flow identification module.
2. The VPN tunnel traffic identification method based on the deep learning method and DFI as claimed in claim 1, wherein the convolutional neural network construction method in step 4 is as follows:
the input layer takes the original feature array of the flow as input; the input is an array X with 1024 bits;
the first convolutional layer treats the 1024-bit original feature array X as a 32 × 32 matrix, convolves the input original feature array with 32 single-channel 5 × 5 convolution kernels, adds bias terms, and applies the ReLU function as activation to obtain convolutional layer C1;
the second convolutional layer convolves S2 with 64 groups of 32-channel 5 × 5 convolution kernels, adds bias terms, and applies the ReLU function as activation to obtain convolutional layer C3;
the third convolutional layer convolves S4 with 128 groups of 64-channel 5 × 5 convolution kernels, adds bias terms, and applies the ReLU function as activation to obtain convolutional layer C5;
the fully-connected layer treats the 128 4 × 4 feature maps of S6 as a 32 × 32 matrix and is fully connected to S6 with 1024 groups of single-channel 32 × 32 neurons; as in a classical neural network, it computes the dot product between the input vector and the weight vector, adds a bias term, and passes the result to the ReLU activation function to produce the corresponding output F7;
the output layer is a multi-class Softmax classifier; n groups of single-channel 1024 neurons are fully connected with F7 and converted into n feature maps of 1 × 1, that is, an n-dimensional feature vector; an n-dimensional prediction array Y is calculated with the Softmax function; Y is the output of the convolutional neural network and corresponds to the predicted probabilities of the sample's protocol identification.
3. The VPN tunnel traffic identification method based on the deep learning method and DFI according to claim 1, wherein the network traffic recognition result obtained by the DFI recognition unit in step 5 is the DFI recognition result obtained when the traffic identification control module, according to the traffic identification control policy, controls the DFI recognition unit to detect and recognize the network traffic.
4. The method according to claim 1, wherein the DFI recognition unit in step 5 comprises a DFI classification training module, the DFI classification training module is in signal connection with a traffic recognition control module, and the DFI traffic detection module is in signal connection with the traffic recognition control module and the data exchange module, respectively.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910087208.4A CN111490945A (en) | 2019-01-29 | 2019-01-29 | VPN tunnel flow identification method based on deep learning method and DFI |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910087208.4A CN111490945A (en) | 2019-01-29 | 2019-01-29 | VPN tunnel flow identification method based on deep learning method and DFI |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111490945A (en) | 2020-08-04 |
Family
ID=71797151
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910087208.4A Pending CN111490945A (en) | 2019-01-29 | 2019-01-29 | VPN tunnel flow identification method based on deep learning method and DFI |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111490945A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113726561A (en) * | 2021-08-18 | 2021-11-30 | 西安电子科技大学 | Business type recognition method for training convolutional neural network by using federal learning |
CN113949672A (en) * | 2021-10-18 | 2022-01-18 | 南京中孚信息技术有限公司 | Novel VPN identification universal technology and device |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101764754A (en) * | 2009-12-28 | 2010-06-30 | 东南大学 | Sample acquiring method in business identifying system based on DPI and DFI |
CN106790019A (en) * | 2016-12-14 | 2017-05-31 | 北京天融信网络安全技术有限公司 | The encryption method for recognizing flux and device of feature based self study |
CN107682216A (en) * | 2017-09-01 | 2018-02-09 | 南京南瑞集团公司 | A kind of network traffics protocol recognition method based on deep learning |
CN108183834A (en) * | 2017-12-04 | 2018-06-19 | 中国联合网络通信集团有限公司 | A kind of network flow management-control method and managing and control system based on DFI and DPI |
Non-Patent Citations (1)
Title |
---|
张路煜; 廖鹏; 赵俊峰; 郭靓: "Unknown protocol identification method based on convolutional neural network", Microelectronics & Computer, no. 07 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||