CN111490945A - VPN tunnel flow identification method based on deep learning method and DFI - Google Patents


Info

Publication number
CN111490945A
Authority
CN
China
Prior art keywords
dfi
identification
flow
network
convolutional
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910087208.4A
Other languages
Chinese (zh)
Inventor
王路遥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Hancheng Electronic Equipment Co ltd
Original Assignee
Shanghai Hancheng Electronic Equipment Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Hancheng Electronic Equipment Co ltd filed Critical Shanghai Hancheng Electronic Equipment Co ltd
Priority to CN201910087208.4A priority Critical patent/CN111490945A/en
Publication of CN111490945A publication Critical patent/CN111490945A/en
Pending legal-status Critical Current

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4633Interconnection of networks using encapsulation techniques, e.g. tunneling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00Traffic control in data switching networks
    • H04L47/10Flow control; Congestion control
    • H04L47/24Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a VPN tunnel flow identification method based on a deep learning method and DFI, which comprises the following steps: step 1, identifying connection identification information between an application program and a VPN client; step 2, verifying the identification information and the corresponding program, if the verification is passed, establishing a network interface, and if the verification is not passed, disconnecting the application program from the VPN client; step 3, extracting and selecting suitable data packet characteristic values, such as data packet header information and statistical information, based on a network flow protocol; step 4, constructing a convolutional neural network; and step 5, the flow identification module acquires the service identification information of the flow, prepares a sample module according to a control strategy and controls the DFI identification unit to identify the network flow according to the flow control strategy. The method automatically extracts the features useful for the classification task, so no effort is spent on extracting and selecting protocol features; when a mobile terminal VPN is accessed, the identification information between an application program and the VPN client can be identified.

Description

VPN tunnel flow identification method based on deep learning method and DFI
Technical Field
The invention relates to the technical field of flow identification, in particular to a VPN tunnel flow identification method based on a deep learning method and DFI.
Background
A network protocol is a set of rules, standards, or conventions established for the exchange of data over a computer network. The identification and analysis of network protocols is the basis of network security and is important for network supervision, anomaly detection and network security maintenance. Traditional network flow protocol identification methods are mainly the following: port-based network traffic protocol identification, deep packet inspection-based network traffic protocol identification, and machine learning-based network traffic protocol identification.
In existing network flow identification technology based on DFI and DPI, a DFI sample module and a DPI sample module are arranged independently. The DFI identification unit performs DFI identification of the network flow by acquiring the service characteristics of the network flow and the DFI sample characteristics of the DFI sample module and comparing the two. The DPI identification unit performs DPI identification of the network flow by reassembling the application layer characteristics of the network flow, acquiring the DPI sample characteristics of the DPI sample module, and matching the application layer characteristics against the DPI sample characteristics. Deep learning is a new field of machine learning that builds neural networks which simulate how the human brain analyzes and learns, imitating the mechanisms of the human brain to interpret data; it can be applied to language processing, image analysis tasks and voice recognition.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a VPN tunnel flow identification method based on a deep learning method and DFI, which comprises the following steps:
step 1, identifying connection identification information between an application program and a VPN client;
step 2, verifying the identification information and the corresponding program, if the verification is passed, establishing a network interface, and if the verification is not passed, disconnecting the application program from the VPN client;
step 3, extracting and selecting proper data packet characteristic values, such as data packet header information and statistical information, based on a network flow protocol;
step 4, constructing a convolutional neural network, wherein the convolutional neural network comprises an input layer, a first convolutional layer, a second convolutional layer, a third convolutional layer, a full-connection layer and an output layer;
step 5, the flow identification module acquires the service identification information of the flow, prepares a sample module according to a control strategy, controls the DFI identification unit to identify the network flow according to the flow control strategy, and stores the identification result in the data exchange module.
Preferably, the convolutional neural network construction method in step 4 is as follows:
the input layer takes the raw feature array of the flow as input; the input is an array X with 1024 bits;
the first convolutional layer treats the 1024-bit raw feature array X as a 32 × 32 matrix, convolves it with 32 single-channel 5 × 5 convolution kernels, adds a bias term, and applies the ReLU activation function to obtain convolutional layer C1;
the second convolutional layer convolves S2 with 64 groups of 32-channel 5 × 5 convolution kernels, adds a bias term, and applies the ReLU activation function to obtain convolutional layer C3;
the third convolutional layer convolves S4 with 128 groups of 64-channel 5 × 5 convolution kernels, adds a bias term, and applies the ReLU activation function to obtain convolutional layer C5;
the fully-connected layer treats the 128 4 × 4 feature maps of S6 as a 32 × 32 matrix and fully connects 1024 groups of single-channel 32 × 32 neurons to S6; as in a classical neural network, it computes the dot product between the input vector and the weight vector, adds a bias term, and passes the result to the ReLU activation function to produce the corresponding output F7;
the output layer is a multi-class Softmax classifier: n groups of single-channel 1024 neurons are fully connected to F7 and converted into n feature maps of size 1 × 1, that is, an n-dimensional feature vector; the Softmax function then computes an n-dimensional prediction array Y, which is the output of the convolutional neural network and corresponds to the predicted probabilities of the sample's protocol identification.
Preferably, the network traffic identification result obtained by the DFI identification unit in step 5 is the DFI identification result produced when the traffic identification control module directs the DFI identification unit, according to the traffic identification control policy, to detect and identify the network traffic.
Preferably, in step 5, the DFI recognition unit includes a DFI classification training module, the DFI classification training module is in signal connection with a traffic recognition control module, and the DFI traffic detection module is in signal connection with the traffic recognition control module and the data exchange module, respectively.
Advantageous effects
The invention provides a VPN tunnel flow identification method based on a deep learning method and DFI. The method has the following beneficial effects:
1. The method automatically extracts the features useful for the classification task, so no effort is spent on extracting and selecting protocol features; the method has learning and expansion capabilities.
2. When the mobile terminal VPN is accessed, the identification information between the application program and the VPN client can be identified and the application program is further verified, so the security of VPN screenshot is improved.
Drawings
Fig. 1 is a flow chart of a network flow management and control method of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a VPN tunnel flow identification method based on a deep learning method and DFI, which comprises the following steps:
step 1, identifying connection identification information between an application program and a VPN client;
step 2, verifying the identification information and the corresponding program; if the verification is passed, establishing a network interface, and if the verification is not passed, disconnecting the application program from the VPN client. Verifying the application program corresponding to the identification information comprises the following steps: extracting the fingerprint information of the App; comparing the App fingerprint information with the App fingerprint information in an App fingerprint database; if the App fingerprint information exists in the App fingerprint database, the verification is passed; and if the App fingerprint information does not exist in the App fingerprint database, the verification is not passed.
Step 3, extracting and selecting proper data packet characteristic values, such as data packet header information and statistical information, based on a network flow protocol;
step 4, constructing a convolutional neural network, wherein the convolutional neural network comprises an input layer, a first convolutional layer, a second convolutional layer, a third convolutional layer, a full-connection layer and an output layer;
step 5, a flow identification module acquires the service identification information of the flow, a sample module is prepared according to a control strategy, a DFI identification unit is controlled to identify the network flow according to a flow control strategy, and the identification result is stored in a data exchange module. The network flow identification result obtained by the DFI identification unit in step 5 is the DFI identification result: the flow identification control module must control the DFI identification unit to detect and identify the network flow according to the flow identification control strategy, and the network flow identification result so obtained is the DFI identification result.
The convolutional neural network construction method in the step 4 comprises the following steps:
the input layer takes the raw feature array of the flow as input; the input is an array X with 1024 bits;
the first convolutional layer treats the 1024-bit raw feature array X as a 32 × 32 matrix, convolves it with 32 single-channel 5 × 5 convolution kernels, adds a bias term, and applies the ReLU activation function to obtain convolutional layer C1;
the second convolutional layer convolves S2 with 64 groups of 32-channel 5 × 5 convolution kernels, adds a bias term, and applies the ReLU activation function to obtain convolutional layer C3;
the third convolutional layer convolves S4 with 128 groups of 64-channel 5 × 5 convolution kernels, adds a bias term, and applies the ReLU activation function to obtain convolutional layer C5;
the fully-connected layer treats the 128 4 × 4 feature maps of S6 as a 32 × 32 matrix and fully connects 1024 groups of single-channel 32 × 32 neurons to S6; as in a classical neural network, it computes the dot product between the input vector and the weight vector, adds a bias term, and passes the result to the ReLU activation function to produce the corresponding output F7;
the output layer is a multi-class Softmax classifier: n groups of single-channel 1024 neurons are fully connected to F7 and converted into n feature maps of size 1 × 1, that is, an n-dimensional feature vector; the Softmax function then computes an n-dimensional prediction array Y, which is the output of the convolutional neural network and corresponds to the predicted probabilities of the sample's protocol identification.
In step 5, the DFI recognition unit comprises a DFI classification training module, the DFI classification training module is in signal connection with a traffic recognition control module, and the DFI traffic detection module is in signal connection with the traffic recognition control module and the data exchange module respectively.
So that the convolutional neural network can converge, during training 100 samples per batch are taken as input, the training times are mmod100, and a gradient descent algorithm with a learning rate of 0.0001 is used to minimize the cross entropy, updating the parameters in the direction that continuously reduces the loss value. After training is completed the neural network parameters are stored; finally, the labeled test set data is input into the stored neural network and the accuracy of protocol identification is recorded.
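The layer sizes described above can be checked with a shape and parameter walk-through. This is an added example, not code from the patent: it assumes one byte per element of X scaled to [0, 1], stride-1 "same"-padded convolutions, and 2 × 2 pooling for S2, S4 and S6 (which the text names but does not define); the sample flow and n = 6 classes are constructed.

```python
import math

def flow_to_matrix(payload: bytes, side: int = 32):
    """Build the side x side input X from the leading bytes of a flow.

    Assumption (not stated on the page): one element of X per byte, scaled
    to [0, 1]; short flows are zero-padded, long flows are truncated.
    """
    n = side * side
    buf = payload[:n].ljust(n, b"\x00")
    scaled = [b / 255.0 for b in buf]
    return [scaled[r * side:(r + 1) * side] for r in range(side)]

def conv5x5_same(shape, out_channels):
    """5x5 convolution, stride 1, 'same' padding (assumed): H and W are kept.

    Parameters = out_channels * (in_channels * 25 weights + 1 bias).
    """
    channels, height, width = shape
    return (out_channels, height, width), out_channels * (channels * 25 + 1)

def pool2x2(shape, _unused=None):
    """2x2 pooling (assumed for S2/S4/S6): halves H and W, no parameters."""
    channels, height, width = shape
    return (channels, height // 2, width // 2), 0

def dense(shape, units):
    """Fully-connected layer over the flattened input, one bias per unit."""
    return (units,), units * (math.prod(shape) + 1)

def trace(matrix, n_classes):
    """Return [(layer, output_shape, parameter_count), ...] for input X."""
    shape = (1, len(matrix), len(matrix[0]))   # single-channel 32 x 32 input
    plan = [
        ("C1", conv5x5_same, 32),    # 32 single-channel 5x5 kernels
        ("S2", pool2x2, None),
        ("C3", conv5x5_same, 64),    # 64 groups of 32-channel 5x5 kernels
        ("S4", pool2x2, None),
        ("C5", conv5x5_same, 128),   # 128 groups of 64-channel 5x5 kernels
        ("S6", pool2x2, None),
        ("F7", dense, 1024),         # 1024 fully-connected neurons
        ("Y", dense, n_classes),     # n logits fed to Softmax
    ]
    rows = []
    for name, op, arg in plan:
        shape, params = op(shape, arg)
        rows.append((name, shape, params))
    return rows

# Constructed sample: a 768-byte flow, zero-padded to 1024 elements.
SAMPLE_FLOW = bytes(range(256)) * 3

if __name__ == "__main__":
    x = flow_to_matrix(SAMPLE_FLOW)
    for name, shape, params in trace(x, n_classes=6):
        flat = math.prod(shape)
        print(f"{name:>2}  out={shape!s:<14} flat={flat:>6}  params={params}")
```

Under these assumptions S6 comes out as 128 feature maps of 4 × 4, as the text states; flattened, that is 2048 values rather than the 1024 of a 32 × 32 matrix, and F7 holds most of the network's parameters.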
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (4)

1. A VPN tunnel flow identification method based on a deep learning method and DFI is characterized by comprising the following steps:
step 1, identifying connection identification information between an application program and a VPN client;
step 2, verifying the identification information and the corresponding program, if the verification is passed, establishing a network interface, and if the verification is not passed, disconnecting the application program from the VPN client;
step 3, extracting and selecting proper data packet characteristic values, such as data packet header information and statistical information, based on a network flow protocol;
step 4, constructing a convolutional neural network, wherein the convolutional neural network comprises an input layer, a first convolutional layer, a second convolutional layer, a third convolutional layer, a full-connection layer and an output layer;
step 5, the flow identification module acquires the service identification information of the flow, a sample module is prepared according to the control strategy, the DFI identification unit is controlled to identify the network flow according to the flow control strategy, the identification result is stored in the data exchange module, and the data exchange module feeds the result back to the flow identification module.
2. The VPN tunnel traffic identification method based on the deep learning method and DFI as claimed in claim 1, wherein the convolutional neural network construction method in step 4 is as follows:
the input layer takes the raw feature array of the flow as input; the input is an array X with 1024 bits;
the first convolutional layer treats the 1024-bit raw feature array X as a 32 × 32 matrix, convolves it with 32 single-channel 5 × 5 convolution kernels, adds a bias term, and applies the ReLU activation function to obtain convolutional layer C1;
the second convolutional layer convolves S2 with 64 groups of 32-channel 5 × 5 convolution kernels, adds a bias term, and applies the ReLU activation function to obtain convolutional layer C3;
the third convolutional layer convolves S4 with 128 groups of 64-channel 5 × 5 convolution kernels, adds a bias term, and applies the ReLU activation function to obtain convolutional layer C5;
the fully-connected layer treats the 128 4 × 4 feature maps of S6 as a 32 × 32 matrix and fully connects 1024 groups of single-channel 32 × 32 neurons to S6; as in a classical neural network, it computes the dot product between the input vector and the weight vector, adds a bias term, and passes the result to the ReLU activation function to produce the corresponding output F7;
the output layer is a multi-class Softmax classifier: n groups of single-channel 1024 neurons are fully connected to F7 and converted into n feature maps of size 1 × 1, that is, an n-dimensional feature vector; the Softmax function then computes an n-dimensional prediction array Y, which is the output of the convolutional neural network and corresponds to the predicted probabilities of the sample's protocol identification.
3. The VPN tunnel flow identification method based on the deep learning method and DFI according to claim 1, wherein the network traffic identification result obtained by the DFI recognition unit in step 5 is the DFI recognition result produced when the traffic identification control module directs the DFI recognition unit, according to the traffic identification control policy, to detect and recognize the network traffic.
4. The method according to claim 1, wherein the DFI recognition unit in step 5 comprises a DFI classification training module, the DFI classification training module is in signal connection with a traffic recognition control module, and the DFI traffic detection module is in signal connection with the traffic recognition control module and the data exchange module, respectively.
CN201910087208.4A 2019-01-29 2019-01-29 VPN tunnel flow identification method based on deep learning method and DFI Pending CN111490945A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910087208.4A CN111490945A (en) 2019-01-29 2019-01-29 VPN tunnel flow identification method based on deep learning method and DFI

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910087208.4A CN111490945A (en) 2019-01-29 2019-01-29 VPN tunnel flow identification method based on deep learning method and DFI

Publications (1)

Publication Number Publication Date
CN111490945A true CN111490945A (en) 2020-08-04

Family

ID=71797151

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910087208.4A Pending CN111490945A (en) 2019-01-29 2019-01-29 VPN tunnel flow identification method based on deep learning method and DFI

Country Status (1)

Country Link
CN (1) CN111490945A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113726561A (en) * 2021-08-18 2021-11-30 西安电子科技大学 Business type recognition method for training convolutional neural network by using federal learning
CN113949672A (en) * 2021-10-18 2022-01-18 南京中孚信息技术有限公司 Novel VPN identification universal technology and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101764754A (en) * 2009-12-28 2010-06-30 东南大学 Sample acquiring method in business identifying system based on DPI and DFI
CN106790019A (en) * 2016-12-14 2017-05-31 北京天融信网络安全技术有限公司 The encryption method for recognizing flux and device of feature based self study
CN107682216A (en) * 2017-09-01 2018-02-09 南京南瑞集团公司 A kind of network traffics protocol recognition method based on deep learning
CN108183834A (en) * 2017-12-04 2018-06-19 中国联合网络通信集团有限公司 A kind of network flow management-control method and managing and control system based on DFI and DPI

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张路煜; 廖鹏; 赵俊峰; 郭靓: "Unknown protocol identification method based on convolutional neural networks", Microelectronics & Computer (微电子学与计算机), no. 07 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination