CN111711545A - Intelligent encrypted flow identification method based on deep packet inspection technology in software defined network - Google Patents

Publication number: CN111711545A
Authority: CN (China)
Prior art keywords: flow, encrypted, network, traffic, intelligent
Legal status: Pending
Application number: CN202010472081.0A
Other languages: Chinese (zh)
Inventors: 朱丹红, 林凯祺, 李洪, 张栋, 林为伟
Current assignee: Fuzhou University
Original assignee: Fuzhou University
Application filed by Fuzhou University
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G06F18/232 Non-hierarchical techniques
    • G06F18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/243 Classification techniques relating to the number of classes
    • G06F18/24323 Tree-organised classifiers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general


Abstract

The invention relates to an intelligent identification method for encrypted traffic based on deep packet inspection technology in a software defined network. First, network traffic is collected by the controller of the software defined network and the OpenFlow protocol packet header is removed to generate the original network traffic. The original network traffic is then sent to a deep packet inspection module deployed at the application layer, which identifies the application type of the unencrypted network flows. The remaining encrypted network flows are stored locally in pcap format. Flow-level statistical features are then extracted from the pcap file by the CICFlowMeter tool to form a CSV file. A random forest is used as the intelligent classifier for encrypted traffic: the local offline CSV data set is analyzed and an initial intelligent classification model is established. Finally, the model parameters are adjusted and the model is applied to online identification of encrypted network traffic. The invention facilitates reporting the network traffic types identified online to the controller, so that the controller can make more reasonable traffic management and control policies in time.

Description

Intelligent encrypted flow identification method based on deep packet inspection technology in software defined network
Technical Field
The invention relates to the field of software defined network research, in particular to an intelligent encrypted flow identification method based on a deep packet inspection technology in a software defined network.
Background
In the network service application layer, traffic is generally identified at a finer granularity and more traffic characteristic information is acquired, so that finer-grained flow control and forwarding rules can be created and more types of network services can be provided. Software-Defined Networking (SDN) breaks the vertical integration of the OSI model by separating the control logic from the data plane, resulting in significant improvements in network flexibility, visibility, and performance. In an SDN network architecture, the OpenFlow protocol matches on information from layer 1 to layer 4 of the OSI model, including the ingress port, IP address, TCP/UDP and the like, so that flexible scheduling of data flows can be realized. However, since information above layer 5 is not visible, it is difficult to manage network traffic by application layer protocol. Deep Packet Inspection (DPI) technology can read the payload of a network data packet, analyze the characteristics of the packet content, identify the application layer protocol and other content of the packet, and thereby support a finer-grained flow control strategy.
Disclosure of Invention
In view of this, an object of the present invention is to provide an intelligent identification method for encrypted traffic based on deep packet inspection technology in a software defined network, which facilitates reporting the network traffic types identified online to the controller, so that the controller can make more reasonable traffic management and control policies in time.
The invention is realized by adopting the following scheme: an intelligent identification method for encrypted traffic based on deep packet inspection technology in a software defined network comprises the following steps:
step S1: a Software-Defined Network (SDN) controller collects network traffic, removes the OpenFlow protocol packet header and generates the original network traffic;
step S2: the original network traffic is sent through the software defined network northbound interface to a deep packet inspection module deployed at the application layer, and the application type of the unencrypted network flows is identified, wherein the deep packet inspection module is deployed at the application layer by means of the open-source deep packet analysis library (nDPI) and the northbound RESTful Application Programming Interface (API) of the software defined network controller;
step S3: the remaining encrypted network flows are stored locally in pcap format;
step S4: flow-level statistical features are extracted from the pcap file by the bidirectional flow feature extraction tool CICFlowMeter to form a CSV file;
step S5: a random forest method is used as the intelligent classifier for encrypted traffic; the local offline CSV data set is analyzed and an initial intelligent classification model is established;
step S6: the parameters of the initial intelligent classification model for encrypted traffic are adjusted and the classification effect is verified, thereby obtaining the intelligent classification model for encrypted traffic, which is applied to online identification of encrypted network traffic.
Further, the specific content of step S1 is: when a switch in the software defined network data plane receives a new network flow, the flow is uploaded to the controller; the controller parses the flow and removes the OpenFlow protocol packet header to generate the original network traffic.
Further, identifying the application type of the unencrypted network flows in step S2 specifically comprises: using the open-source nDPI library as the core of the Deep Packet Inspection (DPI) function module, the original network traffic generated in step S1 is sent through the northbound interface to the deep packet inspection module deployed at the application layer; nDPI identifies whether each network flow is encrypted and identifies the application type of the unencrypted network flows.
Further, in step S4, the bidirectional network traffic feature extraction tool CICFlowMeter developed by CIC is used to compute 30 main flow-level features from the pcap file of the encrypted network flow data set, forming a report file in CSV format; each flow in the report file uses six elements as its unique identifier, namely FlowID, SourceIP, DestinationIP, SourcePort, DestinationPort and Protocol.
Further, the step S5 specifically includes the following steps:
step S51: 70% of the data in the encrypted network flow data set is randomly extracted as the training data set D of the encrypted traffic intelligent identification method, and 30% as the test data set T; each record comprises 30 flow statistical features and is labeled with one of the types Chat, Video, Mail, VoIP, SNS and P2P;
step S52: the training data set of step S51 is cleaned using a K-means clustering method to remove noisy data;
step S53: the training set D contains N network data training samples; n samples are selected by Bagging sampling to construct a new training set, and a decision tree is generated from the new training set, where n ≤ N;
step S54: features are selected at random to split the decision tree; when a sample has Z attributes, z attributes are selected at random without replacement as the candidate feature set C, the best feature among the z is selected using the Gini coefficient or information entropy as the metric, and the node is split, where z ≤ Z;
step S55: all decision trees are split according to step S54 until they can no longer be split, without pruning, which completes the construction of the initial model that uses the random forest method for intelligent classification of encrypted traffic.
Further, the step S6 specifically includes the following steps: using the 30% test data set from step S5, the number of trees (n_estimators), the maximum tree depth (max_depth), the maximum number of features considered when splitting a decision tree node (max_features), the minimum number of samples at a leaf node (min_samples_leaf) and the minimum number of samples required to split an internal node (min_samples_split) of the encrypted traffic intelligent classification model are adjusted according to four evaluation metrics, namely accuracy, precision, recall and F1-Measure; the classification effect of the model is verified, and the intelligent classification model for encrypted network traffic is thereby obtained. When new network traffic arrives at the switch, steps S1 and S2 are executed; if the traffic is unencrypted, it is identified directly; if the traffic is encrypted, steps S3 and S4 are further executed and the traffic is passed to the constructed encrypted traffic intelligent classification model, which identifies the application type of the encrypted traffic.
Compared with the prior art, the invention has the following beneficial effects:
(1) The deep packet inspection function module, with the open-source nDPI library as its core, can identify a variety of mainstream network protocols, has good portability and extensibility, and is superior to other tools in performance, speed and accuracy.
(2) Because encryption only encrypts the payload information and does not alter the statistical characteristics of the flow, after nDPI has identified the application type of the unencrypted network flows, a machine learning method is further used to learn the statistical characteristics of the network flows, thereby realizing effective classification and identification of the encrypted traffic.
(3) Compared with other machine learning algorithms, the random forest algorithm can effectively process high-dimensional data. Because its feature subsets are chosen at random, feature selection is efficient. After training is finished, an importance ranking of the features can be obtained, which provides a basis for adjusting feature weights. More importantly, the random forest trains quickly and is easy to parallelize, so it can meet the real-time requirements of network flow control.
Drawings
Fig. 1 is a schematic flow chart of the embodiment of the present invention.
Detailed Description
The invention is further explained below with reference to the drawings and the embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should further be understood that the terms "comprises" and/or "comprising", when used in this specification, specify the presence of the stated features, steps, operations, devices, components, and/or combinations thereof.
As shown in Fig. 1, an intelligent identification method for encrypted traffic based on deep packet inspection technology in a software defined network includes the following steps:
step S1: a Software-Defined Network (SDN) controller collects network traffic, removes the OpenFlow protocol packet header and generates the original network traffic;
step S2: the original network traffic is sent through the software defined network northbound interface to a deep packet inspection module deployed at the application layer, and the application type of the unencrypted network flows is identified, wherein the deep packet inspection module is deployed at the application layer by means of the open-source deep packet analysis library (nDPI) and the northbound RESTful Application Programming Interface (API) of the software defined network controller;
step S3: the remaining encrypted network flows are stored locally in pcap format;
step S4: flow-level statistical features are extracted from the pcap file by the bidirectional flow feature extraction tool CICFlowMeter to form a CSV file;
step S5: a random forest method is used as the intelligent classifier for encrypted traffic; the local offline CSV data set is analyzed and an initial intelligent classification model is established;
step S6: the parameters of the initial intelligent classification model for encrypted traffic are adjusted and the classification effect is verified, thereby obtaining the intelligent classification model for encrypted traffic, which is applied to online identification of encrypted network traffic.
In this embodiment, the specific content of step S1 is: the SDN-based three-layer architecture comprises a data plane, a control plane and an application layer. When a switch in the software defined network data plane receives a new network flow, the flow is uploaded to the controller through OpenFlow; the controller parses the flow and removes the OpenFlow protocol packet header to generate the original network traffic.
In this embodiment, in step S2, the controller sends the original network traffic to the deep packet inspection module deployed at the application layer via the northbound interface. Information such as IP addresses and ports is extracted by the core library of the open-source nDPI and passed to a parser, which resolves the application protocol of the unencrypted network flows.
In this embodiment, identifying the application type of the unencrypted network flows in step S2 specifically comprises: using the open-source nDPI library as the core of the Deep Packet Inspection (DPI) function module, the original network traffic generated in step S1 is sent through the northbound interface to the deep packet inspection module deployed at the application layer; nDPI identifies whether each network flow is encrypted and identifies the application type of the unencrypted network flows.
In this embodiment, in step S3, nDPI identifies the network traffic encrypted with the TLS protocol and saves it as a local offline data set in pcap format.
In this embodiment, in step S4, the bidirectional network traffic feature extraction tool CICFlowMeter developed by CIC is used to compute 30 main traffic features, such as forward Duration, reverse Duration, number of Packets, number of Bytes, length of Packets, Flow Duration, number of Packets per second, and the like, from the pcap file of the encrypted network traffic data set, forming a report file in CSV format; each flow in the report file uses six elements as its unique identifier, namely FlowID, SourceIP, DestinationIP, SourcePort, DestinationPort and Protocol.
In this embodiment, the step S5 specifically includes the following steps:
step S51: 70% of the data in the encrypted network flow data set is randomly extracted as the training data set D of the encrypted traffic intelligent identification method, and 30% as the test data set T; each record comprises 30 flow statistical features and is labeled with one of the types Chat, Video, Mail, VoIP and the like;
step S52: the training data set of step S51 is cleaned using a K-means clustering method to remove noisy data;
step S53: the training set D contains N network data training samples; n samples are selected by Bagging sampling to construct a new training set, and a decision tree is generated from the new training set, where n ≤ N;
step S54: features are selected at random to split the decision tree; when a sample has Z attributes, z attributes are selected at random without replacement as the candidate feature set C, the best feature among the z is selected using the Gini coefficient or information entropy as the metric, and the node is split, where z ≤ Z;
step S55: all decision trees are split according to step S54 until they can no longer be split, without pruning, which completes the construction of the initial model that uses the random forest method for intelligent classification of encrypted traffic.
In this embodiment, the step S6 specifically includes the following steps: using the 30% test data set from step S5, parameters of the encrypted traffic intelligent classification model such as the number of trees (n_estimators), the maximum tree depth (max_depth), the maximum number of features considered when splitting a decision tree node (max_features), the minimum number of samples at a leaf node (min_samples_leaf) and the minimum number of samples required to split an internal node (min_samples_split) are adjusted according to four evaluation metrics such as accuracy, precision, recall and F1-Measure; the classification effect of the model is verified, and the intelligent classification model for encrypted network traffic is thereby obtained. When new network traffic arrives at the switch, steps S1 and S2 are executed; if the traffic is unencrypted, it is identified directly; if the traffic is encrypted, steps S3 and S4 are further executed and the traffic is passed to the constructed encrypted traffic intelligent classification model, which identifies the application type of the encrypted traffic.
In this embodiment, in step S5, if a sample x in the test set T = {T1, …, T2} reaches a certain leaf node, then the probability that x belongs to category v is:
Figure RE-GDA0002637532070000091
where M is the number of decision trees in the random forest and $p_m(v \mid x)$ is the class distribution of the leaf nodes; the final classification decision for x is $v = \arg\max p(v \mid x)$, $v \in \{1, \ldots, N_v\}$. $N_v$ is 4, representing the types Chat, Video, Mail and VoIP.
In this embodiment, in step S6, the learning curve is observed by a cross-validation method and the random forest model parameters are adjusted; it is determined that the number of trees n_estimators ranges from 150 to 220, the maximum depth max_depth = 25, the maximum feature number max_features = 1, the minimum number of samples at a leaf node min_samples_leaf = 2, and the minimum number of samples required to split an internal node min_samples_split = 14. The random forest model is then applied to online intelligent identification of encrypted network traffic.
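The following added example (not part of the patent and not the inventors' code) implements steps S53 to S55 and the forest vote in standard-library Python, using the parameter values stated for step S6 with n_estimators at the low end of the stated range. The flow records, their three features and all function names are constructed for illustration; K-means cleaning (S52) is omitted, Bagging draws n = N samples, and the forest probability is assumed to be the plain average of the per-tree leaf distributions p_m(v | x).

```python
import random
from collections import Counter

# Constructed class centres: (flow duration s, packets per second, mean packet length B).
CENTRES = {"Chat": (30.0, 2.0, 120.0), "Video": (300.0, 400.0, 1300.0),
           "Mail": (5.0, 20.0, 700.0), "VoIP": (120.0, 50.0, 200.0)}

# Values stated for step S6; n_estimators is the low end of the 150-220 range.
PAGE_PARAMS = {"n_estimators": 150, "max_depth": 25, "max_features": 1,
               "min_samples_leaf": 2, "min_samples_split": 14}


def make_constructed_flows(per_class=40, seed=7):
    """Synthetic stand-in for labelled CSV rows (features only), split 70/30 as in S51."""
    rng = random.Random(seed)
    data = [([rng.gauss(c, 0.1 * c) for c in centre], label)
            for label, centre in CENTRES.items() for _ in range(per_class)]
    rng.shuffle(data)
    cut = len(data) * 7 // 10
    return data[:cut], data[cut:]          # training set D, test set T


def gini(samples):
    n = len(samples)
    return 1.0 - sum((k / n) ** 2 for k in Counter(y for _, y in samples).values())


def leaf(samples):
    """Class distribution stored at a leaf: this is p_m(v | x) for tree m."""
    counts = Counter(y for _, y in samples)
    return {label: k / len(samples) for label, k in counts.items()}


def partition(samples, f, thr):
    return ([s for s in samples if s[0][f] <= thr],
            [s for s in samples if s[0][f] > thr])


def best_split(samples, feats, min_samples_leaf):
    """S54: best (feature, threshold) among the candidates by weighted Gini."""
    best, best_score = None, gini(samples)     # a split must beat the parent impurity
    for f in feats:
        values = sorted({x[f] for x, _ in samples})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left, right = partition(samples, f, thr)
            if min(len(left), len(right)) < min_samples_leaf:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(samples)
            if score < best_score:
                best, best_score = (f, thr), score
    return best


def build_tree(samples, rng, p, depth=0):
    """S55: grow without pruning until the node is pure or a limit from S6 applies."""
    pure = len({y for _, y in samples}) == 1
    if pure or depth >= p["max_depth"] or len(samples) < p["min_samples_split"]:
        return leaf(samples)
    n_features = len(samples[0][0])
    feats = rng.sample(range(n_features), p["max_features"])   # z of Z, no replacement
    split = best_split(samples, feats, p["min_samples_leaf"])
    if split is None:
        return leaf(samples)
    left, right = partition(samples, *split)
    return (*split, build_tree(left, rng, p, depth + 1),
            build_tree(right, rng, p, depth + 1))


def fit_forest(train, params=PAGE_PARAMS, seed=0):
    rng = random.Random(seed)
    forest = []
    for _ in range(params["n_estimators"]):
        bag = [train[rng.randrange(len(train))] for _ in train]   # S53: Bagging
        forest.append(build_tree(bag, rng, params))
    return forest


def forest_proba(forest, x):
    """Average over the M trees of the leaf distribution that x reaches."""
    total = {}
    for node in forest:
        while isinstance(node, tuple):          # internal node: (feature, thr, left, right)
            f, thr, left, right = node
            node = left if x[f] <= thr else right
        for label, prob in node.items():
            total[label] = total.get(label, 0.0) + prob
    return {label: s / len(forest) for label, s in total.items()}


def classify(forest, x):
    proba = forest_proba(forest, x)
    return max(proba, key=proba.get)            # v = argmax p(v | x)


def accuracy(forest, test):
    return sum(classify(forest, x) == y for x, y in test) / len(test)


if __name__ == "__main__":
    train_set, test_set = make_constructed_flows()
    model = fit_forest(train_set)
    print("accuracy on T:", accuracy(model, test_set))
    print("p(v | x):", forest_proba(model, (120.0, 50.0, 200.0)))
```

With max_features = 1 each split sees a single randomly chosen feature, so individual trees are weak and the averaged vote over many trees carries the accuracy.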
The above description is only a preferred embodiment of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention should be covered by the present invention.

Claims (6)

1. An intelligent identification method for encrypted traffic based on deep packet inspection technology in a software defined network, characterized in that the method comprises the following steps:
step S1: the software defined network controller collects network traffic, removes the OpenFlow protocol packet header and generates the original network traffic;
step S2: the original network traffic is sent through the software defined network northbound interface to a deep packet inspection module deployed at the application layer, and the application type of the unencrypted network flows is identified, wherein the deep packet inspection module is deployed at the application layer by means of the open-source deep packet analysis library (nDPI) and the northbound RESTful Application Programming Interface (API) of the software defined network controller;
step S3: the remaining encrypted network flows are stored locally in pcap format;
step S4: flow-level statistical features are extracted from the pcap file by the bidirectional flow feature extraction tool CICFlowMeter to form a CSV file;
step S5: a random forest method is used as the intelligent classifier for encrypted traffic; the local offline CSV data set is analyzed and an initial intelligent classification model is established;
step S6: the parameters of the initial intelligent classification model for encrypted traffic are adjusted and the classification effect is verified, thereby obtaining the intelligent classification model for encrypted traffic, which is applied to online identification of encrypted network traffic.
2. The intelligent encrypted traffic identification method based on the deep packet inspection technology in the software defined network according to claim 1, characterized in that: the specific content of step S1 is: when a switch in the software defined network data plane receives a new network flow, the flow is uploaded to the controller; the controller parses the flow and removes the OpenFlow protocol packet header to generate the original network traffic.
3. The intelligent encrypted traffic identification method based on the deep packet inspection technology in the software defined network according to claim 1, characterized in that: identifying the application type of the unencrypted network flows in step S2 specifically comprises: using the open-source nDPI library as the core of the deep packet inspection function module, the original network traffic generated in step S1 is sent through the northbound interface to the deep packet inspection module deployed at the application layer; nDPI identifies whether each network flow is encrypted and identifies the application type of the unencrypted network flows.
4. The intelligent encrypted traffic identification method based on the deep packet inspection technology in the software defined network according to claim 1, characterized in that: in step S4, the bidirectional network traffic feature extraction tool CICFlowMeter developed by CIC is used to compute 30 main flow-level features from the pcap file of the encrypted network flow data set, forming a report file in CSV format; each flow in the report file uses six elements as its unique identifier, namely FlowID, SourceIP, DestinationIP, SourcePort, DestinationPort and Protocol.
5. The intelligent identification method for encrypted traffic based on the deep packet inspection technology in the software defined network according to claim 4, characterized in that: the step S5 specifically includes the following steps:
step S51: 70% of the data in the encrypted network flow data set is randomly extracted as the training data set D of the encrypted traffic intelligent identification method, and 30% as the test data set T; each record comprises 30 flow statistical features and is labeled with one of the types Chat, Video, Mail, VoIP, SNS and P2P;
step S52: the training data set of step S51 is cleaned using a K-means clustering method to remove noisy data;
step S53: the training set D contains N network data training samples; n samples are selected by Bagging sampling to construct a new training set, and a decision tree is generated from the new training set, where n ≤ N;
step S54: features are selected at random to split the decision tree; when a sample has Z attributes, z attributes are selected at random without replacement as the candidate feature set C, the best feature among the z is selected using the Gini coefficient or information entropy as the metric, and the node is split, where z ≤ Z;
step S55: all decision trees are split according to step S54 until they can no longer be split, without pruning, which completes the construction of the initial model that uses the random forest method for intelligent classification of encrypted traffic.
6. The intelligent identification method for encrypted traffic based on the deep packet inspection technology in the software defined network according to claim 5, characterized in that: the step S6 specifically includes the following steps: using the 30% test data set from step S5, the number of trees, the maximum tree depth, the maximum number of features considered when splitting a decision tree node, the minimum number of samples at a leaf node and the minimum number of samples required to split an internal node of the encrypted traffic intelligent classification model are adjusted according to four evaluation metrics, namely accuracy, precision, recall and F1-Measure; the classification effect of the model is verified, and the intelligent classification model for encrypted network traffic is thereby obtained. When new network traffic arrives at the switch, steps S1 and S2 are executed; if the traffic is unencrypted, it is identified directly; if the traffic is encrypted, steps S3 and S4 are further executed and the traffic is passed to the constructed encrypted traffic intelligent classification model, which identifies the application type of the encrypted traffic.

Priority and family information

Application number: CN202010472081.0A
Priority date: 2020-05-29
Filing date: 2020-05-29
Title: Intelligent encrypted flow identification method based on deep packet inspection technology in software defined network
Status: Pending
Publication: CN111711545A (en), published 2020-09-25
Family ID: 72538671
Country: CN

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104572786A (en) * 2013-10-29 2015-04-29 华为技术有限公司 Visualized optimization processing method and device for random forest classification model
CN107241359A (en) * 2017-08-03 2017-10-10 安捷光通科技成都有限公司 A kind of software-oriented defines the lightweight network flow abnormal detecting method of network
US20170364794A1 (en) * 2016-06-20 2017-12-21 Telefonaktiebolaget Lm Ericsson (Publ) Method for classifying the payload of encrypted traffic flows
US20180248905A1 (en) * 2017-02-24 2018-08-30 Ciena Corporation Systems and methods to detect abnormal behavior in networks
CN109450740A (en) * 2018-12-21 2019-03-08 青岛理工大学 A kind of SDN controller carrying out traffic classification based on DPI and machine learning algorithm
CN110138766A (en) * 2019-05-10 2019-08-16 福州大学 Longicorn must be in conjunction with the network inbreak detection method of random forest
WO2020094276A1 (en) * 2018-11-09 2020-05-14 NEC Laboratories Europe GmbH Method and system for adaptive network intrusion detection

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
李兆斌等: "SDN中基于机器学习的网络流量分类方法研究", 《计算机应用与软件》 *
程光: "《僵尸网络检测技术[M]》", 1 October 2014 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112839055A (en) * 2021-02-04 2021-05-25 北京六方云信息技术有限公司 Network application identification method and device for TLS encrypted traffic
CN112839055B (en) * 2021-02-04 2022-08-23 北京六方云信息技术有限公司 Network application identification method and device for TLS encrypted traffic and electronic equipment
CN112966261A (en) * 2021-03-08 2021-06-15 中电积至(海南)信息技术有限公司 Lightweight scalable network traffic feature extraction tool and method
CN112995063A (en) * 2021-04-19 2021-06-18 北京智源人工智能研究院 Flow monitoring method, device, equipment and medium
CN113329023A (en) * 2021-05-31 2021-08-31 西北大学 Encrypted flow malice detection model establishing and detecting method and system
CN114492623A (en) * 2022-01-25 2022-05-13 电子科技大学 Method and device for classifying Android malicious software

Similar Documents

Publication Publication Date Title
CN111711545A (en) Intelligent encrypted flow identification method based on deep packet inspection technology in software defined network
CN105871832B (en) A kind of network application encryption method for recognizing flux and its device based on protocol attribute
CN102271090B (en) Transport-layer-characteristic-based traffic classification method and device
Alshammari et al. A flow based approach for SSH traffic detection
Singh Performance analysis of unsupervised machine learning techniques for network traffic classification
CN102739457B (en) Network flow recognition system and method based on DPI (Deep Packet Inspection) and SVM (Support Vector Machine) technology
CN108900432A (en) A kind of perception of content method based on network Flow Behavior
CN111953669B (en) Tor flow tracing and application type identification method and system suitable for SDN
WO2011130957A1 (en) Method and apparatus for online distinguishing transmission control protocol traffic by using data flow head characteristics
CN111953552B (en) Data flow classification method and message forwarding equipment
Liu et al. Semi-supervised encrypted traffic classification using composite features set
CN111586075B (en) Hidden channel detection method based on multi-scale stream analysis technology
CN115118653A (en) Real-time service traffic classification method and system based on multi-task learning
CN108141377B (en) Early classification of network flows
CN111416779A (en) Internet service queue scheduling method based on time limit
Zhang et al. Network traffic clustering with QoS-awareness
Jenefa et al. An Upgraded C5. 0 Algorithm for Network Application Identification
WO2014148613A1 (en) Network statistical information providing system, network statistical information providing method, and program
Zhenxiang et al. Research of P2P traffic comprehensive identification method
CN113726809A (en) Internet of things equipment identification method based on flow data
Pradhan Network traffic classification using support vector machine and artificial neural network
Wang et al. Study on process of network traffic classification using machine learning
CN113794653A (en) High-speed network traffic classification method based on sampling data flow
Menuka et al. Network traffic classification using machine learning for software defined networks
Li et al. Programmable network traffic classification with OpenFlow extensions

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200925
