CN113542195B - Method, system and equipment for detecting malicious encrypted traffic - Google Patents


Info

Publication number: CN113542195B
Authority: CN (China)
Prior art keywords: time, traffic, malicious, encrypted traffic, similarity
Legal status: Active
Application number: CN202010300818.0A
Other languages: Chinese (zh)
Other versions: CN113542195A
Inventors: 常亚东, 李滢滢
Current assignee: Beijing Guancheng Technology Co ltd; Shenzhen Polytechnic
Original assignee: Beijing Guancheng Technology Co ltd; Shenzhen Polytechnic
Events: application filed by Beijing Guancheng Technology Co ltd and Shenzhen Polytechnic; priority to CN202010300818.0A; publication of CN113542195A; application granted; publication of CN113542195B; legal status active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention discloses a method, a system and equipment for detecting malicious encrypted traffic. The method comprises the following steps: extracting protocol features and statistical features of the data streams in the encrypted traffic to be detected; grouping the encrypted traffic to be detected; calculating time and/or space feature parameters for each group and comparing them with preset standard thresholds for those parameters; and obtaining, from the comparison result, a detection result indicating whether the encrypted traffic to be detected is malicious. Because the time and/or space feature parameters of the encrypted traffic are calculated from the features of the data streams, malicious encrypted traffic is detected faster and more practically. The invention identifies malicious encrypted traffic without decrypting network traffic and without deep analysis of the traffic, using only statistics and arithmetic on the protocol features and statistical features of the data streams, so it occupies few hardware resources, is suitable for a wide range of devices and preserves the overall performance of those devices.

Description

Method, system and equipment for detecting malicious encrypted traffic
Technical Field
The invention relates to the field of encrypted traffic analysis in information security, in particular to a method, a system and equipment for detecting malicious encrypted traffic.
Background
With the rapid development of the internet, the wide application of encryption technology and growing security awareness among users, the proportion of encrypted traffic keeps increasing. Statistics show that encrypted traffic already exceeds 70% of network traffic, and this share is expected to continue to grow.
From a positive perspective, the growth of encrypted traffic is a good thing for information security, but higher encryption rates also present serious challenges for traffic analysis and threat detection.
Existing malicious traffic detection products are generally unable to detect encrypted traffic. Some methods for detecting encrypted traffic use metadata of the data stream (including unencrypted TLS handshake information in the interaction process, DNS response information related to a destination IP address in the TLS stream, header information of the HTTP stream, etc.), select feature sets with obvious distinction, and train a detection model based on the feature sets, so as to achieve the purpose of identifying encrypted malicious traffic. However, such detection methods often have high requirements on the performance of the device, and occupy a large amount of hardware resources, thereby affecting the performance of the device.
Disclosure of Invention
The invention aims to provide a detection method, system and equipment that can rapidly identify malicious encrypted traffic from the features of the data streams, so as to solve the problem that existing detection of malicious encrypted traffic places high demands on device performance and occupies a large amount of hardware resources, thereby degrading device performance.
In order to solve the technical problem, the invention provides a method for detecting malicious encrypted traffic, which comprises the following steps:
extracting protocol features and statistical features of the data streams in the encrypted traffic to be detected;
grouping the encrypted traffic to be detected according to the protocol features;
calculating time and/or space feature parameters for each group according to its statistical features, and comparing them with preset standard thresholds for the time and/or space feature parameters;
obtaining a detection result of whether the encrypted traffic to be detected is malicious according to the comparison between the time and/or space feature parameters and the standard thresholds;
the protocol features are field values of each protocol layer, obtained by parsing the data packets in the data stream, and the statistical features are features of the stream as a whole, obtained by summarising the characteristics of the data packets in the stream.
Optionally, grouping the encrypted traffic to be detected according to the protocol features includes:
grouping the encrypted traffic to be detected according to the protocol features, where the protocol features comprise the source IP, the destination port and the TLS fingerprint: data streams whose source IP, destination port and TLS fingerprint are all identical are placed in the same group.
Optionally, the time and/or space feature parameters include any one or any combination of the following:
spatial similarity, time monotonicity and time periodicity, each compared with a preset standard threshold for spatial similarity, time monotonicity or time periodicity;
the spatial similarity is a feature parameter indicating that the data streams show repetition in the spatial dimension, the time similarity is a feature parameter indicating that the data streams show repetition in transmission frequency, the time monotonicity is a feature parameter indicating that the transmission intervals of the data streams increase or decrease monotonically, and the time periodicity is a feature parameter indicating that the transmission intervals of the data streams repeat regularly with a period.
Optionally, obtaining the detection result of whether the encrypted traffic to be detected is malicious according to the comparison between the time and/or space feature parameters and the standard thresholds includes:
when the spatial similarity and the time similarity simultaneously exceed the spatial similarity standard threshold and the time similarity standard threshold, the group is a suspected malicious-traffic group;
when the time monotonicity exceeds the time monotonicity threshold, the group is a suspected malicious-traffic group;
when the time periodicity exceeds the time periodicity threshold, the group is a suspected malicious-traffic group.
Optionally, after obtaining the detection result of whether the encrypted traffic to be detected is malicious according to the comparison between the time and/or space feature parameters and the standard thresholds, the method further includes:
performing a comprehensive judgment on the detected suspected malicious-traffic group through TLS fingerprint library matching, rule matching or threat intelligence detection, and judging whether the suspected group is malicious encrypted traffic.
Optionally, calculating the spatial similarity of a group according to its statistical features includes:
define the set of distinct stream lengths as L = {l_0, l_1, ..., l_n}, where l_i ≠ l_j for i, j = 0, 1, ..., n, and define the total number of streams as C;
count the number of repeated occurrences of each stream length l_n (the counting formula is given as an image in the original);
determine the spatial similarity s according to the spatial similarity formula (given as an image in the original), namely the accumulated repeat counts divided by C.
Optionally, calculating the time similarity of a group according to its statistical features includes:
define the set of stream intervals as G = {g_0, g_1, ..., g_n} and define the total number of streams as C;
define the judgment interval of a stream interval g_n as z_n = [0.9*g_n, 1.1*g_n], giving the set of judgment intervals {z_0, z_1, ..., z_n};
count the number c_n of stream intervals that fall within the judgment interval z_n, giving the set of counts A = {c_0, c_1, ..., c_n};
take the maximum value in the set A as c_max;
determine the time similarity according to t = c_max / C.
Optionally, calculating the time monotonicity of a group according to its statistical features includes:
when the number of consecutive streams whose intervals increase monotonically or decrease monotonically is larger than a preset monotonic threshold, count that number of streams as c_n; the set of stream counts obtained from such runs of monotonically increasing or monotonically decreasing intervals is A = {c_0, c_1, ..., c_n};
define the total number of streams as C;
determine the time monotonicity from A and C according to the time monotonicity formula (given as an image in the original).
Optionally, calculating the time periodicity of a group according to its statistical features includes:
take a section from the middle of the stream interval data, chosen at random, as the filter F = {f_0, f_1, ..., f_N}, and define the coefficient Y = {f_0, f_1, ..., f_N};
define the stream interval array as G = {g_0, g_1, ..., g_N} and the coefficient X = {g_i, g_{i+1}, ..., g_{i+N}}, i = 0, 1, ..., N;
determine the correlation coefficient ρ_{X,Y} of the time periodicity according to the correlation coefficient formula (given as an image in the original);
count the number of streams whose correlation coefficient ρ_{X,Y} is greater than a preset correlation coefficient threshold, and use that count as the judgment coefficient of time periodicity.
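As an added example that is not the patent's own code, the sliding-window periodicity check of the clause above in Python. The page does not state the formula for ρ_{X,Y}, so a Pearson correlation coefficient is assumed, and a fixed centred slice stands in for the randomly chosen middle section so that results are repeatable; the interval arrays are constructed samples.

```python
import math


def pearson(x, y):
    """Pearson correlation of two equal-length sequences (assumed form of
    rho_{X,Y}). Returns 0.0 when either sequence is constant, where the
    textbook coefficient is undefined."""
    n = len(x)
    if n == 0 or n != len(y):
        raise ValueError("sequences must be non-empty and of equal length")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def middle_filter(intervals, length):
    """F = {f_0, ..., f_N}: 'length' consecutive intervals taken from the
    middle of the interval array. The page picks the section at random;
    a fixed centred slice is used here (assumption) so runs are repeatable."""
    if not 0 < length <= len(intervals):
        raise ValueError("filter length must be between 1 and len(intervals)")
    start = (len(intervals) - length) // 2
    return list(intervals[start:start + length])


def periodicity_matches(intervals, filt, rho_threshold=0.9):
    """Slide X = {g_i, ..., g_{i+N}} over the interval array and count the
    windows whose rho_{X,Y} with Y = F exceeds the threshold. That count is
    the page's judgment coefficient for time periodicity."""
    n = len(filt)
    return sum(1 for i in range(len(intervals) - n + 1)
               if pearson(intervals[i:i + n], filt) > rho_threshold)


def time_periodicity(intervals, filter_len=3, rho_threshold=0.9):
    """Judgment coefficient of time periodicity for one group's intervals."""
    return periodicity_matches(intervals, middle_filter(intervals, filter_len),
                               rho_threshold)


# Constructed interval arrays (seconds between consecutive streams), not captures.
PERIODIC = [10.0, 20.0, 30.0] * 4                       # repeats with period 3
IRREGULAR = [30.0, 25.0, 8.0, 1.0, 23.0, 2.0, 5.0, 6.0]  # no repeating shape
CONSTANT = [15.0] * 8                                   # fixed gap; Pearson undefined


if __name__ == "__main__":
    for name, g in [("periodic", PERIODIC), ("irregular", IRREGULAR),
                    ("constant", CONSTANT)]:
        print(name, "filter", middle_filter(g, 3), "matches", time_periodicity(g))
```

A perfectly regular beacon gives a constant interval array, which this correlation-based check cannot score; the time similarity parameter on the page covers that case instead.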
Optionally, extracting the protocol features and statistical features of the data streams in the encrypted traffic to be detected includes:
extracting protocol features from the encrypted traffic to be detected, where the protocol features comprise any one or any combination of the following: source IP, destination port and TLS fingerprint;
extracting statistical features from the encrypted traffic to be detected, where the statistical features comprise any one or any combination of the following: the total number of uplink packets, the total number of downlink packets, the total number of uplink payload bytes, the total number of downlink payload bytes, the start time and the end time.
The invention also provides a system for detecting malicious encrypted traffic, which comprises:
an extraction module for extracting protocol features and statistical features of the data streams in the encrypted traffic to be detected;
a grouping module for grouping the encrypted traffic to be detected according to the protocol features;
a parameter calculation module for calculating time and/or space feature parameters for each group according to its statistical features and comparing them with preset standard thresholds for the time and/or space feature parameters;
a judging module for obtaining a detection result of whether the encrypted traffic to be detected is malicious according to the comparison between the time and/or space feature parameters and the standard thresholds;
the protocol features are field values of each protocol layer, obtained by parsing the data packets in the data stream, and the statistical features are features of the stream as a whole, obtained by summarising the characteristics of the data packets in the stream.
The invention also provides a computer device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the method for detecting the malicious encrypted traffic when executing the computer program.
With the method, system and equipment for detecting malicious encrypted traffic disclosed by the invention, the time and/or space feature parameters of the encrypted traffic are calculated by analysing the features of the data streams, so that malicious encrypted traffic is detected faster and more practically. The invention identifies malicious encrypted traffic without decrypting network traffic and without deep analysis of the traffic, using only statistics and arithmetic on the protocol features and statistical features of the data streams, so it occupies few hardware resources, is suitable for a wide range of devices and preserves their overall performance.
Drawings
For a clearer description of embodiments of the invention or of the prior art, the drawings that are used in the description of the embodiments or of the prior art will be briefly described, it being apparent that the drawings in the description below are only some embodiments of the invention, and that other drawings can be obtained from them without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a method for detecting malicious encrypted traffic in a first embodiment of the present invention;
FIG. 2 is a flow chart of a method for detecting malicious encrypted traffic in a first embodiment of the invention;
FIG. 3 is a flow chart of feature parameter selection of a method for detecting malicious encrypted traffic in a first embodiment of the invention;
FIG. 4 is a flowchart of the detection result and the comprehensive determination of the method for detecting malicious encrypted traffic in the first embodiment of the present invention;
FIG. 5 is a flow chart of calculating the spatial similarity of the method for detecting malicious encrypted traffic in the first embodiment of the invention;
FIG. 6 is a flow length bar chart of a method for detecting malicious encrypted traffic in a first embodiment of the invention;
FIG. 7 is a flowchart of calculating time similarity of a method for detecting malicious encrypted traffic in the first embodiment of the invention;
FIG. 8 is a flow interval bar chart of a method for detecting malicious encrypted traffic in a first embodiment of the invention;
FIG. 9 is a flowchart of a method for detecting malicious encrypted traffic according to an embodiment of the present invention;
FIG. 10 is a monotonically increasing flow interval bar graph of a method for detecting malicious encrypted traffic in accordance with a first embodiment of the present invention;
FIG. 11 is a flow chart of a time-periodic calculation of a method for detecting malicious encrypted traffic in a first embodiment of the invention;
FIG. 12 is a bar chart of the filter-containing flow intervals of the method for detecting malicious encrypted traffic in accordance with the first embodiment of the present invention;
FIG. 13 is a post-filter flow interval bar chart of a method for detecting malicious encrypted traffic in accordance with a first embodiment of the invention;
FIG. 14 is a flow chart of extracting protocol features and statistical features of a method for detecting malicious encrypted traffic in the first embodiment of the invention;
FIG. 15 is a block diagram of a system for detecting malicious encrypted traffic in a second embodiment of the invention;
FIG. 16 is a block diagram of a computer device in a third embodiment of the present invention.
Detailed Description
The invention provides a detection method, system and equipment that can rapidly identify malicious encrypted traffic from the features of the data streams, so as to solve the problem that existing detection of malicious encrypted traffic places high demands on device performance and occupies a large amount of hardware resources, thereby degrading device performance.
In order to better understand the aspects of the present invention, the present invention will be described in further detail with reference to the accompanying drawings and detailed description. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims of this application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that the description of "first", "second", etc. in this disclosure is for descriptive purposes only and is not to be construed as indicating or implying a relative importance or implying an indication of the number of technical features being indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, but it is necessary to base that the technical solutions can be realized by those skilled in the art, and when the technical solutions are contradictory or cannot be realized, the combination of the technical solutions should be considered to be absent and not within the scope of protection claimed in the present invention.
In order to solve the above technical problems, a first embodiment of the present invention provides a method for detecting malicious encrypted traffic, as shown in fig. 1, including the following steps:
S100: extracting protocol features and statistical features of the data streams in the encrypted traffic to be detected.
The protocol features are field values of each protocol layer, obtained by parsing the data packets in the data stream, and the statistical features are features of the stream as a whole, obtained by summarising the characteristics of the data packets in the stream.
Specifically, the features to be extracted include protocol features and statistical features. The protocol features are field values of each protocol layer obtained by parsing the data packets in a data stream, such as the source IP address, destination IP address, source port, destination port and TLS fingerprint; the statistical features describe the stream as a whole and are obtained by summarising the different packets of the same stream, such as the number of uplink and downlink packets, the number of uplink and downlink payload bytes and the time intervals. The implementation of this step is explained in detail below.
S300: grouping the encrypted traffic to be detected according to the protocol features.
Specifically, the protocol features are used to group the encrypted traffic to be detected. Detecting multi-stream groups formed with the protocol features as the grouping criterion is what makes the detection meaningful: if the feature calculation were performed over all of the encrypted traffic to be detected at once, the result would have too low an accuracy or too high a false alarm rate. The implementation of this step is explained in detail below.
S500: calculating time and/or space feature parameters for each group according to its statistical features, and comparing them with preset standard thresholds for the time and/or space feature parameters.
Specifically, the statistical features are used to analyse the time or space characteristics of the grouped encrypted traffic. The analysis of a large number of samples of malicious and normal traffic shows that malicious traffic tends more towards repetition in its spatial and temporal characteristics, so malicious traffic can be identified by setting thresholds and comparing the similarity of the spatial and temporal characteristics against them. The implementation of this step is explained in detail below.
S700: obtaining a detection result of whether the encrypted traffic to be detected is malicious according to the comparison between the time and/or space feature parameters and the standard thresholds.
Specifically, when the time and/or space feature parameters indicate that the overall repetition of the data streams in the encrypted traffic to be detected is too high, the traffic may be malicious. The implementation of this step is explained in detail below.
With the method for detecting malicious encrypted traffic disclosed by the invention, the time and/or space feature parameters of the encrypted traffic are calculated by analysing the features of the data streams, so that malicious encrypted traffic is detected faster and more practically. The invention identifies malicious encrypted traffic without decrypting network traffic and without deep analysis of the traffic, using only statistics and arithmetic on the protocol features and statistical features of the data streams, so it occupies few hardware resources, is suitable for a wide range of devices and preserves their overall performance.
Optionally, as shown in fig. 2, the S300 includes:
S310: grouping the encrypted traffic to be detected according to the protocol features, where the protocol features comprise the source IP, the destination port and the TLS fingerprint: data streams whose source IP, destination port and TLS fingerprint are all identical are placed in the same group.
Specifically, detection is performed on the multi-stream data that shares the tuple of source IP, destination IP, port and TLS fingerprint, and the spatial and temporal characteristics calculated for such a group are more accurate.
The method for detecting malicious encrypted traffic of this embodiment is more specific and accurate in grouping data streams whose protocol features (source IP, destination port and TLS fingerprint) are completely identical.
Optionally, as shown in fig. 3, the temporal and/or spatial characteristic parameters in S500 include any one or any combination of the following:
S510: spatial similarity, time monotonicity and time periodicity, each compared with a preset standard threshold for spatial similarity, time monotonicity or time periodicity.
The spatial similarity is a feature parameter indicating that the data streams show repetition in the spatial dimension, the time similarity is a feature parameter indicating that the data streams show repetition in transmission frequency, the time monotonicity is a feature parameter indicating that the transmission intervals of the data streams increase or decrease monotonically, and the time periodicity is a feature parameter indicating that the transmission intervals of the data streams repeat regularly with a period. The calculation and implementation of spatial similarity, time monotonicity and time periodicity in this step are explained in detail below.
In particular, the invention is derived from the analysis of a large number of samples of malicious and normal traffic, which shows that malicious traffic tends more towards repetition in time and space. This embodiment accordingly defines the parameters of spatial similarity, time monotonicity and time periodicity and compares them with preset standard thresholds for spatial similarity, time monotonicity or time periodicity, so as to judge whether the encrypted traffic to be detected is malicious.
The method for detecting malicious encrypted traffic of this embodiment is more specific and accurate in its selection of time and/or space feature parameters.
Optionally, as shown in fig. 4, the step S700 includes:
S710: when the spatial similarity and the time similarity simultaneously exceed the spatial similarity standard threshold and the time similarity standard threshold, the group is a suspected malicious-traffic group.
Specifically, when the spatial similarity and the time similarity exceed their standard thresholds at the same time, the stream lengths and the transmission frequency within the group are too similar, and the probability that the group is malicious traffic is high.
S720: when the time monotonicity exceeds the time monotonicity threshold, the group is a suspected malicious-traffic group.
Specifically, when the time monotonicity exceeds its threshold, the time intervals of the group follow a monotonically increasing or monotonically decreasing pattern, which indicates a deliberately disguised sending frequency, so the group is more likely to be malicious traffic.
S730: when the time periodicity exceeds the time periodicity threshold, the group is a suspected malicious-traffic group.
Specifically, when the time periodicity exceeds its threshold, the time intervals of the group repeat regularly with a certain period, which again indicates a deliberately disguised sending frequency, so the probability that the group is malicious traffic is high.
The method for detecting malicious encrypted traffic of this embodiment is more specific and accurate in its procedure for judging, from the time and/or space feature parameters, whether a group is malicious traffic.
Optionally, as shown in fig. 4, after S710, S720 and S730 the method further includes:
S800: performing a comprehensive judgment on the detected suspected malicious-traffic group through TLS fingerprint library matching, rule matching or threat intelligence detection, and judging whether the suspected group is malicious encrypted traffic.
Specifically, a group with abnormal time and/or space feature parameters may be malicious traffic; a comprehensive judgment through TLS fingerprint library matching, rule matching or threat intelligence detection then yields a more accurate conclusion on whether it is malicious encrypted traffic.
The method for detecting malicious encrypted traffic of this embodiment is more practical and accurate in its further judgment of the suspected malicious-traffic group.
Optionally, as shown in fig. 5, calculating the spatial similarity of a group according to its statistical features in S510 includes:
S511: define the set of distinct stream lengths as L = {l_0, l_1, ..., l_n}, where l_i ≠ l_j for i, j = 0, 1, ..., n, and define the total number of streams as C.
S512: count the number of repeated occurrences of each stream length l_n (the counting formula is given as an image in the original).
S513: determine the spatial similarity s according to the spatial similarity formula (given as an image in the original), namely the accumulated repeat counts divided by C.
In particular, the invention is derived from the analysis of a large number of samples of malicious and normal traffic, which shows that malicious traffic tends more towards repetition in space, and spatial similarity in the spatial dimension can characterise this regularity of malicious traffic to some extent. When a malicious program connects back to its server, it often transmits a large amount of data with repeated stream lengths, and the spatial similarity calculation of this embodiment is defined on the basis of this characteristic.
Specifically, the stream lengths of the streams in the group are counted, the set of distinct stream lengths is defined as L = {l_0, l_1, ..., l_n}, where l_i ≠ l_j for i, j = 0, 1, ..., n, and the total number of streams is defined as C. The number of repeated occurrences of each stream length is counted, that is, only stream lengths that occur more than once are counted, and a stream length that occurs only once is not counted. The repeat counts of the different stream lengths are then accumulated, and finally the accumulated value is divided by the total number C of counted stream samples to obtain the spatial similarity s. A reasonable spatial similarity threshold is set, preferably 0.9, and when the spatial similarity s is larger than the spatial similarity threshold, the spatial similarity of the group is regarded as abnormal.
More specifically, as shown in the stream length example chart of fig. 6, in this embodiment the number of streams with a stream length of 1000 is 4, the number of streams with a stream length of 400 is 3, the total number of streams is 7, and the spatial similarity threshold is 0.9, so the spatial similarity in this embodiment is
$s = (4 + 3) / 7 = 1 > 0.9$.
The spatial similarity $s$ in this embodiment is too high, and the spatial similarity is abnormal.
The method for detecting the malicious encrypted traffic of the embodiment is more specific and accurate aiming at the space similarity calculation process in the time and/or space characteristic parameters.
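The spatial similarity computation above, as an added Python example that is not code from the patent: it counts repeated stream lengths in a group (the "packet" of the text, i.e. the streams sharing source IP, destination port and TLS fingerprint) and reproduces the fig. 6 case; both length samples are constructed.

```python
from collections import Counter

# Constructed sample reproducing the fig. 6 case of the text:
# 4 streams of length 1000, 3 streams of length 400, C = 7 streams.
FIG6_LENGTHS = [1000, 400, 1000, 400, 1000, 1000, 400]

# Constructed contrast sample: a group whose stream lengths mostly differ,
# as ordinary interactive traffic tends to.
VARIED_LENGTHS = [1320, 875, 4410, 2020, 875, 9973, 515, 1101]

SPATIAL_THRESHOLD = 0.9  # preferred spatial similarity threshold stated in the text


def repeat_counts(lengths):
    """Map each stream length that occurs more than once to its occurrence count.

    Lengths occurring only once are not counted, as the text specifies.
    """
    return {length: n for length, n in Counter(lengths).items() if n > 1}


def spatial_similarity(lengths):
    """s = (accumulated repeat counts of all repeated lengths) / C."""
    total = len(lengths)
    if total == 0:
        return 0.0  # an empty group carries no evidence of repetition
    return sum(repeat_counts(lengths).values()) / total


def spatial_abnormal(lengths, threshold=SPATIAL_THRESHOLD):
    """True when the group's spatial similarity exceeds the threshold (s > 0.9)."""
    return spatial_similarity(lengths) > threshold


if __name__ == "__main__":
    for name, sample in (("fig. 6 group", FIG6_LENGTHS), ("varied group", VARIED_LENGTHS)):
        s = spatial_similarity(sample)
        print(f"{name}: repeats={repeat_counts(sample)} s={s:.3f} "
              f"abnormal={spatial_abnormal(sample)}")
```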
Optionally, as shown in fig. 7, calculating the temporal similarity of the packets according to the statistical characteristics of the respective packets in S510 includes:
S511': Define the set of stream intervals as $G = \{g_0, g_1, \ldots, g_n\}$, and define the total number of streams as $C$.
S512': Define the judgment interval of the stream interval $g_n$ as $z_n = [0.9 g_n, 1.1 g_n]$, giving the set of judgment intervals:
Figure BDA0002453920140000123
S513': Count the number of stream intervals falling within the judgment interval $z_n$, defined as:
Figure BDA0002453920140000124
giving the set of stream counts:
Figure BDA0002453920140000125
Take the maximum value in the set $A$ as $c_{max}$.
S514': Determine the time similarity according to $t = c_{max} / C$.
Specifically, in addition to spatial similarity, malicious traffic also exhibits repetitive features in the time dimension. In order to maintain a connection with the server, malicious programs often show similar or nearly similar transmission frequencies. A large amount of suspicious traffic with heartbeat features can be identified by calculating the time similarity, and the time similarity calculation method of this embodiment is defined based on these characteristics.
Specifically, the stream intervals of the streams in the packet are counted, and the set of stream intervals is defined as $G = \{g_0, g_1, \ldots, g_n\}$; the total number of streams is defined as $C$, and the judgment interval of the stream interval $g_n$ is defined as $z_n = [0.9 g_n, 1.1 g_n]$, giving the set of judgment intervals:
Figure BDA0002453920140000126
The number of stream intervals falling within the judgment interval of each stream interval is counted:
Figure BDA0002453920140000127
These counts are then compared to obtain the maximum value $c_{max}$, and finally the maximum stream count $c_{max}$ obtained from the statistics is divided by the total number $C$ of counted stream samples to obtain the time similarity $t$. A reasonable time similarity threshold is set, preferably 0.9; when the time similarity is greater than the time similarity threshold, the time similarity of the packet is abnormal.
More specifically, as shown in the stream interval example diagram of fig. 8, in this embodiment the number of stream intervals falling within the judgment interval of the stream interval 600 is the largest, namely 4, so $c_{max} = 4$, and the time similarity $t = c_{max} / C = 4/6 = 0.667$ is obtained. The time similarity $t$ in this embodiment is too high, and the time similarity is abnormal.
The method for detecting the malicious encrypted traffic of the embodiment is more specific and accurate aiming at the time similarity calculation process in the time and/or space characteristic parameters.
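The time similarity computation above as an added Python example (not the patent's code): for each stream interval g_n the judgment interval z_n = [0.9 g_n, 1.1 g_n] is formed, the intervals inside it are counted, and t = c_max / C is taken; the interval samples are constructed, one reproducing the fig. 8 counts and one a steady heartbeat.

```python
# Constructed sample reproducing the fig. 8 case of the text: C = 6 stream
# intervals (seconds); the judgment interval of 600 is [540, 660] and contains
# 4 of them, so c_max = 4 and t = 4/6.
FIG8_INTERVALS = [600, 610, 590, 655, 300, 1200]

# Constructed heartbeat sample: every interval lies within 10 % of every other.
BEACON_INTERVALS = [600, 602, 598, 601, 599, 600, 603, 597]

TIME_THRESHOLD = 0.9   # preferred time similarity threshold in the text
TOLERANCE = 0.1        # z_n = [0.9 * g_n, 1.1 * g_n]


def judgment_interval(g, tolerance=TOLERANCE):
    """z_n = [(1 - tolerance) * g_n, (1 + tolerance) * g_n]."""
    return (1 - tolerance) * g, (1 + tolerance) * g


def interval_counts(intervals, tolerance=TOLERANCE):
    """For each g_n, count how many stream intervals fall inside z_n (the set A)."""
    counts = []
    for g in intervals:
        lo, hi = judgment_interval(g, tolerance)
        counts.append(sum(1 for h in intervals if lo <= h <= hi))
    return counts


def temporal_similarity(intervals, tolerance=TOLERANCE):
    """t = c_max / C, where c_max is the largest count in A and C the sample size."""
    if not intervals:
        return 0.0  # no intervals, no evidence of a repeated cadence
    return max(interval_counts(intervals, tolerance)) / len(intervals)


def temporal_abnormal(intervals, threshold=TIME_THRESHOLD):
    """True when the group's time similarity exceeds the threshold."""
    return temporal_similarity(intervals) > threshold


if __name__ == "__main__":
    for name, sample in (("fig. 8 group", FIG8_INTERVALS), ("beacon group", BEACON_INTERVALS)):
        print(f"{name}: A={interval_counts(sample)} t={temporal_similarity(sample):.3f} "
              f"abnormal={temporal_abnormal(sample)}")
```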
Optionally, as shown in fig. 9, calculating the temporal monotonicity of the packets according to the statistical characteristics of the respective packets includes:
S511": When the number of consecutive streams whose intervals are monotonically increasing or monotonically decreasing is larger than a preset monotonic threshold, the number of those streams is counted as $c_n$; the resulting set of stream counts for consecutive monotonically increasing or monotonically decreasing intervals is $A = \{c_0, c_1, \ldots, c_n\}$.
S512": Define the total number of streams as $C$.
S513": Determine the time monotonicity according to
$m = \left( \sum_{i=0}^{n} c_i \right) / C$.
Specifically, while maintaining a connection with the server, malicious traffic often deliberately disguises its transmission frequency in an attempt to evade behavior detection. Some malicious traffic exhibits the feature of time monotonicity, which manifests as the communication time interval between two adjacent streams increasing monotonically or decreasing monotonically.
Specifically, a monotonic threshold for the number of streams with monotonically increasing or monotonically decreasing intervals is preset, such as 5 or more; when the number of streams with monotonically increasing or monotonically decreasing intervals reaches 5 or more, it is counted as $c_n$. The stream counts so obtained are then accumulated,
$\sum_{i=0}^{n} c_i$,
and finally the accumulated value is divided by the total number $C$ of stream samples of the counted group to obtain the time monotonicity $m$. A reasonable time monotonicity threshold is set, preferably 0.5; when the time monotonicity $m$ is greater than the time monotonicity threshold, the time monotonicity of the group is abnormal.
More specifically, as shown in the stream interval example diagram of fig. 10, in this embodiment the stream intervals increase monotonically throughout, and the time monotonicity is obtained as
Figure BDA0002453920140000141
The time monotonicity $m$ of this embodiment is too high, and is abnormal.
The method for detecting the malicious encrypted traffic in the embodiment is more specific and accurate for the time monotonicity calculation process in the time and/or space characteristic parameters.
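The time monotonicity computation above as an added Python example (not the patent's code): it splits the interval sequence into maximal strictly increasing or decreasing runs, counts only runs reaching the monotonic threshold (5, as in the text), and divides by the total. Taking C as the number of intervals (as the fig. 8 example does) and starting a new run at a reversal or at an equal interval are assumptions of this example; the samples are constructed.

```python
# Constructed samples. FIG10 mirrors fig. 10 of the text: intervals (seconds)
# increase monotonically throughout. JITTER is steady traffic with small
# fluctuations. MIXED has a flat start followed by a 5-interval climb.
FIG10_INTERVALS = [60, 75, 90, 110, 135, 160, 190]
JITTER_INTERVALS = [60, 62, 59, 61, 60, 63]
MIXED_INTERVALS = [5, 5, 5, 6, 7, 8, 9]

MONOTONIC_THRESHOLD = 5    # "5 or more" consecutive monotonic intervals, as in the text
MONOTONICITY_THRESHOLD = 0.5  # preferred time monotonicity threshold in the text


def monotonic_runs(intervals):
    """Lengths of maximal runs in which consecutive intervals strictly rise or strictly fall.

    A run ends when the direction reverses or two consecutive intervals are equal;
    the next run starts at the element that broke the previous one (no overlap).
    """
    runs = []
    n = len(intervals)
    if n == 0:
        return runs
    start, direction = 0, 0           # direction: +1 rising, -1 falling, 0 not yet known
    for i in range(1, n):
        diff = intervals[i] - intervals[i - 1]
        step = (diff > 0) - (diff < 0)  # +1, -1 or 0
        if step == 0 or (direction != 0 and step != direction):
            runs.append(i - start)      # close the run ending at i-1
            start, direction = i, 0
        elif direction == 0:
            direction = step
    runs.append(n - start)
    return runs


def temporal_monotonicity(intervals, min_run=MONOTONIC_THRESHOLD):
    """m = (sum of c_n over runs with at least min_run intervals) / C."""
    C = len(intervals)
    if C == 0:
        return 0.0
    counted = sum(r for r in monotonic_runs(intervals) if r >= min_run)
    return counted / C


def monotonicity_abnormal(intervals, threshold=MONOTONICITY_THRESHOLD):
    """True when the group's time monotonicity exceeds the threshold."""
    return temporal_monotonicity(intervals) > threshold


if __name__ == "__main__":
    for name, sample in (("fig. 10", FIG10_INTERVALS), ("jitter", JITTER_INTERVALS),
                         ("mixed", MIXED_INTERVALS)):
        print(f"{name}: runs={monotonic_runs(sample)} m={temporal_monotonicity(sample):.3f} "
              f"abnormal={monotonicity_abnormal(sample)}")
```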
Alternatively, as shown in fig. 11, calculating the time periodicity of the packets based on the statistical characteristics of the respective packets includes:
S511''': A middle section of the stream interval data is taken at random as the filter $F = \{f_0, f_1, \ldots, f_N\}$, and the coefficient $Y = \{f_0, f_1, \ldots, f_N\}$ is defined.
S512''': Define the stream interval array as $G = \{g_0, g_1, \ldots, g_N\}$, and define the coefficient $X = \{g_i, g_{i+1}, \ldots, g_{i+N}\}$, $i = 0, 1, \ldots, N$.
S513''': Determine the correlation coefficient $\rho_{X,Y}$ of the time periodicity according to the correlation coefficient formula:
Figure BDA0002453920140000142
S514''': Count the number of streams whose correlation coefficient $\rho_{X,Y}$ is greater than a preset correlation coefficient threshold, and use it as the judgment coefficient of the time periodicity.
Specifically, in order to evade behavior detection more effectively, malicious traffic may disguise its time intervals more elaborately, which manifests as the time intervals repeating regularly with a certain period. Malicious traffic conforming to this rule can be detected by computing the correlation between the traffic's pattern of change and time, and the time periodicity calculation method of this embodiment is defined based on these characteristics.
Specifically, a middle section of the stream interval data is taken at random as the filter $F = \{f_0, f_1, \ldots, f_N\}$, the coefficient $Y = \{f_0, f_1, \ldots, f_N\}$ is defined, the stream interval array is defined as $G = \{g_0, g_1, \ldots, g_N\}$, and the coefficient $X = \{g_i, g_{i+1}, \ldots, g_{i+N}\}$, $i = 0, 1, \ldots, N$, is defined. The degree of correlation between the filter and the stream intervals is determined from the coefficients $X$ and $Y$ according to the correlation coefficient formula:
Figure BDA0002453920140000151
which gives the correlation coefficient $\rho_{X,Y}$ of the time periodicity. The number of streams whose correlation coefficient $\rho_{X,Y}$ is greater than a preset correlation coefficient threshold is counted and used as the judgment coefficient of the time periodicity. A reasonable correlation coefficient threshold is set, preferably 0.9; the number of streams whose correlation coefficient $\rho_{X,Y}$ is greater than the correlation coefficient threshold is counted as the judgment coefficient of the time periodicity, and when the judgment coefficient exceeds the time periodicity threshold, the time periodicity is abnormal.
More specifically, as shown in fig. 12, the stream interval diagram of traffic reconnecting to a server in this embodiment, the interval data at the framed position is taken as the filter $F$; as shown in fig. 13, the stream intervals of the traffic show a periodic pattern similar to that of the filter, and after the correlation operation, peaks with correlation coefficient $\rho_{X,Y} > 0.9$ appear at the framed positions. The peaks are counted, that is, the number of streams exceeding the correlation coefficient threshold is counted, and when that number exceeds the time periodicity threshold, the time periodicity of the packet is abnormal.
The method for detecting the malicious encrypted traffic in the embodiment is more specific and accurate for the time periodic calculation process in the time and/or space characteristic parameters.
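The time periodicity computation above as an added Python example (not the patent's code): a filter taken from the middle of the interval data is slid over the interval array and the windows whose correlation coefficient exceeds 0.9 are counted as peaks. That rho_{X,Y} is the Pearson coefficient, the fixed (rather than random) middle position of the filter, and the peak threshold of 3 are assumptions of this example; the interval sample is constructed.

```python
import math

# Constructed sample: a group whose stream intervals (seconds) repeat the
# pattern 30, 60, 120, 240 five times with small jitter, i.e. the periodic
# reconnection behaviour that fig. 12 of the text describes.
PERIODIC_INTERVALS = [32, 59, 121, 238, 30, 61, 118, 242, 31, 60, 120, 239,
                      29, 62, 122, 240, 30, 58, 119, 241]

RHO_THRESHOLD = 0.9   # preferred correlation coefficient threshold in the text
PEAK_THRESHOLD = 3    # assumed time periodicity threshold (the text gives no value)


def pearson(x, y):
    """Pearson correlation coefficient; assumed to be the rho_{X,Y} of the text."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    if vx == 0 or vy == 0:
        return 0.0  # a constant window has no defined correlation; treat as none
    return cov / math.sqrt(vx * vy)


def middle_filter(intervals, length):
    """Take `length` consecutive intervals from the middle of the data as the filter F.

    The text takes the section at random; a fixed middle position is used here
    so that the result is reproducible.
    """
    start = (len(intervals) - length) // 2
    return intervals[start:start + length]


def periodicity_peaks(intervals, filter_len, rho_threshold=RHO_THRESHOLD):
    """Slide X = (g_i, ..., g_{i+N}) over G and count windows with rho(X, F) > threshold."""
    F = middle_filter(intervals, filter_len)
    peaks = 0
    for i in range(len(intervals) - filter_len + 1):
        if pearson(intervals[i:i + filter_len], F) > rho_threshold:
            peaks += 1
    return peaks


def periodicity_abnormal(intervals, filter_len, peak_threshold=PEAK_THRESHOLD):
    """True when the judgment coefficient (peak count) exceeds the periodicity threshold."""
    return periodicity_peaks(intervals, filter_len) > peak_threshold


if __name__ == "__main__":
    N_PLUS_1 = 4  # one full period of the constructed pattern
    print("filter F:", middle_filter(PERIODIC_INTERVALS, N_PLUS_1))
    print("peaks:", periodicity_peaks(PERIODIC_INTERVALS, N_PLUS_1),
          "abnormal:", periodicity_abnormal(PERIODIC_INTERVALS, N_PLUS_1))
```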
Optionally, as shown in fig. 14, the S100 includes:
s110: extracting protocol characteristics in the encrypted traffic to be detected, wherein the protocol characteristics comprise any one or any combination of the following: source IP, destination port, and TLS fingerprint.
Specifically, it is more practical to compute the spatial and temporal characteristics over the multi-stream data obtained after grouping, that is, the streams from one source IP to one port used by one protocol at a destination IP. If the feature calculation were performed on all of the encrypted traffic to be detected, the obtained result would have too low an accuracy or too high a false alarm rate.
S120: extracting statistical characteristics in the encrypted traffic to be detected, wherein the statistical characteristics comprise any one or any combination of the following: the total number of uplink packets, the total number of downlink packets, the total number of uplink load bytes, the total number of downlink load bytes, the starting time and the ending time.
Specifically, different traffic statistical features can be used depending on which time and/or space characteristic parameters are calculated. Unlike traditional detection methods that depend heavily on rules and expert knowledge, no deep analysis of the data packets is required: whether the encrypted traffic is malicious can be judged efficiently by statistics and computation on the traffic features alone.
The method for detecting the malicious encrypted traffic of the embodiment is more specific and practical for selecting protocol features and statistical features.
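As an added Python example (not the patent's code) of S110/S120 together with the grouping step, the flows below are constructed records carrying the listed protocol and statistical features, grouped by source IP, destination port and TLS fingerprint; deriving the stream length as uplink plus downlink payload bytes and the stream interval as the gap between consecutive start times is an assumption of this example, since the text does not define either.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One data stream with the protocol and statistical features named in S110/S120."""
    src_ip: str
    dst_ip: str
    dst_port: int
    tls_fingerprint: str   # opaque fingerprint string; the values below are constructed
    up_packets: int
    down_packets: int
    up_bytes: int
    down_bytes: int
    start: float           # seconds
    end: float


def group_key(flow):
    """Streams with identical source IP, destination port and TLS fingerprint form one group."""
    return (flow.src_ip, flow.dst_port, flow.tls_fingerprint)


def group_flows(flows):
    """Group flows by protocol features; each group is ordered by start time."""
    groups = defaultdict(list)
    for f in flows:
        groups[group_key(f)].append(f)
    return {k: sorted(v, key=lambda f: f.start) for k, v in groups.items()}


def stream_lengths(group):
    """Assumed definition of stream length: uplink plus downlink payload bytes."""
    return [f.up_bytes + f.down_bytes for f in group]


def stream_intervals(group):
    """Assumed definition of stream interval: gap between consecutive start times."""
    return [b.start - a.start for a, b in zip(group, group[1:])]


# Constructed flows: one host reconnecting to the same port with the same
# fingerprint every 600 s with near-identical sizes, plus unrelated traffic,
# listed out of time order to show that grouping sorts them.
FLOWS = [
    FlowRecord("10.0.0.5", "203.0.113.9", 443, "fp-A", 12, 10, 600, 400, 0.0, 2.1),
    FlowRecord("10.0.0.5", "203.0.113.9", 443, "fp-A", 12, 10, 600, 400, 600.0, 602.0),
    FlowRecord("10.0.0.7", "198.51.100.4", 443, "fp-B", 40, 95, 3100, 58000, 15.0, 31.0),
    FlowRecord("10.0.0.5", "203.0.113.9", 443, "fp-A", 12, 10, 600, 400, 1200.0, 1201.9),
    FlowRecord("10.0.0.5", "203.0.113.9", 443, "fp-A", 11, 10, 580, 400, 1800.0, 1802.2),
    FlowRecord("10.0.0.7", "198.51.100.4", 443, "fp-B", 22, 60, 1700, 41000, 900.0, 912.0),
]


if __name__ == "__main__":
    for key, group in group_flows(FLOWS).items():
        print(key, "lengths:", stream_lengths(group), "intervals:", stream_intervals(group))
```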
Optionally, before the step S100, the method further includes:
Carrying out traffic identification on the network traffic and separating out the encrypted traffic to be detected.
The method for detecting the malicious encrypted traffic of the embodiment is more practical and more accurate particularly for the separation process of the encrypted traffic to be detected.
The second embodiment of the present invention further provides a system for detecting malicious encrypted traffic, as shown in fig. 15, including:
the extracting module 10 is configured to extract protocol features and statistical features of the data stream in the encrypted traffic to be detected.
The grouping module 20 is configured to group the encrypted traffic to be detected according to the protocol features.
The parameter calculation module 30 is configured to calculate the temporal and/or spatial feature parameters of the packets according to the statistical features of the respective packets, and compare the temporal and/or spatial feature parameters with preset temporal and/or spatial feature parameter standard thresholds.
The judging module 40 is configured to obtain the detection result of whether the encrypted traffic to be detected is malicious traffic according to the comparison result of the time and/or space feature parameters with the standard thresholds.
The protocol features are field values of each protocol layer obtained by parsing the data packets in the data stream, and the statistical features are traffic features summarized by counting the characteristics of the data packets in the data stream.
The malicious encrypted traffic detection system of the second embodiment operates the above method for detecting malicious encrypted traffic.
Optionally, the grouping module 20 includes:
The grouping sub-module groups the encrypted traffic to be detected according to the protocol features, wherein the protocol features comprise the source IP, the destination port and the TLS fingerprint, and data streams whose source IP, destination port and TLS fingerprint are all identical belong to the same packet.
Optionally, the parameter calculation module 30 includes:
a parameter calculation sub-module, configured to calculate a temporal and/or spatial feature parameter of each packet, where the temporal and/or spatial feature parameter includes any one or any combination of the following: spatial similarity, temporal monotonicity, and temporal periodicity, and compared to a preset spatial similarity, temporal monotonicity, or temporal periodicity criteria threshold.
The spatial similarity is a characteristic parameter indicating that the data stream shows repetition in the spatial dimension, the time similarity is a characteristic parameter indicating that the data stream shows repetition in the transmission frequency, the time monotonicity is a characteristic parameter indicating that the data stream shows monotonic increase or monotonic decrease in the transmission interval, and the time periodicity is a characteristic parameter indicating that the data stream shows regular periodic repetition in the transmission interval.
Optionally, the judging module 40 includes:
The similarity abnormality sub-module is used for judging the packet to be a malicious traffic suspected group when the spatial similarity and the time similarity exceed the spatial similarity standard threshold and the time similarity standard threshold at the same time.
The monotonic anomaly sub-module is used for judging the packet to be a malicious traffic suspected group when the time monotonicity exceeds the time monotonicity threshold.
The period abnormality sub-module is used for judging the packet to be a malicious traffic suspected group when the time periodicity exceeds the time periodicity threshold.
Optionally, the system for detecting malicious encrypted traffic further includes:
The comprehensive judging module is used for comprehensively judging whether the detected malicious traffic suspected group is malicious encrypted traffic through TLS fingerprint database matching, rule matching or threat intelligence detection.
Optionally, the parameter calculation submodule includes:
A spatial similarity calculation unit, configured to define the set of stream lengths as $L = \{l_0, l_1, \ldots, l_n\}$, where $l_i \neq l_j$ for $i, j = 0, 1, \ldots, n$ and $i \neq j$; define the total number of streams as $C$; count the number of repeated occurrences of $l_n$:
Figure BDA0002453920140000181
and determine the spatial similarity according to the spatial similarity formula:
Figure BDA0002453920140000182
Optionally, the parameter calculation submodule includes:
A time similarity calculation unit, configured to define the set of stream intervals as $G = \{g_0, g_1, \ldots, g_n\}$; define the total number of streams as $C$; define the judgment interval of the stream interval $g_n$ as $z_n = [0.9 g_n, 1.1 g_n]$, giving the set of judgment intervals:
Figure BDA0002453920140000183
count the number of stream intervals falling within the judgment interval $z_n$, defined as:
Figure BDA0002453920140000184
giving the set of stream counts:
Figure BDA0002453920140000185
take the maximum value in the set $A$ as $c_{max}$; and determine the time similarity according to $t = c_{max} / C$.
Optionally, the parameter calculation submodule includes:
A time monotonicity calculation unit, configured to count the number of streams as $c_n$ when the number of consecutive streams whose intervals are monotonically increasing or monotonically decreasing is larger than a preset monotonic threshold, the resulting set of stream counts for consecutive monotonically increasing or monotonically decreasing intervals being $A = \{c_0, c_1, \ldots, c_n\}$; define the total number of streams as $C$; and determine the time monotonicity according to $m = \left( \sum_{i=0}^{n} c_i \right) / C$.
Optionally, the parameter calculation submodule includes:
A time periodicity calculation unit, configured to take a middle section of the stream interval data at random as the filter $F = \{f_0, f_1, \ldots, f_N\}$ and define the coefficient $Y = \{f_0, f_1, \ldots, f_N\}$; define the stream interval array as $G = \{g_0, g_1, \ldots, g_N\}$ and the coefficient $X = \{g_i, g_{i+1}, \ldots, g_{i+N}\}$, $i = 0, 1, \ldots, N$; determine the correlation coefficient $\rho_{X,Y}$ of the time periodicity according to the correlation coefficient formula:
Figure BDA0002453920140000187
and count the number of streams whose correlation coefficient $\rho_{X,Y}$ is greater than a preset correlation coefficient threshold as the judgment coefficient of the time periodicity.
Optionally, the extraction module 10 includes:
the protocol feature extraction submodule is used for extracting protocol features in the encrypted traffic to be detected, and the protocol features comprise any one or any combination of the following: source IP, destination port, and TLS fingerprint.
The statistical feature extraction sub-module is used for extracting statistical features in the encrypted traffic to be detected, and the statistical features comprise any one or any combination of the following: the total number of uplink packets, the total number of downlink packets, the total number of uplink load bytes, the total number of downlink load bytes, the starting time and the ending time.
The detection system provided by the application can quickly identify malicious encryption traffic through the characteristics of the data flow, so that the problem that the detection of the malicious encryption traffic has higher requirements on the performance of equipment and occupies a large amount of hardware resources, thereby influencing the performance of the equipment is solved. Thereby helping the user to detect malicious flow more conveniently, and greatly improving the safety of the encrypted flow in the use process.
The third embodiment of the present invention further provides a computer device, as shown in fig. 16, including a memory 1 and a processor 2, where the memory 1 stores a computer program, and the processor 2 implements the method for detecting malicious encrypted traffic according to any one of the above methods when executing the computer program.
The memory 1 includes at least one type of readable storage medium including flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a magnetic memory, a magnetic disk, an optical disk, etc. The memory 1 may in some embodiments be an internal storage unit of a detection system for malicious encrypted traffic, such as a hard disk. The memory 1 may in other embodiments also be an external storage device of a malicious encrypted traffic detection system, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like. Further, the memory 1 may also include both an internal storage unit and an external storage device of the detection system of malicious encrypted traffic. The memory 1 may be used not only for storing application software installed in a detection system of malicious encrypted traffic and various types of data, such as codes of a detection program of a brute force attack, etc., but also for temporarily storing data that has been output or is to be output.
The processor 2 may in some embodiments be a central processing unit (Central Processing Unit, CPU), controller, microcontroller, microprocessor or other data processing chip for running program code or processing data stored in the memory 1, e.g. executing a malicious encrypted traffic detection program or the like.
The computer equipment provided by the application can quickly identify malicious encryption traffic through the characteristics of the data flow, so that the problem that the detection of the malicious encryption traffic has higher requirements on the performance of the equipment and occupies a large amount of hardware resources, thereby influencing the performance of the equipment is solved. Thereby helping the user to detect malicious flow more conveniently, and greatly improving the safety of the encrypted flow in the use process.
A fourth embodiment of the present invention further provides a computer-readable storage medium having a computer program stored thereon, which when executed by a processor, implements the method for detecting malicious encrypted traffic as described in any one of the above.
The detection system, the computer equipment and the computer readable storage medium for malicious encrypted traffic provided by the application correspond to the method. It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the system, apparatus and computer readable storage medium described above may refer to corresponding procedures in the first embodiment of the method described above, and will not be described in detail herein.
According to the method, the system and the equipment for detecting the malicious encrypted flow, disclosed by the invention, the time and/or space characteristic parameters of the encrypted flow are calculated by analyzing the characteristics of the data flow, so that the detection of the malicious encrypted flow is realized, and the method, the system and the equipment are faster and more practical. The invention can identify malicious encrypted traffic without decrypting network traffic and occupies less hardware resources without deep analysis of traffic and only by statistics and operation based on protocol features and statistical features of data stream, so the invention is suitable for various devices and has better overall performance of the devices.
The method and the device can be used for encrypting the traffic identification scene, in particular to malicious traffic identification in the encrypted traffic identification. The encrypted traffic related to the embodiment of the present invention may be PCAP and real-time traffic containing encrypted communication content, or may be encrypted traffic in other scenarios, which is not limited in the embodiment of the present invention.
The detection method of malicious encrypted traffic provided by the invention has the following working procedure:
Objective: malicious traffic detection based on multi-stream feature analysis;
Input: encrypted network traffic;
Output: intelligent identification of malicious encrypted traffic.
The invention groups the flow through the protocol characteristics, builds the multi-flow-based grouping to analyze the time and space characteristics of the flow, and has higher and more reliable detection accuracy of malicious encrypted flow compared with the single-flow analysis mode. The method eliminates the traditional method of highly-dependent rule detection and expert experience, does not need to deeply analyze the data packet, and can efficiently judge whether the encrypted traffic is malicious traffic or not only by carrying out statistics and operation on the protocol characteristics and the statistical characteristics of the data flow.
The key innovation point of the method, the system and the equipment for detecting the malicious encrypted traffic is that the characteristics of the data flow, namely the flow characteristics, are detected, and a systematic method for detecting the malicious traffic based on the behavior parameters of the flow characteristics of multiple flows is adopted aiming at the problem that the traditional traffic detection products can not identify the encrypted malicious traffic.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The method, the system and the equipment for detecting the malicious encrypted traffic provided by the invention are described in detail. The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to facilitate an understanding of the method of the present invention and its core ideas. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the invention can be made without departing from the principles of the invention and these modifications and adaptations are intended to be within the scope of the invention as defined in the following claims.

Claims (11)

1. The method for detecting the malicious encrypted traffic is characterized by comprising the following steps:
extracting protocol characteristics and statistical characteristics of data flow in the encrypted flow to be detected;
grouping the encrypted traffic to be detected according to the protocol characteristics;
calculating time and/or space characteristic parameters of the groups according to the statistical characteristics of each group respectively, and comparing the time and/or space characteristic parameters with a preset time and/or space characteristic parameter standard threshold;
obtaining a detection result of whether the encrypted traffic to be detected is malicious traffic or not according to a comparison result of the time and/or space characteristic parameters and the standard threshold value; when the spatial similarity and the time similarity exceed the spatial similarity standard threshold and the time similarity standard threshold simultaneously, the group is a malicious traffic suspected group;
The detected malicious traffic suspected group is further comprehensively judged through TLS fingerprint library matching, rule matching or threat intelligence detection, and whether the malicious traffic suspected group is malicious encrypted traffic is judged;
the protocol features are field values of each protocol layer obtained by parsing the data packets in the data stream, and the statistical features are traffic features summarized by counting the characteristics of the data packets in the data stream.
2. The method for detecting malicious encrypted traffic according to claim 1, wherein said grouping encrypted traffic to be detected according to said protocol characteristics comprises:
grouping the encrypted traffic to be detected according to the protocol features, wherein the protocol features comprise the source IP, the destination port and the TLS fingerprint, and data streams whose source IP, destination port and TLS fingerprint are all identical belong to the same packet.
3. The method of claim 1, wherein the temporal and/or spatial characteristic parameters comprise any one or any combination of the following:
spatial similarity, temporal monotonicity, and temporal periodicity, and comparing with a preset spatial similarity, temporal monotonicity, or temporal periodicity standard threshold;
the spatial similarity is a characteristic parameter indicating that the data stream shows repetition in the spatial dimension, the time similarity is a characteristic parameter indicating that the data stream shows repetition in the transmission frequency, the time monotonicity is a characteristic parameter indicating that the data stream shows monotonic increase or monotonic decrease in the transmission interval, and the time periodicity is a characteristic parameter indicating that the data stream shows regular periodic repetition in the transmission interval.
4. The method for detecting malicious encrypted traffic according to claim 3, wherein the obtaining the detection result of whether the encrypted traffic to be detected is malicious traffic according to the comparison result between the temporal and/or spatial feature parameter and the standard threshold comprises:
when the spatial similarity and the time similarity exceed the spatial similarity standard threshold and the time similarity standard threshold simultaneously, the group is a malicious traffic suspected group;
when the time monotonicity exceeds a time monotonicity threshold, the packet is a malicious traffic suspected group;
and when the time periodicity exceeds a time periodicity threshold, the packet is a malicious traffic suspected group.
5. The method of detecting malicious encrypted traffic of claim 3, wherein calculating spatial similarity of packets based on statistical characteristics of each packet comprises:
defining the set of stream lengths as $L = \{l_0, l_1, \ldots, l_n\}$, where $l_i \neq l_j$, $i, j = 0, 1, \ldots, n$; defining the total number of streams as $C$; counting the number of repeated occurrences of $l_n$:
Figure QLYQS_6
Figure QLYQS_7
and determining the spatial similarity according to the spatial similarity formula:
Figure QLYQS_8
6. The method of detecting malicious encrypted traffic of claim 3, wherein calculating the temporal similarity of a group according to the statistical characteristics of each group comprises:
defining the set of flow intervals as [formula];
defining the total number of flows as [formula];
defining the judgment interval of a flow interval [formula] as [formula], so that the set of judgment intervals is [formula];
counting the number of flow intervals falling within the judgment interval [formula] as [formula], so that the set of flow counts is [formula];
taking the maximum value [formula] in the set [formula];
and determining the temporal similarity according to the temporal similarity t = [formula]/C.
7. A method of detecting malicious encrypted traffic as claimed in claim 3, wherein calculating the temporal monotonicity of a group according to the statistical characteristics of each group comprises:
when the number of consecutive flows with monotonically increasing or monotonically decreasing intervals is larger than a preset monotonic threshold, counting that number of flows as [formula], so that the set of flow counts of consecutive monotonically increasing or monotonically decreasing intervals is [formula];
defining the total number of flows as [formula];
and determining the temporal monotonicity according to the temporal monotonicity [formula].
8. A method of detecting malicious encrypted traffic according to claim 3, wherein calculating the temporal periodicity of a group according to the statistical characteristics of each group comprises:
randomly taking a middle section of the flow interval data as a filter [formula], and defining a coefficient Y;
defining the flow interval array as [formula];
defining the coefficients [formula], wherein [formula];
determining the correlation coefficient [formula] of the temporal periodicity according to the correlation coefficient [formula];
and counting the number of flows whose correlation coefficient [formula] is greater than a preset correlation coefficient threshold as the judgment coefficient of the temporal periodicity.
9. The method for detecting malicious encrypted traffic according to any one of claims 1-8, wherein the extracting protocol features and statistical features of the data stream in the encrypted traffic to be detected comprises:
extracting protocol characteristics in the encrypted traffic to be detected, wherein the protocol characteristics comprise any one or any combination of the following: source IP, destination port, and TLS fingerprint;
extracting statistical characteristics in the encrypted traffic to be detected, wherein the statistical characteristics comprise any one or any combination of the following: the total number of uplink packets, the total number of downlink packets, the total number of uplink load bytes, the total number of downlink load bytes, the starting time and the ending time.
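The grouping of claim 2, the four parameters of claims 3 and 5-8, the suspicion rule of claim 4 and the second-stage fingerprint-library check of claim 10 can be read as one pipeline over the per-flow features of claim 9. The block below is an added worked example and not the patent's own code: the claim formulas survive on this page only as images, so every scoring definition here (flow length repetition, binned-interval peak share, monotone-run coverage, Pearson correlation of interval windows against a middle-third filter, constant-window handling, the deterministic rather than random filter position), the thresholds, the `Flow` record, the `ja3-*` fingerprint strings, the `KNOWN_BAD_TLS_FPS` set and the sample flows are this example's own assumptions and constructed data.

```python
# Added worked example, not the patent's own code. The formulas of claims 5-8
# survive on the page only as images, so each definition below is this example's
# own assumption matched to the claim prose; thresholds and the fingerprint
# library are constructed stand-ins.
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import sqrt

@dataclass(frozen=True)
class Flow:                 # protocol and statistical features of claim 9
    src_ip: str
    dst_port: int
    tls_fp: str             # TLS fingerprint (JA3-style hash in practice; values here made up)
    up_pkts: int
    down_pkts: int
    up_bytes: int
    down_bytes: int
    start: float            # seconds
    end: float

def group_flows(flows):
    """Claim 2: one time-ordered group per (source IP, destination port, TLS fingerprint)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src_ip, f.dst_port, f.tls_fp)].append(f)
    return {k: sorted(v, key=lambda f: f.start) for k, v in groups.items()}

def intervals(group):
    """Start-to-start gaps between consecutive flows: the 'flow interval' of claims 6-8."""
    return [b.start - a.start for a, b in zip(group, group[1:])]

def spatial_similarity(group):
    """Assumed: share of flows whose total payload length recurs within the group."""
    counts = Counter(f.up_bytes + f.down_bytes for f in group)
    return sum(c for c in counts.values() if c > 1) / len(group)

def temporal_similarity(group, bin_width=1.0):
    """Assumed: intervals binned to bin_width; most populated bin / total intervals."""
    ivs = intervals(group)
    return max(Counter(round(iv / bin_width) for iv in ivs).values()) / len(ivs) if ivs else 0.0

def temporal_monotonicity(group, min_run=3):
    """Assumed: share of intervals inside strictly increasing or decreasing runs of >= min_run."""
    ivs, covered, i = intervals(group), 0, 0
    while i + 1 < len(ivs):
        d = (ivs[i + 1] > ivs[i]) - (ivs[i + 1] < ivs[i])    # run direction, 0 when flat
        j = i + 1
        while d and j + 1 < len(ivs) and (ivs[j + 1] - ivs[j]) * d > 0:
            j += 1
        if d and j - i + 1 >= min_run:
            covered += j - i + 1
        i = j + 1 if d else i + 1
    return covered / len(ivs) if ivs else 0.0

def pearson(a, b):
    """Pearson correlation; two identical constant windows (a jitter-free beacon) count as 1.0."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da, db = [x - ma for x in a], [x - mb for x in b]
    na, nb = sqrt(sum(x * x for x in da)), sqrt(sum(x * x for x in db))
    if na == 0 or nb == 0:
        return 1.0 if a == b else 0.0
    return sum(x * y for x, y in zip(da, db)) / (na * nb)

def temporal_periodicity(group, corr_threshold=0.9):
    """Assumed: the middle third of the interval array is the filter; score is the share of
    the other same-width windows whose correlation with it exceeds corr_threshold."""
    ivs = intervals(group)
    w = max(3, len(ivs) // 3)
    if len(ivs) <= w:
        return 0.0
    fstart = (len(ivs) - w) // 2
    filt = ivs[fstart:fstart + w]
    others = [ivs[o:o + w] for o in range(len(ivs) - w + 1) if o != fstart]
    return sum(pearson(win, filt) > corr_threshold for win in others) / len(others)

THRESHOLDS = dict(spatial=0.8, temporal=0.8, monotonicity=0.8, periodicity=0.8)  # assumed
KNOWN_BAD_TLS_FPS = {"ja3-aaaa"}       # constructed stand-in for a TLS fingerprint library

def classify_group(key, group, thr=THRESHOLDS):
    """Claim 4 suspicion rule, then claim 10's second stage (fingerprint library match)."""
    s = dict(spatial=spatial_similarity(group), temporal=temporal_similarity(group),
             monotonicity=temporal_monotonicity(group), periodicity=temporal_periodicity(group))
    suspected = ((s["spatial"] > thr["spatial"] and s["temporal"] > thr["temporal"])
                 or s["monotonicity"] > thr["monotonicity"]
                 or s["periodicity"] > thr["periodicity"])
    if not suspected:
        return "benign", s
    return ("malicious" if key[2] in KNOWN_BAD_TLS_FPS else "suspected"), s

def detect(flows):
    return {key: classify_group(key, g) for key, g in group_flows(flows).items()}

def beacon(n=8, period=60.0):
    """Constructed C2-style beacon: fixed period, identical payload sizes."""
    return [Flow("10.0.0.5", 443, "ja3-aaaa", 4, 5, 300, 1200, i * period, i * period + 0.4)
            for i in range(n)]

def browsing():
    """Constructed interactive browsing: irregular timing, varied sizes."""
    starts = [0.0, 3.5, 4.2, 11.0, 30.0, 31.5]
    sizes = [(400, 2100), (900, 5400), (200, 900), (1500, 17000), (600, 3300), (1200, 7800)]
    return [Flow("10.0.0.7", 443, "ja3-bbbb", 6, 9, u, d, s, s + 1.0)
            for s, (u, d) in zip(starts, sizes)]
```

Calling `detect(beacon() + browsing())` returns the beacon group as `malicious` (spatial and temporal similarity both 1.0, periodicity 1.0, and its fingerprint is in the constructed library) and the browsing group as `benign` (spatial similarity 0.0, temporal similarity 0.2, no monotone run, periodicity 0.0). An exponential-backoff sequence of intervals such as 1, 2, 4, 8, 16, 32 s is caught by the monotonicity rule alone, which is the case claim 7 targets; note that Pearson correlation is scale-invariant, so such a sequence also scores high on periodicity, a reason to tune the thresholds of claims 4 and 8 on real benign traffic before deployment.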
10. A system for detecting malicious encrypted traffic, comprising:
The extraction module is used for extracting protocol characteristics and statistical characteristics of the data flow in the encrypted flow to be detected;
the grouping module is used for grouping the encrypted traffic to be detected according to the protocol characteristics;
the parameter calculation module is used for calculating time and/or space characteristic parameters of the groups according to the statistical characteristics of the groups respectively and comparing the time and/or space characteristic parameters with a preset time and/or space characteristic parameter standard threshold value;
the judging module is used for obtaining a detection result of whether the encrypted traffic to be detected is malicious traffic according to the comparison result between the temporal and/or spatial characteristic parameters and the standard threshold; when the spatial similarity and the temporal similarity both exceed the spatial similarity standard threshold and the temporal similarity standard threshold, the group is a suspected malicious traffic group; the detected suspected malicious traffic group is further judged comprehensively through TLS fingerprint library matching, rule matching or threat intelligence detection to decide whether it is malicious encrypted traffic;
the protocol features are the field values of each protocol layer obtained by parsing the data packets in the data stream, and the statistical features are aggregate features summarized from the characteristics of the data packets in the data stream.
11. A computer device comprising a memory and a processor, wherein the memory stores a computer program, the processor implementing the method of detecting malicious encrypted traffic as claimed in any one of claims 1 to 9 when the computer program is executed.
CN202010300818.0A 2020-04-16 2020-04-16 Method, system and equipment for detecting malicious encrypted traffic Active CN113542195B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010300818.0A CN113542195B (en) 2020-04-16 2020-04-16 Method, system and equipment for detecting malicious encrypted traffic

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010300818.0A CN113542195B (en) 2020-04-16 2020-04-16 Method, system and equipment for detecting malicious encrypted traffic

Publications (2)

Publication Number Publication Date
CN113542195A CN113542195A (en) 2021-10-22
CN113542195B true CN113542195B (en) 2023-05-05

Family

ID=78120240

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010300818.0A Active CN113542195B (en) 2020-04-16 2020-04-16 Method, system and equipment for detecting malicious encrypted traffic

Country Status (1)

Country Link
CN (1) CN113542195B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114679307A (en) * 2022-03-18 2022-06-28 深圳市纽创信安科技开发有限公司 TLS encryption threat detection method and system
CN115378850B (en) * 2022-08-31 2023-10-31 济南大学 Encryption traffic online analysis method and system based on Sketch
CN116668182B (en) * 2023-07-10 2023-11-10 哈尔滨工业大学 Encryption application behavior flow detection method based on multi-stream context relation

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102164049A (en) * 2011-04-28 2011-08-24 中国人民解放军信息工程大学 Universal identification method for encrypted flow
CN106850344A (en) * 2017-01-22 2017-06-13 中国人民解放军信息工程大学 Encrypted traffic identification method based on flow-gradient guidance
CN107637041A (en) * 2015-03-17 2018-01-26 英国电讯有限公司 Learned profiles for malicious encrypted network traffic identification
CN107749859A (en) * 2017-11-08 2018-03-02 南京邮电大学 Malicious mobile application detection method for encrypted network traffic
CN111010409A (en) * 2020-01-07 2020-04-14 南京林业大学 Encryption attack network flow detection method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10397274B2 (en) * 2017-01-27 2019-08-27 Salesforce.Com, Inc. Packet inspection and forensics in an encrypted network

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102164049A (en) * 2011-04-28 2011-08-24 中国人民解放军信息工程大学 Universal identification method for encrypted flow
CN107637041A (en) * 2015-03-17 2018-01-26 英国电讯有限公司 Learned profiles for malicious encrypted network traffic identification
CN106850344A (en) * 2017-01-22 2017-06-13 中国人民解放军信息工程大学 Encrypted traffic identification method based on flow-gradient guidance
CN107749859A (en) * 2017-11-08 2018-03-02 南京邮电大学 Malicious mobile application detection method for encrypted network traffic
CN111010409A (en) * 2020-01-07 2020-04-14 南京林业大学 Encryption attack network flow detection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and research of an encrypted traffic behavior analysis system; 程永新 (Cheng Yongxin) et al.; 《通信技术》 (Communications Technology); 2020-04-10 (No. 4); full text *

Also Published As

Publication number Publication date
CN113542195A (en) 2021-10-22

Similar Documents

Publication Publication Date Title
CN113542195B (en) Method, system and equipment for detecting malicious encrypted traffic
CN109951500B (en) Network attack detection method and device
CN107302547B (en) Web service anomaly detection method and device
CN113676464B (en) Network security log alarm processing method based on big data analysis technology
US11316878B2 (en) System and method for malware detection
CN111277570A (en) Data security monitoring method and device, electronic equipment and readable medium
US10148540B2 (en) System and method for anomaly detection in information technology operations
CN111277587A (en) Malicious encrypted traffic detection method and system based on behavior analysis
Celenk et al. Predictive network anomaly detection and visualization
CN110213227B (en) Network data flow detection method and device
Kim et al. Statistical techniques for detecting traffic anomalies through packet header data
JP2008545343A (en) Method and apparatus for all network anomaly diagnosis and method for detecting and classifying network anomalies using traffic feature distribution
US7903657B2 (en) Method for classifying applications and detecting network abnormality by statistical information of packets and apparatus therefor
CN112769633B (en) Proxy traffic detection method and device, electronic equipment and readable storage medium
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
CN111262849A (en) Method for identifying and blocking network abnormal flow behaviors based on flow table information
CN115134250A (en) Network attack source tracing evidence obtaining method
CN110266726B (en) Method and device for identifying DDOS attack data stream
CN113497789B (en) Method, system and equipment for detecting violent cracking attack
CN113839925A (en) IPv6 network intrusion detection method and system based on data mining technology
CN113037748A (en) C and C channel hybrid detection method and system
CN109257384B (en) Application layer DDoS attack identification method based on access rhythm matrix
CN110912895B (en) Network data flow tracing method based on perceptual hash
CN110958163B (en) Method and device for detecting stolen shooting equipment based on network frame transmission characteristics, electronic equipment and computer readable medium
CN109246157A (en) A kind of HTTP requests at a slow speed the association detection method of dos attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant