CN113824729A - Encrypted flow detection method, system and related device - Google Patents
- Publication number
- CN113824729A (application CN202111137959.6A)
- Authority
- CN
- China
- Prior art keywords
- flow
- encrypted
- data
- traffic
- characteristic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/044—Recurrent networks, e.g. Hopfield networks
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/08—Learning methods
Abstract
The application provides an encrypted traffic detection method, which comprises the following steps: collecting encrypted traffic; analyzing the encrypted traffic to obtain its traffic characteristics; applying type-specific feature processing to the data types contained in the traffic characteristics to obtain input data; extracting feature data from the input data by using a CNN model; taking the feature data as the input of an LSTM algorithm and training to obtain an encrypted traffic detection model; and performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic. The method automatically extracts the feature data, strengthens the automatic processing of the data, and establishes the encrypted traffic detection model by means of deep learning, thereby realizing intelligent detection of encrypted traffic; performing correlation analysis against known malicious traffic improves the accuracy of the detection result. The application also provides an encrypted traffic detection system, a computer-readable storage medium and a server, which have the same beneficial effects.
Description
Technical Field
The present application relates to the field of network data security, and in particular, to a method, a system, and a related device for detecting encrypted traffic.
Background
In recent years, the detection of encrypted malicious traffic has been a focus of attention in the field of network security. Currently there are two main attack detection approaches: detection after decryption, and detection without decryption. Gateway devices in the industry mainly decrypt traffic in order to detect attack behavior, but this consumes a large amount of resources, is costly, violates the original purpose of encryption, and the decryption process is strictly limited by the relevant privacy-protection laws and regulations. With a view to protecting user privacy, detecting traffic without decryption is gradually attracting researchers in the industry; such a scheme is generally only allowed to observe encrypted communication traffic (port 443) at the network egress, does not need to decrypt it, and judges the encrypted traffic using the data resources already held.
However, without decryption it is difficult to acquire features and information from network traffic, which makes it difficult for researchers to perform empirical analysis and to detect encrypted malicious traffic.
Disclosure of Invention
The application aims to provide an encrypted traffic detection method, an encrypted traffic detection system and a related device, in which the accuracy and efficiency of detection and identification are enhanced by adopting deep learning.
In order to solve the technical problem, the application provides an encrypted traffic detection method with the following specific technical scheme:
collecting encrypted traffic;
analyzing the encrypted traffic to obtain the traffic characteristics of the encrypted traffic;
applying type-specific feature processing to the data types contained in the traffic characteristics to obtain input data;
extracting feature data from the input data by using a CNN model;
taking the feature data as the input of an LSTM algorithm, and training to obtain an encrypted traffic detection model;
and performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
Optionally, before performing association analysis on the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model, the method further includes:
establishing a knowledge graph of known malicious traffic, and acquiring the known malicious traffic data from the knowledge graph.
Optionally, establishing a knowledge graph of known malicious traffic comprises:
collecting and analyzing known malicious traffic data to obtain characteristic information, the characteristic information comprising at least one of flow characteristics, packet characteristics, certificate characteristics and time characteristics;
performing encrypted traffic classification on the malicious traffic data containing the characteristic information to obtain malicious traffic features;
and establishing the knowledge graph according to the malicious traffic features.
Optionally, applying type-specific feature processing to the data types contained in the traffic characteristics includes:
performing normalization and standardization on numerical traffic characteristics;
processing character-type traffic characteristics with one-hot encoding;
performing word segmentation on traffic characteristics containing a string description;
and processing Boolean traffic characteristics with one-hot encoding.
Optionally, the collecting and analyzing known malicious traffic data to obtain the feature information further includes:
and storing the known malicious traffic data containing the characteristics to a preset storage center.
Optionally, after the knowledge graph is established according to the malicious traffic characteristics, the method further includes:
when new malicious traffic is received, performing feature analysis on the new malicious traffic to obtain new malicious features;
and constructing a node corresponding to the new malicious traffic in the knowledge graph, and updating the knowledge graph.
Optionally, the detection result includes the similar content and the similarity between the encrypted traffic and known malicious traffic.
The present application further provides an encrypted traffic detection system, including:
an acquisition module for acquiring the encrypted traffic;
an analysis module for analyzing the encrypted traffic to obtain the traffic characteristics of the encrypted traffic;
a feature processing module for applying type-specific feature processing to the data types contained in the traffic characteristics to obtain input data;
a feature extraction module for extracting feature data from the input data by using a CNN model;
a model training module for training with the feature data as the input of an LSTM algorithm to obtain an encrypted traffic detection model;
and a traffic detection module for performing correlation analysis between the encrypted traffic and the known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when being executed by a processor, carries out the steps of the method as set forth above.
The present application further provides a server comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the method described above when calling the computer program in the memory.
The application provides an encrypted traffic detection method, which comprises the following steps: collecting encrypted traffic; analyzing the encrypted traffic to obtain the traffic characteristics of the encrypted traffic; applying type-specific feature processing to the data types contained in the traffic characteristics to obtain input data; extracting feature data from the input data by using a CNN model; taking the feature data as the input of an LSTM algorithm, and training to obtain an encrypted traffic detection model; and performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
In the method and device for detecting encrypted traffic, the CNN model is configured on the basis of deep learning and the encrypted traffic detection model is obtained through further training. Feature data can be extracted automatically during encrypted traffic detection, automatic data processing is strengthened, and the encrypted traffic detection model is established by means of deep learning, so that encrypted traffic is detected intelligently; correlation analysis can be performed between the encrypted traffic and known malicious traffic, which improves the accuracy of the encrypted traffic detection result.
The application also provides an encrypted traffic detection system, a computer-readable storage medium and a server, which have the same beneficial effects and are not described again here.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. It is obvious that the drawings in the following description are only embodiments of the present application, and that those skilled in the art can obtain other drawings from the provided drawings without creative effort.
Fig. 1 is a flowchart of an encrypted traffic detection method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an encrypted traffic detection system according to an embodiment of the present application.
Detailed Description
The core of the application is to provide a method, a system and a related device for detecting encrypted traffic.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Current encrypted traffic detection mainly follows the approaches below, each with its defects:
1. Decryption-based: decryption is difficult, it consumes time, manpower and financial resources, and it violates the original purpose of encryption.
2. Expert-based analysis: because the content is encrypted it is difficult to obtain for analysis, so only flows, data packets, session connections and handshake information can be analyzed; it is difficult to screen the traffic of interest out of massive data, and the traffic varies strongly.
3. Converting pcap to pictures: this is essentially black-box detection and prediction, it is difficult to derive decisions from it later, when the effect is poor the next round of optimization and research is hard to carry out, and it does not perform well on other data sets.
Because of these problems, detection efficiency is low, the false-alarm and miss rates are high, financial and manpower consumption is high, and attack early warning lacks real-time performance and data security.
To solve the above problems, please refer to fig. 1, which is a flowchart of an encrypted traffic detection method according to an embodiment of the present application; the encrypted traffic detection method includes:
S101: collecting encrypted traffic;
S102: analyzing the encrypted traffic to obtain the traffic characteristics of the encrypted traffic;
This step parses the encrypted traffic to obtain traffic characteristics. The content and type of the traffic characteristics are not particularly limited, and may include flow characteristics, packet characteristics, certificate characteristics, time characteristics, and the like. Data element statistics, TLS features and contextual data features may also be included. Data element statistics refer to packet sizes, the arrival-time sequence and the byte distribution. TLS features refer to the cipher suites and TLS extensions offered by the client, the client public key length, the cipher suite selected by the server, and certificate information (whether it is non-CA self-signed, the number of SAN entries in the X.509 extension, the validity period, etc.). Contextual data features can be subdivided into DNS flow and HTTP flow features. The DNS features concern the domain name length in the DNS response, the ratio of digit to non-digit characters in the domain name, the TTL value, the number of IP addresses returned in the DNS response and the ranking of the domain name on the Alexa website; the HTTP features focus on a number of header fields (Set-Cookie, Location, Expires, Content-Type, Server, etc.) of inbound and outbound HTTP, as well as HTTP response codes, among others. From other points of view the features may further be divided into basic features, content features, time features, additional features, and the like; for example, Dur and sbytes are basic features while Dtcpb and Stcpb are content features.
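As an added illustration of the TLS and DNS features named in step S102 (example code, not code from the patent), the following Python parses one TLS ClientHello record and pulls out the cipher suites and extensions the client offers, the SNI host name and the client key_share public key length, and computes the domain-name length and digit ratio; the ClientHello bytes are constructed inside the block by build_client_hello, and all function names are assumptions.

```python
import struct

# Extension type codes: server_name (RFC 6066) and key_share (RFC 8446).
EXT_SERVER_NAME = 0x0000
EXT_KEY_SHARE = 0x0033


def build_client_hello(host, cipher_suites, group, pubkey):
    """Construct a sample ClientHello in a TLS record (constructed input, not captured traffic)."""
    name = host.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name
    sni_ext = struct.pack("!HHH", EXT_SERVER_NAME, len(sni_list) + 2, len(sni_list)) + sni_list
    share = struct.pack("!HH", group, len(pubkey)) + pubkey
    ks_ext = struct.pack("!HHH", EXT_KEY_SHARE, len(share) + 2, len(share)) + share
    exts = sni_ext + ks_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32)                 # client_version, random (zeros: sample only)
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                           # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated field at offset %d" % off)
    return struct.unpack("!H", buf[off:off + 2])[0]


def parse_client_hello(record):
    """Extract the client-side TLS features listed in S102 from one ClientHello record.
    Malformed or truncated input raises ValueError instead of yielding garbage features."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip client_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                            # session id
    cs_len = _u16(body, pos)
    pos += 2
    if pos + cs_len > len(body):
        raise ValueError("cipher suite list overruns message")
    suites = [_u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                            # compression methods
    feats = {"cipher_suites": suites, "extensions": [], "sni": None, "client_pubkey_len": 0}
    if pos + 2 > len(body):
        return feats                                # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end > len(body):
        raise ValueError("extensions block overruns message")
    while pos + 4 <= end:
        etype, elen = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        data = body[pos:pos + elen]
        if len(data) != elen:
            raise ValueError("extension %#06x overruns block" % etype)
        pos += elen
        feats["extensions"].append(etype)
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            feats["sni"] = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
        elif etype == EXT_KEY_SHARE and len(data) >= 6:
            # client_shares: list length, then (group, key_exchange length, key_exchange)
            feats["client_pubkey_len"] = _u16(data, 4)
    return feats


def domain_features(name):
    """DNS-side features from S102: domain name length and digit-to-non-digit ratio."""
    digits = sum(c.isdigit() for c in name)
    non_digits = len(name) - digits
    return {"length": len(name), "digit_ratio": digits / non_digits if non_digits else float("inf")}


# Constructed sample: two TLS 1.3 suites plus one TLS 1.2 suite, x25519 key share of 32 bytes.
SAMPLE_HELLO = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F], 0x001D, bytes(32))

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO))
    print(domain_features("a1b2.example.com"))
```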
S103: applying type-specific feature processing to the data types contained in the traffic characteristics to obtain input data;
This step performs feature processing. It should be noted that different types of data cannot all be treated in a single way regardless of their type. Specifically, the following types and their processing methods may be included:
Numerical traffic characteristics are normalized and standardized.
Character-type traffic characteristics are processed with one-hot encoding.
Traffic characteristics containing a string description are word-segmented, and word vector data is generally obtained with TF-IDF and Word2vec.
Boolean traffic characteristics are processed with one-hot encoding.
Of course, traffic characteristics of other data types may be processed in other corresponding ways, which are not illustrated here.
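The four processing rules of step S103, together with the median fill for lost values mentioned under step S106, as an added worked example (not the patent's code): a small encoder that learns scaling constants, one-hot vocabularies and TF-IDF weights from known traffic records and turns any record into the fixed-length vector handed to the CNN. The feature names, the schema and the training records are constructed for illustration, and word segmentation is assumed to be a split on non-alphanumeric characters.

```python
import math
import re
from statistics import mean, median, pstdev

# Constructed schema: which of the four processing rules in S103 applies to each feature.
SCHEMA = {
    "dur": "numeric",          # flow duration: median fill, normalize, standardize
    "sbytes": "numeric",       # bytes sent by the client
    "cipher": "categorical",   # server-selected cipher suite id (character data -> one-hot)
    "cert_subject": "text",    # certificate subject (string description -> tokens -> TF-IDF)
    "self_signed": "bool",     # self-signed certificate flag (Boolean -> one-hot)
}


def tokenize(text):
    """Word segmentation for string-description features (assumed: split on non-alphanumerics)."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def minmax(v, lo, hi):
    """Normalization to [0, 1]; a constant column maps to 0 instead of dividing by zero."""
    return (v - lo) / (hi - lo) if hi > lo else 0.0


class FlowFeatureEncoder:
    """fit() learns fill values, scaling constants, vocabularies and IDF weights from known
    traffic; transform() turns one record into the fixed-length numeric vector fed to the CNN."""

    def fit(self, records):
        self.num, self.cat, self.idf = {}, {}, {}
        n = len(records)
        for name, kind in SCHEMA.items():
            if kind == "numeric":
                seen = [r[name] for r in records if r.get(name) is not None]
                fill = median(seen)                   # median fill for lost values
                lo, hi = min(seen), max(seen)
                scaled = [minmax(fill if r.get(name) is None else r[name], lo, hi) for r in records]
                self.num[name] = (fill, lo, hi, mean(scaled), pstdev(scaled))
            elif kind == "categorical":
                self.cat[name] = sorted({str(r[name]) for r in records})
            elif kind == "text":
                df = {}
                for r in records:
                    for t in set(tokenize(r[name])):
                        df[t] = df.get(t, 0) + 1
                # smoothed IDF: a token seen in every record still gets weight 1, not 0
                self.idf[name] = {t: math.log((1 + n) / (1 + d)) + 1 for t, d in sorted(df.items())}
        return self

    def transform(self, record):
        vec = []
        for name, kind in SCHEMA.items():
            if kind == "numeric":
                fill, lo, hi, mu, sd = self.num[name]
                s = minmax(fill if record.get(name) is None else record[name], lo, hi)
                vec.append((s - mu) / sd if sd > 0 else 0.0)   # standardization (z-score)
            elif kind == "categorical":
                # a category unseen at fit time becomes an all-zero block rather than an error
                vec.extend(1.0 if str(record[name]) == c else 0.0 for c in self.cat[name])
            elif kind == "text":
                toks = tokenize(record[name])
                tf = {t: toks.count(t) / len(toks) for t in set(toks)}
                vec.extend(tf.get(t, 0.0) * w for t, w in self.idf[name].items())
            elif kind == "bool":
                vec.extend([0.0, 1.0] if record[name] else [1.0, 0.0])
        return vec


# Constructed training records of known traffic; None marks a lost value to be filled.
TRAIN = [
    {"dur": 0.5, "sbytes": 1200, "cipher": "c02f", "cert_subject": "CN=mail.example.com", "self_signed": False},
    {"dur": 2.0, "sbytes": 4800, "cipher": "1301", "cert_subject": "CN=localhost", "self_signed": True},
    {"dur": None, "sbytes": 3000, "cipher": "c02f", "cert_subject": "CN=cdn.example.net", "self_signed": False},
]

if __name__ == "__main__":
    enc = FlowFeatureEncoder().fit(TRAIN)
    print(enc.transform({"dur": 0.5, "sbytes": 3000, "cipher": "c030",
                         "cert_subject": "CN=mail.example.org", "self_signed": True}))
```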
S104: extracting feature data from the input data by using a CNN model;
The data obtained in step S103 is taken as the input of the CNN model, and effective feature data is extracted by the convolution and pooling layers, completing feature extraction and selection.
S105: taking the feature data as the input of an LSTM algorithm, and training to obtain an encrypted traffic detection model;
The selected feature data is used as the input of an LSTM algorithm and trained to obtain an encrypted traffic detection model for detecting malicious traffic.
S106: performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
This step uses the encrypted traffic detection model to perform correlation analysis between the encrypted traffic and known malicious traffic data, so as to obtain a detection result for the encrypted traffic. It is readily understood that this step requires the characteristics of the known malicious traffic data to have been determined beforehand, so that the correlation analysis can be executed directly.
To facilitate the correlation analysis of this step, a knowledge graph of known malicious traffic may be established and the known malicious traffic data obtained from the knowledge graph before this step is performed. How the knowledge graph of known malicious traffic is established is not particularly limited; it requires data collection and data processing, and the data can be obtained directly from a big data center. It should be noted, however, that during data processing, problems such as data loss, insufficient data correlation (invalid data, entropy) and high data acquisition cost arise when data is collected, so manual, statistical and algorithmic techniques are involved. Manual processing typically chooses, based on experience, between deletion, filling with a special value, and leaving the data as is. Statistical processing fills missing values according to the mean, the mode, the median, a similar sample, and the like.
The detection result obtained in this step may include the similar content and the similarity between the encrypted traffic and the known malicious traffic, so that a manual judgement can conveniently be made on the basis of the similar content and the similarity, which helps in recognizing the encrypted traffic.
In the embodiment of the application, the CNN model is configured on the basis of deep learning and the encrypted traffic detection model is obtained through further training; feature data can be extracted automatically during encrypted traffic detection, automatic data processing is strengthened, and the encrypted traffic detection model is established by means of deep learning, so that encrypted traffic can be detected intelligently; correlation analysis can be performed between the encrypted traffic and known malicious traffic, which improves the accuracy of the encrypted traffic detection result.
Based on the above embodiments, as a preferred embodiment, establishing a knowledge graph of known malicious traffic includes:
S201: collecting and analyzing known malicious traffic data to obtain characteristic information;
The characteristic information includes at least one of flow characteristics, packet characteristics, certificate characteristics and time characteristics. Of course, the various features described in the above embodiment may also be included, and are not described again.
S202: performing encrypted traffic classification on the malicious traffic data containing the characteristic information to obtain malicious traffic features;
S203: establishing a knowledge graph according to the malicious traffic features.
After the characteristic information is obtained, the purpose is to perform encrypted traffic classification on the malicious traffic data to obtain malicious traffic features, and then to establish a knowledge graph from the malicious traffic data and the corresponding malicious traffic features. The knowledge graph mainly consists of the malicious traffic data and their corresponding malicious traffic features, but analysis and statistics can also be carried out on specific traffic features shared among different malicious traffic.
Specifically, new traffic can be associated with existing entities in the knowledge graph for analysis and similarity analysis: attributes and relations are added to existing entities, association and content prediction are performed for entities with high similarity, and for new entities processing such as reconstructing nodes is performed.
In addition, after the known malicious traffic data has been collected and analyzed and the characteristic information obtained, the known malicious traffic data containing the features may be stored in a preset storage center. The preset storage center is not particularly limited; a multi-level storage structure such as HBase, Hive and MySQL may be adopted to speed up the system's response.
After the knowledge graph has been established according to the malicious traffic features, it can be updated: when new malicious traffic is received, feature analysis is performed on it to obtain new malicious features, and then nodes corresponding to the new malicious traffic are constructed in the knowledge graph to update it.
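The knowledge graph of steps S201 to S203, its update with new malicious traffic, and the correlation analysis of step S106 that yields "similar content and similarity", as one added example (not the patent's code): traffic nodes are linked to "feature=value" attribute entities, a query flow is compared with every node reachable through a shared attribute, and Jaccard overlap of the attribute sets is used as the similarity score. The class, the feature names, the threshold and the known-malicious records are all constructed assumptions.

```python
class MaliciousTrafficGraph:
    """Small knowledge graph: each known malicious traffic node carries its malicious traffic
    features; every 'feature=value' pair is an attribute entity linked to the traffic nodes
    that have it, so traffic sharing an attribute is one hop away."""

    def __init__(self):
        self.traffic = {}      # traffic id -> {feature: value}
        self.links = {}        # attribute entity -> set of traffic ids having it

    @staticmethod
    def entities(features):
        return {"%s=%s" % (k, v) for k, v in sorted(features.items())}

    def add_node(self, tid, features):
        """S203 and the update step: construct a node for (new) malicious traffic and link its
        attribute entities; re-adding an existing id replaces its attributes."""
        self.remove_node(tid)
        self.traffic[tid] = dict(features)
        for ent in self.entities(features):
            self.links.setdefault(ent, set()).add(tid)

    def remove_node(self, tid):
        for ent in self.entities(self.traffic.pop(tid, {})):
            self.links[ent].discard(tid)

    def candidates(self, features):
        """Traffic nodes reachable from the query through at least one shared attribute."""
        found = set()
        for ent in self.entities(features):
            found |= self.links.get(ent, set())
        return found

    def correlate(self, features, threshold=0.5):
        """S106: correlation analysis between an observed flow's features and the graph.
        Returns the page's detection result: the most similar known malicious traffic, the
        shared (similar) content, and the similarity score; the threshold is an assumption."""
        q = self.entities(features)
        best = {"match": None, "similarity": 0.0, "similar_content": []}
        for tid in sorted(self.candidates(features)):
            k = self.entities(self.traffic[tid])
            sim = len(q & k) / len(q | k)         # Jaccard similarity of attribute sets
            if sim > best["similarity"]:
                best = {"match": tid, "similarity": sim, "similar_content": sorted(q & k)}
        best["malicious"] = best["similarity"] >= threshold
        return best


# Constructed known malicious traffic (feature values are illustrative, not real indicators).
KNOWN_MALICIOUS = {
    "mal-001": {"cipher": "c02f", "self_signed": True, "client_pubkey_len": 32,
                "sni_digit_ratio": "high", "dst_port": 443},
    "mal-002": {"cipher": "1301", "self_signed": False, "client_pubkey_len": 32,
                "sni_digit_ratio": "low", "dst_port": 443},
}


def build_graph():
    g = MaliciousTrafficGraph()
    for tid, feats in KNOWN_MALICIOUS.items():
        g.add_node(tid, feats)
    return g


if __name__ == "__main__":
    g = build_graph()
    observed = {"cipher": "c02f", "self_signed": True, "client_pubkey_len": 32,
                "sni_digit_ratio": "low", "dst_port": 443}
    print(g.correlate(observed))
    g.add_node("mal-003", observed)              # new malicious traffic received: update graph
    print(g.correlate(observed))
```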
The encrypted traffic detection system provided in the embodiment of the present application is introduced below, and the encrypted traffic detection system described below and the encrypted traffic detection method described above may be referred to correspondingly.
Referring to fig. 2, which is a schematic structural diagram of an encrypted traffic detection system provided in an embodiment of the present application, the present application further provides an encrypted traffic detection system, including:
an acquisition module for acquiring the encrypted traffic;
an analysis module for analyzing the encrypted traffic to obtain the traffic characteristics of the encrypted traffic;
a feature processing module for applying type-specific feature processing to the data types contained in the traffic characteristics to obtain input data;
a feature extraction module for extracting feature data from the input data by using a CNN model;
a model training module for training with the feature data as the input of an LSTM algorithm to obtain an encrypted traffic detection model;
and a traffic detection module for performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
Based on the above embodiment, as a preferred embodiment, the system further includes:
a graph establishing module for establishing a knowledge graph of the known malicious traffic and acquiring the known malicious traffic data from the knowledge graph.
Based on the above embodiment, as a preferred embodiment, the graph establishing module performs the following steps:
collecting and analyzing known malicious traffic data to obtain characteristic information, the characteristic information comprising at least one of flow characteristics, packet characteristics, certificate characteristics and time characteristics;
performing encrypted traffic classification on the malicious traffic data containing the characteristic information to obtain malicious traffic features;
and establishing the knowledge graph according to the malicious traffic features.
Based on the above embodiment, as a preferred embodiment, the feature processing module includes:
a first processing unit for performing normalization and standardization on numerical traffic characteristics;
a second processing unit for processing character-type traffic characteristics with one-hot encoding;
a third processing unit for performing word segmentation on traffic characteristics containing a string description;
and a fourth processing unit for processing Boolean traffic characteristics with one-hot encoding.
Based on the above embodiment, as a preferred embodiment, the system further includes:
a storage module for storing the known malicious traffic data containing the features in a preset storage center.
Based on the foregoing embodiment, as a preferred embodiment, the system further includes, for use after the knowledge graph has been established according to the malicious traffic features:
an updating module for performing feature analysis on new malicious traffic when it is received to obtain new malicious features, constructing a node corresponding to the new malicious traffic in the knowledge graph, and updating the knowledge graph.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed, may implement the steps provided by the above-described embodiments. The storage medium may include various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The application also provides a server, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the server may also include various network interfaces, power supplies, and the like.
The embodiments are described in a progressive manner in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system provided by the embodiment, the description is relatively simple because the system corresponds to the method provided by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Claims (10)
1. An encrypted traffic detection method, comprising:
collecting encrypted traffic;
analyzing the encrypted traffic to obtain the traffic characteristics of the encrypted traffic;
applying type-specific feature processing to the data types contained in the traffic characteristics to obtain input data;
extracting feature data from the input data by using a CNN model;
taking the feature data as the input of an LSTM algorithm, and training to obtain an encrypted traffic detection model;
and performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
2. The encrypted traffic detection method according to claim 1, wherein before performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model, the method further comprises:
establishing a knowledge graph of known malicious traffic, and acquiring the known malicious traffic data from the knowledge graph.
3. The encrypted traffic detection method according to claim 2, wherein establishing a knowledge graph of known malicious traffic comprises:
collecting and analyzing known malicious traffic data to obtain characteristic information, the characteristic information comprising at least one of flow characteristics, packet characteristics, certificate characteristics and time characteristics;
performing encrypted traffic classification on the malicious traffic data containing the characteristic information to obtain malicious traffic features;
and establishing the knowledge graph according to the malicious traffic features.
4. The encrypted traffic detection method according to claim 1, wherein applying type-specific feature processing to the data types contained in the traffic characteristics includes:
performing normalization and standardization on numerical traffic characteristics;
processing character-type traffic characteristics with one-hot encoding;
performing word segmentation on traffic characteristics containing a string description;
and processing Boolean traffic characteristics with one-hot encoding.
5. The encrypted traffic detection method according to claim 1, wherein after collecting and analyzing known malicious traffic data and obtaining the characteristic information, the method further comprises:
storing the known malicious traffic data containing the features in a preset storage center.
6. The encrypted traffic detection method according to claim 1, further comprising, after establishing the knowledge graph according to the malicious traffic features:
when new malicious traffic is received, performing feature analysis on the new malicious traffic to obtain new malicious features;
and constructing a node corresponding to the new malicious traffic in the knowledge graph, and updating the knowledge graph.
7. The encrypted traffic detection method according to claim 1, wherein the detection result includes the similar content and the similarity between the encrypted traffic and known malicious traffic.
8. An encrypted traffic detection system, comprising:
an acquisition module for acquiring the encrypted traffic;
an analysis module for analyzing the encrypted traffic to obtain the traffic characteristics of the encrypted traffic;
a feature processing module for applying type-specific feature processing to the data types contained in the traffic characteristics to obtain input data;
a feature extraction module for extracting feature data from the input data by using a CNN model;
a model training module for training with the feature data as the input of an LSTM algorithm to obtain an encrypted traffic detection model;
and a traffic detection module for performing correlation analysis between the encrypted traffic and the known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
9. A computer-readable storage medium on which a computer program is stored which, when executed by a processor, carries out the steps of the encrypted traffic detection method according to any one of claims 1 to 7.
10. A server comprising a memory in which a computer program is stored and a processor which, when calling the computer program in the memory, implements the steps of the encrypted traffic detection method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111137959.6A CN113824729B (en) | 2021-09-27 | 2021-09-27 | Encrypted flow detection method, system and related device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113824729A (en) | 2021-12-21 |
CN113824729B CN113824729B (en) | 2023-01-06 |
Family
ID=78921354
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111137959.6A Active CN113824729B (en) | 2021-09-27 | 2021-09-27 | Encrypted flow detection method, system and related device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113824729B (en) |
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109104441A (en) * | 2018-10-24 | 2018-12-28 | 上海交通大学 | A kind of detection system and method for the encryption malicious traffic stream based on deep learning |
US20200186547A1 (en) * | 2018-12-11 | 2020-06-11 | Cisco Technology, Inc. | Detecting encrypted malware with splt-based deep networks |
CN111277578A (en) * | 2020-01-14 | 2020-06-12 | 西安电子科技大学 | Encrypted flow analysis feature extraction method, system, storage medium and security device |
CN111431939A (en) * | 2020-04-24 | 2020-07-17 | 郑州大学体育学院 | CTI-based SDN malicious traffic defense method and system |
CN112163594A (en) * | 2020-08-28 | 2021-01-01 | 南京邮电大学 | Network encryption traffic identification method and device |
CN112968872A (en) * | 2021-01-29 | 2021-06-15 | 成都信息工程大学 | Malicious flow detection method, system and terminal based on natural language processing |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116405330A (en) * | 2023-06-08 | 2023-07-07 | 北京金睛云华科技有限公司 | Network abnormal traffic identification method, device and equipment based on transfer learning |
CN116405330B (en) * | 2023-06-08 | 2023-08-22 | 北京金睛云华科技有限公司 | Network abnormal traffic identification method, device and equipment based on transfer learning |
Also Published As
Publication number | Publication date |
---|---|
CN113824729B (en) | 2023-01-06 |
Similar Documents
Publication | Title |
---|---|
CN109960729B (en) | Method and system for detecting HTTP malicious traffic |
CN111935170B (en) | Network abnormal flow detection method, device and equipment |
CN110768933A (en) | Network flow application identification method, system and equipment and storage medium |
CN110198248B (en) | Method and device for detecting IP address |
CN113542253B (en) | Network flow detection method, device, equipment and medium |
CN110611640A (en) | DNS protocol hidden channel detection method based on random forest |
CN104639391A (en) | Method for generating network flow record and corresponding flow detection equipment |
CN111245784A (en) | Method for multi-dimensional detection of malicious domain name |
CN111224946A (en) | TLS encrypted malicious traffic detection method and device based on supervised learning |
CN113824729B (en) | Encrypted flow detection method, system and related device |
CN109275045B (en) | DFI-based mobile terminal encrypted video advertisement traffic identification method |
CN113407886A (en) | Network crime platform identification method, system, device and computer storage medium |
CN111131070B (en) | Port time sequence-based network traffic classification method and device and storage medium |
CN113225339A (en) | Network security monitoring method and device, computer equipment and storage medium |
CN113111951A (en) | Data processing method and device |
CN115514558A (en) | Intrusion detection method, device, equipment and medium |
CN111447169B (en) | Method and system for identifying malicious webpage in real time on gateway |
CN108880945B (en) | Cloud monitoring system and method |
CN111859127A (en) | Subscription method and device of consumption data and storage medium |
CN113965408B (en) | Method, device, medium and equipment for extracting HTTP (hyper text transport protocol) message |
CN113132316A (en) | Web attack detection method and device, electronic equipment and storage medium |
CN113965418B (en) | Attack success judgment method and device |
CN116232696A (en) | Encryption traffic classification method based on deep neural network |
CN113852625A (en) | Weak password monitoring method, device, equipment and storage medium |
CN114205816A (en) | Information security architecture of power mobile Internet of things and use method thereof |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |