CN113824729B - Encrypted flow detection method, system and related device - Google Patents

Publication number: CN113824729B
Authority: CN (China)
Prior art keywords: flow, encrypted, data, traffic, malicious
Prior art date:
Legal status: Active
Application number: CN202111137959.6A
Other languages: Chinese (zh)
Other versions: CN113824729A (en)
Inventors: 陈�胜, 范渊, 吴卓群, 王欣
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Priority date:
Filing date:
Publication date:
Events: application filed by DBAPPSecurity Co Ltd; priority to CN202111137959.6A; publication of CN113824729A; application granted; publication of CN113824729B; legal status active (current); anticipated expiration.


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/044 Recurrent networks, e.g. Hopfield networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/08 Learning methods

Abstract

The application provides an encrypted traffic detection method, which comprises the following steps: collecting encrypted traffic; analyzing the encrypted traffic to obtain the traffic features of the encrypted traffic; applying type-specific feature processing according to the data types contained in the traffic features to obtain input data; extracting feature data from the input data by using a CNN model; taking the feature data as the input of an LSTM algorithm and training to obtain an encrypted traffic detection model; and performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic. The method and device automatically extract the feature data, strengthen automatic data processing, and establish the encrypted traffic detection model by deep learning, thereby realizing intelligent detection of encrypted traffic; the correlation analysis with known malicious traffic improves the accuracy of the detection result. The application also provides an encrypted traffic detection system, a computer readable storage medium and a server, which have the same beneficial effects.

Description

Encrypted flow detection method, system and related device
Technical Field
The present application relates to the field of network data security, and in particular, to a method, a system, and a related device for detecting encrypted traffic.
Background
In recent years, detection of encrypted malicious traffic has been a focus of attention in the field of network security. Currently there are two main detection approaches: detection after decryption and detection without decryption. Gateway devices in the industry mainly decrypt traffic in order to detect attack behavior, but this consumes a large amount of resources, is costly, defeats the original purpose of encryption, and the decryption process is strictly limited by privacy-protection laws and regulations. To protect user privacy, researchers in the industry are increasingly turning to detection without decryption. Such a scheme is generally only allowed to observe encrypted communication traffic (port 443) at the network egress; it does not need to decrypt the traffic, and judges it using data resources that are already available.
However, without decryption it is difficult to obtain features and information from network traffic, which makes empirical analysis by researchers, and hence detection of encrypted malicious traffic, difficult.
Disclosure of Invention
The application aims to provide an encrypted flow detection method, an encrypted flow detection system and a related device, and the accuracy and efficiency of detection and identification are enhanced by adopting deep learning.
To solve this technical problem, the present application provides an encrypted traffic detection method with the following specific technical scheme:
collecting encrypted traffic;
analyzing the encrypted traffic to obtain the traffic features of the encrypted traffic;
applying type-specific feature processing according to the data types contained in the traffic features to obtain input data;
extracting feature data from the input data by using a CNN model;
taking the feature data as the input of an LSTM algorithm, and training to obtain an encrypted traffic detection model;
and performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
Optionally, before performing the correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model, the method further includes:
establishing a knowledge graph of known malicious traffic, and acquiring the known malicious traffic data from the knowledge graph.
Optionally, establishing a knowledge graph of known malicious traffic comprises:
collecting and analyzing known malicious traffic data to obtain feature information; the feature information comprises at least one of flow features, packet features, certificate features and time features;
classifying the malicious traffic data containing the feature information by encrypted-traffic class to obtain malicious traffic features;
and establishing the knowledge graph according to the malicious traffic features.
Optionally, applying type-specific feature processing according to the data types contained in the traffic features includes:
performing normalization and standardization on numerical traffic features;
processing character-type traffic features by one-hot encoding;
performing word segmentation on traffic features containing string descriptions;
and processing Boolean traffic features by one-hot encoding.
Optionally, after collecting and analyzing known malicious traffic data to obtain the feature information, the method further includes:
storing the known malicious traffic data containing the features in a preset storage center.
Optionally, after the knowledge graph is established according to the malicious traffic features, the method further includes:
when new malicious traffic is received, performing feature analysis on the new malicious traffic to obtain new malicious features;
and constructing a node corresponding to the new malicious traffic in the knowledge graph, and updating the knowledge graph.
Optionally, the detection result includes the similar content and the similarity between the encrypted traffic and known malicious traffic.
The present application further provides an encrypted traffic detection system, including:
an acquisition module for collecting the encrypted traffic;
an analysis module for analyzing the encrypted traffic to obtain the traffic features of the encrypted traffic;
a feature processing module for applying type-specific feature processing according to the data types contained in the traffic features to obtain input data;
a feature extraction module for extracting feature data from the input data by using a CNN model;
a model training module for taking the feature data as the input of an LSTM algorithm and training to obtain an encrypted traffic detection model;
and a traffic detection module for performing correlation analysis between the encrypted traffic and the known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
The present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the method set forth above.
The present application further provides a server comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the method described above when it calls the computer program in the memory.
The application provides an encrypted traffic detection method, which comprises the following steps: collecting encrypted traffic; analyzing the encrypted traffic to obtain the traffic features of the encrypted traffic; applying type-specific feature processing according to the data types contained in the traffic features to obtain input data; extracting feature data from the input data by using a CNN model; taking the feature data as the input of an LSTM algorithm, and training to obtain an encrypted traffic detection model; and performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
The method and device configure a CNN model based on deep learning and train further to obtain the encrypted traffic detection model. Feature data are thereby extracted automatically, automatic data processing is strengthened, and the encrypted traffic detection model is established by deep learning, so that intelligent detection of encrypted traffic is achieved; correlation analysis between the encrypted traffic and known malicious traffic further improves the accuracy of the detection result.
The application also provides an encrypted traffic detection system, a computer readable storage medium and a server, which have the same beneficial effects and are not described again here.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of an encrypted traffic detection method according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an encrypted traffic detection system according to an embodiment of the present application.
Detailed Description
The core of the application is to provide a method, a system and a related device for detecting encrypted traffic.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Current encrypted traffic detection mainly takes the following forms, with the following defects:
1. Decryption-based detection: decryption is difficult, consumes time, manpower and money, and defeats the original purpose of encryption.
2. Expert-based analysis: because the content is encrypted, it is hard to obtain for analysis; only flow, packet, session-connection and handshake information can be analyzed, the relevant traffic is hard to screen out of massive data, and the traffic varies strongly.
3. Converting pcap files to images: this is essentially black-box detection and prediction; it is hard to support later decisions, hard to optimize and study further when the results are poor, and it performs poorly on other data sets.
Because of these problems, detection efficiency is low, the false alarm and miss rates are high, financial and manpower consumption is high, and attack early warning lacks real-time performance and data security.
To solve the above problems, refer to fig. 1, which is a flowchart of an encrypted traffic detection method provided in an embodiment of the present application. The encrypted traffic detection method includes:
S101: collecting encrypted traffic;
S102: analyzing the encrypted traffic to obtain the traffic features of the encrypted traffic;
This step parses the encrypted traffic to obtain traffic features. The content and type of the traffic features are not particularly limited, and may include flow features, packet features, certificate features, time features, and the like. Data element statistics, TLS features, and contextual data features may also be included. Data element statistics refer to packet sizes, the arrival-time sequence, and the byte distribution. TLS features refer to the cipher suites and TLS extensions offered by the client, the client public key length, the cipher suite selected by the server, and certificate information (whether it is a non-CA self-signed certificate, the number of entries in the SAN X.509 extension, the validity period, etc.). Contextual data features can be subdivided into DNS and HTTP flow features. DNS features concern the domain name length in the DNS response, the ratio of digit to non-digit characters in the domain name, the TTL value, the number of IP addresses returned in the DNS response, and the domain's ranking on the Alexa site; HTTP features concern the header fields of inbound HTTP (Set-Cookie, Location, Expires, Content-Type, Server, etc.), the HTTP response code, and so on. From another angle, the features can be divided into basic features, content features, time features, additional features, and the like; for example, Dur and sbytes are basic features, while Dtcpb and Stcpb are content features.
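The following is an added example, not code from the patent or its applicant, showing how a few of the per-flow features listed above (packet-size statistics, inter-arrival gaps, byte-distribution entropy, and DNS-response features) can be computed from one flow record. The record layout, field names and values are constructed assumptions; real captures would be parsed from pcap or a flow exporter first.

```python
"""Added example (not from the patent): compute several of the listed
per-flow features from a constructed flow record.  Field names are assumptions."""
import math
from collections import Counter

# Constructed sample: one TLS flow and the DNS answer that preceded it.
SAMPLE_FLOW = {
    "packet_sizes": [517, 1460, 1460, 300, 51, 1200, 51],                 # bytes
    "arrival_times": [0.000, 0.012, 0.013, 0.050, 0.051, 0.400, 0.401],    # seconds
    "payload": bytes(range(256)) * 2,   # stand-in for encrypted record bytes
    "dns": {"qname": "a1b2c3d4e5.example-cdn.net", "ttl": 30,
            "answers": ["203.0.113.10", "203.0.113.11", "203.0.113.12"]},
}


def packet_size_stats(sizes):
    """Data-element statistics over the packet sizes of one flow."""
    n = len(sizes)
    mean = sum(sizes) / n
    var = sum((s - mean) ** 2 for s in sizes) / n
    return {"pkt_count": n, "pkt_mean": mean, "pkt_std": math.sqrt(var),
            "pkt_max": max(sizes), "pkt_min": min(sizes)}


def inter_arrival_stats(times):
    """Arrival-time sequence summarised as inter-arrival gaps."""
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return {"iat_mean": sum(gaps) / len(gaps), "iat_max": max(gaps)}


def byte_distribution_entropy(payload):
    """Shannon entropy of the byte histogram in bits per byte.
    Well-encrypted data sits close to 8.0; plaintext is markedly lower."""
    counts = Counter(payload)
    total = len(payload)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def dns_features(dns):
    """DNS-response features named in the description: name length,
    digit/non-digit ratio, TTL and number of returned addresses."""
    name = dns["qname"].rstrip(".")
    digits = sum(ch.isdigit() for ch in name)
    non_digits = len(name) - digits
    return {"dns_name_len": len(name),
            "dns_digit_ratio": digits / non_digits if non_digits else float("inf"),
            "dns_ttl": dns["ttl"],
            "dns_answer_count": len(dns["answers"])}


def extract_features(flow):
    """Combine the per-aspect extractors into one flat feature dict."""
    feats = {}
    feats.update(packet_size_stats(flow["packet_sizes"]))
    feats.update(inter_arrival_stats(flow["arrival_times"]))
    feats["payload_entropy"] = byte_distribution_entropy(flow["payload"])
    feats.update(dns_features(flow["dns"]))
    return feats


if __name__ == "__main__":
    for key, value in extract_features(SAMPLE_FLOW).items():
        print(f"{key:18s} {value}")
```

The flat dict returned by `extract_features` is the kind of mixed-type record (numbers, counts, ratios) that the type-specific processing of step S103 then has to encode before it can be fed to a model.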
S103: applying type-specific feature processing according to the data types contained in the traffic features to obtain input data;
This step performs feature processing. Note that the data type of each feature must be taken into account: different types of data cannot be processed in the same way. Specifically, the following types and their processing methods may be included:
Numerical traffic features are normalized and standardized.
Character-type traffic features are one-hot encoded.
Traffic features containing string descriptions are word-segmented, and word vector data are generally obtained with TF-IDF and Word2vec.
Boolean traffic features are one-hot encoded.
Of course, traffic features of other data types may be processed in other corresponding ways, which are not enumerated here.
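As an added example that is not part of the patent, the block below implements the four per-type processing rules of step S103 over a few constructed feature records and concatenates the results into one numeric row per record. The field names, the sample values, the choice of min-max normalization followed by z-score standardization for numeric fields, and the TF-IDF weighting used in place of Word2vec (which needs a trained embedding) are all assumptions of this example.

```python
"""Added example (not from the patent): type-dependent feature processing
in the spirit of step S103.  Field names and values are constructed."""
import math
import re
from collections import Counter

# Constructed traffic-feature records (not real captures).
RECORDS = [
    {"dur": 0.5, "sbytes": 1200,  "proto": "tcp", "self_signed": True,
     "server_name": "cdn-update.example.com"},
    {"dur": 3.0, "sbytes": 52000, "proto": "udp", "self_signed": False,
     "server_name": "mail.example.org"},
    {"dur": 1.0, "sbytes": 900,   "proto": "tcp", "self_signed": False,
     "server_name": "update.example.com"},
]
NUMERIC = ["dur", "sbytes"]
CATEGORICAL = ["proto"]
BOOLEAN = ["self_signed"]
TEXT = ["server_name"]


def min_max_normalize(values):
    """Normalization: rescale into [0, 1]; a constant column becomes all zeros."""
    lo, hi = min(values), max(values)
    span = hi - lo
    return [(v - lo) / span if span else 0.0 for v in values]


def standardize(values):
    """Standardization: zero mean, unit (population) standard deviation."""
    n = len(values)
    mean = sum(values) / n
    std = math.sqrt(sum((v - mean) ** 2 for v in values) / n)
    return [(v - mean) / std if std else 0.0 for v in values]


def one_hot(values, vocab):
    """One column per category; a value outside the vocabulary encodes as all zeros."""
    return [[1.0 if v == cat else 0.0 for cat in vocab] for v in values]


def tokenize(text):
    """Word segmentation for dotted/hyphenated names such as server names."""
    return [tok for tok in re.split(r"[.\-]", text.lower()) if tok]


def tfidf(docs):
    """TF-IDF with the smoothed idf log((1+N)/(1+df)) + 1.  Returns (vocab, vectors)."""
    n = len(docs)
    df = Counter(tok for doc in docs for tok in set(doc))
    vocab = sorted(df)
    vectors = []
    for doc in docs:
        tf = Counter(doc)
        vectors.append([tf[t] / len(doc) * (math.log((1 + n) / (1 + df[t])) + 1)
                        for t in vocab])
    return vocab, vectors


def build_input_matrix(records):
    """Apply the per-type processing and concatenate into one row per record."""
    columns, rows = [], [[] for _ in records]
    for field in NUMERIC:
        # the description names both steps, so normalize first, then standardize
        col = standardize(min_max_normalize([r[field] for r in records]))
        columns.append(field)
        for row, v in zip(rows, col):
            row.append(v)
    for field in CATEGORICAL + BOOLEAN:
        vocab = sorted({r[field] for r in records}, key=str)
        columns += [f"{field}={cat}" for cat in vocab]
        for row, enc in zip(rows, one_hot([r[field] for r in records], vocab)):
            row.extend(enc)
    for field in TEXT:
        vocab, vecs = tfidf([tokenize(r[field]) for r in records])
        columns += [f"{field}:{tok}" for tok in vocab]
        for row, vec in zip(rows, vecs):
            row.extend(vec)
    return columns, rows


if __name__ == "__main__":
    cols, rows = build_input_matrix(RECORDS)
    print(cols)
    for row in rows:
        print([round(x, 3) for x in row])
```

Every row of the returned matrix has the same width and only floating-point entries, which is what the CNN of step S104 needs as input; the column names are kept alongside so that a feature can still be traced back to its source field when a detection is reviewed.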
S104: extracting feature data from the input data by using a CNN model;
The data obtained in step S103 are taken as the input of the CNN model; its convolution layers and pooling layers extract effective feature data, completing feature extraction and selection.
S105: taking the feature data as the input of an LSTM algorithm, and training to obtain an encrypted traffic detection model;
The selected feature data are used as the input of an LSTM algorithm and trained to obtain an encrypted traffic detection model for detecting malicious traffic.
S106: performing correlation analysis between the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
This step performs correlation analysis between the encrypted traffic and known malicious traffic data using the encrypted traffic detection model, so as to obtain the detection result for the encrypted traffic. Clearly this step requires that the features of the known malicious traffic data have been determined in advance, so that the correlation analysis can be executed directly.
To facilitate the correlation analysis of this step, a knowledge graph of known malicious traffic may be established, and the known malicious traffic data obtained from it, before this step is performed. How the knowledge graph is built is not particularly limited; it requires data collection and data processing, and the data can be obtained directly from a big data center. Note, however, that data processing must deal with data loss, insufficient data relevance (invalid data, low information entropy), high data acquisition cost and similar problems that arise during collection, which involves manual work, statistics, algorithms and other techniques. Manual processing typically chooses, based on experience, between deletion, filling with a special value, and leaving the data untouched. Statistical filling uses the mean, the mode, the median, a similar sample, and the like.
The detection result obtained in this step may include the similar content and the similarity between the encrypted traffic and the known malicious traffic, which makes manual judgment based on that similar content and similarity convenient and helps in recognizing the encrypted traffic.
In the embodiment of the application, a CNN model is configured based on deep learning and trained further to obtain the encrypted traffic detection model. Feature data are thereby extracted automatically, automatic data processing is strengthened, and the encrypted traffic detection model is established by deep learning, so that encrypted traffic can be detected intelligently; correlation analysis between the encrypted traffic and known malicious traffic further improves the accuracy of the detection result.
Based on the above embodiments, as a preferred embodiment, establishing a knowledge graph of known malicious traffic includes:
S201: collecting and analyzing known malicious traffic data to obtain feature information;
The feature information includes at least one of flow features, packet features, certificate features and time features. Of course, the various features described in the previous embodiment may also be included and are not repeated here.
S202: classifying the malicious traffic data containing the feature information by encrypted-traffic class to obtain malicious traffic features;
S203: establishing a knowledge graph according to the malicious traffic features.
After the feature information is obtained, the purpose is to classify the malicious traffic data by encrypted-traffic class, obtaining malicious traffic features, and then to build the knowledge graph from the malicious traffic data and the corresponding malicious traffic features. The knowledge graph mainly consists of the malicious traffic data and their corresponding features, but analysis and statistics can also be carried out on specific traffic features across different malicious traffic.
Specifically, new data can be associated with existing entities in the knowledge graph for analysis and similarity analysis: adding attributes and relations to existing entities, performing association and content prediction for entities with high similarity, and reconstructing new entities into processing forms such as nodes.
In addition, after known malicious traffic data has been collected and analyzed and feature information obtained, the known malicious traffic data containing the features can be stored in a preset storage center. The preset storage center is not particularly limited; a multi-level storage structure such as HBase, Hive and MySQL can be adopted to speed up the system's response.
After the knowledge graph has been established from the malicious traffic features, it can be updated. When new malicious traffic is received, feature analysis is performed on it to obtain new malicious features, and a node corresponding to the new malicious traffic is then constructed in the knowledge graph to update it.
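The block below is an added example, not the patent's own design, of the knowledge-graph side of steps S106 and S201 to S203 together with the update step just described: entities carry the certificate, cipher-suite and DNS attributes the description names, similarity is computed as Jaccard overlap of (attribute, value) pairs, the detection result reports the most similar known entity together with the shared content (the "similar content and similarity" of the description), a missing attribute is filled from the most similar sample, and newly confirmed malicious traffic is inserted as a node linked to entities above a similarity threshold. Entity identifiers, attribute names and values are constructed placeholders, and the Jaccard measure and the 0.5 threshold are this example's assumptions.

```python
"""Added example (not from the patent): a minimal knowledge graph of known
malicious traffic with attribute similarity, content prediction and updates.
Entity ids, attribute names and values are constructed placeholders."""


class MaliciousTrafficGraph:
    def __init__(self):
        self.nodes = {}   # entity id -> attribute dict
        self.edges = {}   # entity id -> set of (relation, entity id)

    def add_node(self, node_id, attrs):
        self.nodes[node_id] = dict(attrs)
        self.edges.setdefault(node_id, set())

    def add_edge(self, src, relation, dst):
        self.edges.setdefault(src, set()).add((relation, dst))

    @staticmethod
    def similarity(a, b):
        """Jaccard similarity over (attribute, value) pairs, plus the shared
        pairs, which are reported as the 'similar content' of a detection."""
        pa, pb = set(a.items()), set(b.items())
        shared, union = pa & pb, pa | pb
        return (len(shared) / len(union) if union else 0.0), dict(shared)

    def detect(self, traffic_attrs):
        """Correlate one traffic sample against every known entity and report
        the closest match with its similarity and shared content."""
        ranked = []
        for node_id, attrs in self.nodes.items():
            score, shared = self.similarity(traffic_attrs, attrs)
            ranked.append((score, node_id, shared))
        if not ranked:
            return None
        ranked.sort(key=lambda t: (-t[0], t[1]))   # highest score, then stable by id
        score, node_id, shared = ranked[0]
        return {"best_match": node_id, "similarity": score, "similar_content": shared,
                "ranking": [(n, s) for s, n, _ in ranked]}

    def predict_missing(self, traffic_attrs):
        """Content prediction: attributes absent from the sample are filled from
        its most similar known entity (the 'similar sample' filling strategy)."""
        best = self.nodes[self.detect(traffic_attrs)["best_match"]]
        return {**best, **traffic_attrs}

    def ingest_new_malicious(self, node_id, attrs, threshold=0.5):
        """Update step: add a node for newly confirmed malicious traffic and link
        it both ways to existing entities whose similarity reaches the threshold."""
        result = self.detect(attrs)
        links = [n for n, s in result["ranking"] if s >= threshold] if result else []
        self.add_node(node_id, attrs)
        for other in links:
            self.add_edge(node_id, "similar_to", other)
            self.add_edge(other, "similar_to", node_id)
        return links


# Constructed known-malicious entities; attribute values are placeholders.
KNOWN_MALICIOUS = {
    "mal-001": {"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "self_signed": True,
                "san_count": 0, "validity_days": 365, "dns_ttl": 30},
    "mal-002": {"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "self_signed": False,
                "san_count": 1, "validity_days": 90, "dns_ttl": 3600},
    "mal-003": {"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "self_signed": True,
                "san_count": 0, "validity_days": 365, "dns_ttl": 60},
}

# Constructed attributes of one observed encrypted flow (output of the earlier steps).
OBSERVED = {"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "self_signed": True,
            "san_count": 0, "validity_days": 180, "dns_ttl": 30}


def build_graph():
    g = MaliciousTrafficGraph()
    for node_id, attrs in KNOWN_MALICIOUS.items():
        g.add_node(node_id, attrs)
    return g


if __name__ == "__main__":
    g = build_graph()
    print(g.detect(OBSERVED))
    print("linked to:", g.ingest_new_malicious("mal-004", OBSERVED))
```

Reporting the shared attribute pairs rather than only a score is what makes the result reviewable by an analyst: a high similarity driven solely by a common cipher suite reads very differently from one that also shares a self-signed certificate with an empty SAN and a short DNS TTL.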
The encrypted traffic detection system provided in the embodiment of the present application is introduced below; the system described below and the method described above may be referred to correspondingly.
Referring to fig. 2, which is a schematic structural diagram of an encrypted traffic detection system provided in an embodiment of the present application, the present application further provides an encrypted traffic detection system, including:
an acquisition module for collecting the encrypted traffic;
an analysis module for analyzing the encrypted traffic to obtain the traffic features of the encrypted traffic;
a feature processing module for applying type-specific feature processing according to the data types contained in the traffic features to obtain input data;
a feature extraction module for extracting feature data from the input data by using a CNN model;
a model training module for taking the feature data as the input of an LSTM algorithm and training to obtain an encrypted traffic detection model;
and a traffic detection module for performing correlation analysis between the encrypted traffic and the known malicious traffic data by using the encrypted traffic detection model to obtain a detection result for the encrypted traffic.
Based on the above embodiment, as a preferred embodiment, the system further includes:
a graph establishing module for establishing a knowledge graph of known malicious traffic and acquiring the known malicious traffic data from the knowledge graph.
Based on the above embodiment, as a preferred embodiment, the graph establishing module is a module for performing the following steps:
collecting and analyzing known malicious traffic data to obtain feature information; the feature information comprises at least one of flow features, packet features, certificate features and time features;
classifying the malicious traffic data containing the feature information by encrypted-traffic class to obtain malicious traffic features;
and establishing the knowledge graph according to the malicious traffic features.
Based on the above embodiment, as a preferred embodiment, the feature processing module includes:
a first processing unit for performing normalization and standardization on numerical traffic features;
a second processing unit for processing character-type traffic features by one-hot encoding;
a third processing unit for performing word segmentation on traffic features containing string descriptions;
and a fourth processing unit for processing Boolean traffic features by one-hot encoding.
Based on the above embodiment, as a preferred embodiment, the system further includes:
a storage module for storing the known malicious traffic data containing the features in a preset storage center.
Based on the foregoing embodiment, as a preferred embodiment, for use after the knowledge graph has been established according to the malicious traffic features, the system further includes:
an updating module for performing feature analysis on new malicious traffic to obtain new malicious features when the new malicious traffic is received, constructing a node corresponding to the new malicious traffic in the knowledge graph, and updating the knowledge graph.
The present application also provides a computer readable storage medium having stored thereon a computer program which, when executed, may implement the steps provided by the above-described embodiments. The storage medium may include various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The application also provides a server, which may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when it calls the computer program in the memory. Of course, the server may also include various network interfaces, power supplies, and the like.
The embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the others, and the same or similar parts among the embodiments may be referred to each other. Since the system provided by the embodiment corresponds to the method provided by the embodiment, its description is relatively brief, and the relevant points can be found in the description of the method.
The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that those skilled in the art can make several improvements and modifications to the present application without departing from its principles, and such improvements and modifications also fall within the scope of the claims of the present application.
It should also be noted that, in this specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.

Claims (8)

1. An encrypted traffic detection method, comprising:
collecting encrypted flow;
analyzing the encrypted flow to obtain the flow characteristics of the encrypted flow;
processing the data type contained in the flow characteristic by adopting a corresponding type of characteristic to obtain input data;
extracting characteristic data of the input data by using a CNN model;
taking the characteristic data as the input of an LSTM algorithm, and training to obtain an encrypted flow detection model;
performing correlation analysis on the encrypted traffic and known malicious traffic data by using the encrypted traffic detection model to obtain a detection result of the encrypted traffic;
before the encrypted traffic detection model is used to perform correlation analysis on the encrypted traffic and known malicious traffic data, the method further includes:
establishing a knowledge graph of known malicious flow, and acquiring the known malicious flow data from the knowledge graph;
wherein establishing a knowledge graph of known malicious traffic comprises:
collecting and analyzing known malicious flow data to obtain characteristic information; the characteristic information comprises at least one of flow characteristics, packet characteristics, certificate characteristics and time characteristics;
carrying out encrypted traffic classification on malicious traffic data containing the feature information to obtain malicious traffic features;
and establishing the knowledge graph according to the malicious flow characteristics.
2. The encrypted traffic detection method according to claim 1, wherein the processing of the corresponding type of feature according to the type of data included in the traffic feature includes:
carrying out normalization processing and standardization processing on the flow characteristics of the numerical data;
processing the flow characteristics of the character data by adopting onehot coding;
performing word segmentation processing on the flow characteristics containing the character string description;
and processing the flow characteristics of the Boolean type by adopting one-hot coding.
3. The encrypted traffic detection method according to claim 1, wherein after acquiring and analyzing known malicious traffic data and obtaining the feature information, the method further comprises:
and storing the known malicious traffic data containing the characteristic information to a preset storage center.
4. The encrypted traffic detection method according to claim 1, further comprising, after establishing the knowledge graph according to the malicious traffic features:
when new malicious traffic is received, performing feature analysis on the new malicious traffic to obtain new malicious traffic features;
and constructing a node corresponding to the new malicious traffic in the knowledge graph, thereby updating the knowledge graph.
5. The encrypted traffic detection method according to claim 1, wherein the detection result comprises the matched content and the similarity between the encrypted traffic and the known malicious traffic.
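Claims 1, 4 and 5 together describe a knowledge graph of known malicious traffic that is built from flow, packet, certificate and time features, extended with a new node when fresh malicious traffic is confirmed, and queried to return the matched content together with a similarity score. The Python below is an added example of that graph part only; it is not the patent's code, and the CNN/LSTM stage of claim 1 is not modelled. The graph is represented as a bipartite index between traffic nodes and feature nodes, similarity is Jaccard over shared feature nodes, and the records, feature keys and the 0.6 threshold are constructed assumptions:

```python
"""Knowledge graph of known malicious encrypted traffic: build it, add nodes for
newly confirmed malicious traffic, and correlate a new flow against it to get a
(content, similarity) detection result (claims 1, 4, 5).

Added example, not the patent's code. Bipartite index (traffic node <-> feature
node); similarity is Jaccard over shared feature nodes. Records are constructed
placeholders, not real indicators.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Features = Dict[str, str]  # "category:attribute" -> value

# Constructed known-malicious records covering the four feature categories the
# claims name: flow, packet, certificate and time features.
KNOWN_MALICIOUS: Dict[str, Features] = {
    "mal-001": {"flow:dst_port": "443", "packet:first_len": "517",
                "cert:issuer": "CN=localhost", "cert:self_signed": "yes",
                "time:beacon_period_s": "60"},
    "mal-002": {"flow:dst_port": "8443", "packet:first_len": "517",
                "cert:issuer": "CN=localhost", "cert:self_signed": "yes",
                "time:beacon_period_s": "300"},
    "mal-003": {"flow:dst_port": "443", "packet:first_len": "1024",
                "cert:issuer": "CN=Example CA", "cert:self_signed": "no",
                "time:beacon_period_s": "none"},
}

# Constructed queries: a beacon variant close to mal-001, and an unrelated flow.
NEW_BEACON_FLOW: Features = {"flow:dst_port": "443", "packet:first_len": "517",
                             "cert:issuer": "CN=localhost", "cert:self_signed": "yes",
                             "time:beacon_period_s": "120"}
UNKNOWN_FLOW: Features = {"flow:dst_port": "443", "packet:first_len": "1500",
                          "cert:issuer": "CN=Some Public CA", "cert:self_signed": "no",
                          "time:beacon_period_s": "none"}


class MaliciousTrafficGraph:
    def __init__(self) -> None:
        self.flow_nodes: Dict[str, Set[str]] = {}                   # traffic id -> feature node ids
        self.feature_nodes: Dict[str, Set[str]] = defaultdict(set)  # feature node id -> traffic ids

    @staticmethod
    def node_ids(features: Features) -> Set[str]:
        return {f"{key}={value}" for key, value in features.items()}

    @classmethod
    def build(cls, records: Dict[str, Features]) -> "MaliciousTrafficGraph":
        graph = cls()
        for flow_id, features in records.items():
            graph.add_flow(flow_id, features)
        return graph

    def add_flow(self, flow_id: str, features: Features) -> None:
        """Claim 4: create the node for newly confirmed malicious traffic and link
        it to every feature node it carries, creating feature nodes as needed."""
        ids = self.node_ids(features)
        self.flow_nodes[flow_id] = ids
        for nid in ids:
            self.feature_nodes[nid].add(flow_id)

    def correlate(self, features: Features, top_k: int = 3) -> List[Tuple[str, float, List[str]]]:
        """Rank known malicious traffic by Jaccard similarity of feature nodes.
        Only traffic sharing at least one feature node is scored (found through
        the inverted index), so cost grows with matches, not with graph size."""
        query = self.node_ids(features)
        candidates: Set[str] = set()
        for nid in query:
            candidates |= self.feature_nodes.get(nid, set())
        scored = []
        for flow_id in candidates:
            known = self.flow_nodes[flow_id]
            shared = query & known
            scored.append((flow_id, len(shared) / len(query | known), sorted(shared)))
        scored.sort(key=lambda item: (-item[1], item[0]))
        return scored[:top_k]

    def detect(self, features: Features, threshold: float = 0.6) -> Dict[str, object]:
        """Claim 5 shape: verdict plus the matched content and its similarity."""
        matches = self.correlate(features)
        if matches and matches[0][1] >= threshold:
            flow_id, sim, shared = matches[0]
            return {"verdict": "malicious", "matched": flow_id,
                    "similarity": sim, "content": shared}
        best = matches[0][1] if matches else 0.0
        return {"verdict": "unknown", "matched": None, "similarity": best, "content": []}


if __name__ == "__main__":
    graph = MaliciousTrafficGraph.build(KNOWN_MALICIOUS)
    print(graph.detect(NEW_BEACON_FLOW))        # matches mal-001 at 4/6
    print(graph.detect(UNKNOWN_FLOW))           # best is mal-003 at 3/7, below threshold
    graph.add_flow("mal-004", NEW_BEACON_FLOW)  # analyst confirms it; graph updated
    print(graph.detect(NEW_BEACON_FLOW))        # now an exact match on mal-004
```

Raw Jaccard treats every feature node equally, so a ubiquitous attribute such as flow:dst_port=443 counts as much as a rare self-signed issuer. In a production graph the feature nodes should be weighted by their rarity across the known malicious traffic (an IDF-style weight) or the similarity restricted to the certificate and time categories, and the threshold set against a labelled benign set rather than chosen by hand.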
6. An encrypted traffic detection system, comprising:
an acquisition module, configured to acquire the encrypted traffic;
an analysis module, configured to analyze the encrypted traffic to obtain traffic features of the encrypted traffic;
a feature processing module, configured to apply feature processing of the corresponding type according to the data type contained in the traffic features, to obtain input data;
a feature extraction module, configured to extract feature data from the input data using a CNN model;
a model training module, configured to train on the feature data as the input of an LSTM algorithm, to obtain an encrypted traffic detection model;
a traffic detection module, configured to perform correlation analysis between the encrypted traffic and known malicious traffic data using the encrypted traffic detection model, to obtain a detection result for the encrypted traffic;
and a graph building module, configured to establish a knowledge graph of known malicious traffic and to acquire the known malicious traffic data from the knowledge graph;
wherein the graph building module establishes the knowledge graph by:
collecting and analyzing known malicious traffic data to obtain feature information, the feature information comprising at least one of flow features, packet features, certificate features and time features;
performing encrypted traffic classification on the malicious traffic data containing the feature information to obtain malicious traffic features;
and establishing the knowledge graph according to the malicious traffic features.
7. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the encrypted traffic detection method according to any one of claims 1 to 5.
8. A server, characterized by comprising a memory in which a computer program is stored and a processor which, when calling the computer program in the memory, implements the steps of the encrypted traffic detection method according to any one of claims 1 to 5.
Priority Applications (1)

Application Number: CN202111137959.6A (CN113824729B, en)
Priority Date: 2021-09-27
Filing Date: 2021-09-27
Title: Encrypted flow detection method, system and related device

Publications (2)

Publication Number Publication Date
CN113824729A (en) 2021-12-21
CN113824729B (en) 2023-01-06

Family

ID=78921354

Country Status (1)

Country Link
CN (1) CN113824729B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116405330B (en) * 2023-06-08 2023-08-22 北京金睛云华科技有限公司 Network abnormal traffic identification method, device and equipment based on transfer learning

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109104441A (en) * 2018-10-24 2018-12-28 上海交通大学 Deep-learning-based detection system and method for encrypted malicious traffic
CN111277578A (en) * 2020-01-14 2020-06-12 西安电子科技大学 Encrypted flow analysis feature extraction method, system, storage medium and security device
CN111431939A (en) * 2020-04-24 2020-07-17 郑州大学体育学院 CTI-based SDN malicious traffic defense method and system
CN112163594A (en) * 2020-08-28 2021-01-01 南京邮电大学 Network encryption traffic identification method and device
CN112968872A (en) * 2021-01-29 2021-06-15 成都信息工程大学 Malicious flow detection method, system and terminal based on natural language processing

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11201877B2 (en) * 2018-12-11 2021-12-14 Cisco Technology, Inc. Detecting encrypted malware with SPLT-based deep networks

Similar Documents

Publication Publication Date Title
CN109960729B (en) Method and system for detecting HTTP malicious traffic
CN111935170B (en) Network abnormal flow detection method, device and equipment
CN111382623B (en) Live broadcast auditing method, device, server and storage medium
CN104506484A (en) Proprietary protocol analysis and identification method
CN110198248B (en) Method and device for detecting IP address
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
CN113542253B (en) Network flow detection method, device, equipment and medium
CN104639391A (en) Method for generating network flow record and corresponding flow detection equipment
CN109275045B (en) DFI-based mobile terminal encrypted video advertisement traffic identification method
CN111245784A (en) Method for multi-dimensional detection of malicious domain name
CN113824729B (en) Encrypted flow detection method, system and related device
CN113407886A (en) Network crime platform identification method, system, device and computer storage medium
CN113225339A (en) Network security monitoring method and device, computer equipment and storage medium
CN111131070B (en) Port time sequence-based network traffic classification method and device and storage medium
CN113111951A (en) Data processing method and device
CN115514558A (en) Intrusion detection method, device, equipment and medium
CN111447169B (en) Method and system for identifying malicious webpage in real time on gateway
CN111859127A (en) Subscription method and device of consumption data and storage medium
CN111080362A (en) Advertisement monitoring system and method
CN113965408B (en) Method, device, medium and equipment for extracting HTTP (hyper text transport protocol) message
CN116232696A (en) Encryption traffic classification method based on deep neural network
CN115037632A (en) Network security situation perception analysis system
CN114205816A (en) Information security architecture of power mobile Internet of things and use method thereof
CN113076355A (en) Method for sensing data security flow situation
CN112468509A (en) Deep learning technology-based automatic flow data detection method and device

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant