CN115589314A - Encrypted malicious traffic detection and attack identification method based on deep learning - Google Patents

Encrypted malicious traffic detection and attack identification method based on deep learning

Info

Publication number
CN115589314A
Authority
CN
China
Prior art keywords
malicious
encrypted
traffic
network
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211189345.7A
Other languages
Chinese (zh)
Inventor
王永起
吴兆龙
张文帅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tongzhi Weiye Software Co ltd
Original Assignee
Tongzhi Weiye Software Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tongzhi Weiye Software Co ltd
Priority to CN202211189345.7A
Publication of CN115589314A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Biophysics (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Molecular Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an encrypted malicious traffic detection and attack identification method based on deep learning, comprising the following steps. S1: an Internet of Things threat sensing terminal collects, in real time, the network traffic generated by Internet of Things devices in an industrial Internet of Things. S2: the network traffic collected by the threat sensing terminal is sent to an Internet of Things threat sensing analysis center, where it is identified by a malicious encrypted traffic detection model and a malicious encrypted traffic attack identification model, and the identification result is sent to an Internet of Things security management platform. S3: the Internet of Things security management platform forms a network attack surface from the identification result and the network traffic information, and visually displays the influence of an attack source on the network. The invention has high detection efficiency and high accuracy.

Description

Encrypted malicious traffic detection and attack identification method based on deep learning
Technical Field
The invention relates to the field of malicious traffic detection, in particular to an encrypted malicious traffic detection and attack identification method based on deep learning.
Background
With the development of information technology, Internet of Things devices have become widespread, but because of cost and practicality considerations, manufacturers often ignore the network security of these devices. Attackers use security vulnerabilities to infect large numbers of Internet of Things devices, build botnets, and launch Distributed Denial of Service (DDoS) attacks with the botnet as a springboard. The security problem in the Internet of Things field therefore needs to be solved urgently, and network attack traffic detection algorithms, as a branch of network security, urgently need updating. In addition, with the trend towards network traffic encryption, encryption technologies and protocols are widely applied, the network faces massive encrypted traffic, that traffic is complex and diverse, and traffic identification by intrusion detection systems in the Internet of Things becomes more difficult. Because the characteristics of encrypted traffic are different, traditional traffic detection is hard to reproduce in an encrypted environment, and methods such as deep packet inspection or pattern matching work poorly on encrypted traffic. How to effectively identify malicious traffic within encrypted traffic, without decryption, has therefore become an important challenge in network security.
Analysis of the current state of research on malicious encrypted traffic classification, combined with the Internet of Things application scenario and the existing detection schemes for encrypted malicious traffic, shows the following problems still to be addressed: 1) network attacks such as botnets, denial-of-service attacks and malicious encrypted traffic are large in volume and diverse in form, so the data characteristics of malicious encrypted traffic need to be studied in depth; 2) in feature extraction, under Internet of Things conditions the current feature methods struggle with massive Internet of Things data and the extracted features lag behind the traffic, so features must be extracted accurately while keeping extraction stable; 3) in detection-model classification, the detection model's application scenario is narrow, its generalization is weak, and the stability of its detection accuracy is poor. Therefore a malicious encrypted traffic detection method with high detection efficiency, high accuracy and strong robustness is needed.
Disclosure of Invention
Addressing the defects of the prior art, the invention provides an encrypted malicious traffic detection and attack identification method based on deep learning, which has high detection efficiency and high accuracy.
The technical scheme adopted by the invention to solve the technical problem is as follows:
the encrypted malicious traffic detection and attack identification method based on deep learning comprises the following steps:
s1: an Internet of Things threat sensing terminal collects, in real time, the network traffic generated by Internet of Things devices in an industrial Internet of Things;
s2: the network traffic collected by the Internet of Things threat sensing terminal is sent to an Internet of Things threat sensing analysis center, the network traffic is identified by a malicious encrypted traffic detection model and a malicious encrypted traffic attack identification model, and the identification result is sent to an Internet of Things security management platform;
first, the malicious encrypted traffic detection model trains a single-class classifier on the encrypted normal data set; the encrypted malicious data set is then fed to the single-class classifier, which identifies abnormal encrypted traffic, and that abnormal traffic is labelled again as encrypted malicious data; finally the identified encrypted malicious data set and the encrypted normal data set form a new data set on which binary-classification training is performed;
the malicious encrypted traffic attack identification model selects a normal traffic data set and a malicious traffic data set, filters unencrypted network traffic out of the data sets, extracts the packet time-sequence features of the encrypted network traffic, and establishes a malicious encrypted traffic attack fingerprint database; the data set is divided into a test data set and a training data set, the training data set is input into a GRU-DNN neural network model, the model's training result is matched against the known recognition result, and the model parameters are adjusted;
s3: the Internet of Things security management platform forms a network attack surface from the identification result and the network traffic information, and visually displays the influence of an attack source on the network.
Further, the single-class classifier is the One-Class SVM algorithm.
Further, the binary classifier is the XGBoost algorithm.
Further, in step S2, if the detection result of the malicious encrypted traffic detection model is consistent with the result of the malicious encrypted traffic attack recognition model, the network traffic is determined to be malicious encrypted traffic;
if the two results are not consistent, and the malicious encrypted traffic detection model reports malicious traffic while the malicious encrypted traffic attack identification model reports normal traffic, the network traffic is judged to be malicious traffic of unknown attack type and is stored in a malicious traffic sample library; and if the malicious encrypted traffic attack identification model reports malicious encrypted traffic while the malicious encrypted traffic detection model reports normal traffic, the traffic is judged to be malicious encrypted traffic.
The beneficial effects of the invention are as follows. The invention designs a malicious encrypted traffic detection model and a malicious encrypted traffic attack identification model, detects malicious encrypted traffic, and further detects the type of malicious attack. Test results show that the malicious encrypted traffic detection method achieves more than 98% accuracy and more than 99.8% recall, and has better robustness and applicability while maintaining the model's classification accuracy. Finally, the malicious encrypted traffic detection system designed by the invention not only shortens detection time but also obtains more accurate detection results, predicts unknown threats, and realizes network security situation awareness for the Internet of Things. The invention also designs an Internet of Things threat sensing terminal, an Internet of Things threat sensing analysis center and an Internet of Things security control platform, so that real-time, rapid detection and visual network threat sensing for Internet of Things devices are achieved, a malicious traffic sample database for self-incremental learning is established, and the harm caused by unknown malicious encrypted traffic is reduced.
Drawings
FIG. 1 is a flow chart of a malicious encrypted network traffic detection method of the present invention;
FIG. 2 is a malicious encrypted traffic detection model of the present invention;
FIG. 3 is a malicious encrypted traffic attack recognition model of the present invention;
FIG. 4 is a diagram of a GRU + DNN neural network model architecture according to the present invention;
FIG. 5 is a diagram of a GRU layer structure according to the present invention;
FIG. 6 is a system architecture diagram of the present invention;
FIG. 7 is a network attack analysis visualization interface of the present invention.
Detailed Description
For a better understanding of the present invention, embodiments of the present invention are explained in detail below with reference to fig. 1 to 7.
The invention provides a system and method for detecting and identifying encrypted malicious traffic based on deep learning. The system framework, shown in fig. 6, comprises an Internet of Things threat sensing terminal, an Internet of Things threat analysis center and an Internet of Things security management and control platform. The threat sensing terminal collects in real time the network traffic generated by Internet of Things devices in the industrial Internet of Things. The Internet of Things threat perception analysis center consists of a malicious encrypted network traffic detection model and a malicious network traffic attack identification model; it identifies malicious encrypted network traffic without decrypting it, using SSL/TLS protocol features, packet time-sequence features and DGA domain-name features, and then builds a malicious network attack database from the data characteristics of malicious attack traffic, where the network attacks include password attacks, denial-of-service (DoS) attacks, botnets and the like. In this way the network threat behaviours present in Internet of Things devices in the industrial Internet of Things are detected effectively, and a real-time, automated and visual malicious encrypted traffic detection system is established.
The Internet of Things threat analysis center performs deep analysis of the network traffic generated by Internet of Things devices in the industrial Internet of Things. By analysing network protocols such as TCP (Transmission Control Protocol), SSL (Secure Sockets Layer) and UDP (User Datagram Protocol), it deploys several detection-model working units based on machine learning, deep learning and the like, identifies malicious encrypted network traffic, and further identifies the encrypted malicious network traffic produced by export command attacks, SQL (Structured Query Language) injection, denial-of-service attacks, distributed denial-of-service attacks and botnet attacks. The identified network traffic and the detection-model results are sent to the Internet of Things security control platform, which displays the influence of an attack source on the network. A malicious sample database suitable for self-incremental learning is built, the malicious encrypted network traffic detection model and the attack identification model are continuously updated, and the robustness and applicability of the malicious encrypted traffic detection model are enhanced, forming a real-time, automated and visual malicious encrypted traffic detection system.
The detection and attack identification method of the invention is as follows:
in the data acquisition and supervisory control system of the Internet of Things, an Internet of Things threat sensing terminal is deployed to collect in real time the network traffic generated by Internet of Things devices;
the network traffic collected by the threat sensing terminal is sent to the Internet of Things threat sensing analysis center, which runs in a multi-threaded mode and starts several working units; the working units comprise a malicious encrypted traffic detection model and a malicious encrypted traffic attack recognition model, they identify the network traffic, and the recognition result is sent to the Internet of Things security management platform.
Malicious encrypted traffic detection: after the malicious encrypted traffic attack recognition model receives the network traffic, it preprocesses it, extracts features of the network traffic data according to TLS protocol features, server certificate features, DNS domain-name features and packet time-sequence features respectively, finally runs the detection model, and sends the detection result to the Internet of Things threat perception analysis center.
The detection result of each detection model is sent to the Internet of Things threat perception analysis center, which judges according to the classification results of the several classifiers, identifies the malicious encrypted network flow information (source IP address, destination port and source port), and sends the judgment result to the Internet of Things security management platform;
the Internet of Things security management and control platform forms a network attack surface from the identification result and the network traffic information, visually displays the influence of an attack source on the network, continuously collects malicious encrypted network traffic, and builds a malicious sample database suitable for self-incremental learning, which is used to update the detection model and enhance its robustness and generality.
As shown in fig. 1 and fig. 2, in the malicious encrypted network traffic detection method, effective feature values are extracted from the TLS protocol's handshake-stage information, server certificate information, network packet statistical features and DNS domain-name information. Combined with a machine learning and deep learning model framework, and using the learning and generalization ability of the model, malicious encrypted traffic is distinguished from normal encrypted traffic, and malicious traffic from normal traffic, from the perspective of the network packet, the data stream and the DNS domain-name information. This builds a malicious traffic sample database suitable for self-incremental learning, ensures the accuracy of the malicious encrypted traffic detection method, and gives the model incremental learning ability.
By studying in depth the characteristics of malicious encrypted traffic without decrypting the encrypted network traffic, effective feature values are extracted from the TLS protocol's handshake-stage information, certificate information, HTTP header information and DNS response information, and the features of malicious encrypted traffic and normal traffic are then distinguished effectively by combining an anomaly detection method with a binary detection method. Finally, the malicious encrypted traffic detection model is established and deployed to the Internet of Things threat sensing terminal, malicious and benign traffic in the network are distinguished dynamically in real time, and the malicious threats received by Internet of Things devices are detected.
The malicious encrypted traffic detection model distinguishes malicious encrypted traffic from normal encrypted traffic, and a binary-classification malicious encrypted traffic detection model is established. In the model the data features are determined first: from deep analysis of malicious encrypted traffic characteristics, 12 representative data features with strong real-time properties are determined by combining TLS handshake features, certificate features and domain-name features, as shown in Table 1 below:
TABLE 1 (the 12 data features; rendered as an image in the original and not reproduced here)
Secondly, after the data features are determined, a suitable model is selected for training and parameter tuning; the model selected is a binary-classification XGBoost model:
First, the data set is selected. It consists of an encrypted malicious data set and an encrypted normal data set: the encrypted malicious data set is network traffic generated by malware attacking the Internet of Things device side in a sandbox environment, and the encrypted normal data set is network traffic generated by Internet of Things devices that have not been attacked by malware; both consist of pcap files;
Second, data feature extraction: the packet information in the pcap file is filtered, the handshake-stage information of the TLS protocol is extracted, the data features of the network traffic pcap file are extracted in combination with handshake-stage protocol features such as the TLS cipher suite, the certificate and the domain-name information, and finally the extracted data features are stored as a csv file.
Third, a clearly normal data set, i.e. encrypted network traffic that was not generated by malware attacking the Internet of Things device, is selected from the data set, so that the malicious encrypted traffic detection model first trains a single-class classifier on the encrypted normal data set, then feeds the encrypted malicious data set to the single-class classifier, which recognizes abnormal encrypted traffic, and that abnormal traffic is labelled again as encrypted malicious data. The purpose is that not only is a more representative sample of malicious encrypted traffic obtained, but the robustness of the malicious encrypted traffic detection model is also enhanced. Finally, the identified encrypted malicious data set and the encrypted normal data set form a new data set on which binary-classification training is performed. The single-class classifier is the One-Class SVM algorithm and the binary classifier is the XGBoost algorithm; this improves the accuracy of malicious encrypted traffic detection and gives better robustness and applicability while maintaining classification accuracy.
Fourth, according to the selected data feature file, the data set is divided into a training data set (80%) and a test data set (20%). The training data set is input into the model from the third step, the model's training result is matched against the known recognition result, and the model parameters are adjusted to improve detection accuracy.
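The second step above extracts handshake-stage TLS features (cipher suite, server name, extensions) from each pcap flow and writes them to a csv file without decrypting anything. The following added example, which is not code from the patent or its assignee, shows how such features are read out of a plaintext ClientHello. The `build_client_hello` helper only constructs a sample record so the parser has deterministic input; the feature names and the csv column order are assumptions, since the patent's Table 1 is not reproduced on this page.

```python
import struct
from typing import Dict, List, Optional, Sequence

# All inputs below are constructed in code; nothing here is captured traffic.


def build_client_hello(server_name: Optional[str], cipher_suites: Sequence[int],
                       extra_extensions: Sequence[int] = ()) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello record so the parser has a
    deterministic, self-contained input (constructed sample data)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name    # host_name type 0
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # server_name extension
    for ext_type in extra_extensions:
        exts += struct.pack("!HH", ext_type, 0)                       # empty extension body
    body = (b"\x03\x03" + bytes(32)                      # client_version, random (zeros)
            + b"\x00"                                     # empty session id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class _Reader:
    """Bounds-checked cursor; a truncated record raises instead of misreading."""
    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ClientHello")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")


def extract_client_hello_features(record: bytes) -> Dict[str, object]:
    """Pull handshake-stage features (version, cipher suites, extensions, SNI)
    from the plaintext ClientHello without decrypting anything."""
    r = _Reader(record)
    if r.u8() != 0x16:
        raise ValueError("not a TLS handshake record")
    r.u16()                                   # record-layer version
    r.u16()                                   # record length
    if r.u8() != 0x01:
        raise ValueError("not a ClientHello")
    r.u24()                                   # handshake length
    client_version = r.u16()
    r.take(32)                                # client random
    session_id_len = r.u8()
    r.take(session_id_len)
    suites_len = r.u16()
    suites = [r.u16() for _ in range(suites_len // 2)]
    r.take(r.u8())                            # compression methods
    ext_types: List[int] = []
    sni: Optional[str] = None
    if r.pos < len(record):                   # extensions block is optional
        ext_end = r.pos + r.u16()
        while r.pos < ext_end:
            ext_type, ext_len = r.u16(), r.u16()
            data = r.take(ext_len)
            ext_types.append(ext_type)
            if ext_type == 0x0000 and ext_len >= 5:   # server_name: list_len, type, name_len, name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {
        "client_version": f"0x{client_version:04x}",
        "session_id_len": session_id_len,
        "n_cipher_suites": len(suites),
        "cipher_suites": [f"0x{cs:04x}" for cs in suites],
        "offers_tls13_suite": any(0x1301 <= cs <= 0x1305 for cs in suites),
        "n_extensions": len(ext_types),
        "extension_types": ext_types,
        "has_sni": sni is not None,
        "sni": sni,
        "sni_labels": len(sni.split(".")) if sni else 0,
    }


def features_to_csv_row(f: Dict[str, object]) -> str:
    """Flatten one feature dict into the csv line the training step consumes (assumed columns)."""
    return ",".join(str(f[k]) for k in ("client_version", "session_id_len", "n_cipher_suites",
                                        "offers_tls13_suite", "n_extensions", "has_sni",
                                        "sni_labels"))


if __name__ == "__main__":
    sample = build_client_hello("update.example.com", [0xC02F, 0x1301], [0x000D, 0x002B])
    print(features_to_csv_row(extract_client_hello_features(sample)))
```

The bounds-checked reader matters in a detection pipeline: a malformed or cut-off handshake should produce an explicit error (and a "could not parse" feature) rather than silently yielding a plausible-looking row that the classifier then scores.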
The malicious network traffic attack identification model and the attack identification method based on deep learning are described in detail below.
In this method, under HTTP and HTTPS conditions, malicious network traffic of known attack types such as password attacks, SQL injection, denial-of-service attacks, distributed denial-of-service attacks and botnet attacks is analysed; several network packet statistical features such as packet duration, packet count, byte count and packet length are used to construct a network threat attack sample fingerprint database for the Internet of Things; the feature differences between normal and malicious traffic are distinguished using the ability of a deep learning neural network model to learn data features automatically, and the difference between malicious encrypted traffic and unencrypted malicious traffic is recognized effectively. A detection model with high accuracy and robustness is thus established and deployed to the Internet of Things threat analysis center, and the encrypted attacks suffered by the device are detected dynamically in real time.
The malicious encrypted traffic attack identification method learns, by deep learning, the data characteristics of the different attack types of malicious encrypted traffic, where the attack types include botnet attacks, denial-of-service attacks, SQL injection attacks, malicious encrypted traffic attacks and the like, so that the characteristics of malicious encrypted traffic are analysed in depth and the accuracy of detecting malicious encrypted traffic is improved.
The malicious encrypted traffic attack identification method is shown in fig. 3:
First, a data set is selected. It consists of a normal traffic data set and a malicious traffic data set: the malicious traffic data set is the network traffic generated after a known malware family attacks the Internet of Things device in a sandbox environment, and the normal traffic is the network traffic generated when the Internet of Things device is not attacked by malware;
Second, data feature selection: unencrypted network traffic is filtered out of the data set, leaving only encrypted network traffic. Then, according to TCP protocol features, the packet time-sequence features of the encrypted network traffic are extracted, several network flow statistical features such as duration, packet count, byte count and packet length are extracted, and an n × 80 matrix malicious encrypted traffic attack fingerprint library is built, where n is the number of network packets and 80 is the number of data features per packet. This feature extraction method lets the detection model fully analyse the data features of each packet, without the hidden risk of delayed detection.
The data features of a packet are as in Table 2:
TABLE 2 (the 80 per-packet data features; rendered as an image in the original and not reproduced here)
Third, a malicious encrypted traffic attack recognition model based on deep learning is constructed. Because the data features are extracted in time sequence, a deep-learning time-series classification model is proposed, and a multi-layer learning model is built to learn more useful features; a deep learning model based on a gated recurrent unit (GRU) network and a deep neural network (DNN) is therefore chosen, which can effectively recognize the network traffic attack type. As shown in fig. 4 and 5, the model consists of two GRU layers, four dropout layers, two Dense layers and a fully connected layer, plus an activation function. A GRU layer has only two gate structures, an update gate and a reset gate, and fewer parameters, so using GRU layers saves time and improves training efficiency when hardware computing capacity is limited.
Fourth, the data set is divided into a test data set and a training data set, the training data set being 80% and the test data set 20%. The training data set is input into the model from the third step, the model's training result is matched against the known recognition result, and the model parameters are adjusted to improve detection accuracy.
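The second and fourth steps above (drop unencrypted flows, turn each encrypted flow into an n × 80 per-packet time-sequence matrix with flow statistics such as duration, packet count, byte count and packet length, then split 80/20) are illustrated by the following added example, which is not code from the patent or its assignee. The six per-packet features and the `looks_like_tls` filter are this example's assumptions: Table 2 is not reproduced on this page, so the real 80-column layout is unknown, and the patent does not say how it recognizes unencrypted traffic. The five-packet flow is constructed, not captured.

```python
import random
from typing import List, Sequence, Tuple

# A packet is (time since capture start in seconds, direction, payload length).
# direction +1 = device to server, -1 = server to device. Constructed, not captured.
Packet = Tuple[float, int, int]

# Assumed width of one row; the patent's fingerprint library uses 80 features per packet.
FEATURES_PER_PACKET = 6


def looks_like_tls(first_payload: bytes) -> bool:
    """Filter step (assumed rule): keep a flow only if its first payload bytes form a
    TLS handshake record header (type 0x16, major version 0x03); others are unencrypted."""
    return len(first_payload) >= 3 and first_payload[0] == 0x16 and first_payload[1] == 0x03


def packet_matrix(packets: Sequence[Packet], n: int) -> List[List[float]]:
    """Build the n x FEATURES_PER_PACKET matrix: one row per packet in time order,
    truncated to the first n packets or zero-padded so every flow has the same shape."""
    rows: List[List[float]] = []
    start = packets[0][0] if packets else 0.0
    prev, cum_bytes = start, 0
    for i, (ts, direction, length) in enumerate(packets[:n]):
        cum_bytes += length
        rows.append([
            float(i),          # position of the packet in the flow
            ts - start,        # elapsed time since the first packet
            ts - prev,         # inter-arrival time
            float(direction),  # direction
            float(length),     # payload length
            float(cum_bytes),  # cumulative bytes so far
        ])
        prev = ts
    while len(rows) < n:
        rows.append([0.0] * FEATURES_PER_PACKET)
    return rows


def flow_stats(packets: Sequence[Packet]) -> dict:
    """Flow-level statistics named in the text: duration, packet count,
    byte count and mean packet length."""
    if not packets:
        return {"duration": 0.0, "packets": 0, "bytes": 0, "mean_len": 0.0}
    total = sum(p[2] for p in packets)
    return {
        "duration": packets[-1][0] - packets[0][0],
        "packets": len(packets),
        "bytes": total,
        "mean_len": total / len(packets),
    }


def split_dataset(samples: Sequence, train_fraction: float = 0.8, seed: int = 0):
    """Deterministic 80/20 split of labelled samples into training and test sets."""
    order = list(range(len(samples)))
    random.Random(seed).shuffle(order)
    cut = int(len(samples) * train_fraction)
    return [samples[i] for i in order[:cut]], [samples[i] for i in order[cut:]]


if __name__ == "__main__":
    # Constructed five-packet flow and its first payload bytes.
    flow = [(0.0, 1, 517), (0.012, -1, 1400), (0.013, -1, 900), (0.020, 1, 93), (0.031, 1, 200)]
    if looks_like_tls(b"\x16\x03\x01\x02\x00"):
        for row in packet_matrix(flow, 8):
            print(row)
        print(flow_stats(flow))
```

Fixing the matrix to the first n packets is what lets the model score a flow as soon as those packets arrive, which is the "no delayed detection" property the text claims; a flow-level summary such as `flow_stats` is only complete once the flow ends. The seeded split keeps training and test sets reproducible between runs.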
The invention designs an Internet of Things threat sensing terminal, an Internet of Things threat sensing center and an Internet of Things security control platform. The Internet of Things threat sensing center acquires in real time the network traffic generated by the Internet of Things devices, inputs the acquired traffic into the Internet of Things threat sensing analysis center, identifies the traffic automatically, sends the detected traffic and the detection result to the Internet of Things security control platform, forms a network attack surface from the detection result and the network traffic information, and visually displays the influence of the attack source on the network.
In the invention, two detection models, a malicious encrypted traffic detection model and a malicious encrypted traffic attack identification model, are designed in the Internet of Things threat perception analysis center. The malicious encrypted traffic detection model is an anomaly detector that distinguishes normal encrypted traffic from malicious encrypted traffic; the malicious encrypted traffic attack identification model further identifies the attack type of the malicious encrypted traffic. The attack identification model's result for the network traffic is compared with the malicious encrypted traffic detection result, and the two models' results are integrated to judge whether the traffic is malicious encrypted traffic. The judgment process is as follows: if the malicious encrypted traffic detection result is consistent with the attack model's result, the traffic is judged to be malicious encrypted traffic; if the two results are inconsistent, and the detection result is malicious traffic while the attack model's result is normal traffic, the traffic is judged to be malicious traffic of unknown attack type and is stored in the malicious traffic sample library; and if the attack model's result is malicious encrypted traffic while the detection result is normal, the traffic is judged to be malicious encrypted traffic, taking the attack model's result as the standard.
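The judgment process just described, together with the step in the detailed description that reports the flow's (source IP address, destination port, source port) and stores unknown-type flows in the sample library, is shown below as an added example; it is not code from the patent or its assignee. The record layout, the attack-type labels and the four constructed flows are this example's assumptions, and the two model outputs are supplied as already-computed values rather than produced by a classifier.

```python
from dataclasses import dataclass
from typing import List, Optional

# One flow as seen by the analysis center: the flow information the text names
# (source IP, destination port, source port) plus the two models' outputs (assumed layout).
@dataclass
class FlowResult:
    src_ip: str
    dst_port: int
    src_port: int
    detector_malicious: bool      # malicious encrypted traffic detection model (anomaly detector)
    attack_type: Optional[str]    # attack identification model; None means "normal"


@dataclass
class Verdict:
    malicious: bool
    attack_type: Optional[str]    # None = unknown attack type, or normal traffic
    reason: str


def fuse(r: FlowResult) -> Verdict:
    """Apply the judgment process from the text to one flow."""
    attack_model_malicious = r.attack_type is not None
    if r.detector_malicious and attack_model_malicious:
        return Verdict(True, r.attack_type, "both models report malicious")
    if not r.detector_malicious and not attack_model_malicious:
        return Verdict(False, None, "both models report normal")
    if r.detector_malicious:
        # Detector says malicious, attack model sees no known type: unknown attack type.
        return Verdict(True, None, "unknown attack type")
    # Attack model recognizes a type while the detector says normal: attack model prevails.
    return Verdict(True, r.attack_type, "attack model result taken as standard")


class ThreatAnalysisCenter:
    """Runs the fusion and keeps the malicious-traffic sample library that
    unknown-type flows are stored in for later incremental retraining."""
    def __init__(self) -> None:
        self.sample_library: List[FlowResult] = []

    def judge(self, r: FlowResult) -> Verdict:
        v = fuse(r)
        if v.malicious and v.attack_type is None:
            self.sample_library.append(r)
        return v

    def judge_all(self, results) -> List[Verdict]:
        return [self.judge(r) for r in results]


if __name__ == "__main__":
    # Constructed model outputs for four flows, one per branch of the decision.
    center = ThreatAnalysisCenter()
    for v in center.judge_all([
        FlowResult("10.0.0.5", 443, 50112, True, "botnet"),
        FlowResult("10.0.0.6", 443, 50113, False, None),
        FlowResult("10.0.0.7", 8443, 50114, True, None),
        FlowResult("10.0.0.8", 443, 50115, False, "dos"),
    ]):
        print(v)
    print(len(center.sample_library), "flow(s) stored in the sample library")
```

The asymmetry is the point worth noticing: a disagreement never resolves to "normal". When only the anomaly detector fires, the flow is kept as an unlabelled malicious sample for retraining; when only the attack model fires, its label wins. Either branch raises the system's false-positive exposure, so in practice the sample library should be reviewed before it is used to retrain the detector.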

Claims (4)

1. The encrypted malicious traffic detection and attack identification method based on deep learning is characterized by comprising the following steps:
S1: an Internet of Things threat sensing terminal collects, in real time, the network traffic generated by Internet of Things devices in an industrial Internet of Things;
S2: the network traffic collected by the Internet of Things threat sensing terminal is sent to an Internet of Things threat sensing analysis center, where it is identified by a malicious encrypted traffic detection model and a malicious encrypted traffic attack identification model, and the identification result is sent to an Internet of Things security management platform;
the malicious encrypted traffic detection model first trains a single classifier on an encrypted normal data set, then feeds the encrypted malicious data set into the single classifier for identification; the encrypted traffic flagged as abnormal is relabelled as encrypted malicious data, this identified encrypted malicious data set and the encrypted normal data set are combined into a new data set, and a binary classifier is trained on it;
the malicious encrypted traffic attack identification model selects a normal traffic data set and a malicious traffic data set, filters out the unencrypted network traffic in those data sets, extracts time-sequence features of the packets of the encrypted network traffic, and builds a malicious encrypted traffic attack fingerprint database; the data set is split into a test data set and a training data set, the training data set is fed into a GRU-DNN neural network model, the model's training result is matched and optimized against the known identification result, and the model parameters are adjusted;
S3: the Internet of Things security management platform builds a network attack surface from the identification result and the network traffic information, and visually displays the influence of an attack source on the network.
2. The deep learning-based encrypted malicious traffic detection and attack identification method according to claim 1, wherein the single classifier is the One-Class SVM algorithm.
3. The deep learning-based encrypted malicious traffic detection and attack identification method according to claim 1, wherein the binary classifier is the XGBoost algorithm.
4. The deep learning-based encrypted malicious traffic detection and attack identification method according to claim 1, wherein in step S2, if the results of the malicious encrypted traffic detection model and the malicious encrypted traffic attack identification model are consistent, the network traffic is determined to be malicious encrypted traffic;
if the two results are inconsistent and the malicious encrypted traffic detection model reports malicious traffic while the malicious encrypted traffic attack identification model reports normal traffic, the network traffic is judged to be malicious traffic of an unknown attack type and is stored in the malicious traffic sample library; and if the malicious encrypted traffic attack identification model reports malicious encrypted traffic while the malicious encrypted traffic detection model reports normal traffic, the network traffic is judged to be malicious encrypted traffic.
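The following is an added worked example, not code from the patent or its assignee. It sketches, in plain Python, two of the claimed steps: dropping unencrypted flows and extracting packet time-sequence features as in step S2 of claim 1, and the two-model decision rule of claim 4 that combines the anomaly detector's verdict with the attack identification model's verdict. The TLS record-header check, the concrete feature set, the attack-type labels (`ddos`, `port_scan`), and the branch where both models report normal traffic are my assumptions; the packets are constructed sample records, not a capture, and the model outputs in the demo are stand-ins for the One-Class SVM / XGBoost detector and the GRU-DNN attack model.

```python
"""Added example (not code from the patent or its assignee): a pure-Python
sketch of two steps of the claimed pipeline.

1. Filtering a captured flow down to encrypted (TLS) traffic and extracting
   packet time-sequence features, as in step S2 of claim 1.
2. The two-model decision rule of claim 4 that fuses the anomaly detector's
   verdict with the attack identification model's verdict.

Assumptions: the TLS record-header heuristic, the concrete feature set, the
attack-type labels and the 'both models say normal' branch are mine; the
packets are constructed samples, not a real capture."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp in seconds
    outbound: bool   # True if sent by the monitored IoT device
    length: int      # transport payload length in bytes (0 for bare ACK/SYN)
    payload: bytes   # leading bytes of the transport payload


def looks_like_tls(pkt: Packet) -> bool:
    """TLS record header: content type 0x14..0x17, then major version 0x03."""
    p = pkt.payload
    return len(p) >= 3 and 0x14 <= p[0] <= 0x17 and p[1] == 0x03


def is_encrypted_flow(flow: List[Packet]) -> bool:
    """Keep a flow only if its first payload-bearing packet is a TLS Handshake
    record (content type 0x16); anything else is treated as unencrypted."""
    for pkt in sorted(flow, key=lambda p: p.ts):
        if pkt.length > 0:
            return looks_like_tls(pkt) and pkt.payload[0] == 0x16
    return False


def sequence_features(flow: List[Packet]) -> Dict[str, object]:
    """Time-sequence features a GRU-DNN could consume: the signed packet
    length sequence (negative = inbound), inter-arrival gaps and summaries."""
    pkts = sorted(flow, key=lambda p: p.ts)
    signed = [p.length if p.outbound else -p.length for p in pkts]
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    return {
        "n_packets": len(pkts),
        "bytes_out": sum(p.length for p in pkts if p.outbound),
        "bytes_in": sum(p.length for p in pkts if not p.outbound),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "std_gap": pstdev(gaps) if gaps else 0.0,
        "signed_lengths": signed,
    }


@dataclass
class Verdict:
    malicious: bool
    attack_type: Optional[str]   # None when not malicious or of unknown type
    stored_sample: bool          # True if the flow went to the sample library


def fuse_verdicts(features: Dict[str, object], detector_malicious: bool,
                  attack_label: str,
                  sample_library: List[Dict[str, object]]) -> Verdict:
    """Decision rule of claim 4. `attack_label` is "normal" or the attack type
    name returned by the attack identification model."""
    attack_malicious = attack_label != "normal"
    if detector_malicious and attack_malicious:
        # both models agree: malicious, with the identified attack type
        return Verdict(True, attack_label, False)
    if detector_malicious and not attack_malicious:
        # anomaly without a known fingerprint: unknown attack type; keep the
        # sample so the attack model can be retrained on it later
        sample_library.append(features)
        return Verdict(True, None, True)
    if attack_malicious:
        # detector missed it but a fingerprint matched: attack model prevails
        return Verdict(True, attack_label, False)
    return Verdict(False, None, False)   # assumption: both normal -> normal


def sample_flows() -> Dict[str, List[Packet]]:
    """Constructed packet records: one TLS session and one plaintext HTTP
    exchange. Lengths and timestamps are illustrative, not captured."""
    tls = [
        Packet(0.000, True, 517, b"\x16\x03\x01\x02\x00\x01"),    # ClientHello
        Packet(0.045, False, 1400, b"\x16\x03\x03\x00\x7a\x02"),  # ServerHello
        Packet(0.050, True, 0, b""),                              # bare ACK
        Packet(0.120, True, 93, b"\x17\x03\x03\x00\x58"),         # app data
        Packet(0.200, False, 300, b"\x17\x03\x03\x01\x27"),       # app data
    ]
    http = [
        Packet(0.000, True, 120, b"GET / HTTP/1.1\r\n"),
        Packet(0.030, False, 800, b"HTTP/1.1 200 OK\r\n"),
    ]
    return {"tls": tls, "http": http}


if __name__ == "__main__":
    library: List[Dict[str, object]] = []
    for name, flow in sample_flows().items():
        if not is_encrypted_flow(flow):
            print(f"{name}: unencrypted, filtered out")
            continue
        feats = sequence_features(flow)
        # stand-in model outputs; a deployment would call the One-Class SVM /
        # XGBoost detector and the GRU-DNN attack model here
        print(name, fuse_verdicts(feats, True, "normal", library), len(library))
```

The point worth noticing for detection engineering is the second branch: an anomaly the attack model cannot name is still treated as malicious, and its features are retained so the fingerprint model can be retrained, which is how the scheme keeps coverage of attack types it has not seen yet.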

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211189345.7A CN115589314A (en) 2022-09-28 2022-09-28 Encrypted malicious traffic detection and attack identification method based on deep learning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211189345.7A CN115589314A (en) 2022-09-28 2022-09-28 Encrypted malicious traffic detection and attack identification method based on deep learning

Publications (1)

Publication Number Publication Date
CN115589314A true CN115589314A (en) 2023-01-10

Family

ID=84778155

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211189345.7A Pending CN115589314A (en) 2022-09-28 2022-09-28 Encrypted malicious traffic detection and attack identification method based on deep learning

Country Status (1)

Country Link
CN (1) CN115589314A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116506216A (en) * 2023-06-19 2023-07-28 国网上海能源互联网研究院有限公司 Lightweight malicious flow detection and evidence-storage method, device, equipment and medium
CN116506216B (en) * 2023-06-19 2023-09-12 国网上海能源互联网研究院有限公司 Lightweight malicious flow detection and evidence-storage method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Wang Yongqi; Wu Zhaolong; Zhang Wenshuai; Sun Jianshan
Inventor before: Wang Yongqi; Wu Zhaolong; Zhang Wenshuai