CN116418754A - Method and device for identifying encryption application and electronic equipment - Google Patents


Info

Publication number
CN116418754A
Authority
CN
China
Prior art keywords
sample
encryption
traffic
related information
attribute information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111676389.8A
Other languages
Chinese (zh)
Inventor
任玉坤
刘燚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Guancheng Technology Co ltd
Original Assignee
Beijing Guancheng Technology Co ltd
Application filed by Beijing Guancheng Technology Co ltd filed Critical Beijing Guancheng Technology Co ltd
Priority to CN202111676389.8A priority Critical patent/CN116418754A/en
Publication of CN116418754A publication Critical patent/CN116418754A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2475 Traffic characterised by specific attributes, e.g. priority or QoS for supporting traffic characterised by the type of applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2441 Traffic characterised by specific attributes, e.g. priority or QoS relying on flow classification, e.g. using integrated services [IntServ]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/24 Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483 Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method, a device and electronic equipment for identifying an encryption application. The method comprises the following steps: acquiring a plurality of samples of encrypted traffic and determining the category of each sample; extracting sample attribute information from the samples of encrypted traffic and preprocessing it to obtain sample features; and inputting the sample features into a preset model for training, generating an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs. In the method, device and electronic equipment provided by the embodiments of the invention, the sample attribute information of the sample encrypted traffic is preprocessed, and in particular the sample communication duration and the sample communication packet information undergo derivation processing, so that richer sample features are obtained and the accuracy of the identification model built on those features is improved. A large amount of data can be processed rapidly, the waste of manual effort is reduced, the false alarms caused by manually written rules are avoided, and identification efficiency is high.

Description

Method and device for identifying encryption application and electronic equipment
Technical Field
The present invention relates to the field of network security and encrypted traffic detection technologies, and in particular, to a method, an apparatus, an electronic device, and a computer readable storage medium for identifying an encrypted application.
Background
To protect personal privacy, more and more network applications use encryption protocols for transmission. Network traffic processed by an encryption protocol is called encrypted traffic. While it protects the privacy of ordinary users, encrypted traffic also poses great challenges to network traffic security detection.
Currently, when the category of an encryption application needs to be identified, the identification is generally performed by manually writing rules and matching against them. However, manually written rules are only suitable for encrypted traffic with a relatively regular structure and strong regularity; for irregular encrypted traffic without a consistent pattern they are prone to false alarms, so the category of the encryption application cannot be identified accurately. Moreover, this approach needs a dedicated rule for each application, so identification is slow and inefficient when the categories of many encryption applications must be identified. In addition, manually written rules depend on human experience, which increases the developer's workload to some extent and makes the identification result sensitive to the developer's skill and experience, so that it is not sufficiently objective or accurate.
Disclosure of Invention
In order to solve the existing technical problems, embodiments of the present invention provide a method, an apparatus, an electronic device, and a computer readable storage medium for identifying an encryption application.
In a first aspect, an embodiment of the present invention provides a method for identifying an encryption application, including: obtaining a plurality of samples of encrypted traffic and determining the category of each sample, where the category of a sample of encrypted traffic is the category of the encryption application to which it belongs; extracting sample attribute information from the samples of encrypted traffic and preprocessing it to obtain sample features, where the sample attribute information includes the sample communication duration and the sample communication packet information within that duration, and the preprocessing includes derivation processing of the sample communication duration and the sample communication packet information; and inputting the sample features into a preset model for training to generate an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs, the identification model being used to determine the category of the encryption application to which encrypted traffic to be identified belongs.
Optionally, the derivation processing of the sample communication duration and the sample communication packet information includes: counting the sample communication packet information within the sample communication duration over a plurality of communication time periods to obtain sample communication packet features, and using the sample communication packet features as sample features, where the sample communication packet features represent the sample communication packet information in each communication time period.
Optionally, the sample attribute information further includes at least one of sample encryption protocol related information, sample client related information, sample certificate related information, and sample communication traffic related information; and preprocessing the sample attribute information includes: performing missing value processing and/or normalization processing on at least one of the sample encryption protocol related information, the sample client related information, the sample certificate related information and the sample communication traffic related information.
Optionally, inputting the sample features into a preset model for training and generating an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs includes: determining algorithm parameters of a preset algorithm based on the sample features and the preset algorithm to obtain the preset model, where the algorithm parameters are the parameters that determine the preset model; and inputting the sample features into the preset model for training to obtain model parameters of the preset model, and generating, based on the model parameters, an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs.
Optionally, after generating the identification model capable of identifying the category of the encryption application to which encrypted traffic belongs, the method further includes: acquiring target encrypted traffic to be identified, extracting target attribute information of the target encrypted traffic, and preprocessing the target attribute information to obtain target features; and inputting the target features into the identification model and determining, based on the output of the identification model, the category of the target encryption application to which the target encrypted traffic belongs.
In a second aspect, an embodiment of the present invention provides an apparatus for identifying an encryption application, including: the device comprises an acquisition module, a processing module and a training module.
The acquisition module is used for acquiring a plurality of sample encryption traffic and determining the category of each sample encryption traffic, wherein the category of the sample encryption traffic is the category of the encryption application to which the sample encryption traffic belongs.
The processing module is used for extracting sample attribute information from the samples of encrypted traffic and preprocessing the sample attribute information to obtain sample features; the sample attribute information includes the sample communication duration and the sample communication packet information within that duration, and the preprocessing of the sample attribute information includes derivation processing of the sample communication duration and the sample communication packet information.
The training module is used for inputting the sample characteristics into a preset model for training, and generating an identification model capable of identifying the type of the encryption application to which the encryption traffic belongs, wherein the identification model is used for determining the type of the encryption application to which the encryption traffic to be identified belongs.
Optionally, the processing module includes a derivation processing unit.
The derivation processing unit is used for counting the sample communication packet information within the sample communication duration over a plurality of communication time periods to obtain sample communication packet features, and using the sample communication packet features as sample features, where the sample communication packet features represent the sample communication packet information in each communication time period.
Optionally, the sample attribute information further includes: at least one of sample encryption protocol related information, sample client related information, sample certificate related information, and sample traffic related information.
The processing module further includes: other processing units.
The other processing units are used for carrying out missing value processing and/or standardization processing on at least one of the sample encryption protocol related information, the sample client related information, the sample certificate related information and the sample communication traffic related information.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a bus, a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor; the transceiver, the memory and the processor are connected by the bus, the computer program when executed by the processor implementing the steps in the method of identifying cryptographic applications as described above.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium comprising: a computer program stored on a readable storage medium; the computer program, when executed by a processor, implements the steps in the method of identifying cryptographic applications as described above.
The method, device, electronic equipment and computer readable storage medium for identifying an encryption application differ from the traditional approach of identifying encryption applications by manually writing rules and matching against them. By preprocessing the sample attribute information of the sample encrypted traffic, and in particular by applying derivation processing to the sample communication duration and the sample communication packet information, richer sample features are obtained, the accuracy of the identification model built on those features is improved, and the category of the encryption application to which given encrypted traffic belongs can be identified more accurately. The scheme can also accurately identify irregular encrypted traffic without a consistent pattern, can rapidly process a large amount of data, reduces the waste of manual effort, effectively avoids the false alarms caused by manually written rules, and has low cost and high identification efficiency.
Drawings
In order to more clearly describe the embodiments of the present invention or the technical solutions in the background art, the following description will describe the drawings that are required to be used in the embodiments of the present invention or the background art.
FIG. 1 is a flow chart of a method for identifying an encrypted application according to an embodiment of the present invention;
FIG. 2 is a flowchart of a specific method for identifying an encryption application according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an apparatus for identifying an encryption application according to an embodiment of the present invention;
fig. 4 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described below with reference to the accompanying drawings in the embodiments of the present invention.
Fig. 1 shows a flowchart of a method for identifying an encryption application according to an embodiment of the present invention. As shown in fig. 1, the method comprises the following steps 101-103.
Step 101: obtain a plurality of samples of encrypted traffic and determine the category of each sample, where the category of a sample of encrypted traffic is the category of the encryption application to which it belongs.
An encryption application is an application that encrypts the traffic it transmits. For example, an application for video browsing (such as Youku Video), an application for sending and receiving mail (such as QQ Mailbox), or an application for e-commerce shopping (such as Taobao) may encrypt its traffic during transmission; such an application can be treated as an encryption application, and the encrypted traffic it transmits is encrypted traffic. Encryption applications can be divided into different categories, one category per encryption application, based on the functionality each provides. For example, a video browsing application provides the function of browsing video, so its category may be the video category; a mail application provides the function of sending email, so its category may be the mail category; an e-commerce shopping application provides the function of online shopping on an e-commerce platform, so its category may be the online shopping category.
In the embodiment of the invention, encrypted traffic is acquired for each of a plurality of encryption applications; the encrypted traffic of each encryption application may be a single flow or multiple flows. This encrypted traffic is used as the sample encrypted traffic, and the category of the encrypted traffic extracted from each encryption application can be determined from the category of that encryption application. The sample encrypted traffic may be captured with a packet capture tool such as tcpdump (a packet analysis tool that captures packets on the network according to user-defined filters), Wireshark (network packet analysis software), a sniffer (software or a device that monitors network data), and the like.
Step 102: extract sample attribute information from the samples of encrypted traffic and preprocess it to obtain sample features; the sample attribute information includes the sample communication duration and the sample communication packet information within that duration, and the preprocessing of the sample attribute information includes derivation processing of the sample communication duration and the sample communication packet information.
In the embodiment of the invention, attribute information can be extracted from each sample of encrypted traffic. This is called sample attribute information: information that characterizes the relevant attributes of the sample encrypted traffic. The sample attribute information may include a sample communication duration and the sample communication packet information within that duration. The sample communication duration is the duration of the transmission of the sample encrypted traffic. The sample communication packet information within the sample communication duration is the number of sample communication packets acquired during the transmission of the sample encrypted traffic; it may also be expressed as the number of bytes of the communication packets transmitted during that transmission. The embodiment of the invention can apply derivation processing to the sample communication duration and the sample communication packet information to obtain sample features. Derivation processing is one of the preprocessing modes used in this embodiment; a sample feature is a feature obtained by preprocessing (for example, derivation processing) the sample attribute information, and it characterizes the sample encrypted traffic. For example, by counting the number of sample communication packets transmitted in different time intervals within the sample communication duration, a feature describing the number of packets transmitted in each interval can be derived and used as a sample feature.
Step 103: the sample characteristics are input into a preset model for training, an identification model capable of identifying the type of the encryption application to which the encryption traffic belongs is generated, and the identification model is used for determining the type of the encryption application to which the encryption traffic to be identified belongs.
The sample characteristics obtained after pretreatment (such as derivative treatment) can be input into a preset model for training, so that a required identification model is generated, and the identification model is a model capable of identifying the type of encryption application to which the encrypted traffic belongs. When the type of the encryption application to which a certain encryption traffic belongs needs to be identified, the encryption traffic is input into the identification model, and the type of the encryption application to which the encryption traffic belongs can be determined according to the output result of the identification model.
The embodiment of the invention differs from the traditional approach that relies on manually written rules and rule matching to identify encryption applications. It preprocesses the sample attribute information of the sample encrypted traffic, and in particular applies derivation processing to the sample communication duration and the sample communication packet information, so that richer sample features are obtained, the accuracy of the identification model built on those features is improved, and the category of the encryption application to which given encrypted traffic belongs can be identified more accurately. The scheme can also accurately identify irregular encrypted traffic without a consistent pattern, can rapidly process a large amount of data, reduces the waste of manual effort, effectively avoids the false alarms caused by manually written rules, and has low cost and high identification efficiency.
Optionally, the derivation processing of the sample communication duration and the sample communication packet information may include step A.
Step A: count the sample communication packet information within the sample communication duration over a plurality of communication time periods to obtain sample communication packet features, and use the sample communication packet features as sample features, where the sample communication packet features represent the sample communication packet information in each communication time period.
Derivation processing may be applied when the extracted sample attribute information includes the sample communication duration and the sample communication packet information within that duration. The process can be as follows: the sample communication packet information (such as the number of sample communication packets) acquired within the sample communication duration (i.e. the duration of the transmission of the sample encrypted traffic) is counted over a plurality of communication time periods. Each communication time period is shorter than the sample communication duration; for example, if the sample communication duration is 1000ms, the communication time periods may be 1ms, 5ms, …, 30ms, etc. In the embodiment of the invention, the average value of the sample communication packet information (such as the number of sample communication packets) transmitted in a given communication time period can also be computed, so that more diverse statistics are obtained. These statistics represent the features of the sample communication packet information in the different communication time periods; they are called the sample communication packet features and can be used as sample features.
For example, take the number of sample communication packets as the sample communication packet information. If the sample communication duration is on the order of 1000ms, then the number of sample communication packets transmitted within 1ms, within 5ms, within 10ms, within 20ms, within 30ms, etc. of these 1000ms may each be counted. This derivation processing yields statistics such as the following: the number of sample communication packets obtained in 1ms is 10, in 5ms is 100, in 10ms is 200, in 20ms is 250, in 30ms is 300, etc. These statistics may be used as the sample communication packet features, and the sample communication packet features may be used as sample features.
Aiming at the problem of few characteristics of sample encryption traffic, the embodiment of the invention carries out derivative processing on the sample communication duration and the sample communication data packet information in the extracted sample attribute information, thereby enriching the sample characteristics which can be used for identifying the category of encryption application to which the encryption traffic belongs.
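The derivation processing of step A can be sketched as follows. This is an added example, not code from the patent: the `Packet` record, the feature names and the choice to measure every window from the flow's first packet (so counts are cumulative, as in the 10/100/200/250/300 example above) are assumptions, and the sample flow is constructed.

```python
from bisect import bisect_left
from dataclasses import dataclass

# Communication time periods (ms) taken from the page's example.
WINDOWS_MS = (1, 5, 10, 20, 30)


@dataclass(frozen=True)
class Packet:
    ts_ms: float  # capture timestamp in milliseconds
    size: int     # packet length in bytes


def derive_window_features(packets, windows_ms=WINDOWS_MS):
    """Derive per-window packet features for one encrypted flow.

    Assumption (not stated on the page): each window starts at the flow's
    first packet and is half-open, [0, w), so the counts are cumulative.
    """
    pkts = sorted(packets, key=lambda p: p.ts_ms)  # captures may be unordered
    offsets = [p.ts_ms - pkts[0].ts_ms for p in pkts]
    feats = {"duration_ms": offsets[-1] if offsets else 0.0}

    # Prefix sums let every window reuse one pass over the packet sizes.
    prefix = [0]
    for p in pkts:
        prefix.append(prefix[-1] + p.size)

    for w in windows_ms:
        n = bisect_left(offsets, w)  # packets with offset strictly below w
        feats[f"pkts_{w}ms"] = n
        feats[f"bytes_{w}ms"] = prefix[n]
        # Mean packet size in the window; 0.0 when the window is empty.
        feats[f"mean_size_{w}ms"] = prefix[n] / n if n else 0.0
    return feats


def to_vector(feats, windows_ms=WINDOWS_MS):
    """Flatten the feature dict in a fixed column order for model input."""
    vec = [feats["duration_ms"]]
    for w in windows_ms:
        vec += [feats[f"pkts_{w}ms"], feats[f"bytes_{w}ms"],
                feats[f"mean_size_{w}ms"]]
    return vec


# Constructed sample flow (timestamps deliberately out of order).
SAMPLE_FLOW = [
    Packet(1003.0, 93), Packet(1000.0, 517), Packet(1000.4, 1400),
    Packet(1000.9, 1400), Packet(1004.5, 1400), Packet(1008.0, 600),
    Packet(1012.0, 1400), Packet(1025.0, 31), Packet(1029.9, 31),
    Packet(1030.0, 1400), Packet(1400.0, 64),
]

if __name__ == "__main__":
    for name, value in derive_window_features(SAMPLE_FLOW).items():
        print(f"{name:>16}: {value}")
```

A flow shorter than the largest window simply saturates: its later window counts all equal the total packet count, which the model sees as a feature of short-lived connections.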
Optionally, the sample attribute information further includes: at least one of sample encryption protocol related information, sample client related information, sample certificate related information, and sample traffic related information.
Besides the sample communication duration and the sample communication data packet information in the sample communication duration, the embodiment of the invention can also use at least one other information which can be extracted from the sample encryption traffic as sample attribute information, for example, sample encryption protocol related information, sample client related information, sample certificate related information and sample communication traffic related information can be respectively used as sample attribute information.
The sample encryption protocol related information refers to the cipher suite information or version number information of the encryption protocol used by the sample encrypted traffic. It is known from experience that if two encryption applications belong to different categories (e.g., a vacation video and a QQ mailbox correspond to a video class and a mail class, respectively), the encryption protocols they use also differ. The category of the encryption application to which the sample encrypted traffic belongs can therefore be determined by extracting the sample encryption protocol related information as sample attribute information and processing it further.
The sample client related information refers to information about the sample client that transmits the sample encrypted traffic, such as sample client port information, sample client browser information, and the like. It is extracted as sample attribute information because processing it reveals differences between clients: different clients correspond to different encryption applications, whose categories may also differ.
The sample certificate related information refers to the certificate authority information, certificate name information and the like corresponding to the sample encrypted traffic. Since the certificate authorities and certificate names of encryption applications of different categories differ, extracting the sample certificate related information as sample attribute information and processing it further has an important influence on determining the category.
The sample communication traffic related information refers to information related to sample encrypted traffic, such as uplink packet related information, downlink packet related information, communication packet information of a removal protocol (or communication byte number information of a removal protocol), and the like. Wherein, the uplink data packet related information may include: at least one of the number of uplink packets, the total number of uplink payload data packets, the total amount of uplink load, the average value of uplink load, the minimum amount of uplink load, the maximum amount of uplink load and the variance of uplink load. The downstream packet related information may include: at least one of the number of downlink packets, the total number of downlink payload data packets, the total amount of downlink load, the average value of downlink load, the minimum amount of downlink load, the maximum amount of downlink load and the variance of downlink load.
And, preprocessing the sample attribute information may include step B.
Step B: perform missing value processing and/or normalization processing on at least one of the sample encryption protocol related information, the sample client related information, the sample certificate related information and the sample communication traffic related information.
When the extracted sample attribute information includes one or more of the sample encryption protocol related information, the sample client related information, the sample certificate related information, and the sample communication traffic related information, the preprocessing applied to it may be either missing value processing or normalization processing, or both; the present invention does not limit this.
In the embodiment of the invention, the pandas library (a data analysis package for a programming language that provides functions and methods for processing data quickly and conveniently) can be used to check the data (such as sample attribute information) for missing values. A missing value is a piece of sample attribute information absent from a sample of encrypted traffic; for example, a sample of encrypted traffic may have no sample certificate related information, or some of its sample client related information may be lost. Data (sample attribute information) with more than 60% missing values can be removed, and missing value processing is applied to the remaining data (sample attribute information): the missing values of each sample of encrypted traffic are filled according to the data distribution, using methods such as mean filling or zero filling. Missing value processing completes the sample attribute information of samples with missing data, and the processed sample attribute information is used as a sample feature.
Normalization processing can screen out abnormal values and, where the magnitudes of different sample attribute information differ too much, normalizes the extracted sample attribute information to eliminate the differences in scale between variables so that the data are comparable. An abnormal value is data within some sample attribute information that differs from the rest of that information. For example, sample certificate related information normally consists of pinyin or numerals; if the sample certificate related information of some record consists of special symbols or garbled characters, that record is called an abnormal value. The sample attribute information after normalization processing is also used as a sample feature.
At the level of selecting sample attribute information, the embodiment of the invention can screen out more distinctive features, and the sample attribute information other than the sample communication duration and the sample communication data packet information can be further processed by missing value processing or standardization processing to obtain the required sample features. This provides more accurate and effective sample features for the subsequent generation of the identification model.
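The following is an added example, not code from the patent, showing one way to carry out Step B with pandas: attributes missing in more than 60% of flows are dropped, the rest are mean-filled or zero-filled, and the result is standardized. The column names, the z-score limit of 3 for flagging abnormal values, and the reuse of the fitted fill and scaling values on a target flow are assumptions.

```python
import pandas as pd

MISSING_DROP_THRESHOLD = 0.60  # from the page: attributes missing in >60% of flows are removed

# Constructed sample attribute table, one row per sample encrypted flow.
# Column names are hypothetical stand-ins for the four attribute groups.
SAMPLES = pd.DataFrame({
    "tls_version":        [771, 771, 772, None, 772],              # encryption protocol related
    "client_ext_count":   [12, None, 14, 12, 13],                  # client related
    "cert_validity_days": [None, None, None, 365, None],           # certificate related (80% missing)
    "bytes_total":        [1200.0, 98000.0, 4300.0, 2500.0, None], # traffic related
})


def fit_preprocessor(samples, zero_fill=()):
    """Learn which columns to keep, their fill values and their scaling from the samples."""
    missing_ratio = samples.isna().mean()
    kept = [c for c in samples.columns if missing_ratio[c] <= MISSING_DROP_THRESHOLD]
    # Mean filling by default, zero filling for the columns named in zero_fill.
    fill = {c: (0.0 if c in zero_fill else float(samples[c].mean())) for c in kept}
    filled = samples[kept].astype(float).fillna(fill)
    mean = filled.mean()
    std = filled.std(ddof=0).replace(0.0, 1.0)  # constant columns must not divide by zero
    return {"columns": kept, "fill": fill, "mean": mean, "std": std}


def transform(frame, params):
    """Apply the fitted fill values and z-score scaling to sample or target flows."""
    # reindex adds any attribute the flow lacks as NaN so it is filled like a missing value
    filled = frame.reindex(columns=params["columns"]).astype(float).fillna(params["fill"])
    return (filled - params["mean"]) / params["std"]


def flag_outliers(features, z_limit=3.0):
    """Mark flows with any standardized attribute beyond z_limit (assumed threshold)."""
    return features.abs().gt(z_limit).any(axis=1)


if __name__ == "__main__":
    params = fit_preprocessor(SAMPLES, zero_fill=("client_ext_count",))
    print(transform(SAMPLES, params).round(3))
    # Constructed target flow with no client attribute and an extreme byte count.
    target = pd.DataFrame([{"tls_version": 772, "bytes_total": 5_000_000.0}])
    print(flag_outliers(transform(target, params)))
```

Fitting the fill values and scaling on the sample set and reusing them for the target flow keeps the features seen at identification time on the same scale as those the model was trained on.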
Optionally, inputting the sample features into a preset model for training and generating an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs comprises steps C1-C2.
Step C1: determine the algorithm parameters of a preset algorithm based on the sample features and the preset algorithm, and obtain a preset model, where the algorithm parameters are the parameters that determine the preset model.
In general, algorithms that can implement identification and classification include the random forest algorithm, Bagging (an algorithm for improving the accuracy of learning algorithms), AdaBoost (an iterative algorithm that trains different classifiers on the same training set), GBDT (Gradient Boosting Decision Tree), XGBoost (eXtreme Gradient Boosting), and so on. The embodiment of the invention can select the XGBoost algorithm as the preset algorithm, and the objective function Obj^(s) of the preset algorithm is:
Figure BDA0003452083540000101
where s represents the number of iterations; i represents the i-th sample feature; n represents the number of sample features; j represents the j-th decision tree;
Figure BDA0003452083540000102
represents the weight vector of the leaf nodes of the j-th decision tree; g_i represents the first derivative of the loss function; h_i represents the second derivative of the loss function; f_s(x_i) represents the model of the s-th tree, that is, the new sub-model trained in round s;
Figure BDA0003452083540000103
represents the structure of a decision tree in the model; γ represents the weight coefficient of the leaf node value; T represents the number of leaves of the decision tree; λ represents the weight coefficient of the decision tree leaf nodes. According to the embodiment of the invention, the algorithm parameters of the preset algorithm can be determined from the sample features obtained after preprocessing and the preset algorithm. The algorithm parameters are the parameters that determine which conditions the required preset model specifically satisfies, such as the depth of a decision tree, the number of decision trees, the number of selected maximum leaf node samples, the learning rate and the like.
Step C2: input the sample features into the preset model for training to obtain model parameters of the preset model, and generate, based on the model parameters, an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs.
After the conditions to be met by the preset model have been determined, the preset model with its algorithm parameters is obtained. The sample features are input into the preset model for training to obtain the model parameters of the preset model, and the finally required identification model is generated based on the model parameters; this identification model can identify the category of the encryption application to which encrypted traffic belongs.
According to the embodiment of the invention, the XGBoost algorithm is adopted as a preset algorithm, and more reasonable and optimal algorithm parameters can be determined by combining sample characteristics when the preset model is established, so that the conditions met by the preset model are determined, and the model which meets the requirements most and is optimal, namely the preset model, is obtained; and then, inputting the sample characteristics into the preset model with the algorithm parameters for training, and determining the model parameters of the preset model so as to obtain a more accurate recognition model of the recognition result. The method not only has obvious improvement on the model training speed and precision, but also greatly improves the accuracy of the recognition result.
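The following is an added example, not code from the patent, showing how g_i, h_i, γ and λ decide whether a tree splits on one traffic feature. It uses the standard XGBoost second-order formulas for leaf weight and split gain with binary logistic loss (one application versus the rest); this is an assumption, since the page's formula image did not survive. The feature values and labels are constructed.

```python
import math


def grad_hess(margins, labels):
    """First (g_i) and second (h_i) derivative of logistic loss at the current raw scores."""
    pairs = []
    for margin, label in zip(margins, labels):
        p = 1.0 / (1.0 + math.exp(-margin))
        pairs.append((p - label, p * (1.0 - p)))
    return pairs


def leaf_weight(g_sum, h_sum, lam):
    """Optimal leaf value; a larger lambda shrinks it towards zero."""
    return -g_sum / (h_sum + lam)


def _score(g_sum, h_sum, lam):
    return g_sum * g_sum / (h_sum + lam)


def best_split(values, gh, lam, gamma):
    """Scan thresholds on one feature; return the best split, or None if gamma prunes all."""
    order = sorted(range(len(values)), key=values.__getitem__)
    g_all = sum(g for g, _ in gh)
    h_all = sum(h for _, h in gh)
    g_left = h_left = 0.0
    best = None
    for pos in range(len(order) - 1):
        i, nxt = order[pos], order[pos + 1]
        g_left += gh[i][0]
        h_left += gh[i][1]
        if values[i] == values[nxt]:
            continue  # no threshold can separate equal feature values
        g_right, h_right = g_all - g_left, h_all - h_left
        gain = 0.5 * (_score(g_left, h_left, lam) + _score(g_right, h_right, lam)
                      - _score(g_all, h_all, lam)) - gamma
        if gain > 0 and (best is None or gain > best["gain"]):
            best = {
                "threshold": (values[i] + values[nxt]) / 2.0,
                "gain": gain,
                "left_weight": leaf_weight(g_left, h_left, lam),
                "right_weight": leaf_weight(g_right, h_right, lam),
            }
    return best


# Constructed data: outbound bytes in the first communication time period of six flows,
# label 1 = flow belongs to the encryption application being learned, 0 = any other.
FIRST_PERIOD_BYTES = [310, 290, 305, 1400, 1380, 1450]
LABELS = [1, 1, 1, 0, 0, 0]
GH = grad_hess([0.0] * len(LABELS), LABELS)  # first round: every raw score is 0

if __name__ == "__main__":
    print(best_split(FIRST_PERIOD_BYTES, GH, lam=1.0, gamma=0.0))
    print(best_split(FIRST_PERIOD_BYTES, GH, lam=1.0, gamma=2.0))  # None: split pruned
```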
Optionally, after generating the identification model capable of identifying the category of the encryption application to which encrypted traffic belongs, the method further comprises steps D1-D2.
Step D1: acquire the target encrypted traffic to be identified, extract target attribute information of the target encrypted traffic, and preprocess the target attribute information to obtain target features.
When the type of the encryption application to which a certain encryption traffic belongs needs to be identified, the encryption traffic is used as a target encryption traffic to be identified, various attribute information, namely target attribute information, is extracted from the target encryption traffic, and the target attribute information comprises target communication duration and target communication data packet information in the target communication duration, and can also comprise target encryption protocol related information, target client related information, target certificate related information, target communication traffic related information and the like. In the embodiment of the invention, the extracted target attribute information can be preprocessed, for example, the obtained target communication duration and target communication data packet information can be subjected to derivative processing, and the target encryption protocol related information, the target client related information, the target certificate related information, the target communication traffic related information and the like can be subjected to missing value processing and/or standardization processing, so that the target communication data packet characteristics obtained by the derivative processing and the target attribute information obtained by the missing value processing and/or standardization processing are used as target characteristics.
Step D2: input the target features into the identification model, and determine the category of the target encryption application to which the target encrypted traffic belongs based on the output result of the identification model.
The target characteristics obtained after preprocessing are input into an identification model capable of identifying the type of the encryption application to which the encryption traffic belongs, the target characteristics can be identified to obtain an output result of the identification model, and the type of the target encryption application to which the target encryption traffic belongs can be determined according to the output result of the identification model.
According to the embodiment of the invention, the method of extracting certain specific target attribute information from the target encrypted flow to be identified and preprocessing the target attribute information is adopted, so that the identification basis with more identification value, namely the target characteristics, can be obtained; based on the recognition model which is trained and has the optimal algorithm parameters, the category of the target encryption application to which the target encryption flow belongs can be accurately recognized in the actual application scene, and the recognition process is rapid and accurate.
The method flow of identifying an encrypted application is described in detail below by way of one embodiment. Referring to fig. 2, the method includes the following steps 201-207.
Step 201: sample encryption traffic is acquired, and sample attribute information is extracted from the sample encryption traffic.
Wherein the sample attribute information includes: sample communication duration, sample communication data packet information within the sample communication duration, sample encryption protocol related information, sample client related information, sample certificate related information, and sample communication traffic related information.
Step 202: perform derivative processing on the sample communication duration and the sample communication data packet information within the sample communication duration to obtain sample communication data packet features, and use the sample communication data packet features as sample features.
The derivative processing may be performed according to the method described in step A above, which is not repeated here.
Step 203: perform missing value processing and normalization processing on the sample encryption protocol related information, the sample client related information, the sample certificate related information and the sample traffic related information, and use the processed sample attribute information as sample features.
The missing value processing and the normalization processing may be performed according to the method described in step B above, which is not repeated here.
Step 204: input the sample features into a preset algorithm to obtain algorithm parameters, and determine a preset model based on the algorithm parameters; input the sample features into the preset model for training to obtain model parameters, and then generate an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs.
The identification model may be generated according to the method described in steps C1-C2 above, which is not repeated here.
Step 205: acquire the target encrypted traffic to be identified, and extract target attribute information of the target encrypted traffic.
Step 206: preprocess the target attribute information to obtain target features.
The method for preprocessing the target attribute information is the same as the method for preprocessing the sample attribute information, and is not repeated here.
Step 207: input the target features into the identification model for identification, and determine the category of the target encryption application to which the target encrypted traffic belongs based on the output result of the identification model.
The method for identifying the encryption application provided by the embodiment of the invention is described in detail above, the method can also be realized by a corresponding device, and the device for identifying the encryption application provided by the embodiment of the invention is described in detail below.
An embodiment of the present invention provides an apparatus for identifying an encryption application, as shown in fig. 3, where the apparatus includes: an acquisition module 31, a processing module 32 and a training module 33.
The obtaining module 31 is configured to obtain a plurality of sample encrypted traffic, and determine a class of each sample encrypted traffic, where the class of the sample encrypted traffic is a class of an encryption application to which the sample encrypted traffic belongs.
The processing module 32 is configured to extract sample attribute information from a plurality of the sample encrypted traffic, and perform preprocessing on the sample attribute information to obtain sample features; the sample attribute information comprises sample communication duration and sample communication data packet information in the sample communication duration, and the preprocessing of the sample attribute information comprises the derivatization of the sample communication duration and the sample communication data packet information.
The training module 33 is configured to input the sample feature to a preset model for training, and generate an identification model capable of identifying a class of an encryption application to which the encrypted traffic belongs, where the identification model is used for determining a class of the encryption application to which the encrypted traffic to be identified belongs.
Optionally, the processing module 32 includes: a derivative processing unit.
The derivative processing unit is used for counting the sample communication data packet information within the sample communication duration according to a plurality of communication time periods to obtain sample communication data packet features, and using the sample communication data packet features as sample features, where the sample communication data packet features represent the sample communication data packet information in each communication time period.
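The following is an added example, not code from the patent, of the per-period counting described for the derivative processing unit. Equal-width communication time periods, the choice of packet count and byte count per direction as the "data packet information", and all names are assumptions; the flow is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since the capture started
    size: int       # bytes on the wire
    outbound: bool  # True = client to server


# Constructed flow: a short handshake burst followed by sparse keep-alive style packets.
FLOW = [
    Packet(0.00, 517, True),
    Packet(0.05, 1460, False),
    Packet(0.06, 1460, False),
    Packet(1.00, 120, True),
    Packet(2.90, 80, False),
    Packet(4.00, 31, True),
]

STATS = ("out_pkts", "in_pkts", "out_bytes", "in_bytes")


def derive_packet_features(packets, periods=4):
    """Split the communication duration into `periods` equal time periods and count
    packets and bytes per direction in each one. The result always has the same keys,
    so flows of any length map to a feature vector of fixed size."""
    if periods < 1:
        raise ValueError("periods must be at least 1")
    feats = {"duration": 0.0}
    for k in range(periods):
        for stat in STATS:
            feats[f"p{k}_{stat}"] = 0
    if not packets:
        return feats  # empty flow: all-zero features

    start = min(p.ts for p in packets)
    duration = max(p.ts for p in packets) - start
    feats["duration"] = duration
    width = duration / periods

    for p in packets:
        if width > 0:
            # The last packet sits exactly on the end boundary, so clamp its index.
            k = min(int((p.ts - start) / width), periods - 1)
        else:
            k = 0  # single-packet or zero-duration flow: everything is in period 0
        side = "out" if p.outbound else "in"
        feats[f"p{k}_{side}_pkts"] += 1
        feats[f"p{k}_{side}_bytes"] += p.size
    return feats


if __name__ == "__main__":
    for name, value in derive_packet_features(FLOW).items():
        print(f"{name:14s} {value}")
```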
Optionally, the sample attribute information further includes: at least one of sample encryption protocol related information, sample client related information, sample certificate related information, and sample traffic related information.
In addition, the processing module 32 further includes: another processing unit.
The other processing units are used for carrying out missing value processing and/or standardization processing on at least one of the sample encryption protocol related information, the sample client related information, the sample certificate related information and the sample communication traffic related information.
Optionally, the training module 33 includes: a determining unit and a generating unit.
The determining unit is used for determining algorithm parameters of a preset algorithm based on the sample characteristics and the preset algorithm, and obtaining a preset model, wherein the algorithm parameters are parameters for determining the preset model.
The generation unit is used for inputting the sample characteristics into the preset model for training to obtain model parameters of the preset model, and generating an identification model capable of identifying the type of the encryption application to which the encryption traffic belongs based on the model parameters.
Optionally, the apparatus further comprises: an extraction module and an identification module.
The extraction module is used for obtaining target encrypted traffic to be identified, extracting target attribute information of the target encrypted traffic, and preprocessing the target attribute information to obtain target characteristics.
The identification module is used for inputting the target characteristics into the identification model, and determining the category of the target encryption application to which the target encryption traffic belongs based on the output result of the identification model.
Unlike prior-art devices that identify encryption applications by matching against manually written rules, the device for identifying an encryption application provided by the embodiment of the invention preprocesses the sample attribute information of the sample encrypted traffic, in particular by derivative processing of the sample communication duration and the sample communication data packet information, and thereby obtains richer sample features. This improves the accuracy of the identification model obtained from the sample features, so that the category of the encryption application to which a given encrypted traffic belongs can be identified more accurately. The scheme can also accurately identify irregular encrypted traffic, process large amounts of data quickly, reduce wasted manual effort, and effectively avoid the false alarm problem caused by manually written rules, at low cost and with high identification efficiency.
In addition, the embodiment of the invention also provides an electronic device, which comprises a bus, a transceiver, a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the transceiver, the memory and the processor are respectively connected through the bus, and when the computer program is executed by the processor, the processes of the method embodiment for identifying the encryption application are realized, and the same technical effects can be achieved, so that repetition is avoided and redundant description is omitted.
Specifically, referring to fig. 4, the embodiment of the invention further provides an electronic device, the electronic device includes a bus 1110, a processor 1120, a transceiver 1130, a bus interface 1140, a memory 1150, and a user interface 1160.
In an embodiment of the present invention, the electronic device further includes: a computer program stored on the memory 1150 and executable on the processor 1120; when executed by the processor 1120, the computer program implements the various processes of the method embodiments described above for identifying an encryption application.
The transceiver 1130 is configured to receive and transmit data under the control of the processor 1120.
In an embodiment of the invention, the bus architecture is represented by bus 1110. Bus 1110 may include any number of interconnected buses and bridges, and connects various circuits, including one or more processors, represented by processor 1120, and memory, represented by memory 1150.
Bus 1110 represents one or more of any of several types of bus structures, including a memory bus and a memory controller, a peripheral bus, an accelerated graphics port (Accelerate Graphical Port, AGP), a processor, or a local bus using any of a variety of bus architectures. By way of example and not limitation, such an architecture comprises: industry standard architecture (Industry Standard Architecture, ISA) bus, micro channel architecture (Micro Channel Architecture, MCA) bus, enhanced ISA (EISA) bus, video electronics standards association (Video Electronics Standards Association, VESA) bus, peripheral component interconnect (Peripheral Component Interconnect, PCI) bus.
Processor 1120 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method embodiments may be implemented by instructions in the form of integrated logic circuits in hardware or software in a processor. The processor includes: general purpose processors, central processing units (Central Processing Unit, CPU), network processors (Network Processor, NP), digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field Programmable Gate Array, FPGA), complex programmable logic devices (Complex Programmable Logic Device, CPLD), programmable logic arrays (Programmable Logic Array, PLA), micro control units (Microcontroller Unit, MCU) or other programmable logic devices, discrete gates, transistor logic devices, discrete hardware components. The methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. For example, the processor may be a single-core processor or a multi-core processor, and the processor may be integrated on a single chip or located on multiple different chips.
The processor 1120 may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may be located in a random access Memory (Random Access Memory, RAM), flash Memory (Flash Memory), read-Only Memory (ROM), programmable ROM (PROM), erasable Programmable ROM (EPROM), registers, and so forth, as are known in the art. The readable storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
Bus 1110 may also connect together various other circuits such as peripheral devices, voltage regulators, or power management circuits, bus interface 1140 providing an interface between bus 1110 and transceiver 1130, all of which are well known in the art. Accordingly, the embodiments of the present invention will not be further described.
The transceiver 1130 may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. For example: the transceiver 1130 receives external data from other devices, and the transceiver 1130 is configured to transmit the data processed by the processor 1120 to the other devices. Depending on the nature of the computer system, a user interface 1160 may also be provided, for example: touch screen, physical keyboard, display, mouse, speaker, microphone, trackball, joystick, stylus.
It should be appreciated that in embodiments of the present invention, the memory 1150 may further comprise memory located remotely from the processor 1120, such remotely located memory being connectable to a server through a network. One or more portions of the above-described networks may be an ad hoc network, an intranet, an extranet, a Virtual Private Network (VPN), a Local Area Network (LAN), a Wireless Local Area Network (WLAN), a Wide Area Network (WAN), a Wireless Wide Area Network (WWAN), a Metropolitan Area Network (MAN), the Internet, a Public Switched Telephone Network (PSTN), a plain old telephone service network (POTS), a cellular telephone network, a wireless fidelity (Wi-Fi) network, and a combination of two or more of the above-described networks. For example, the cellular telephone network and wireless network may be a global system for mobile communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Worldwide Interoperability for Microwave Access (WiMAX) system, a General Packet Radio Service (GPRS) system, a Wideband Code Division Multiple Access (WCDMA) system, a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a long term evolution-advanced (LTE-A) system, a Universal Mobile Telecommunications (UMTS) system, an enhanced mobile broadband (Enhanced Mobile Broadband, eMBB) system, a massive machine type communication (massive Machine Type Communication, mMTC) system, an ultra reliable low latency communication (Ultra Reliable Low Latency Communications, URLLC) system, and the like.
It should be appreciated that the memory 1150 in embodiments of the present invention may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory includes: Read-Only Memory (ROM), Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), or Flash Memory.
The volatile memory includes: Random Access Memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as: Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The memory 1150 of the electronic device described in embodiments of the present invention includes, but is not limited to, the above and any other suitable types of memory.
In an embodiment of the invention, memory 1150 stores the following elements of operating system 1151 and application programs 1152: an executable module, a data structure, or a subset thereof, or an extended set thereof.
Specifically, the operating system 1151 includes various system programs, such as a framework layer, a core library layer and a driver layer, which are used for implementing various basic services and processing hardware-based tasks. The applications 1152 include various applications, such as a Media Player and a Browser, for implementing various application services. A program for implementing the method of the embodiment of the present invention may be included in the application 1152. The application 1152 includes: applets, objects, components, logic, data structures, and other computer system executable instructions that perform particular tasks or implement particular abstract data types.
In addition, the embodiment of the present invention further provides a computer readable storage medium, on which a computer program is stored, where the computer program when executed by a processor implements each process of the above-mentioned method embodiment for identifying an encryption application, and the same technical effects can be achieved, and for avoiding repetition, a detailed description is omitted herein.
The computer-readable storage medium includes: persistent and non-persistent, removable and non-removable media are tangible devices that may retain and store instructions for use by an instruction execution device. The computer-readable storage medium includes: electronic storage, magnetic storage, optical storage, electromagnetic storage, semiconductor storage, and any suitable combination of the foregoing. The computer-readable storage medium includes: phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), non-volatile random access memory (NVRAM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disk read only memory (CD-ROM), digital Versatile Disks (DVD) or other optical storage, magnetic cassette storage, magnetic tape disk storage or other magnetic storage devices, memory sticks, mechanical coding (e.g., punch cards or bump structures in grooves with instructions recorded thereon), or any other non-transmission medium that may be used to store information that may be accessed by a computing device. In accordance with the definition in the present embodiments, the computer-readable storage medium does not include a transitory signal itself, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or other transmission medium (e.g., a pulse of light passing through a fiber optic cable), or an electrical signal transmitted through a wire.
In several embodiments provided herein, it should be understood that the disclosed apparatus, electronic device, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or elements, or may be an electrical, mechanical, or other form of connection.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one position, or may be distributed over a plurality of network units. Some or all of the units can be selected according to actual needs to solve the problem to be solved by the scheme of the embodiment of the invention.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the embodiments of the present invention, in essence, or the part that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (including: a personal computer, a server, a data center or other network device) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes the various media exemplified above that can store program code.
In the description of the embodiments of the present invention, those skilled in the art will appreciate that the embodiments of the present invention may be implemented as a method, an apparatus, an electronic device, and a computer-readable storage medium. Thus, embodiments of the present invention may be embodied in the following forms: complete hardware, complete software (including firmware, resident software, micro-code, etc.), a combination of hardware and software. Furthermore, in some embodiments, embodiments of the invention may also be implemented in the form of a computer program product in one or more computer-readable storage media having computer program code embodied therein.
Any combination of one or more computer-readable storage media may be employed by the computer-readable storage media described above. The computer-readable storage medium includes: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of the computer readable storage medium include the following: portable computer diskette, hard disk, random Access Memory (RAM), read-only Memory (ROM), erasable programmable read-only Memory (EPROM), computer system Flash Memory (Flash Memory), optical fiber, compact disk read only Memory (CD-ROM), optical storage device, magnetic storage device, or any combination thereof. In embodiments of the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, device.
The computer program code embodied in the computer readable storage medium may be transmitted using any appropriate medium, including: wireless, wire, fiber optic cable, radio Frequency (RF), or any suitable combination thereof.
Computer program code for carrying out operations of embodiments of the present invention may be written in assembly instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, integrated circuit configuration data, or in one or more programming languages, including object oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the C language or similar programming languages. The computer program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), to the user's computer or to an external computer.
The embodiment of the invention describes a method, a device and electronic equipment through flowcharts and/or block diagrams.
It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions. These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer-readable program instructions may also be stored in a computer-readable storage medium that can cause a computer or other programmable data processing apparatus to function in a particular manner. Thus, the instructions stored in the computer-readable storage medium produce instruction means that implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The foregoing is merely a specific implementation of the embodiments of the present invention, but the protection scope of the embodiments of the present invention is not limited thereto. Any changes or substitutions that a person skilled in the art could readily conceive of within the technical scope disclosed by the embodiments of the present invention are covered by the protection scope of the embodiments of the present invention. Therefore, the protection scope of the embodiments of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method of identifying an encrypted application, comprising:
obtaining a plurality of sample encrypted traffic flows, and determining the category of each sample encrypted traffic flow, wherein the category of a sample encrypted traffic flow is the category of the encryption application to which that sample encrypted traffic flow belongs;
extracting sample attribute information from the plurality of sample encrypted traffic flows, and preprocessing the sample attribute information to obtain sample features; wherein the sample attribute information comprises a sample communication duration and sample communication data packet information within the sample communication duration, and the preprocessing of the sample attribute information comprises derivation processing of the sample communication duration and the sample communication data packet information;
and inputting the sample features into a preset model for training, and generating an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs, wherein the identification model is used for determining the category of the encryption application to which encrypted traffic to be identified belongs.
2. The method of claim 1, wherein the deriving the sample communication duration and the sample communication packet information comprises:
and counting the sample communication data packet information in the sample communication time length according to a plurality of communication time periods to obtain sample communication data packet characteristics, and taking the sample communication data packet characteristics as sample characteristics, wherein the sample communication data packet characteristics represent the sample communication data packet information in each communication time period.
3. The method of claim 1, wherein the sample attribute information further comprises: at least one of sample encryption protocol related information, sample client related information, sample certificate related information, and sample communication traffic related information;
the preprocessing the sample attribute information comprises the following steps: and carrying out missing value processing and/or standardization processing on at least one of the sample encryption protocol related information, the sample client related information, the sample certificate related information and the sample communication traffic related information.
4. The method according to claim 1, wherein the inputting the sample features into a preset model for training, and generating an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs, comprises:
determining algorithm parameters of a preset algorithm based on the sample features and the preset algorithm, and obtaining a preset model, wherein the algorithm parameters are parameters for determining the preset model;
and inputting the sample features into the preset model for training to obtain model parameters of the preset model, and generating, based on the model parameters, an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs.
5. The method according to any one of claims 1-4, further comprising, after said generating an identification model capable of identifying a class of an encryption application to which the encrypted traffic belongs:
acquiring target encrypted traffic to be identified, extracting target attribute information of the target encrypted traffic, and preprocessing the target attribute information to obtain target characteristics;
and inputting the target characteristics into the identification model, and determining the category of the target encryption application to which the target encryption traffic belongs based on the output result of the identification model.
6. An apparatus for identifying an encrypted application, comprising: the device comprises an acquisition module, a processing module and a training module;
the acquisition module is used for acquiring a plurality of sample encrypted traffic flows and determining the category of each sample encrypted traffic flow, wherein the category of a sample encrypted traffic flow is the category of the encryption application to which that sample encrypted traffic flow belongs;
the processing module is used for extracting sample attribute information from the plurality of sample encrypted traffic flows and preprocessing the sample attribute information to obtain sample features; wherein the sample attribute information comprises a sample communication duration and sample communication data packet information within the sample communication duration, and the preprocessing of the sample attribute information comprises derivation processing of the sample communication duration and the sample communication data packet information;
the training module is used for inputting the sample features into a preset model for training, generating an identification model capable of identifying the category of the encryption application to which encrypted traffic belongs, and determining the category of the encryption application to which encrypted traffic to be identified belongs.
7. The apparatus of claim 6, wherein the processing module comprises: a derivation processing unit;
the derivation processing unit is configured to count the sample communication data packet information within the sample communication duration according to a plurality of communication time periods, obtain sample communication data packet features, and use the sample communication data packet features as sample features, where the sample communication data packet features represent the sample communication data packet information in each communication time period.
8. The apparatus of claim 6, wherein the sample attribute information further comprises: at least one of sample encryption protocol related information, sample client related information, sample certificate related information, and sample communication traffic related information;
the processing module further includes: other processing units;
the other processing unit is configured to perform missing value processing and/or normalization processing on at least one of the sample encryption protocol related information, the sample client related information, the sample certificate related information, and the sample communication traffic related information.
9. An electronic device comprising a bus, a transceiver, a memory, a processor and a computer program stored on the memory and executable on the processor, the transceiver, the memory and the processor being connected by the bus, characterized in that the computer program, when executed by the processor, implements the steps of the method of identifying an encrypted application as claimed in any one of claims 1 to 5.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, carries out the steps of the method of identifying an encrypted application as claimed in any one of claims 1 to 5.
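An added illustration of the pipeline in claims 1 to 5, not code from the patent: packet information is counted per communication time period (claim 2), missing values are imputed and features standardized (claim 3), a model is trained (claims 1 and 4) and a target flow is classified (claim 5). Assumptions: four equal time periods, `cert_days` as a stand-in for certificate-related information, mean imputation with z-scores, and a nearest-centroid classifier as the "preset model"; the sample flows and labels are constructed.

```python
import math
from collections import defaultdict

N_PERIODS = 4  # assumption: the claims do not fix the number of time periods

def derive(flow):
    """Claim 2: count packet information per communication time period."""
    dur = flow["duration"]
    counts, sizes = [0] * N_PERIODS, [0] * N_PERIODS
    for t, size in flow["packets"]:  # (seconds since flow start, bytes)
        i = min(int(t / dur * N_PERIODS), N_PERIODS - 1) if dur > 0 else 0
        counts[i] += 1
        sizes[i] += size
    # cert_days is a hypothetical certificate attribute; None means missing
    return [dur] + counts + sizes + [flow.get("cert_days")]

def fit_scaler(rows):
    """Claim 3: per-column mean (fills missing values) and std (z-scores)."""
    stats = []
    for col in zip(*rows):
        known = [v for v in col if v is not None]
        mean = sum(known) / len(known) if known else 0.0
        var = sum((v - mean) ** 2 for v in known) / len(known) if known else 0.0
        stats.append((mean, math.sqrt(var) or 1.0))  # constant column: divide by 1
    return stats

def scale(stats, row):
    return [((m if v is None else v) - m) / s for v, (m, s) in zip(row, stats)]

def train(flows, labels):
    """Claims 1 and 4: nearest-centroid stands in for the 'preset model'."""
    raw = [derive(f) for f in flows]
    stats = fit_scaler(raw)
    by_label = defaultdict(list)
    for row, label in zip(raw, labels):
        by_label[label].append(scale(stats, row))
    centroids = {y: [sum(c) / len(c) for c in zip(*rows)]
                 for y, rows in by_label.items()}
    return stats, centroids

def identify(model, flow):
    """Claim 5: same extraction and preprocessing, then classify the target."""
    stats, centroids = model
    x = scale(stats, derive(flow))
    return min(centroids, key=lambda y: math.dist(x, centroids[y]))

# Constructed sample flows; labels and values are illustrative only.
SAMPLES = [
    ({"duration": 8.0, "packets": [(0.5, 1400), (2.5, 1400), (4.5, 1400),
                                   (6.5, 1400), (7.5, 1400)], "cert_days": 90}, "video"),
    ({"duration": 10.0, "packets": [(1, 1300), (3, 1400), (6, 1400), (9, 1350)]}, "video"),
    ({"duration": 8.0, "packets": [(0.1, 120), (0.3, 90), (0.6, 150)], "cert_days": 365}, "chat"),
    ({"duration": 6.0, "packets": [(0.2, 100), (0.4, 80), (5.5, 60)], "cert_days": 365}, "chat"),
]
MODEL = train([f for f, _ in SAMPLES], [y for _, y in SAMPLES])
```

The scaler statistics are fitted on the training samples only and reused unchanged for the target flow, so a target with a missing attribute is imputed with the training mean rather than its own data.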
CN202111676389.8A 2021-12-31 2021-12-31 Method and device for identifying encryption application and electronic equipment Pending CN116418754A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111676389.8A CN116418754A (en) 2021-12-31 2021-12-31 Method and device for identifying encryption application and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111676389.8A CN116418754A (en) 2021-12-31 2021-12-31 Method and device for identifying encryption application and electronic equipment

Publications (1)

Publication Number Publication Date
CN116418754A true CN116418754A (en) 2023-07-11

Family

ID=87053587

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111676389.8A Pending CN116418754A (en) 2021-12-31 2021-12-31 Method and device for identifying encryption application and electronic equipment

Country Status (1)

Country Link
CN (1) CN116418754A (en)

Similar Documents

Publication Publication Date Title
CN112003870B (en) Network encryption traffic identification method and device based on deep learning
CN109831465B (en) Website intrusion detection method based on big data log analysis
WO2021243663A1 (en) Session detection method and apparatus, and detection device and computer storage medium
EP3471007A1 (en) Methods and apparatus for analyzing sequences of application programming interface traffic to identify potential malicious actions
US11381599B2 (en) Cyber chaff using spatial voting
CN105939350B (en) Network access control method and system
CN113162794A (en) Next-step attack event prediction method and related equipment
CN115314268B (en) Malicious encryption traffic detection method and system based on traffic fingerprint and behavior
EP4195077A1 (en) Identifying a phishing attempt
CN112887329A (en) Hidden service tracing method and device and electronic equipment
CN116915442A (en) Vulnerability testing method, device, equipment and medium
CN110955890B (en) Method and device for detecting malicious batch access behaviors and computer storage medium
CN113282920B (en) Log abnormality detection method, device, computer equipment and storage medium
CN114022711A (en) Industrial identification data caching method and device, medium and electronic equipment
CN116418754A (en) Method and device for identifying encryption application and electronic equipment
CN115051874B (en) Multi-feature CS malicious encrypted traffic detection method and system
CN110717182A (en) Webpage Trojan horse detection method, device and equipment and readable storage medium
CN116647349A (en) Method, device and electronic equipment for realizing encrypted traffic identification
CN113095426B (en) Encrypted traffic classification method, system, equipment and readable storage medium
CN114925365A (en) File processing method and device, electronic equipment and storage medium
US10516743B1 (en) Systems and methods for facilitating portable user sessions
Lee et al. Malicious traffic compression and classification technique for secure internet of things
EP4088208A1 (en) Crypto-jacking detection
CN116436622A (en) Encryption traffic identification method and device and electronic equipment
CN116647348A (en) Method and device for identifying encrypted traffic and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination