CN116436622A - Encryption traffic identification method and device and electronic equipment - Google Patents


Publication number
CN116436622A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111676373.7A
Other languages
Chinese (zh)
Inventor
任玉坤
徐静宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Guancheng Technology Co ltd
Original Assignee
Beijing Guancheng Technology Co ltd
Application filed by Beijing Guancheng Technology Co ltd
Priority to CN202111676373.7A
Publication of CN116436622A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00: Computing arrangements based on biological models
    • G06N3/02: Neural networks
    • G06N3/08: Learning methods
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/02: Capturing of monitoring data
    • H04L43/028: Capturing of monitoring data by filtering
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The invention provides an encrypted traffic identification method, an encrypted traffic identification device and electronic equipment. The method comprises: acquiring a plurality of samples of encrypted traffic and determining the service type of each sample; determining sample features of the sample encrypted traffic, the sample features comprising sample memory features and sample generalization features; training a memory part and a generalization part of a deep learning model with the sample memory features and the sample generalization features respectively to obtain an identification model; and determining, based on the identification model, the service type corresponding to target encrypted traffic and thereby the service type of the target encrypted application to which the target encrypted traffic belongs. With the method, device and electronic equipment provided by the embodiments of the invention, more targeted features can be selected at the feature-selection level and the deep learning model is trained jointly, so that the precision and accuracy of the resulting identification model are significantly improved and identification is efficient, outperforming the traditional manual identification method.

Description

Encryption traffic identification method and device and electronic equipment
Technical Field
The present invention relates to the field of network security and encrypted traffic detection technologies, and in particular, to an encrypted traffic identification method, an apparatus, an electronic device, and a computer readable storage medium.
Background
To protect personal privacy, more and more network applications transmit data over encryption protocols. Network traffic processed by an encryption protocol is called encrypted traffic; while it protects the privacy of ordinary users, it also poses great challenges for network traffic security detection.
At present, when the service type of an encrypted application needs to be identified, this is generally done either by manually writing rules and matching against them, or by using DPI (Deep Packet Inspection) techniques. However, manual identification is inefficient and inaccurate. DPI can only rely on application-protocol feature fields and cannot identify encrypted data or private protocols in the protocol interaction stage: if an application transmits data in encrypted form, DPI cannot parse the encrypted data in the encrypted traffic, false alarms occur, and the service type of the encrypted application cannot be identified.
Disclosure of Invention
In order to solve the existing technical problems, the embodiment of the invention provides an encryption traffic identification method, an encryption traffic identification device, electronic equipment and a computer readable storage medium.
In a first aspect, an embodiment of the present invention provides an encrypted traffic identification method, including: acquiring a plurality of sample encryption traffic, and determining the service type of each sample encryption traffic, wherein the service type of the sample encryption traffic is the service type of an encryption application to which the sample encryption traffic belongs; determining sample characteristics of the sample encrypted traffic, wherein the sample characteristics comprise sample memory characteristics and sample generalization characteristics; and respectively training a memory part and a generalization part of a deep learning model according to the sample memory characteristics and the sample generalization characteristics to obtain an identification model, determining a service type corresponding to a target encryption flow based on the identification model, and determining a service type of a target encryption application to which the target encryption flow belongs.
Optionally, determining the service type corresponding to the target encrypted traffic based on the identification model, and determining the service type of the target encrypted application to which the target encrypted traffic belongs, including: acquiring the target encrypted traffic and determining target characteristics of the target encrypted traffic; the target features comprise target memory features and target generalization features; and obtaining an output result of the identification model according to the target memory characteristic and the target generalization characteristic, determining a service type corresponding to the target encryption traffic based on the output result of the identification model, and determining a service type of a target encryption application to which the target encryption traffic belongs.
Optionally, the sample memory features comprise discrete features, the sample generalization features comprising embedded vectors and/or continuous features; wherein the discrete features comprise: at least one of byte distribution characteristics, packet length characteristics, and stream negotiation mechanism characteristics; the embedded vector is a real vector obtained by converting category characteristics, and the category characteristics comprise: at least one of certificate information features, client-side related information features and encryption protocol related information features; the continuous feature includes: at least one of a session duration feature, a packet sequence feature, a packet size feature, a frame arrival time feature, and a traffic information feature.
Optionally, after the obtaining the plurality of sample encrypted traffic, the method further comprises: and preprocessing the sample encrypted traffic, wherein the preprocessing comprises at least one of missing value processing, oversampling processing and standardization processing.
In a second aspect, an embodiment of the present invention provides an encrypted traffic identification apparatus, including: the device comprises an acquisition module, a determination module and a processing module.
The acquisition module is used for acquiring a plurality of sample encryption traffic and determining the service type of each sample encryption traffic, wherein the service type of the sample encryption traffic is the service type of an encryption application to which the sample encryption traffic belongs.
The determining module is used for determining sample characteristics of the sample encryption traffic, wherein the sample characteristics comprise sample memory characteristics and sample generalization characteristics.
The processing module is used for respectively training the memory part and the generalization part of the deep learning model according to the sample memory characteristics and the sample generalization characteristics to obtain an identification model, determining the service type corresponding to the target encryption traffic based on the identification model, and determining the service type of the target encryption application to which the target encryption traffic belongs.
Optionally, the processing module includes: a determining unit and an identifying unit.
The determining unit is used for obtaining the target encrypted flow and determining target characteristics of the target encrypted flow; the target features include a target memory feature and a target generalization feature.
The identification unit is used for obtaining an output result of the identification model according to the target memory characteristic and the target generalization characteristic, determining a service type corresponding to the target encryption traffic based on the output result of the identification model, and determining a service type of a target encryption application to which the target encryption traffic belongs.
Optionally, the sample memory features comprise discrete features, the sample generalization features comprising embedded vectors and/or continuous features; wherein the discrete features comprise: at least one of byte distribution characteristics, packet length characteristics, and stream negotiation mechanism characteristics; the embedded vector is a real vector obtained by converting category characteristics, and the category characteristics comprise: at least one of certificate information features, client-side related information features and encryption protocol related information features; the continuous feature includes: at least one of a session duration feature, a packet sequence feature, a packet size feature, a frame arrival time feature, and a traffic information feature.
Optionally, the apparatus further comprises: and a preprocessing unit.
The preprocessing unit is used for preprocessing the sample encrypted traffic, and the preprocessing comprises at least one of missing value processing, oversampling processing and standardization processing.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a bus, a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor; the transceiver, the memory and the processor are connected by the bus, and the computer program when executed by the processor implements the steps in the encrypted traffic identification method as described above.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium comprising: a computer program stored on a readable storage medium; the computer program when executed by a processor implements the steps in the encrypted traffic identification method as described above.
Unlike traditional DPI technology, the encrypted traffic identification method, device, electronic equipment and computer-readable storage medium provided by the embodiments of the invention do not rely on application-protocol feature fields. Instead, they extract features from the encrypted traffic and train different parts of the deep learning model on different features, optimizing both the memory capacity and the generalization capacity of the model, so that the model identifies the service type corresponding to the encrypted traffic more accurately and, in turn, determines more accurately the service type of the encrypted application to which the traffic belongs. In addition, because the method analyses the deep learning model itself, more targeted features can be selected at the feature-selection level, and the deep learning model is trained jointly, so that the precision and accuracy of the resulting identification model are significantly improved and identification is efficient, outperforming the traditional manual identification method.
Drawings
In order to more clearly describe the embodiments of the present invention or the technical solutions in the background art, the following description will describe the drawings that are required to be used in the embodiments of the present invention or the background art.
FIG. 1 shows a flow chart of an encrypted traffic identification method provided by an embodiment of the present invention;
FIG. 2 shows a flowchart of the specific method, within the encrypted traffic identification method provided by an embodiment of the present invention, for determining the service type corresponding to the target encrypted traffic based on the identification model and determining the service type of the target encrypted application to which the target encrypted traffic belongs;
FIG. 3 shows a schematic structural diagram of an encrypted traffic identification device provided by an embodiment of the present invention;
FIG. 4 shows a schematic structural diagram of an electronic device provided by an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described below with reference to the accompanying drawings in the embodiments of the present invention.
Fig. 1 shows a flowchart of an encrypted traffic identification method according to an embodiment of the present invention. As shown in fig. 1, the method comprises steps 101-103.
Step 101: acquire a plurality of samples of encrypted traffic and determine the service type of each sample, wherein the service type of a sample of encrypted traffic is the service type of the encrypted application to which that traffic belongs.
An encrypted application is an application that encrypts the traffic it transmits. For example, a video playing application (such as Youku Video), a search engine application (such as the Baidu search engine) or a file download application (such as Xunlei (Thunder) download) can encrypt its traffic in transit; such an application can serve as an encrypted application, and the traffic it transmits after encryption is encrypted traffic. Each encrypted application can be assigned to a service type based on the primary service content it provides, i.e., each encrypted application corresponds to at least one service type. For example, if the main service content provided by a video playing application is video browsing, its service type is video service; the service content provided by a search engine application is web page browsing, so its service type is web page service; and the service content provided by a file download application is file download, so its service type is download service.
In the embodiment of the invention, encrypted traffic is acquired from each of a plurality of encrypted applications; the encrypted traffic of each application may be a single flow or a plurality of flows. This encrypted traffic is used as the sample encrypted traffic, and the service type corresponding to the traffic extracted from each encrypted application is determined from the service type of that application. The sample encrypted traffic may be captured with a packet capture tool such as Tcpdump (a packet analysis tool that captures packets on the network according to user-defined criteria), Wireshark (network packet analysis software) or a sniffer (a software device that monitors network data).
Step 102: sample characteristics of the sample encrypted traffic are determined, the sample characteristics including sample memory characteristics and sample generalization characteristics.
Features, namely sample features, can be extracted from each sample of encrypted traffic. Based on accumulated experience and analysis of the sample encrypted traffic, the sample features can be divided into sample memory features and sample generalization features. The sample memory features are the input set for training the memory part of the deep learning model; they allow correlations among features to be found in historical data, giving the model stronger memory capacity. The sample generalization features are the input set for training the generalization part of the deep learning model; they allow the model to discover new feature combinations that are rare or absent in historical data, giving the model stronger generalization capacity.
Step 103: according to the sample memory characteristics and the sample generalization characteristics, respectively training a memory part and a generalization part of the deep learning model to obtain an identification model, determining a service type corresponding to the target encryption traffic based on the identification model, and determining the service type of the target encryption application to which the target encryption traffic belongs.
In the embodiment of the invention, the sample memory features of the sample encrypted traffic are input into the memory part of the deep learning model to train it. The memory part is a generalized linear model, and its training may include applying a cross-product transformation to the sample memory features. The sample generalization features of the sample encrypted traffic are input into the generalization part of the deep learning model to train it. The generalization part is a feedforward neural network, and its training may process the sample generalization features by layer-by-layer activation: the features are input into a hidden layer of the feedforward neural network, the activation $a^{(l+1)}$ of hidden layer $l+1$ is computed by the formula $a^{(l+1)} = f(W^{(l)} a^{(l)} + b^{(l)})$, and the output of the current hidden layer is fed to the next hidden layer for the same computation until every hidden layer has been computed and the final result is obtained. Here $l$ is the hidden-layer number and $f(\cdot)$ denotes a generic activation function, typically the ReLU (Rectified Linear Unit) activation function; $a^{(l)}$ denotes the activation of layer $l$; $b^{(l)}$ denotes the bias term of layer $l$; and $W^{(l)}$ denotes the weights of layer $l$. In the embodiment of the invention, the two parts may be trained simultaneously, or in a staggered manner, one after the other.
After the memory part and the generalization part of the deep learning model have been trained, the weighted sum of the log probabilities output by the two parts can be used as a preliminary prediction result, and the preliminary prediction results of the two parts are then fed into a common logistic prediction function for joint training. The logistic prediction function may be a sigmoid function:
Figure BDA0003452080360000061
Figure BDA0003452080360000062
where $Y$ represents the service type, $X$ represents the sample encrypted traffic, $T$ denotes the matrix transpose, [Figure BDA0003452080360000063] represents the sample memory features and cross features, $b$ is the bias term, $W_{wide}$ is the weight vector of the memory model, [Figure BDA0003452080360000064] represents the activation of the generalization part, $W_{deep}$ is the weight vector of the generalization model, and $\sigma(\cdot)$ denotes the sigmoid function. By evaluating the logistic prediction function on the prediction results of the memory part and the generalization part, an identification model capable of identifying the service type corresponding to the sample encrypted traffic is obtained.
When the service type of the encryption application to which a certain encryption traffic belongs needs to be identified, the encryption traffic is used as a target encryption traffic, the target encryption traffic is input into the identification model, the service type corresponding to the target encryption traffic can be determined according to the output result of the identification model, and the service type of the target encryption application to which the target encryption traffic belongs can be determined. The target encrypted traffic may be any encrypted traffic to be identified in the network communication process.
Unlike traditional DPI technology, the embodiment of the invention does not rely on application-protocol feature fields. By extracting features from the encrypted traffic, it trains different parts of the deep learning model on different features and optimizes both the memory capacity and the generalization capacity of the model, so that the model identifies the service type corresponding to the encrypted traffic more accurately and, in turn, determines more accurately the service type of the encrypted application to which the traffic belongs. In addition, because the method analyses the deep learning model itself, more targeted features can be selected at the feature-selection level, and the deep learning model is trained jointly, so that the precision and accuracy of the resulting identification model are significantly improved and identification is efficient, outperforming the traditional manual identification method.
Optionally, referring to fig. 2, determining a service type corresponding to the target encrypted traffic based on the identification model, and determining a service type of the target encryption application to which the target encrypted traffic belongs, includes the following steps 201-202.
Step 201: acquiring a target encrypted flow, and determining target characteristics of the target encrypted flow; the target features include a target memory feature and a target generalization feature.
When the service type of the encryption application to which a certain encryption traffic belongs needs to be identified, the encryption traffic is taken as a target encryption traffic, and various features, namely target features, are extracted from the target encryption traffic, wherein the target features can comprise target memory features and target generalization features.
Step 202: obtain the output of the identification model from the target memory features and the target generalization features, determine the service type corresponding to the target encrypted traffic from that output, and determine the service type of the target encrypted application to which the target encrypted traffic belongs.
In the embodiment of the invention, the target memory feature and the target generalization feature are input into the identification model which can identify the service type corresponding to the target encryption traffic, the target memory feature and the target generalization feature can be comprehensively processed to obtain the output result of the identification model, the service type corresponding to the target encryption traffic can be determined according to the output result of the identification model, and then the service type of the target encryption application to which the target encryption traffic belongs can be determined.
The embodiment of the invention adopts the method for extracting the specific target characteristics from the target encryption traffic, and based on the trained recognition model with stronger memory capacity and generalization capacity, the service type of the target encryption application to which the target encryption traffic belongs can be accurately recognized in an actual application scene, and the recognition process is quick and accurate.
Optionally, the sample memory features comprise discrete features, and the sample generalization features comprise embedded vectors and/or continuous features; wherein the discrete features comprise: at least one of byte distribution characteristics, packet length characteristics, and stream negotiation mechanism characteristics; the embedded vector is a real vector obtained by converting category characteristics, and the category characteristics comprise: at least one of certificate information features, client-side related information features and encryption protocol related information features; the continuous features include: at least one of a session duration feature, a packet sequence feature, a packet size feature, a frame arrival time feature, and a traffic information feature.
In the embodiment of the invention, the sample memory features comprise discrete features. The discrete features may include a byte distribution feature extracted from the sample encrypted traffic, i.e., the byte distribution of the data carried in that traffic. This feature suits the memory part of the deep learning model, because the memory part is good at processing large numbers of sparse byte-distribution features, so selecting it helps optimize the memory part. Similarly, a packet length feature or a stream negotiation mechanism feature extracted from the sample encrypted traffic may be used as a discrete feature in the memory part. The packet length feature is defined, for a sampled sequence of payload-carrying packets, as a specific threshold that must be met by the packet length (i.e., the packet payload length), packet length sequence, packet length set or packet length statistic at a specified packet position in the stream. The stream negotiation mechanism feature mainly includes the negotiated encryption suite, the negotiated cipher suite and the negotiated key exchange algorithm.
In an embodiment of the present invention, the sample generalization features may comprise embedded vectors. An embedded vector is a real vector obtained by converting category features extracted from the sample encrypted traffic; the category features may include certificate information features, client-related information features, encryption-protocol-related information features and the like. Because these category features are character strings and cannot be used directly by the generalization part of the deep learning model, they are converted into embedded vectors, represented as real vectors, which are then fed into the hidden layers of the neural network and processed layer by layer in the forward pass. The generalization part can use the strong expressive power of the feedforward neural network to perform deep feature crossing on the embedded vectors and mine the information hidden behind the category features.
Different service types have different certificate issuers and certificate names, so extracting certificate information features has an important influence on determining the service type. Client-related information features are extracted so that differences between clients can be analysed: different clients correspond to different encrypted applications, whose service categories may differ. The collected data also show that even when two different encrypted applications correspond to the same service type (for example, the Tech video and the Extra video both correspond to video services), each uses a different encryption protocol; extracting encryption-protocol-related information features and processing them further therefore helps determine the service type corresponding to the sample encrypted traffic, and in turn the service type of the encrypted application to which that traffic belongs.
In embodiments of the present invention, the sample generalization features may also include continuous features. A continuous feature may be a session duration feature, a packet sequence feature, a packet size feature, a frame arrival time feature, a traffic information feature or the like extracted from the sample encrypted traffic. The session duration feature represents how long the sample encrypted traffic took to transmit; from it, the bytes and packet size per unit time of the sample encrypted traffic can be calculated. The packet sequence feature is extracted because packet sequences are found to differ between service types, and extracting it helps improve the final classification performance of the deep learning model. The packet size feature is extracted to calculate the number of packets transmitted per unit time in the sample encrypted traffic. The frame arrival time feature represents the time at which a given frame carried by the sample encrypted traffic was received, and this feature can strengthen the generalization part of the deep learning model. The generalization part can also automatically mine, from the traffic information features, the information most valuable for identifying the service type corresponding to the sample encrypted traffic, so the traffic information features can be selected as input to the generalization part of the deep learning model.
Based on experience accumulation and training data analysis, the embodiment of the invention converts the class features extracted from the sample encrypted flow to form an embedded vector, processes the continuous features extracted from the sample encrypted flow, uses the characteristics of the multi-layer processing of the generalization part of the deep learning model to perform deep feature intersection on the embedded vector after class feature conversion, and mines the data information hidden behind the class features, thereby being beneficial to identifying the service type corresponding to the sample encrypted flow; meanwhile, by utilizing the characteristic that a large number of sparse discrete features can be rapidly processed by the memory part of the single layer, the discrete features extracted from the sample encrypted flow are processed, and data information which is favorable for identifying the service type corresponding to the sample encrypted flow is provided; finally, combining the memory part and the generalization part at the output layer by utilizing a logic prediction function, and training to obtain an identification model with higher accuracy for identifying the service type of the encryption application to which the encrypted traffic belongs.
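The joint structure described in the preceding paragraphs, as an added sketch that is not code from the patent: a single-layer memory part over sparse discrete features and a generalization part with trainable embedded vectors and one hidden layer, summed at the output and passed through a logistic function. The flow records, the placeholder suite, issuer and client names, the reduction to two service types, and all sizes and learning rates are assumptions made for illustration.

```python
import math
import random

def make_flow(payload, lens, suite, issuer, client, duration, label):
    return dict(payload=payload, lens=lens, suite=suite, issuer=issuer,
                client=client, duration=duration, label=label)

# Constructed flows, not real captures. label 1 = video service, 0 = web service.
FLOWS = [
    make_flow(bytes(range(0, 64)) * 8, [1400, 1400, 1380], "suite-A", "issuer-video", "client-tv", 180.0, 1),
    make_flow(bytes(range(16, 80)) * 8, [1380, 1400, 1400], "suite-A", "issuer-video", "client-phone", 240.0, 1),
    make_flow(bytes(range(128, 160)) * 4, [300, 520, 210], "suite-B", "issuer-web", "client-browser", 4.0, 0),
    make_flow(bytes(range(140, 180)) * 4, [250, 610, 180], "suite-B", "issuer-web", "client-phone", 7.0, 0),
]

def memory_features(flow):
    """Sparse discrete features for the memory part."""
    feats = {}
    n = len(flow["payload"])
    for b in flow["payload"]:                                # byte distribution
        feats[("byte", b)] = feats.get(("byte", b), 0.0) + 1.0 / n
    feats[("len_bucket", flow["lens"][0] // 256)] = 1.0      # packet length at position 0
    feats[("suite", flow["suite"])] = 1.0                    # negotiated suite
    return feats

class WideDeep:
    """Single-layer memory part plus embedding/hidden-layer generalization part."""

    def __init__(self, emb_dim=2, hidden=4, seed=7):
        self.rng = random.Random(seed)
        self.emb_dim, self.hidden = emb_dim, hidden
        self.wide = {}            # one weight per sparse discrete feature
        self.emb = {}             # (field, string) -> real-valued embedded vector
        n_in = 2 * emb_dim + 2    # two embedded vectors + two continuous features
        self.W = [[self.rng.uniform(-0.2, 0.2) for _ in range(n_in)] for _ in range(hidden)]
        self.b1 = [0.0] * hidden
        self.v = [self.rng.uniform(-0.2, 0.2) for _ in range(hidden)]
        self.bias = 0.0

    def embed_key(self, field, value):
        key = (field, value)
        if key not in self.emb:   # unseen category string gets a fresh small vector
            self.emb[key] = [self.rng.uniform(-0.1, 0.1) for _ in range(self.emb_dim)]
        return key

    def forward(self, flow):
        x = memory_features(flow)
        keys = [self.embed_key("issuer", flow["issuer"]), self.embed_key("client", flow["client"])]
        mean_len = sum(flow["lens"]) / len(flow["lens"])
        inp = self.emb[keys[0]] + self.emb[keys[1]] + [flow["duration"] / 100.0, mean_len / 1500.0]
        z = [sum(w * a for w, a in zip(row, inp)) + b for row, b in zip(self.W, self.b1)]
        h = [max(0.0, t) for t in z]                         # ReLU hidden layer
        wide_logit = sum(self.wide.get(k, 0.0) * val for k, val in x.items())
        deep_logit = sum(vj * hj for vj, hj in zip(self.v, h))
        logit = max(-30.0, min(30.0, self.bias + wide_logit + deep_logit))
        return 1.0 / (1.0 + math.exp(-logit)), (x, keys, inp, z, h)

    def train_step(self, flow, lr=0.1):
        p, (x, keys, inp, z, h) = self.forward(flow)
        g = p - flow["label"]                                # d(log loss)/d(logit)
        dz = [g * vj * (1.0 if zj > 0 else 0.0) for vj, zj in zip(self.v, z)]
        dinp = [sum(dz[j] * self.W[j][i] for j in range(self.hidden)) for i in range(len(inp))]
        self.bias -= lr * g
        for k, val in x.items():                             # memory part update
            self.wide[k] = self.wide.get(k, 0.0) - lr * g * val
        for j in range(self.hidden):                         # generalization part update
            self.v[j] -= lr * g * h[j]
            self.b1[j] -= lr * dz[j]
            for i in range(len(inp)):
                self.W[j][i] -= lr * dz[j] * inp[i]
        for n, key in enumerate(keys):                       # embedded vectors are trained too
            for d in range(self.emb_dim):
                self.emb[key][d] -= lr * dinp[n * self.emb_dim + d]
        return -math.log(p if flow["label"] else 1.0 - p)

def train(flows, epochs=200):
    """Jointly train both parts; returns the model and the mean log loss per epoch."""
    model = WideDeep()
    losses = [sum(model.train_step(f) for f in flows) / len(flows) for _ in range(epochs)]
    return model, losses

if __name__ == "__main__":
    model, losses = train(FLOWS)
    print(round(losses[0], 3), round(losses[-1], 3))
    print([round(model.forward(f)[0], 3) for f in FLOWS])
```

Both parts receive the same output-layer gradient, so the sparse weights and the embedded vectors are fitted together rather than in separate passes.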
Optionally, after obtaining the plurality of sample encrypted traffic, the method further comprises: the sample encrypted traffic is preprocessed, and the preprocessing comprises at least one of missing value processing, oversampling processing and standardization processing.
The sample encrypted traffic needed for this part may be preprocessed before the deep learning model is trained. The purpose of the preprocessing is to optimize the sample encrypted traffic and its sample features, so that the sample features input into the deep learning model are more refined. The preprocessing may include one or more of missing value processing, oversampling processing, and normalization processing. Missing value processing fills in the missing values of each sample encrypted traffic according to the data distribution, using methods such as mean filling or zero filling. A missing value is a feature that is absent from the sample encrypted traffic, for example when the sample encrypted traffic contains no certificate information feature or its client-related information feature is missing; missing value processing completes the missing features of the sample encrypted traffic.
The oversampling processing addresses the problem of data imbalance and performs the oversampling operation with Borderline-SMOTE (borderline synthetic minority oversampling technique, a processing method for imbalanced data sets). For example, among the sample encrypted traffic extracted for training the deep learning model, having 10,000 samples whose service type is video service, 4,000 samples whose service type is web service, and 2,000 samples whose service type is download service constitutes data imbalance. Because the numbers of training samples differ greatly between service types, the model over-learns the types with many samples and has difficulty learning the types with few samples, which finally reduces the accuracy of the model at identification time. Therefore, after the sample encrypted traffic is obtained, an oversampling technique can be used to adjust the samples of the different types to training numbers that differ as little as possible, so that training of the deep learning model covers every service type and the service types that the final identification model can identify are richer and more comprehensive.
The normalization processing can screen out abnormal values. In addition, when the amplitudes of the data differ too much between sample features, the extracted sample features are normalized to eliminate the dimensional relationship among variables and make the data comparable. An abnormal value is data that differs from the other data of a given feature; for example, the data in the certificate information feature all consist of pinyin or numerals, but the certificate information feature of some data consists of special symbols or garbled characters, and such abnormal data is called an abnormal value.
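An added illustration of the three preprocessing steps, not the patent's implementation: mean or zero filling of missing numeric features, z-score standardization, and the Borderline-SMOTE step, which synthesizes new minority samples only from those lying near the class boundary. The two-dimensional sample vectors, the neighbour counts and all function names are constructed for the example.

```python
import math
import random

def fill_missing(rows, strategy="mean"):
    """Replace None in each numeric column by the column mean or by zero."""
    fills = []
    for col in zip(*rows):
        seen = [v for v in col if v is not None]
        fills.append(sum(seen) / len(seen) if strategy == "mean" and seen else 0.0)
    return [[fills[j] if v is None else float(v) for j, v in enumerate(r)] for r in rows]

def standardize(rows):
    """Z-score each column so features with large amplitudes do not dominate distances."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]

def nearest(idx, X, candidates, k):
    """Indices of the k candidates closest to X[idx] (Euclidean), excluding idx itself."""
    others = [j for j in candidates if j != idx]
    return sorted(others, key=lambda j: math.dist(X[idx], X[j]))[:k]

def danger_set(X, y, minority, m=3):
    """Minority samples whose m nearest neighbours are mostly, but not all, other classes."""
    danger = []
    for i, label in enumerate(y):
        if label != minority:
            continue
        foreign = sum(1 for j in nearest(i, X, range(len(X)), m) if y[j] != minority)
        if m / 2 <= foreign < m:      # foreign == m is treated as noise and skipped
            danger.append(i)
    return danger

def borderline_smote(X, y, minority, n_new, k=3, m=3, seed=0):
    """Create up to n_new synthetic minority samples along danger-to-minority segments."""
    rng = random.Random(seed)
    danger = danger_set(X, y, minority, m)
    same = [i for i, label in enumerate(y) if label == minority]
    if len(same) < 2:                 # nothing to interpolate towards
        return []
    synthetic = []
    while danger and len(synthetic) < n_new:
        i = rng.choice(danger)                    # a borderline minority sample
        j = rng.choice(nearest(i, X, same, k))    # one of its minority neighbours
        gap = rng.random()                        # position on the segment, in [0, 1)
        synthetic.append([a + gap * (b - a) for a, b in zip(X[i], X[j])])
    return synthetic

# Constructed, already-scaled feature vectors: six "video" flows (majority) and
# five "download" flows, two of which sit next to the video cluster.
SAMPLE_X = [[0, 0], [0, 1], [1, 0], [1, 1], [2, 0], [2, 1],
            [3, 0.5], [3.2, 0.5], [6, 0], [6, 1], [7, 0.5]]
SAMPLE_Y = ["video"] * 6 + ["download"] * 5

if __name__ == "__main__":
    print(danger_set(SAMPLE_X, SAMPLE_Y, "download"))
    print(borderline_smote(SAMPLE_X, SAMPLE_Y, "download", n_new=4))
```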
The embodiment of the invention also provides an encrypted traffic identification device, which is shown in fig. 3, and comprises: an acquisition module 31, a determination module 32 and a processing module 33.
The obtaining module 31 is configured to obtain a plurality of sample encrypted traffic, and determine a service type of each sample encrypted traffic, where the service type of the sample encrypted traffic is a service type of an encryption application to which the sample encrypted traffic belongs.
The determination module 32 is configured to determine sample characteristics of the sample encrypted traffic, including sample memory characteristics and sample generalization characteristics.
The processing module 33 is configured to train the memory part and the generalization part of the deep learning model to obtain an identification model according to the sample memory feature and the sample generalization feature, determine a service type corresponding to the target encrypted traffic based on the identification model, and determine a service type of the target encrypted application to which the target encrypted traffic belongs.
Optionally, the processing module 33 includes: a determining unit and an identifying unit.
The determining unit is used for obtaining the target encrypted flow and determining target characteristics of the target encrypted flow; the target features include a target memory feature and a target generalization feature.
The identification unit is used for obtaining an output result of the identification model according to the target memory characteristic and the target generalization characteristic, determining a service type corresponding to the target encryption traffic based on the output result of the identification model, and determining a service type of a target encryption application to which the target encryption traffic belongs.
Optionally, the sample memory features comprise discrete features, the sample generalization features comprising embedded vectors and/or continuous features; wherein the discrete features comprise: at least one of byte distribution characteristics, packet length characteristics, and stream negotiation mechanism characteristics; the embedded vector is a real vector obtained by converting category characteristics, and the category characteristics comprise: at least one of certificate information features, client-side related information features and encryption protocol related information features; the continuous feature includes: at least one of a session duration feature, a packet sequence feature, a packet size feature, a frame arrival time feature, and a traffic information feature.
Optionally, the apparatus further comprises: and a preprocessing unit.
The preprocessing unit is used for preprocessing the sample encrypted traffic, and the preprocessing comprises at least one of missing value processing, oversampling processing and standardization processing.
The encrypted traffic identification device provided by the embodiment of the invention differs from traditional DPI technology in that it does not need to rely on application protocol feature fields. By extracting features of the encrypted traffic, it can train different parts of the deep learning model on different features, optimizing the memory capacity and generalization capacity of the deep learning model so that the model identifies the service type corresponding to the encrypted traffic more accurately and thereby determines more accurately the service type of the encrypted application to which the encrypted traffic belongs. In addition, because the device takes the deep learning model into account in its analysis, more targeted features can be screened out at the feature selection level and the deep learning model is trained jointly, so that the recognition precision and accuracy of the finally obtained identification model are significantly improved and the recognition efficiency is high, superior to that of a traditional manual recognition device.
In addition, the embodiment of the invention also provides an electronic device, which comprises a bus, a transceiver, a memory, a processor and a computer program stored in the memory and capable of running on the processor, wherein the transceiver, the memory and the processor are respectively connected through the bus, and when the computer program is executed by the processor, the processes of the embodiment of the encryption flow identification method can be realized, and the same technical effect can be achieved, so that repetition is avoided and redundant description is omitted.
In particular, referring to FIG. 4, an embodiment of the invention also provides an electronic device comprising a bus 1110, a processor 1120, a transceiver 1130, a bus interface 1140, a memory 1150, and a user interface 1160.
In an embodiment of the present invention, the electronic device further includes: computer programs stored on the memory 1150 and executable on the processor 1120, which when executed by the processor 1120, implement the processes of the encrypted traffic identification method embodiments described above.
A transceiver 1130 for receiving and transmitting data under the control of the processor 1120.
In an embodiment of the invention, a bus architecture (represented by bus 1110) is used; bus 1110 may include any number of interconnected buses and bridges, and bus 1110 connects together various circuits, including one or more processors, represented by processor 1120, and memory, represented by memory 1150.
Bus 1110 represents one or more of any of several types of bus structures, including a memory bus and a memory controller, a peripheral bus, an accelerated graphics port (Accelerated Graphics Port, AGP), a processor, or a local bus using any of a variety of bus architectures. By way of example, and not limitation, such an architecture includes: industry standard architecture (Industry Standard Architecture, ISA) bus, micro channel architecture (Micro Channel Architecture, MCA) bus, Enhanced ISA (EISA) bus, video electronics standards association (Video Electronics Standards Association, VESA) bus, peripheral component interconnect (Peripheral Component Interconnect, PCI) bus.
Processor 1120 may be an integrated circuit chip with signal processing capabilities. In implementation, the steps of the above method embodiments may be implemented by instructions in the form of integrated logic circuits in hardware or software in a processor. The processor includes: general purpose processors, central processing units (Central Processing Unit, CPU), network processors (Network Processor, NP), digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), field programmable gate arrays (Field Programmable Gate Array, FPGA), complex programmable logic devices (Complex Programmable Logic Device, CPLD), programmable logic arrays (Programmable Logic Array, PLA), micro control units (Microcontroller Unit, MCU) or other programmable logic devices, discrete gates, transistor logic devices, discrete hardware components. The methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. For example, the processor may be a single-core processor or a multi-core processor, and the processor may be integrated on a single chip or located on multiple different chips.
The processor 1120 may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software modules may be located in a random access memory (Random Access Memory, RAM), flash memory (Flash Memory), read-only memory (Read-Only Memory, ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), registers, and so forth, as are known in the art. The readable storage medium is located in a memory, and the processor reads the information in the memory and, in combination with its hardware, performs the steps of the above method.
Bus 1110 may also connect together various other circuits such as peripheral devices, voltage regulators, or power management circuits, bus interface 1140 providing an interface between bus 1110 and transceiver 1130, all of which are well known in the art. Accordingly, the embodiments of the present invention will not be further described.
The transceiver 1130 may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. For example: the transceiver 1130 receives external data from other devices, and the transceiver 1130 is configured to transmit the data processed by the processor 1120 to the other devices. Depending on the nature of the computer system, a user interface 1160 may also be provided, for example: touch screen, physical keyboard, display, mouse, speaker, microphone, trackball, joystick, stylus.
It should be appreciated that in embodiments of the present invention, the memory 1150 may further comprise memory located remotely from the processor 1120, such remotely located memory being connectable to a server through a network. One or more portions of the above-described networks may be an ad hoc network, an intranet, an extranet, a Virtual Private Network (VPN), a Local Area Network (LAN), a Wireless Local Area Network (WLAN), a Wide Area Network (WAN), a Wireless Wide Area Network (WWAN), a Metropolitan Area Network (MAN), the Internet, a Public Switched Telephone Network (PSTN), a plain old telephone service network (POTS), a cellular telephone network, a wireless fidelity (Wi-Fi) network, and a combination of two or more of the above-described networks. For example, the cellular telephone network and wireless network may be a global system for mobile communications (GSM) system, a Code Division Multiple Access (CDMA) system, a Worldwide Interoperability for Microwave Access (WiMAX) system, a General Packet Radio Service (GPRS) system, a Wideband Code Division Multiple Access (WCDMA) system, a Long Term Evolution (LTE) system, an LTE Frequency Division Duplex (FDD) system, an LTE Time Division Duplex (TDD) system, a long term evolution-advanced (LTE-A) system, a Universal Mobile Telecommunications (UMTS) system, an enhanced mobile broadband (Enhance Mobile Broadband, eMBB) system, a massive machine type communication (massive Machine Type of Communication, mMTC) system, an ultra reliable low latency communication (Ultra Reliable Low Latency Communications, uRLLC) system, and the like.
It should be appreciated that the memory 1150 in embodiments of the present invention may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The nonvolatile memory includes: Read-Only Memory (ROM), Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), or flash memory (Flash Memory).
The volatile memory includes: random access memory (Random Access Memory, RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as: Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The memory 1150 of the electronic device described in embodiments of the present invention includes, but is not limited to, the above and any other suitable types of memory.
In an embodiment of the invention, memory 1150 stores the following elements of operating system 1151 and application programs 1152: an executable module, a data structure, or a subset thereof, or an extended set thereof.
Specifically, the operating system 1151 includes various system programs, such as: a framework layer, a core library layer, a driving layer and the like, which are used for realizing various basic services and processing tasks based on hardware. The applications 1152 include various applications such as: a Media Player (Media Player), a Browser (Browser) for implementing various application services. A program for implementing the method of the embodiment of the present invention may be included in the application 1152. The application 1152 includes: applets, objects, components, logic, data structures, and other computer system executable instructions that perform particular tasks or implement particular abstract data types.
In addition, the embodiment of the present invention further provides a computer readable storage medium, on which a computer program is stored, where the computer program when executed by a processor implements each process of the above embodiment of the encrypted traffic identification method, and the same technical effects can be achieved, so that repetition is avoided, and no further description is given here.
The computer-readable storage medium includes persistent and non-persistent, removable and non-removable media, which are tangible devices that may retain and store instructions for use by an instruction execution device. The computer-readable storage medium includes: electronic storage, magnetic storage, optical storage, electromagnetic storage, semiconductor storage, and any suitable combination of the foregoing. The computer-readable storage medium includes: phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read-Only Memory (ROM), non-volatile random access memory (NVRAM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash memory or other memory technology, compact disk read-only memory (CD-ROM), Digital Versatile Disks (DVD) or other optical storage, magnetic cassette storage, magnetic tape disk storage or other magnetic storage devices, memory sticks, mechanical coding (e.g., punch cards or bump structures in grooves with instructions recorded thereon), or any other non-transmission medium that may be used to store information that may be accessed by a computing device. In accordance with the definition in the present embodiments, the computer-readable storage medium does not include a transitory signal itself, such as a radio wave or other freely propagating electromagnetic wave, an electromagnetic wave propagating through a waveguide or other transmission medium (e.g., a pulse of light passing through a fiber optic cable), or an electrical signal transmitted through a wire.
In several embodiments provided herein, it should be understood that the disclosed apparatus, electronic device, and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, e.g., the division of the modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or elements, or may be an electrical, mechanical, or other form of connection.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one position, or may be distributed over a plurality of network units. Some or all of the units can be selected according to actual needs to solve the problem to be solved by the scheme of the embodiment of the invention.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the part of the technical solution of the embodiments of the present invention that in essence contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (including: a personal computer, a server, a data center or other network device) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes the various media exemplified above that can store program code.
In the description of the embodiments of the present invention, those skilled in the art will appreciate that the embodiments of the present invention may be implemented as a method, an apparatus, an electronic device, and a computer-readable storage medium. Thus, embodiments of the present invention may be embodied in the following forms: complete hardware, complete software (including firmware, resident software, micro-code, etc.), a combination of hardware and software. Furthermore, in some embodiments, embodiments of the invention may also be implemented in the form of a computer program product in one or more computer-readable storage media having computer program code embodied therein.
Any combination of one or more computer-readable storage media may be employed. The computer-readable storage medium includes: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of the computer readable storage medium include the following: portable computer diskette, hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM), flash memory (Flash Memory), optical fiber, compact disc read-only memory (CD-ROM), optical storage device, magnetic storage device, or any combination thereof. In embodiments of the present invention, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer program code embodied in the computer readable storage medium may be transmitted using any appropriate medium, including: wireless, wire, fiber optic cable, radio Frequency (RF), or any suitable combination thereof.
Computer program code for carrying out operations of embodiments of the present invention may be written in assembly instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, integrated circuit configuration data, or in one or more programming languages, including object oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the C language or similar programming languages. The computer program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of remote computers, the remote computers may be connected via any sort of network, including: a Local Area Network (LAN) or a Wide Area Network (WAN), which may be connected to the user's computer or to an external computer.
The embodiment of the invention describes a method, a device and electronic equipment through flowcharts and/or block diagrams.
It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions. These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer readable program instructions may also be stored in a computer readable storage medium that can cause a computer or other programmable data processing apparatus to function in a particular manner. Thus, instructions stored in a computer-readable storage medium produce an instruction means which implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The foregoing is merely a specific implementation of the embodiment of the present invention, but the protection scope of the embodiment of the present invention is not limited thereto. Any changes or substitutions that a person skilled in the art can readily conceive of within the technical scope of the embodiment of the present invention are covered by the protection scope of the embodiment of the present invention. Therefore, the protection scope of the embodiments of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. An encrypted traffic identification method, comprising:
acquiring a plurality of sample encryption traffic, and determining the service type of each sample encryption traffic, wherein the service type of the sample encryption traffic is the service type of an encryption application to which the sample encryption traffic belongs;
determining sample characteristics of the sample encrypted traffic, wherein the sample characteristics comprise sample memory characteristics and sample generalization characteristics;
and respectively training a memory part and a generalization part of a deep learning model according to the sample memory characteristics and the sample generalization characteristics to obtain an identification model, determining a service type corresponding to a target encryption flow based on the identification model, and determining a service type of a target encryption application to which the target encryption flow belongs.
2. The method according to claim 1, wherein determining the service type corresponding to the target encrypted traffic based on the identification model and determining the service type of the target encrypted application to which the target encrypted traffic belongs includes:
acquiring the target encrypted traffic and determining target characteristics of the target encrypted traffic; the target features comprise target memory features and target generalization features;
and obtaining an output result of the identification model according to the target memory characteristic and the target generalization characteristic, determining a service type corresponding to the target encryption traffic based on the output result of the identification model, and determining a service type of a target encryption application to which the target encryption traffic belongs.
3. The method of claim 1, wherein the sample memory features comprise discrete features, and the sample generalization features comprise embedding vectors and/or continuous features;
wherein the discrete features comprise at least one of: byte distribution features, packet length features, and stream negotiation mechanism features;
the embedding vector is a real-valued vector obtained by converting categorical features, and the categorical features comprise at least one of: certificate information features, client-related information features, and encryption-protocol-related information features;
the continuous features comprise at least one of: session duration features, packet sequence features, packet size features, frame arrival time features, and traffic information features.
4. The method of claim 1, further comprising, after obtaining the plurality of sample encrypted traffic: preprocessing the sample encrypted traffic, wherein the preprocessing comprises at least one of missing value processing, oversampling processing, and standardization processing.
5. An encrypted traffic identification device, comprising: an acquisition module, a determination module, and a processing module;
the acquisition module is configured to acquire a plurality of sample encrypted traffic and determine the service type of each sample encrypted traffic, wherein the service type of the sample encrypted traffic is the service type of the encrypted application to which the sample encrypted traffic belongs;
the determination module is configured to determine sample features of the sample encrypted traffic, wherein the sample features comprise sample memory features and sample generalization features;
the processing module is configured to train the memory part and the generalization part of the deep learning model on the sample memory features and the sample generalization features, respectively, to obtain an identification model, to determine, based on the identification model, the service type corresponding to the target encrypted traffic, and to determine the service type of the target encrypted application to which the target encrypted traffic belongs.
6. The apparatus of claim 5, wherein the processing module comprises: a determination unit and an identification unit;
the determination unit is configured to acquire the target encrypted traffic and determine target features of the target encrypted traffic, wherein the target features comprise target memory features and target generalization features;
the identification unit is configured to obtain an output result of the identification model from the target memory features and the target generalization features, to determine the service type corresponding to the target encrypted traffic based on the output result of the identification model, and to determine the service type of the target encrypted application to which the target encrypted traffic belongs.
7. The apparatus of claim 5, wherein the sample memory features comprise discrete features, and the sample generalization features comprise embedding vectors and/or continuous features;
wherein the discrete features comprise at least one of: byte distribution features, packet length features, and stream negotiation mechanism features;
the embedding vector is a real-valued vector obtained by converting categorical features, and the categorical features comprise at least one of: certificate information features, client-related information features, and encryption-protocol-related information features;
the continuous features comprise at least one of: session duration features, packet sequence features, packet size features, frame arrival time features, and traffic information features.
8. The apparatus of claim 5, wherein the apparatus further comprises: a preprocessing unit;
the preprocessing unit is configured to preprocess the sample encrypted traffic, wherein the preprocessing comprises at least one of missing value processing, oversampling processing, and standardization processing.
9. An electronic device comprising a bus, a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor, the transceiver, the memory and the processor being connected by the bus, characterized in that the computer program, when executed by the processor, implements the steps of the encrypted traffic identification method according to any one of claims 1 to 4.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the encrypted traffic identification method according to any one of claims 1 to 4.
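The feature split of claims 3 and 4 (and device claims 7 and 8), sketched as an added example that is not part of the patent text: discrete memory features, an embedding vector plus a continuous value as generalization features, and the three preprocessing steps. The flow records, bucket widths, embedding size, and all function names are assumptions made for illustration.

```python
import math
import random
from collections import Counter

# Constructed sample flows (not from the patent): packet lengths, leading payload
# bytes, TLS version (categorical), session duration in seconds (None = missing).
FLOWS = [
    {"lens": [517, 1400, 1400, 90], "payload": b"\x16\x03\x01\x02\x00", "tls": "TLS1.2", "dur": 12.0, "label": "video"},
    {"lens": [517, 1400, 1400, 1400], "payload": b"\x16\x03\x03\x00\x7a", "tls": "TLS1.3", "dur": 30.0, "label": "video"},
    {"lens": [200, 150, 90], "payload": b"\x16\x03\x01\x00\xc8", "tls": "TLS1.2", "dur": None, "label": "video"},
    {"lens": [120, 80, 60], "payload": b"\x17\x03\x03\x00\x20", "tls": "TLS1.3", "dur": 3.0, "label": "chat"},
]

def memory_features(flow):
    """Discrete features for the memory part: packet-length and byte-value buckets."""
    feats = {f"len_bucket={min(n // 500, 3)}" for n in flow["lens"]}
    feats |= {f"byte_bucket={b // 64}" for b in flow["payload"]}
    return sorted(feats)

def impute_and_standardize(values):
    """Missing-value processing (mean fill), then z-score standardization."""
    known = [v for v in values if v is not None]
    mean = sum(known) / len(known)
    filled = [mean if v is None else v for v in values]
    std = math.sqrt(sum((v - mean) ** 2 for v in filled) / len(filled)) or 1.0
    return [(v - mean) / std for v in filled]

def generalization_features(flows, dim=4, seed=0):
    """Categorical value -> real-valued embedding, concatenated with a continuous feature.
    Embeddings are randomly initialised here; in training they would be learned."""
    rng = random.Random(seed)
    vocab = {c: [rng.uniform(-1, 1) for _ in range(dim)]
             for c in sorted({f["tls"] for f in flows})}
    durations = impute_and_standardize([f["dur"] for f in flows])
    return [vocab[f["tls"]] + [d] for f, d in zip(flows, durations)]

def oversample(flows, seed=0):
    """Random oversampling: repeat minority-class flows until classes are balanced."""
    rng = random.Random(seed)
    counts = Counter(f["label"] for f in flows)
    target = max(counts.values())
    balanced = list(flows)
    for label, n in counts.items():
        pool = [f for f in flows if f["label"] == label]
        balanced += [rng.choice(pool) for _ in range(target - n)]
    return balanced
```
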
CN202111676373.7A 2021-12-31 2021-12-31 Encryption traffic identification method and device and electronic equipment Pending CN116436622A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111676373.7A CN116436622A (en) 2021-12-31 2021-12-31 Encryption traffic identification method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111676373.7A CN116436622A (en) 2021-12-31 2021-12-31 Encryption traffic identification method and device and electronic equipment

Publications (1)

Publication Number Publication Date
CN116436622A (en) 2023-07-14

Family

ID=87093038

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111676373.7A Pending CN116436622A (en) 2021-12-31 2021-12-31 Encryption traffic identification method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN116436622A (en)

Similar Documents

Publication Publication Date Title
Chen et al. Automatic mobile application traffic identification by convolutional neural networks
CN113347210B (en) DNS tunnel detection method and device and electronic equipment
CN112165484B (en) Network encryption traffic identification method and device based on deep learning and side channel analysis
CN111866024A (en) Network encryption traffic identification method and device
CN112887329A (en) Hidden service tracing method and device and electronic equipment
CN116915442A (en) Vulnerability testing method, device, equipment and medium
Yujie et al. End-to-end android malware classification based on pure traffic images
CN116723058A (en) Network attack detection and protection method and device
CN115051874B (en) Multi-feature CS malicious encrypted traffic detection method and system
CN116436622A (en) Encryption traffic identification method and device and electronic equipment
CN117082118A (en) Network connection method based on data derivation and port prediction
CN110717182A (en) Webpage Trojan horse detection method, device and equipment and readable storage medium
CN115622787A (en) Abnormal flow detection method and device, electronic equipment and storage medium
CN115632801A (en) Method and device for detecting malicious traffic and electronic equipment
CN116418754A (en) Method and device for identifying encryption application and electronic equipment
CN116827562A (en) Method and device for identifying attack based on graph data structure and electronic equipment
CN115622810B (en) Business application identification system and method based on machine learning algorithm
CN116647349A (en) Method, device and electronic equipment for realizing encrypted traffic identification
KR102624325B1 (en) System and method for anomaly detection using siamese network and class activation map with discretization and computer program for the same
CN116915720B (en) Internet of things equipment flow identification method and system, electronic equipment and storage medium
CN114765634B (en) Network protocol identification method, device, electronic equipment and readable storage medium
CN116743399A (en) Malicious single-stream detection method and device and electronic equipment
CN117240483A (en) Flow detection method, device, equipment and storage medium
CN115545087A (en) Method and device for identifying encrypted application and electronic equipment
Fu et al. Accurate compressed traffic detection via traffic analysis using Graph Convolutional Network based on graph structure feature

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination