CN116827873A - Encryption application flow classification method and system based on local-global feature attention - Google Patents

Info

Publication number: CN116827873A
Application number: CN202310199298.2A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending
Inventors: 缪亚男, 徐小琳, 赵悦楷
Current Assignee: National Computer Network and Information Security Management Center
Original Assignee: National Computer Network and Information Security Management Center
Prior art keywords: encryption application, classification, encryption, flow, byte stream

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and system for classifying encrypted application traffic based on local-global feature attention. In the artificial intelligence model training stage, the learnable parameters of the neural network are trained on encrypted application byte stream sequences carrying application class labels, so that feature extraction and classification of encrypted application traffic are performed automatically and a trained encrypted traffic classification model is obtained. In the encrypted application traffic classification stage, features are extracted from real network traffic captured in the network environment, using the trained model parameters, and the traffic is classified. By modeling encrypted application traffic with a local-global feature attention mechanism, the invention builds more robust classification features and classifies application traffic more accurately.

Description

Encryption application flow classification method and system based on local-global feature attention
Technical Field
The invention relates to a method and system for classifying encrypted application traffic based on local-global feature attention, which use artificial intelligence techniques to automatically classify mobile internet traffic in which multiple applications are intermixed, according to the payload information of multiple packets of one application flow.
Background
This patent concerns the fully automated classification of mobile internet traffic in which multiple applications are intermixed, based on the payload information of multiple packets of one application flow and using artificial intelligence techniques. Strictly defined, network traffic classification is the task of mapping network traffic one-to-one to the specific application protocol or application that generated it. Network traffic classification is critical to basic operations such as network management, network measurement and network security. Network management often needs to classify TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) traffic quickly and accurately by application category, so that different types of network traffic can be managed in tiers and internet users can be given better quality-of-service guarantees. For network security, research and engineering work on network traffic classification is often the first step in filtering out normal network traffic and thereby discovering abnormal network traffic. For example, quality of service (QoS) and network anomaly detection both require accurate network traffic classification.
With the rapid development of network communication technology, network traffic classification faces new problems and challenges in practice. First, the emergence of new network applications has greatly increased the volume of network traffic, and the volume continues to grow. Given this rapid growth, accurate classification of network traffic is a problem that must be solved in current network scenarios. Second, to protect the information security and privacy of users, network data encryption is widely applied, so more and more network traffic is encrypted. According to a research report from Google, the proportion of Chrome browser traffic encrypted with Transport Layer Security (TLS) and the proportion of Android traffic encrypted with TLS have been increasing continuously, and by the end of 2019 exceeded ninety-five percent and eighty percent respectively. Encryption is clearly in wide use in network data transmission today, so the classification of encrypted traffic is a frontier and hot-spot problem in the field of network traffic classification.
This patent designs and implements a new application traffic classification method and system based on artificial intelligence techniques. It achieves accurate network traffic classification by extracting the payload information of multiple messages in an application flow and establishing a temporal relationship among the messages according to their timing information.
Disclosure of Invention
The invention aims to design and implement a method and system for classifying encrypted application traffic based on local-global feature attention, so that when classifying the network traffic of encrypted applications, the local information of a stream (that is, each message) and the global information of the stream (that is, the temporal relationship among the messages) are considered together, yielding more accurate classification of encrypted application traffic. To achieve this, the technical scheme adopted by the invention is as follows:
The encrypted application traffic classification method and system based on local-global feature attention comprise an artificial intelligence model training stage and an encrypted application traffic classification stage.
The main part of the artificial intelligence model training stage is the construction of the encrypted application traffic classification model, which comprises the following steps:
1) Preprocess, as input, known encrypted application traffic that is generated by a group of Internet of Things devices and has a sufficient number of samples, to obtain a training set of encrypted application byte stream samples.
2) Taking the training set of encrypted application byte stream samples obtained in step 1) as input, train a deep learning neural network model based on local-global feature attention to construct the encrypted application traffic classification model.
The encrypted traffic classification stage comprises the following steps:
3) Taking the network traffic data to be classified as input, obtain the byte stream sequence of that traffic and convert it into byte stream samples of the same form as in step 1);
4) Using these samples, classify the network traffic according to the encrypted application traffic classification model obtained in step 2) of the training stage, and output the result.
The encrypted application traffic classification system based on local-global feature attention comprises an encrypted application traffic preprocessing module and an encrypted application traffic classification model construction module for the training stage, and an encrypted application traffic preprocessing module and an encrypted application traffic classification module for the classification stage, wherein:
the encrypted application traffic preprocessing module is responsible for extracting byte streams from the input raw network traffic data and processing them into byte stream sequences with a uniform number of data messages and a uniform byte length per data message;
the encrypted application traffic classification model construction module of the artificial intelligence model training stage is responsible for adjusting the network parameters of the classification model according to the set of byte stream sequences whose applications are known, until the training termination condition is met, for use in the classification stage;
the encrypted application traffic classification module of the classification stage is responsible for determining the type of the encrypted application traffic to be classified according to the classification model generated in the training stage, and outputting the result.
The key technical points of the invention are as follows:
1. Message-level feature encodings are constructed by multi-level convolution; this structure can extract the key information in each message.
2. A stream feature encoding layer is designed as a bidirectional two-layer recurrent neural network. It chains the local features of each message in an application stream into a global feature for the stream, giving a better feature representation of the application stream.
3. A local-global attention mechanism is designed that determines, in a data-driven manner, which messages in a stream are important and which fields in each message are important.
The method addresses the poor classification performance that results from training a classifier directly when Internet of Things device traffic is insufficient. Compared with the disclosed related art, the method has the following advantages:
1. The patent designs an encrypted application traffic modeling method with a local-global feature attention mechanism. For one stream, the mechanism considers both the local information of the stream (i.e. the information of each message) and its global information (i.e. the temporal relationship among the messages), thereby building more robust classification features and classifying application traffic more accurately.
2. For the application flow to be tested, the application flow classification work can be carried out only by adopting byte information of the first few messages of each application flow, namely the application flow classification work does not need to reassemble a plurality of IP messages of one flow into higher-level application-level messages. Therefore, the technical method provided by the patent can be directly applied to early classification work of encryption application traffic, so that the detection efficiency (namely detection timeliness) of traffic classification is greatly improved.
Drawings
FIG. 1 is a training phase flow diagram of an encryption application traffic method based on local-global feature attention.
Fig. 2 is a block diagram of a neural network constructed by an encryption application classification model.
Fig. 3 is a classification phase flow diagram of an encryption application flow method based on local-global feature attention.
Fig. 4 is a diagram of an encryption application traffic classification system architecture based on local-global feature attention.
Detailed Description
The workflow of the invention is divided into an artificial intelligence model training stage and an encrypted application traffic classification stage. In the training stage, the learnable parameters of the neural network are trained on encrypted application byte stream sequences carrying application class labels, so that feature extraction and classification of encrypted application traffic are performed automatically. In the classification stage, features are extracted from real network traffic captured in the network environment, using the trained model parameters, and the traffic is classified.
In the artificial intelligence model training stage, the key technical part of the invention is the construction of the encrypted application traffic classification model; the construction flow is shown in figure 1. The input to the construction process is the first N data messages of each encrypted application byte stream carrying an application type label, each data message being represented by its first B bytes. The neural network structure of the classification model is shown in fig. 2, and the termination condition of the construction process is L. The output of the construction process is an encrypted application classification model that meets the classification requirements.
The encryption application flow classification model is constructed based on a training method of a deep neural network model, and the specific implementation steps are as follows:
1. Given a set D of Internet of Things device traffic byte stream sequences (the set contains M encrypted application byte streams, where $w_{(m,n,i)}$ denotes the i-th byte of the n-th data message in the m-th byte stream, N denotes the number of leading data messages considered for the m-th byte stream, and B denotes the number of leading bytes considered for the n-th data message; $w_{(m,n,i)}$ is an integer in the range [0, 255]), together with the maximum number of data messages per byte stream $N_m$ allowed by the model and the maximum byte length $B_m$ of each data message. First, the byte stream sequence set must be preprocessed into a vector representation of dimension $(M \times N_m \times B_m)$.
The byte stream sequences are processed as follows. First, the byte sequence length of each data message is adjusted. For the n-th data message of the m-th byte stream in set D: if the byte sequence length B of the data message is greater than or equal to $B_m$, the first $B_m$ bytes of the data message are kept; if B is less than $B_m$, $B_m - B$ zeros are appended to the end of the sequence, extending its length to $B_m$. The original set D thus becomes a new set of byte stream sequences with fixed-length data messages. Next, the number of data messages is adjusted. For all data messages of the m-th byte stream sequence: if the number N of data messages in the byte stream is greater than or equal to $N_m$, the first $N_m$ data messages are kept; if N is less than $N_m$, zeros are appended to the end of the sequence, extending the number of data messages to $N_m$. After these adjustments, the original set D becomes a new set D' of byte stream sequences with a fixed number of fixed-length data messages. The subsequent network takes D' as input data for traffic feature extraction and classification.
2. Before training starts, the trainable parameters of the neural network must be initialized according to the hyperparameter settings. Initialization can be done by loading existing model parameters, random initialization, custom initialization and similar methods; in this method, the trainable parameters are given initial values by random initialization.
If the learnable parameters need to be fine-tuned after the network has been in use, this step can be skipped: the original parameters are loaded instead of being initialized, and the model is adjusted starting from them.
3. Given the pre-processed byte stream sequence set as input data, message feature coding performs message-level feature encoding on it. For ease of understanding, the byte sequence of a single data message of a single byte stream is taken as the object of discussion to present the message-level feature encoding operation of the invention.
In the invention, four consecutive 1D convolution operations perform the dimension and form transformation of the message. The input data of this step has dimension $(1 \times B_m)$. The first convolution layer has kernel size $k_1$ and $C_1$ channels (i.e., the number of convolution kernels); its output has dimension $(C_1 \times B_m)$. The second convolution layer has kernel size $k_2$ and $C_2$ channels; its output has dimension $(C_2 \times B_m)$. The third convolution layer has kernel size $k_3$ and $C_3$ channels; its output has dimension $(C_3 \times B_m)$. The fourth convolution layer has kernel size $k_4 = 1$ and $C_4$ channels; its output has dimension $(C_4 \times B_m)$.
After each convolution operation, a nonlinear activation function and data normalization are applied to improve the data distribution, speed up training of the neural network and improve the training result. The nonlinear activation function used in the invention is the ReLU (Rectified Linear Unit) function and the normalization method is batch normalization; other methods can be used at any step of the network structure that requires nonlinear activation and normalization.
After the byte sequence of each single data message has been feature-encoded, the invention concatenates the message-level feature encodings of all data messages of the byte stream to obtain a feature encoding of dimension $(N_m \times C_4 \times B_m)$.
4. After the message-level feature encoding is complete, the invention takes it as input for byte-stream-level feature encoding. For ease of understanding, a single byte stream is taken as the object of discussion to present the byte-stream-level feature encoding operation of the invention.
In the invention, a bidirectional gated recurrent unit (GRU) network performs the dimension and form transformation of the byte stream. The input data of this step has dimension $(N_m \times C_4 \times B_m)$. The invention sets the number of GRU layers to $N_h$ and the output dimension of each layer to h. Finally, the forward and backward hidden-layer outputs of each GRU layer are concatenated to obtain the stream-level feature encoding vector of the whole byte stream, with data dimension $(2 \times N_h \times h)$.
5. After stream-level feature encoding, the encrypted application byte stream has been converted into a corresponding feature vector, and the semantic information represented by the feature vector values corresponds to the encrypted application. The invention uses three fully connected layers to map from the feature vector to the inferred encrypted application type. The numbers of neurons in the first and second fully connected layers are set to $(2 \times N_h \times h)$ and $(h)$; other integers can be set according to the needs of the actual scenario. The number of neurons in the third fully connected layer equals the number of encrypted application types to classify: if the number of applications classified is λ, the third layer has λ neurons. A ReLU nonlinear activation is added after each of the first and second fully connected layers. For a single byte stream sequence, the dimension with the largest value in the output of the third fully connected layer is the inferred encrypted application type of that sequence. By aggregating the outputs for all byte stream sequences in the current iteration, a loss function can be calculated to evaluate how well the current result fits the actual data. The loss function used is cross entropy.
6. After encryption application flow classification is completed, judging whether a neural network calculation result meets an ending condition L: (a) If the calculation result meets the end condition L, stopping the training process of the neural network, and outputting an encryption application classification model containing the neural network parameter value as a final result of a training stage so as to be used for carrying out encryption application flow classification in the classification stage; (b) If the calculation result does not meet the end condition, calculating a loss function value according to the network classification result, updating the neural network parameters by using back propagation, returning to the initial feature transformation of the step (3), and repeating the processes of (3) - (5). The setting of the ending condition L may include, but is not limited to, the following conditions: reaching the maximum iteration period, reaching the expected loss function value, reaching the expected statistical evaluation index and the like.
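Training steps 3 to 6 above, sketched in PyTorch as an added example (not code from the patent). The channel counts, kernel sizes, GRU size, Conv-BatchNorm-ReLU order, flattening each message to $C_4 \cdot B_m$ values before the GRU, scaling bytes to [0, 1], the end condition and the constructed batch are all assumptions; the text gives no formula for the attention weighting, so none is modeled.

```python
import torch
from torch import nn


class PacketEncoder(nn.Module):
    """Step 3: four 1D convolutions over the bytes of one data message."""

    def __init__(self, channels, kernels):
        super().__init__()
        layers, in_ch = [], 1
        for out_ch, k in zip(channels, kernels):
            # Odd kernel + padding k // 2 keeps the length at B_m, matching the
            # (C_i x B_m) output shapes in the text. Conv -> BN -> ReLU order assumed.
            layers += [nn.Conv1d(in_ch, out_ch, k, padding=k // 2),
                       nn.BatchNorm1d(out_ch), nn.ReLU()]
            in_ch = out_ch
        self.net = nn.Sequential(*layers)

    def forward(self, x):          # x: (batch * N_m, 1, B_m)
        return self.net(x)         # -> (batch * N_m, C_4, B_m)


class FlowClassifier(nn.Module):
    """Steps 3-5: message encoder, bidirectional GRU, three fully connected layers."""

    def __init__(self, b_m, num_classes, channels=(16, 32, 32, 8),
                 kernels=(3, 3, 3, 1), gru_layers=2, hidden=32):
        super().__init__()
        self.packets = PacketEncoder(channels, kernels)
        self.gru = nn.GRU(channels[-1] * b_m, hidden, num_layers=gru_layers,
                          batch_first=True, bidirectional=True)
        self.feature_dim = 2 * gru_layers * hidden          # (2 x N_h x h)
        self.head = nn.Sequential(
            nn.Linear(self.feature_dim, self.feature_dim), nn.ReLU(),
            nn.Linear(self.feature_dim, hidden), nn.ReLU(),
            nn.Linear(hidden, num_classes))                  # lambda output neurons

    def forward(self, flows):      # flows: (batch, N_m, B_m), bytes scaled to [0, 1]
        batch, n_m, b_m = flows.shape
        x = self.packets(flows.reshape(batch * n_m, 1, b_m))
        x = x.reshape(batch, n_m, -1)                        # one vector per message
        _, h_n = self.gru(x)                                 # (2 * N_h, batch, h)
        features = h_n.permute(1, 0, 2).reshape(batch, -1)   # (batch, 2 * N_h * h)
        return self.head(features)                           # class scores (logits)


def constructed_batch(n_flows=16, n_m=4, b_m=64, num_classes=4, seed=0):
    """Constructed sample data: random bytes whose first byte depends on the class."""
    gen = torch.Generator().manual_seed(seed)
    labels = torch.arange(n_flows) % num_classes
    flows = torch.randint(0, 256, (n_flows, n_m, b_m), generator=gen).float()
    flows[:, :, 0] = (labels * 60).float().unsqueeze(1)
    return flows / 255.0, labels


def train(model, flows, labels, max_epochs=15, target_loss=0.05, lr=1e-3):
    """Steps 5-6: cross entropy and back-propagation until end condition L holds.
    L is assumed here to be 'max_epochs reached or loss <= target_loss'."""
    optimizer = torch.optim.Adam(model.parameters(), lr=lr)
    loss_fn = nn.CrossEntropyLoss()
    history = []
    model.train()
    for _ in range(max_epochs):
        optimizer.zero_grad()
        loss = loss_fn(model(flows), labels)
        loss.backward()
        optimizer.step()
        history.append(loss.item())
        if history[-1] <= target_loss:
            break
    return history


def demo(seed=0):
    """Train on the constructed batch; return logits shape, feature size, losses."""
    torch.manual_seed(seed)
    flows, labels = constructed_batch(seed=seed)
    model = FlowClassifier(b_m=flows.shape[2], num_classes=4)
    history = train(model, flows, labels)
    model.eval()
    with torch.no_grad():
        logits = model(flows)
    return tuple(logits.shape), model.feature_dim, history


if __name__ == "__main__":
    shape, feature_dim, history = demo()
    print(shape, feature_dim, [round(v, 3) for v in history])
```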
The workflow of the encryption application traffic classification stage is shown in fig. 3, and the stage uses the network traffic as input based on the encryption application classification model parameters obtained in the training stage to perform application classification discrimination on the captured network traffic.
1. The encrypted application traffic acquisition and processing module is responsible for capturing network traffic and processing all byte stream sequences to be classified into a uniform form. First, each sequence is truncated or zero-padded according to the preset maximum number of data messages $N_m$ and the maximum byte sequence length $B_m$ allowed for each data message. The resulting set of uniform-length sequences is then used as input to the encrypted application classification module.
2. The encryption application classification module takes the preprocessed formatted data as input according to the encryption application classification model generated in the training stage, and obtains the corresponding application class probability for each input encryption application flow. And after feature coding of the data message level and the stream level, finally obtaining the encryption application category represented by the input encryption traffic byte stream sequence through feature classification.
3. To improve the open-set recognition capability of the invention, unknown application traffic is filtered next. If the maximum of the per-application probability values that the classification model outputs for a single byte stream is smaller than a set threshold T, the traffic corresponding to that byte stream is judged to be unknown encrypted application traffic and is filtered out.
In practical use, the training stage can be restarted, and the neural network adjusted and retrained, according to the classification performance of the method on different data sets, changes in the set of encrypted application types to be classified, and similar factors. The neural network parameters used by the invention are updated through multiple iterations of the training stage and the classification stage, so that the performance of the invention meets the requirements of encrypted application classification.
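The classification-stage preprocessing (step 1, the same truncate-or-zero-pad rule as training step 1) and the unknown-traffic filter (step 3), as an added example that is not code from the patent. The packet dictionaries, function names, sample bytes and the softmax used to turn model outputs into probabilities are assumptions; the model itself is not included, so the scores passed to the filter are constructed.

```python
import math

# Constructed sample packets (Ethernet header already removed, documentation IPs).
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "sport": 50000, "dst": "198.51.100.5", "dport": 443,
     "proto": "TCP", "data": bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01])},
    {"src": "198.51.100.5", "sport": 443, "dst": "192.0.2.10", "dport": 50000,
     "proto": "TCP", "data": bytes([0x16, 0x03, 0x03])},
    {"src": "192.0.2.10", "sport": 50000, "dst": "198.51.100.5", "dport": 443,
     "proto": "TCP", "data": bytes([0x14, 0x03, 0x03, 0x00, 0x01])},
    {"src": "192.0.2.20", "sport": 40000, "dst": "198.51.100.9", "dport": 8883,
     "proto": "TCP", "data": bytes([0x10, 0x0C])},
]


def flow_key(pkt):
    """Direction-independent five-tuple, so both directions share one stream."""
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (min(a, b), max(a, b), pkt["proto"])


def to_fixed_matrix(messages, n_m, b_m):
    """Keep the first n_m messages and the first b_m bytes of each; zero-pad both."""
    rows = []
    for data in messages[:n_m]:
        row = list(data[:b_m])                      # truncate to B_m bytes
        rows.append(row + [0] * (b_m - len(row)))   # append B_m - B zeros
    rows += [[0] * b_m for _ in range(n_m - len(rows))]  # pad missing messages
    return rows


def preprocess(packets, n_m, b_m):
    """Group packets (in capture order) into streams and build N_m x B_m matrices."""
    flows = {}
    for pkt in packets:
        flows.setdefault(flow_key(pkt), []).append(pkt["data"])
    return {key: to_fixed_matrix(msgs, n_m, b_m) for key, msgs in flows.items()}


def softmax(scores):
    """Numerically stable softmax over the classifier's output scores."""
    top = max(scores)
    exps = [math.exp(s - top) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def classify_or_filter(scores, class_names, threshold):
    """Return (label, probability); label is 'unknown' when max probability < T."""
    probs = softmax(scores)
    best = max(range(len(probs)), key=probs.__getitem__)
    if probs[best] < threshold:
        return "unknown", probs[best]
    return class_names[best], probs[best]


if __name__ == "__main__":
    for key, matrix in preprocess(SAMPLE_PACKETS, n_m=2, b_m=4).items():
        print(key, matrix)
    names = ["Echo Dot", "Philips Hue", "WeMo Plug"]
    print(classify_or_filter([4.0, 0.5, 0.2], names, threshold=0.9))
    print(classify_or_filter([1.0, 0.9, 0.8], names, threshold=0.9))
```

Raising T filters more streams as unknown at the cost of rejecting some known-application streams, so T is normally tuned on held-out data.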
In combination with the encryption application flow classification method based on the local-global feature attention, the patent also discloses an encryption application flow classification system based on the local-global feature attention. The system mainly comprises two important stages of an artificial intelligent model training stage and an encryption flow classification stage, and a system diagram architecture is shown in fig. 4.
1. Artificial intelligence model training stage: first, a labeled set of encrypted application traffic is taken as input, and the encrypted application traffic preprocessing module (1) extracts the header bytes of the first few messages of each encrypted application flow to form message byte sequences. The preprocessing module (1) truncates or zero-pads all byte stream sequences to the same length and converts them into one-hot encoded form to serve as the training data set for the target encrypted applications. The local-global feature attention neural network model designed by the invention must be trained before it can classify encrypted traffic. The encrypted application traffic classification model construction module (2) uses the processed training data set (application samples and application labels) to train and tune the model as a whole so that it is optimized. The output of module (2) is a trained and optimized encrypted application traffic classification model.
2. Encrypted traffic classification stage: the encrypted application traffic to be classified is the input of this stage. It is processed by the encrypted application traffic preprocessing module (1) to form samples containing the header bytes of the first few messages of each application flow to be classified. The encrypted application traffic classification module (3) takes the preprocessed samples as input and uses the classification model produced by the model construction module (2) to determine the application type to which each sample belongs. The output of the classification stage is the specific application class to which the traffic under test belongs.
The invention was validated on two public encrypted application traffic data sets: the University of New South Wales (UNSW) encrypted application traffic data set and the Mon(IoT)r encrypted application traffic data set. First, each data set is divided into bidirectional streams according to five-tuple information (i.e., [source IP, destination IP, source port, destination port, transport layer protocol]). The Ethernet layer is then removed from each packet and the IP addresses are randomized. The UNSW data set contains network traffic generated by 21 encrypted application devices; 14 categories are selected from it to form the first experimental data set, named AppTrace-I. Similarly, the Mon(IoT)r data set contains encrypted application traffic captured in laboratories in the UK and the US, with the same 26 encrypted applications in both; 13 of these 26 classes are selected to form the second experimental data set, named AppTrace-II. The encrypted application traffic used from the two data sets is listed in Tables 1 and 2 respectively. The invention randomly selects samples of three thousand streams for each encrypted application class. In addition, to ensure reliable validation, five-fold cross-validation is performed on both data sets, with the training, validation and test sets in the ratio 3:1:1.
Table 1: Encrypted application class names in AppTrace-I and the corresponding number of byte streams, where K represents $10^3$
Table 2: Encrypted application class names in AppTrace-II and the corresponding number of byte streams, where K represents $10^3$

Encrypted application class name    Number of streams
Nest Thermostat                     3.2K
Echo Plus                           2.7K
Samsung TV                          3.2K
Smartthings Hub                     2.6K
TP-Link Bulb                        2.4K
WeMo Plug                           5.2K
Echo Spot                           3.6K
Philips Hue                         7.5K
TP-Link Plug                        1.1K
Echo Dot                            1.0K
Insteon Hub                         1.3K
Sengled Hub                         1.0K
Magic home Strip                    1.0K

The experiments show the classification performance of the classifiers obtained from different settings of two hyperparameters: (1) the number of messages considered, denoted $N_m$; (2) the number of bytes considered per message, denoted $B_m$. The value range of $N_m$ is set to {4, 8} and the value range of $B_m$ is set to {64, 128, 256}. Experiments are run under each hyperparameter setting, and the method is compared with existing deep-learning-based encrypted application traffic classification methods under the condition of insufficient network traffic data.
First, some evaluation metrics are defined. For a piece of traffic generated by the encryption application d, the classifier's result falls into one of the following four cases:
(1) True Positive (True Positive): classified as class d by the classifier and indeed generated by the encryption application d;
(2) False Positive (False Positive): classified by the classifier as class d, but not generated by encryption application d;
(3) True Negative (True Negative): classified by the classifier as not belonging to class d and indeed not generated by encryption application d;
(4) False Negative (False Negative): classified by the classifier as not belonging to class d, but indeed generated by the encryption application d.
From these four cases, the invention defines three metrics for evaluating how well a classifier classifies the traffic generated by the encryption application d, namely Recall, Precision and F value (F-Measure). The formulas are as follows:
The experimental results of the invention on the two datasets AppTrace-I and AppTrace-II are shown in Table 3 and Table 4, respectively.
Table 3: experimental results of the invention on AppTrace-I
Table 4: experimental results of the invention on AppTrace-II
The experiments show that, for AppTrace-I, the recall, precision and F1 value of the classifier all vary within the range 96.91%-99.69% across all values of N_m and B_m. The best parameters are N_m = 4, B_m = 256, for which the recall, precision and F1 value were 99.65% (±0.06), 99.69% (±0.04) and 99.67% (±0.06), respectively. For AppTrace-II, the recall, precision and F1 value of the classifier all vary within the range 97.01%-99.63% across all values of N_m and B_m. The best parameters are N_m = 4, B_m = 256, for which the recall, precision and F1 value were 99.54% (±0.15), 99.61% (±0.10) and 99.63% (±0.12), respectively.
Table 5: Comparison of experimental results with existing deep-learning-based encryption application traffic classification methods
Table 5 shows that the classification performance of the invention on both experimental datasets is better than that of the existing deep-learning-based classification methods and systems (EBSNN, DeepPacket): the results of the invention on all three evaluation metrics are higher than those of the other two methods.
In addition, by adding an unknown traffic detection module based on a confidence threshold, traffic with lower confidence is classified as an unknown device type, so the method is also suitable for the unknown traffic detection task. The experiments use two scenarios, A and B. Scenario A takes all device classes in AppTrace-I as known device classes and all device classes in AppTrace-II as unknown classes. Similarly, scenario B takes all device classes in AppTrace-II as known device classes and all device classes in AppTrace-I as unknown classes. The threshold is provisionally set to 0.999. The results are shown in Table 6.
Table 6: experimental results of unknown flow detection of the present invention
| Scenario | Recall (unknown), % | Precision (unknown), % | F value (unknown), % |
|---|---|---|---|
| A | 91.69 (±1.45) | 98.65 (±1.12) | 95.04 (±1.25) |
| B | 96.80 (±1.01) | 77.69 (±2.56) | 86.20 (±1.87) |
For scenario A, the recall, precision and F1 values were 91.69 (±1.45)%, 98 (±1.12)%, and 95.04 (±1.25)%, respectively. For scenario B, the recall, precision and F1 values were 96.80 (±1.01)%, 77.69 (±2.56)%, and 86.20 (±1.87)%, respectively. Therefore, the invention has good detection capability for unknown traffic. In a real-time deployment, the invention rejects these detected unknown streams.
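The confidence-threshold rejection described above, together with the unknown-class metrics of the kind reported in Table 6, as an added example that is not the patent's own code. The logits are constructed, the class names are three entries from Table 2, the function names are hypothetical, and recall, precision and F value use the standard definitions with "unknown" as the positive class.

```python
import math

UNKNOWN = "unknown"

def softmax(logits):
    """Numerically stable softmax over one flow's classifier outputs."""
    peak = max(logits)
    exps = [math.exp(x - peak) for x in logits]
    total = sum(exps)
    return [e / total for e in exps]

def classify_open_set(logits, class_names, threshold=0.999):
    """Return (label, confidence); reject the flow as UNKNOWN when the
    largest class probability is below the confidence threshold."""
    probs = softmax(logits)
    best = max(range(len(probs)), key=probs.__getitem__)
    if probs[best] < threshold:
        return UNKNOWN, probs[best]
    return class_names[best], probs[best]

def unknown_metrics(true_labels, predicted_labels):
    """Recall, precision and F value with 'unknown' as the positive class."""
    pairs = list(zip(true_labels, predicted_labels))
    tp = sum(t == UNKNOWN and p == UNKNOWN for t, p in pairs)
    fp = sum(t != UNKNOWN and p == UNKNOWN for t, p in pairs)  # known flow rejected
    fn = sum(t == UNKNOWN and p != UNKNOWN for t, p in pairs)  # unknown flow accepted
    recall = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    f_value = 2 * precision * recall / (precision + recall) if tp else 0.0
    return recall, precision, f_value

# Known classes: three names from Table 2. Logits are constructed, not measured.
KNOWN_CLASSES = ["Nest Thermostat", "Echo Plus", "Samsung TV"]
CONSTRUCTED_FLOWS = [
    ("Nest Thermostat", [12.0, 1.0, 0.5]),   # confident and correct
    ("Echo Plus",       [0.2, 9.5, 0.1]),    # confident and correct
    ("Samsung TV",      [2.0, 1.0, 6.0]),    # known device, ~0.976 < 0.999: rejected
    (UNKNOWN,           [3.0, 2.5, 2.8]),    # flat distribution: rejected
    (UNKNOWN,           [1.0, 4.0, 1.5]),    # ~0.884: rejected
    (UNKNOWN,           [0.0, 0.0, 10.0]),   # overconfident on an unseen device: accepted
]

def run_demo(threshold=0.999):
    """Classify the constructed flows and score detection of the unknown class."""
    truth = [label for label, _ in CONSTRUCTED_FLOWS]
    predicted = [classify_open_set(logits, KNOWN_CLASSES, threshold)[0]
                 for _, logits in CONSTRUCTED_FLOWS]
    return predicted, unknown_metrics(truth, predicted)

if __name__ == "__main__":
    predicted, (recall, precision, f_value) = run_demo()
    print(predicted)
    print(f"recall={recall:.2%} precision={precision:.2%} F={f_value:.2%}")
```

Lowering the threshold in `run_demo` stops known flows from being rejected, which raises unknown-class precision; on real traffic it can also let more unknown flows through, so the threshold should be tuned on held-out data.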

Claims (9)

1. An encryption application flow classification method based on local-global feature attention, characterized by comprising an artificial intelligence model training stage and an encryption traffic classification stage;
the artificial intelligence model training stage comprises the following steps:
1) taking as input known encryption application traffic that is generated by a group of Internet of Things devices and has a number of samples, and preprocessing it to obtain an encryption application byte stream sample training set;
2) taking the encryption application byte stream sample training set obtained in step 1) as input, training a deep learning neural network model based on local-global feature attention, and constructing an encryption application traffic classification model;
the encryption traffic classification stage comprises the following steps:
3) taking the network traffic data to be detected as input, obtaining the byte stream sequence of the encryption application network traffic to be detected, and converting that byte stream sequence into byte stream samples of the same form as in step 1);
4) taking the encryption application traffic preprocessed in step 3) as input, judging each flow according to the encryption application traffic classification model obtained in step 2) of the training stage to obtain the corresponding application type, and outputting the judgment result.
2. The encryption application traffic classification method based on local-global feature attention according to claim 1, wherein the specific operation method of the preprocessing in step 1) is:
1-1) for the input network traffic, extracting the byte stream sequence of each data message of each flow;
1-2) adjusting the length of the extracted byte stream sequence according to the given maximum number of data messages and maximum number of bytes: data messages beyond the specified maximum number of data messages, and bytes beyond the maximum number of bytes, are discarded; byte stream sequences with fewer than the maximum number of data messages are filled with overhead data messages, and data messages with fewer than the maximum number of bytes are zero-padded at the tail.
3. The encryption application traffic classification method based on local-global feature attention as set forth in claim 1, wherein the specific operation method for constructing the encryption application traffic classification model in step 2) is:
2-1) taking the encryption application network traffic byte stream sample training set obtained in step 1) as input, and performing data-message-level encoding to obtain the feature code of each data message;
2-2) taking the feature code of each data message obtained in step 2-1) as input, and performing stream-level encoding on the whole byte stream to obtain a stream-level feature vector;
2-3) taking the set of stream-level feature vectors obtained in step 2-2) as input, obtaining the final feature classification vector through a classification layer and an activation function, and mapping the semantic information represented by the feature vector values to encryption applications to obtain the encryption application category represented by the feature vector;
2-4) taking the encryption application type of each sample in the prediction result set obtained in step 2-3) and the real encryption application type of the sample in step 2-1) as inputs, and calculating indexes such as classification accuracy and loss function value; if the indexes meet the end condition, stopping the model construction flow and outputting the encryption application traffic classification model; if the indexes do not meet the end condition, repeating steps 2-1) to 2-4).
4. The method of claim 1, wherein the classification of the encryption application traffic byte stream sequence in step 4) is performed by:
4-1) taking the byte stream sequence of the encryption application traffic processed in step 3) as input, and performing application classification with the encryption application traffic classification model constructed in step 2) to obtain the application class probabilities of each input encryption application flow;
4-2) to improve open-set recognition capability, performing unknown traffic filtering: taking the class probabilities of step 4-1) as input, filtering out traffic that does not belong to a known application, and obtaining the final classification result of the encryption application traffic.
5. The encryption application traffic classification method based on local-global feature attention as set forth in claim 3, wherein the specific operation method of the data-message-level encoding in step 2-1) is:
2-2-1) for a single byte stream sequence, grouping the data messages and performing a feature encoding operation on each data message;
2-2-2) using four successive one-dimensional convolution operations to complete the dimension transformation and form transformation of the message; the convolution layer used the first time has kernel size k_1 and C_1 channels; the convolution layer used the second time has kernel size k_2 and C_2 channels; the convolution layer used the third time has kernel size k_3 and C_3 channels; the convolution layer used the fourth time has kernel size k_4 equal to 1 and C_4 channels;
2-2-3) after each convolution operation, applying a nonlinear activation function and data normalization to optimize the data distribution, accelerate the overall training of the neural network and improve the training effect;
2-2-4) after the feature encoding of the byte sequence of a single data message is finished, performing the same feature encoding on all the other data messages of the byte stream according to steps 2-2-2) and 2-2-3), sharing the parameters of the convolution kernel in 2-2), and finally splicing the feature codes of all the data messages together to obtain the data-message-level feature encoding vector of the whole byte stream.
6. The encryption application traffic classification method based on local-global feature attention as set forth in claim 3, wherein the specific operation method of the feature extraction in step 2-2) is:
completing the dimension transformation and form transformation of the byte stream using a bidirectional gated recurrent unit (GRU) network; the number of GRU layers is set to N_h and the output dimension of each layer is h; finally, the forward and backward hidden-layer outputs of each GRU layer are spliced together to obtain the final stream-level feature encoding vector of the whole byte stream.
7. The encryption application traffic classification method based on local-global feature attention as set forth in claim 3, wherein the specific operation method of step 2-3) is:
2-3-1) flattening the stream-level feature encoding vector of the input byte stream into one dimension;
2-3-2) taking the feature vector obtained in step 2-3-1) as input, using fully connected layers to map the feature vector to an inference of the encryption application type; the number of fully connected layers and the number of neurons in each layer except the last are set as needed, and the number of neurons in the last layer equals the number of encryption application types that actually need to be classified;
2-3-3) taking the feature vector obtained in step 2-3-2) as input, using a softmax activation function to constrain each value in the result to the range [0,1]; the dimension with the largest value represents the inferred encryption application type of the byte stream sequence in this operation.
8. The encryption application traffic classification method based on local-global feature attention as recited in claim 4, wherein the specific operation method of the unknown traffic filtering in step 4-2) is:
if the maximum of the probability distribution values that the encryption application traffic classification model outputs over the applications for a single byte stream is smaller than a set threshold, the traffic corresponding to that byte stream is judged to be unknown encryption application traffic and is filtered.
9. A local-global feature attention-based encryption application traffic classification system implementing the method of any of claims 1-8, characterized in that
the system comprises an encryption application traffic preprocessing module and an encryption application traffic classification model construction module used in the training stage, and an encryption application traffic preprocessing module and an encryption application traffic classification module used in the classification stage; the encryption application traffic preprocessing module is responsible for extracting byte streams from the input original network traffic data and processing them into byte stream sequences with a unified number of data messages and a unified byte length for each data message;
the encryption application traffic classification model construction module of the artificial intelligence model training stage is responsible for adjusting the network parameters in the encryption application classification model according to the set of byte stream sequences whose application is known, so that they meet the training termination conditions, for use in the classification stage;
the encryption application traffic classification module of the classification stage is responsible for judging the type of the encryption application traffic to be classified according to the encryption application traffic classification model generated in the training stage, and outputting the judgment result.
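The preprocessing described in the embodiment and in claim 2 (split by five-tuple into bidirectional flows, remove the Ethernet layer, randomize the IP addresses, then truncate or pad to N_m messages of B_m bytes), as an added example that is not the patent's own code. It assumes IPv4 over untagged Ethernet carrying TCP or UDP and all-zero rows as the padding messages; the function names are hypothetical and the frames are constructed.

```python
import random
import struct
from collections import defaultdict

ETH_LEN = 14  # assumption: untagged Ethernet II framing

def five_tuple(ip_pkt):
    """Direction-independent flow key, or None if not IPv4 TCP/UDP."""
    if len(ip_pkt) < 20 or ip_pkt[0] >> 4 != 4 or ip_pkt[9] not in (6, 17):
        return None
    ihl = (ip_pkt[0] & 0x0F) * 4
    if ihl < 20 or len(ip_pkt) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip_pkt[ihl:ihl + 4])
    ends = sorted([(ip_pkt[12:16], sport), (ip_pkt[16:20], dport)])
    return (ends[0], ends[1], ip_pkt[9])

def randomize_ips(ip_pkt, rng):
    """Overwrite the IPv4 source and destination addresses (bytes 12-19)."""
    noise = bytes(rng.getrandbits(8) for _ in range(8))
    return ip_pkt[:12] + noise + ip_pkt[20:]

def to_sample(packets, n_m, b_m):
    """Exactly n_m rows of b_m byte values: extra messages and bytes are
    dropped, short messages are zero-padded at the tail, and missing
    messages become all-zero rows (assumed form of the padding message)."""
    rows = [list(p[:b_m]) + [0] * max(0, b_m - len(p)) for p in packets[:n_m]]
    rows += [[0] * b_m for _ in range(n_m - len(rows))]
    return rows

def preprocess(frames, n_m=4, b_m=64, seed=None):
    """Map each bidirectional flow key to its fixed-shape byte sample.
    Keys keep the real addresses for grouping only; the rows do not."""
    rng = random.Random(seed)
    flows = defaultdict(list)
    for frame in frames:
        ip_pkt = frame[ETH_LEN:]                  # remove the Ethernet layer
        key = five_tuple(ip_pkt)
        if key is not None:                       # skip non-IPv4 / non-TCP/UDP
            flows[key].append(randomize_ips(ip_pkt, rng))
    return {key: to_sample(pkts, n_m, b_m) for key, pkts in flows.items()}

def make_frame(src, dst, sport, dport, payload, proto=6):
    """Constructed frame: Ethernet + 20-byte IPv4 header + ports + payload."""
    body = struct.pack("!HH", sport, dport) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                     proto, 0, bytes(src), bytes(dst))
    return bytes(12) + b"\x08\x00" + ip + body

DEVICE, DEVICE2, SERVER = (10, 0, 0, 5), (10, 0, 0, 9), (203, 0, 113, 7)
CONSTRUCTED_FRAMES = [
    make_frame(DEVICE, SERVER, 50000, 443, b"\x16\x03\x01" + bytes(100)),
    make_frame(SERVER, DEVICE, 443, 50000, b"\x16\x03\x03" + bytes(10)),
    make_frame(DEVICE2, SERVER, 50001, 443, b"\x17\x03\x03" * 2),
    bytes(12) + b"\x08\x06" + bytes(28),          # ARP-sized non-IP frame: skipped
]

if __name__ == "__main__":
    for key, rows in preprocess(CONSTRUCTED_FRAMES, seed=1).items():
        print(key[2], len(rows), [sum(1 for b in r if b) for r in rows])
```

Only the rows are meant to be fed to a model; the flow keys still hold the original addresses and should stay out of any training set.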
CN202310199298.2A 2023-03-03 2023-03-03 Encryption application flow classification method and system based on local-global feature attention Pending CN116827873A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310199298.2A CN116827873A (en) 2023-03-03 2023-03-03 Encryption application flow classification method and system based on local-global feature attention

Publications (1)

Publication Number Publication Date
CN116827873A true CN116827873A (en) 2023-09-29

Family

ID=88115581

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310199298.2A Pending CN116827873A (en) 2023-03-03 2023-03-03 Encryption application flow classification method and system based on local-global feature attention

Country Status (1)

Country Link
CN (1) CN116827873A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117640252A (en) * 2024-01-24 2024-03-01 北京邮电大学 Encryption stream threat detection method and system based on context analysis
CN117640252B (en) * 2024-01-24 2024-03-26 北京邮电大学 Encryption stream threat detection method and system based on context analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination