CN116896469B - Encryption agent application identification method based on Burst sequence - Google Patents

Publication number
CN116896469B
Authority
CN
China
Prior art keywords
burst
data packet
micro
time
macro
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310879927.6A
Other languages
Chinese (zh)
Other versions
CN116896469A (en)
Inventor
余翔湛
葛蒙蒙
宋赟祖
刘立坤
史建焘
胡智超
孔德文
羿天阳
龚家兴
李竑杰
刘奉哲
程明明
郭一澄
张森
高展鹏
王钲皓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Institute of Technology
Original Assignee
Harbin Institute of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Harbin Institute of Technology
Priority to CN202310879927.6A
Publication of CN116896469A
Application granted
Publication of CN116896469B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for identifying an encryption agent application based on a Burst sequence, and belongs to the technical field of encryption agent application identification. It solves the problem that prior-art encryption agent application identification methods depend too heavily on the header fields of unencrypted data packets. The invention first divides the network flow under the encryption agent tunnel to obtain application traffic segments, then extracts from those segments a Burst time sequence feature vector sequence that represents the difference information between application types, and finally inputs the Burst time sequence feature vector sequence into a bidirectional LSTM network for learning, constructing a Burst-ATT-BiLSTM model that introduces an attention mechanism and yields the classification recognition result for the encryption agent application. The method can effectively identify encryption agent application traffic, has better robustness in that task, and is better suited to identifying encryption agent application traffic.

Description

Encryption agent application identification method based on Burst sequence
Technical Field
The invention relates to a method for identifying an encryption agent application, in particular to a method for identifying the encryption agent application based on a Burst sequence, belonging to the technical field of encryption agent application identification.
Background
Depending on the technology used, current encryption agent application identification methods fall into two types: machine learning-based methods and deep learning-based methods. A machine learning-based method generally comprises three steps: feature selection, feature extraction and model training. A deep learning-based method automatically learns effective network traffic features to complete the identification task, without manual feature selection. Machine learning-based methods can achieve good results in encryption agent application identification, but because their features must be determined manually and they cannot exploit higher-level network traffic features, their recognition performance is limited. Deep learning-based methods can learn high-level network traffic features from the traffic data, and their recognition accuracy is generally better than that of machine learning-based methods. Deep learning is therefore widely used in current encryption agent application identification research: researchers have applied deep learning models such as CNN, SAE and LSTM to the task, and by relying on the models' ability to learn high-level traffic features automatically, applications under encryption agent traffic can be classified accurately.
At present, many encryption agent application identification methods use a CNN model. CNN models are mainly applied in computer vision, for example image classification and face recognition, and have recently also been used in natural language processing research. CNN models suit data in multi-dimensional array form with strong local correlation: 1D-CNN suits sequence data such as language, and 2D-CNN suits data such as images. Network traffic is essentially sequential data: a one-dimensional byte stream organized as a hierarchy of bytes, packets, sessions and the whole traffic, which closely resembles the structure of characters, words, sentences and whole articles in natural language processing. Because 1D-CNN is widely used in recent natural language processing research such as sentiment analysis and text classification, researchers, inspired by this, have applied 1D-CNN and 2D-CNN to the task of encrypted traffic classification.
Existing encryption agent application identification methods mainly depend on the unencrypted header fields of data packets. Such methods are widely used in encrypted traffic identification, but have the following problems when applied to encryption agent application identification:
1. An encryption proxy network protocol forwards data by establishing an encrypted network traffic tunnel, which makes it harder to analyze the application traffic types inside the proxy tunnel. The proxy protocol encapsulates and forwards multiple network connections through the tunnel, so it exhibits the characteristics of only one network connection and loses the connection information of the original traffic, which makes methods that identify traffic from the network connection initialization part unusable;
2. In encryption agent application identification, multiple application traffic segments from several applications or from a single application can appear consecutively in one encryption agent tunnel, so performing encryption proxy protocol identification on a single network flow, as prior research does, fails; prior research lacks a method for dividing encryption agent tunnel traffic into application traffic segments;
3. Existing encryption agent application identification methods depend heavily on plaintext information in the initial stage of encryption and on the space-time statistical characteristics of data packets in network flows. Encryption protocols without key negotiation cannot be identified effectively, and the space-time statistical characteristics of data packets alone cannot effectively characterize an encryption agent application.
Disclosure of Invention
The following presents a simplified summary of the invention in order to provide a basic understanding of some aspects of the invention. It should be understood that this summary is not an exhaustive overview of the invention. It is not intended to identify key or critical elements of the invention or to delineate the scope of the invention. Its purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is discussed later.
In view of this, to solve the problem that prior-art encryption agent application identification methods depend too heavily on the header fields of unencrypted data packets, the invention provides a method for identifying an encryption agent application based on the Burst sequence.
The technical solution is as follows: a method for identifying an encryption agent application based on a Burst sequence, comprising the following steps:
S1, constructing a time interval dividing algorithm, and dividing the network flow of an encryption agent tunnel into macro Bursts, each representing an application traffic segment;
S2, constructing a Burst dividing algorithm based on space-time characteristics, and dividing each application traffic segment of the encryption agent tunnel into micro Bursts, each representing a single action in the corresponding application traffic;
S3, extracting the time features, space features and statistical features of the encrypted proxy data packets from the encryption agent tunnel network flow as micro Burst feature vectors, setting the dimension of the micro Burst feature vectors to 25, and integrating them to obtain the Burst time sequence feature vector sequence;
S4, inputting the Burst time sequence feature vector sequence into a bidirectional LSTM network for learning, and constructing a Burst-ATT-BiLSTM model that introduces an attention mechanism, to obtain the classification recognition result of the encryption agent application.
Further, in step S1, the ordered set of all data packets in a network flow is defined as $P$, and a data packet is defined as $p_i$, where $i$ represents the packet number, $i = 1, 2, \ldots, n$;
data packet $p_i$ is expressed as:
$p_i = (b_i, t_i)$
where $b_i$ is the data packet size and $t_i$ is the arrival time of the data packet;
the ordered set $P$ of all data packets is expressed as:
$P = \{p_1, p_2, \ldots, p_{|P|}\}$
when dividing the network flow into macro Bursts according to the time interval, the time division threshold of the macro Burst is set as $T_{macro}$, the current macro Burst is $B_M$, and duration is the function that computes the duration of a macro Burst; for each packet $p_i$, according to the time $t$, the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is calculated;
the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is expressed as:
$g_t(p_i) = t_i - t_{i-1}$
let the macro Burst duration threshold be $T_f$; the resulting time interval dividing algorithm is expressed as: when $g_t(p_i) < T_{macro}$ and $\mathrm{duration}(B_M) < T_f$, $p_i \in B_M$; otherwise, packet $p_i$ is the boundary that divides two macro Bursts;
applying a time interval dividing algorithm to the whole network flow, dividing the network flow into macro Burst sequences representing application traffic segments, and setting the network flow as F and macro Burst as
The network flow F is expressed as:
Further, in step S2, on each macro Burst obtained by dividing the network flow, the micro Burst time division threshold is set as $T_{micro}$; $T_{micro}$ represents the maximum time delay between the arrival of two consecutive micro Burst packets in the same macro Burst and satisfies $T_{micro} < T_{macro}$;
when judging which micro Burst the data packet $p_i$ belongs to, the maximum length of the data packet is set as $b$ and the current micro Burst is set as $B_m$; for the $i$-th data packet in the network flow, $b$ is expressed either by packet count, as the maximum data packet length in a window containing $N$ data packets, or by time span, as the maximum data packet length in a window corresponding to the time range $T$;
the maximum length $b$ of the data packet expressed by the number of packets is:
$b = \max\{b_k \mid \max\{i - N, 0\} \le k < i\}$
the maximum length $b$ of the data packet expressed by the time span is:
$b = \max\{b_k \mid \max\{t_i - T, 0\} \le t_k < t_i\}$
where $k$ is the packet index within the window or time span;
the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is calculated from the maximum length $b$ obtained above;
the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is expressed as:
let the space division threshold of the data packet be $T_b$; the resulting Burst dividing algorithm based on space-time characteristics is expressed as: when $g_b(p_i) > T_b$ and $g_t(p_i) < T_{micro}$, packet $p_i$ creates a new micro Burst as the starting point of a network traffic Burst; otherwise, $p_i \in B_m$;
Dividing each macro Burst into micro Burst sequences by adopting a Burst dividing algorithm based on space-time characteristics, and setting the micro Burst as a micro Burst sequence
Macro BurstExpressed as:
Further, in step S3, features are extracted from the network flows in the forward, backward and bidirectional directions of the encryption agent tunnel, capturing how network Bursts differ by flow direction; the encrypted payload and the protocol header of the data packets are ignored during feature extraction, and only the time features, space features and statistical features of the encrypted proxy data packets are extracted as micro Burst feature vectors.
The beneficial effects of the invention are as follows: first, the network flow under the encryption agent tunnel is segmented to obtain application traffic segments; then a Burst time sequence feature vector sequence, which represents the difference information between application types, is extracted from the application traffic segments; finally, the Burst time sequence feature vector sequence is input into a bidirectional LSTM network model combined with an attention mechanism to build the Burst-ATT-BiLSTM model, which completes the classification task for encryption agent applications. The invention can effectively identify encryption agent application traffic, and its recognition results are greatly improved compared with other machine learning and deep learning methods. The Burst-ATT-BiLSTM model algorithm provided by the invention can effectively identify short-connection encrypted proxy traffic and, for the same amount of data, can also segment long-connection proxy network flows for encrypted traffic identification; by dividing them into Burst time sequence feature vector sequences it achieves a very good recognition effect on long-connection tunnel proxy protocols. The Burst-ATT-BiLSTM model therefore has better robustness in encryption agent application traffic identification and is better suited to identifying encryption agent application traffic.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a flow chart of a method for encrypting proxy application identification based on Burst sequence;
FIG. 2 is a schematic diagram of an embodiment of a method for identifying an encryption agent application based on a Burst sequence.
Detailed Description
In order to make the technical solutions and advantages of the embodiments of the present invention more apparent, the following detailed description of exemplary embodiments of the present invention is provided in conjunction with the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention and not exhaustive of all embodiments. It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other.
Referring to FIG. 1 and FIG. 2, the method for identifying an encryption agent application based on a Burst sequence in this embodiment is described in detail, and includes the following steps:
S1, inputting network traffic, constructing a time interval dividing algorithm, and dividing the network flow of an encryption agent tunnel into macro Bursts, each representing an application traffic segment;
S2, constructing a Burst dividing algorithm based on space-time characteristics, and dividing each application traffic segment of the encryption agent tunnel into micro Bursts, each representing a single action in the corresponding application traffic;
S3, extracting the time features, space features and statistical features of the encrypted proxy data packets from the encryption agent tunnel network flow as micro Burst feature vectors, setting the dimension of the micro Burst feature vectors to 25, and integrating them to obtain the Burst time sequence feature vector sequence;
S4, inputting the Burst time sequence feature vector sequence into a bidirectional LSTM network for learning, and constructing a Burst-ATT-BiLSTM model that introduces an attention mechanism, to obtain the classification recognition result of the encryption agent application;
Specifically, encryption agent application identification under an encryption agent tunnel is a finer-grained form of encryption agent traffic identification. A network traffic burst (Burst) means that the data traffic in the network is higher than the average level during a certain period of time. The transmission of application traffic is accompanied by many small network traffic bursts, and these bursts reflect application actions or events. In an encryption agent tunnel, the network bursts exhibited by proxy network flows are divided into two types:
1. Macro Burst (macro-Burst): a network flow may contain the network traffic segments of several applications, so the Burst time sequence feature vector sequence of a specific application cannot be extracted directly from the network flow. The acquired proxy network flow therefore needs to be segmented into network flow segments, where each application traffic segment corresponds to the traffic of one specific application. Each application traffic segment is a macro Burst. A macro Burst describes the complete data packet sequence of the traffic of one encryption agent application, and macro Bursts make it possible to separate multiple segments of the same application or of different applications within a proxy tunnel;
2. Micro Burst (micro-Burst): network traffic burstiness is associated with application actions or events. For example, during web browsing, requests and data pulls generate network bursts; the number of bursts and their timing relationship indirectly reflect the actions or events of the browser, the number of bursts reflects the number of files contained in a page, and the timing characteristics of the bursts can represent the topology of file associations in the page. The network bursts generated by requests and data pulls are therefore called micro Bursts. A micro Burst describes a tight exchange of network data packets, corresponds to a single action or event in the application traffic, and can be used as a set of additional features for distinguishing application types;
The Burst dividing algorithm based on space-time characteristics considers both the traffic burst characteristics expressed by the time intervals between application actions or events and the data-volume burst characteristics caused by those actions or events. Because the application traffic segments represented by macro Bursts are transmitted sequentially in the encryption agent tunnel, the space-time Burst dividing algorithm is not used to divide the tunnel traffic into macro Bursts; only the time interval is used for that division;
The constructed Burst-ATT-BiLSTM model learns the Burst time sequence through a bidirectional LSTM network, and can capture the relevance of network bursts of different application flows.
Further, in step S1, the ordered set of all data packets in a network flow is defined as $P$, and a data packet is defined as $p_i$, where $i$ represents the packet number, $i = 1, 2, \ldots, n$;
data packet $p_i$ is expressed as:
$p_i = (b_i, t_i)$
where $b_i$ is the data packet size and $t_i$ is the arrival time of the data packet;
the ordered set $P$ of all data packets is expressed as:
$P = \{p_1, p_2, \ldots, p_{|P|}\}$
when dividing the network flow into macro Bursts according to the time interval, the time division threshold of the macro Burst is set as $T_{macro}$, the current macro Burst is $B_M$, and duration is the function that computes the duration of a macro Burst; for each packet $p_i$, according to the time $t$, the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is calculated;
the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is expressed as:
$g_t(p_i) = t_i - t_{i-1}$
let the macro Burst duration threshold be $T_f$; the resulting time interval dividing algorithm is expressed as: when $g_t(p_i) < T_{macro}$ and $\mathrm{duration}(B_M) < T_f$, $p_i \in B_M$; otherwise, packet $p_i$ is the boundary that divides two macro Bursts;
applying a time interval dividing algorithm to the whole network flow, dividing the network flow into macro Burst sequences representing application traffic segments, and setting the network flow as F and macro Burst as
The network flow F is expressed as:
Further, in step S2, on each macro Burst obtained by dividing the network flow, a fine-grained micro Burst dividing algorithm is applied according to the burstiness of time and data volume; the micro Burst time division threshold is set as $T_{micro}$, which represents the maximum time delay between the arrival of two consecutive micro Burst packets in the same macro Burst and satisfies $T_{micro} < T_{macro}$;
when judging which micro Burst the data packet $p_i$ belongs to, the maximum length of the data packet is set as $b$ and the current micro Burst is set as $B_m$; for the $i$-th data packet in the network flow, $b$ is expressed either by packet count, as the maximum data packet length in a window containing $N$ data packets, or by time span, as the maximum data packet length in a window corresponding to the time range $T$;
the maximum length $b$ of the data packet expressed by the number of packets is:
$b = \max\{b_k \mid \max\{i - N, 0\} \le k < i\}$
the maximum length $b$ of the data packet expressed by the time span is:
$b = \max\{b_k \mid \max\{t_i - T, 0\} \le t_k < t_i\}$
where $k$ is the packet index within the window or time span;
the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is calculated from the maximum length $b$ obtained above;
the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is expressed as:
let the space division threshold of the data packet be $T_b$; the resulting Burst dividing algorithm based on space-time characteristics is expressed as: when $g_b(p_i) > T_b$ and $g_t(p_i) < T_{micro}$, packet $p_i$ creates a new micro Burst as the starting point of a network traffic Burst; otherwise, $p_i \in B_m$;
Dividing each macro Burst into micro Burst sequences by adopting a Burst dividing algorithm based on space-time characteristics, and setting the micro Burst as a micro Burst sequence
Macro BurstExpressed as:
Further, in step S3, features are extracted from the network flows in the forward, backward and bidirectional directions of the encryption agent tunnel, capturing how network Bursts differ by flow direction; the encrypted payload and the protocol header of the data packets are ignored during feature extraction, and only the time features, space features and statistical features of the encrypted proxy data packets are extracted as micro Burst feature vectors;
Specifically, features are extracted from each micro Burst and converted into a micro Burst feature vector. Each micro Burst is a bidirectional network flow composed of multiple encrypted proxy data packets; the encrypted payload is not considered, and because different proxy protocols use different tunnel encapsulation protocols, the protocol header of the data packets can also be ignored.
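The S1 and S2 dividing rules described above, as an added Python example that is not code from the patent. The threshold values, the constructed sample flow, the reading of duration(B_M) as last-minus-first arrival time, restricting the window to the current macro Burst, and the ratio g_b(p_i) = b_i / b are all assumptions, because the page gives no values and does not reproduce the g_b formula; the micro Burst rule is implemented literally as the text states it.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    size: int     # b_i, packet size in bytes
    time: float   # t_i, arrival time in seconds


def macro_bursts(flow: List[Packet], t_macro: float, t_f: float) -> List[List[Packet]]:
    """S1: divide a tunnel flow into macro Bursts using time only."""
    bursts: List[List[Packet]] = []
    for p in flow:
        if bursts:
            cur = bursts[-1]
            gap = p.time - cur[-1].time            # g_t(p_i) = t_i - t_{i-1}
            duration = cur[-1].time - cur[0].time  # duration(B_M): assumed last - first
            if gap < t_macro and duration < t_f:
                cur.append(p)                      # p_i stays in B_M
                continue
        bursts.append([p])                         # p_i is a boundary: new macro Burst
    return bursts


def window_max(pkts: List[Packet], i: int,
               n: Optional[int] = None, span: Optional[float] = None) -> Optional[int]:
    """Maximum packet length b over the window preceding packet i.

    n    -> window of the N preceding packets:  max{i-N, 0} <= k < i
    span -> window of the preceding T seconds:  max{t_i-T, 0} <= t_k < t_i
    Returns None when the window is empty (e.g. first packet of a macro Burst).
    """
    if n is not None:
        window = pkts[max(i - n, 0):i]
    elif span is not None:
        lo = max(pkts[i].time - span, 0.0)
        window = [q for q in pkts[:i] if lo <= q.time < pkts[i].time]
    else:
        raise ValueError("give either n (packet count) or span (seconds)")
    return max((q.size for q in window), default=None)


def micro_bursts(macro: List[Packet], t_micro: float, t_b: float,
                 n: Optional[int] = None, span: Optional[float] = None) -> List[List[Packet]]:
    """S2: divide one macro Burst into micro Bursts by size ratio and time gap."""
    bursts: List[List[Packet]] = []
    for i, p in enumerate(macro):
        if i == 0:
            bursts.append([p])
            continue
        gap = p.time - macro[i - 1].time           # g_t(p_i)
        b = window_max(macro, i, n, span)
        # Assumed ratio g_b(p_i) = b_i / b; an empty window yields no ratio,
        # so the packet stays in the current micro Burst.
        ratio = p.size / b if b else 0.0
        if ratio > t_b and gap < t_micro:          # rule exactly as stated in the text
            bursts.append([p])                     # p_i starts a new micro Burst
        else:
            bursts[-1].append(p)                   # p_i belongs to B_m
    return bursts


def burst_shape(flow: List[Packet], t_macro: float, t_f: float, t_micro: float,
                t_b: float, n: Optional[int] = None,
                span: Optional[float] = None) -> List[List[int]]:
    """Packet count of every micro Burst, grouped by macro Burst."""
    return [[len(m) for m in micro_bursts(macro, t_micro, t_b, n, span)]
            for macro in macro_bursts(flow, t_macro, t_f)]


# Constructed sample: two application segments separated by a 2.08 s idle gap.
SAMPLE_FLOW = [Packet(s, t) for s, t in [
    (120, 0.00), (100, 0.02), (1400, 0.05), (1400, 0.06), (90, 0.30), (1300, 0.32),
    (200, 2.40), (180, 2.42), (1500, 2.45), (150, 2.47),
]]

if __name__ == "__main__":
    # Assumed thresholds: T_macro = 1 s, T_f = 60 s, T_micro = 0.1 s, T_b = 3.
    print(burst_shape(SAMPLE_FLOW, 1.0, 60.0, 0.1, 3.0, n=2))
    print(burst_shape(SAMPLE_FLOW, 1.0, 60.0, 0.1, 3.0, span=0.05))
```

The packet-count and time-span windows give different micro Burst boundaries on the same flow, which is why the choice of window and of N or T has to be fixed before the feature vectors are extracted.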
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of the above description, will appreciate that other embodiments are contemplated within the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is defined by the appended claims.

Claims (4)

1. A method for identifying an encryption agent application based on a Burst sequence, comprising the steps of:
S1, constructing a time interval dividing algorithm, and dividing a network flow of an encryption agent tunnel into macro Bursts, each representing an application traffic segment;
S2, constructing a Burst dividing algorithm based on space-time characteristics, and dividing each application traffic segment of the encryption agent tunnel into micro Bursts, each representing a single action in the corresponding application traffic;
S3, extracting the time features, space features and statistical features of the encrypted proxy data packets from the encryption agent tunnel network flow as micro Burst feature vectors, setting the dimension of the micro Burst feature vectors to 25, and integrating them to obtain the Burst time sequence feature vector sequence;
S4, inputting the Burst time sequence feature vector sequence into a bidirectional LSTM network for learning, and constructing a Burst-ATT-BiLSTM model that introduces an attention mechanism, to obtain the classification recognition result of the encryption agent application.
2. The method for identifying an encryption agent application based on a Burst sequence according to claim 1, wherein in S1, the ordered set of all data packets in a network flow is defined as $P$, and a data packet is defined as $p_i$, where $i$ represents the packet number, $i = 1, 2, \ldots, n$;
data packet $p_i$ is expressed as:
$p_i = (b_i, t_i)$
where $b_i$ is the data packet size and $t_i$ is the arrival time of the data packet;
the ordered set $P$ of all data packets is expressed as:
$P = \{p_1, p_2, \ldots, p_{|P|}\}$
when dividing the network flow into macro Bursts according to the time interval, the time division threshold of the macro Burst is set as $T_{macro}$, the current macro Burst is $B_M$, and duration is the function that computes the duration of a macro Burst; for each packet $p_i$, according to the time $t$, the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is calculated;
the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is expressed as:
$g_t(p_i) = t_i - t_{i-1}$
let the macro Burst duration threshold be $T_f$; the resulting time interval dividing algorithm is expressed as: when $g_t(p_i) < T_{macro}$ and $\mathrm{duration}(B_M) < T_f$, $p_i \in B_M$; otherwise, packet $p_i$ is the boundary that divides two macro Bursts;
applying a time interval dividing algorithm to the whole network flow, dividing the network flow into macro Burst sequences representing application traffic segments, and setting the network flow as F and macro Burst as
The network flow F is expressed as:
3. The method for identifying an encryption agent application based on a Burst sequence according to claim 2, wherein in S2, on each macro Burst obtained by dividing the network flow, the micro Burst time division threshold is set as $T_{micro}$; $T_{micro}$ represents the maximum time delay between the arrival of two consecutive micro Burst packets in the same macro Burst and satisfies $T_{micro} < T_{macro}$;
when judging which micro Burst the data packet $p_i$ belongs to, the maximum length of the data packet is set as $b$ and the current micro Burst is set as $B_m$; for the $i$-th data packet in the network flow, $b$ is expressed either by packet count, as the maximum data packet length in a window containing $N$ data packets, or by time span, as the maximum data packet length in a window corresponding to the time range $T$;
the maximum length $b$ of the data packet expressed by the number of packets is:
$b = \max\{b_k \mid \max\{i - N, 0\} \le k < i\}$
the maximum length $b$ of the data packet expressed by the time span is:
$b = \max\{b_k \mid \max\{t_i - T, 0\} \le t_k < t_i\}$
where $k$ is the packet index within the window or time span;
the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is calculated from the maximum length $b$ obtained above;
the ratio function $g_b(p_i)$ of data packet $p_i$ within the window is expressed as:
let the space division threshold of the data packet be $T_b$; the resulting Burst dividing algorithm based on space-time characteristics is expressed as: when $g_b(p_i) > T_b$ and $g_t(p_i) < T_{micro}$, packet $p_i$ creates a new micro Burst as the starting point of a network traffic Burst; otherwise, $p_i \in B_m$;
Dividing each macro Burst into micro Burst sequences by adopting a Burst dividing algorithm based on space-time characteristics, and setting the micro Burst as a micro Burst sequence
Macro Burst is expressed as:
4. The method for identifying an encryption agent application based on a Burst sequence according to claim 3, wherein in S3, features are extracted from the network flows of the encryption proxy tunnel in three directions (forward, backward and bidirectional), so that differences in network bursts between flow directions are captured; during feature extraction the encrypted payload and the protocol headers of the data packets are ignored, and only the time, space and statistical features of the encryption proxy data packets are extracted as micro Burst feature vectors.
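The micro Burst division of claim 3, as an added Python example that is not code from the patent. The formulas for $g_b$ and $g_t$ do not survive on this page, so the ratio $g_b(p_i) = b_i / b$, the gap $g_t(p_i) = t_i - t_{i-1}$, the macro split rule, the window index taken inside each macro Burst, and all names and threshold values are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t: float   # arrival time t_i, seconds
    size: int  # packet length b_i, bytes

def split_macro(flow, t_macro):
    # Assumed rule: an inter-arrival gap above T_macro opens a new macro Burst.
    macros = []
    for i, p in enumerate(flow):
        if i == 0 or p.t - flow[i - 1].t > t_macro:
            macros.append([])
        macros[-1].append(p)
    return macros

def window_max(pkts, i, n=None, span=None):
    # b = max{b_k}: over the previous n packets, or over packets in [t_i - span, t_i).
    if n is not None:
        prior = pkts[max(i - n, 0):i]
    else:
        lo = max(pkts[i].t - span, 0)
        prior = [q for q in pkts[:i] if lo <= q.t < pkts[i].t]
    return max((q.size for q in prior), default=0)

def split_micro(macro, t_micro, t_b, n=None, span=None):
    micros = [[macro[0]]]
    for i in range(1, len(macro)):
        p, b = macro[i], window_max(macro, i, n, span)
        g_b = p.size / b if b else 0.0  # assumed ratio; empty window means no split
        g_t = p.t - macro[i - 1].t      # assumed: gap to the previous packet
        if g_b > t_b and g_t < t_micro:
            micros.append([p])          # p_i starts a new micro Burst
        else:
            micros[-1].append(p)        # p_i joins the current micro Burst B_m
    return micros

def segment(flow, t_macro, t_micro, t_b, n=None, span=None):
    if not t_micro < t_macro:           # constraint stated in claim 3
        raise ValueError("T_micro must be smaller than T_macro")
    return [[[p.size for p in m] for m in split_micro(M, t_micro, t_b, n, span)]
            for M in split_macro(flow, t_macro)]

# Constructed sample flow (not captured traffic): (arrival time, length) pairs.
FLOW = [Packet(t, s) for t, s in [
    (0.00, 100), (0.01, 120), (0.02, 1400), (0.03, 1400), (0.04, 90),
    (3.00, 200), (3.02, 210), (3.50, 1200), (3.51, 1300)]]

if __name__ == "__main__":
    print(segment(FLOW, t_macro=1.0, t_micro=0.1, t_b=2.0, n=3))
```

In the second macro Burst the 1200-byte packet exceeds the size ratio but arrives 0.48 s after its predecessor, so under the claim's literal condition it stays in the current micro Burst unless $T_{micro}$ is raised above that gap.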

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310879927.6A CN116896469B (en) 2023-07-18 2023-07-18 Encryption agent application identification method based on Burst sequence

Publications (2)

Publication Number Publication Date
CN116896469A (en) 2023-10-17
CN116896469B (en) 2023-12-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant