CN117097577B - Method, system, electronic equipment and storage medium for classifying encrypted message data streams - Google Patents

Abstract

The embodiment of the application provides an encryption message data stream classification method, an encryption message data stream classification system, electronic equipment and a storage medium. The method comprises the following steps: obtaining an encrypted message data stream, wherein the encrypted message data stream comprises a plurality of continuous encrypted message data packets; dividing the encrypted message data stream into a plurality of message fragments according to time sequence, dividing the message fragments into a plurality of message groups according to message directions, wherein the message directions of encrypted message data packets in the message groups are consistent; in each message group, determining the height of a message group sub-image according to the message length of the encrypted message data packet, determining the width and the message direction of the message group sub-image according to the message quantity, determining the direction of the message group sub-image, and generating a fragment image according to a plurality of message group sub-images; extracting image characteristics of the fragment images, inputting a historical classification result of the image characteristics at the previous moment and the image characteristics at the current moment into a message classification network to classify the message behaviors, and obtaining a classification result of the message behaviors.

Description

Encrypted message data flow classification method, system, electronic equipment and storage medium

Technical field

The present application relates to the technical field of data flow classification, and in particular to an encrypted message data flow classification method, system, electronic equipment and storage medium.

Background technique

Virtual Private Network (VPN) traffic identification refers to the process of identifying and classifying data flows transmitted through VPN. Generally speaking, VPN traffic identification can be achieved by analyzing the header information, protocol type, port number, etc. of the data packet. VPN traffic identification can help network administrators monitor and manage VPN usage to ensure network security and performance. During the transmission of encrypted messages through VPN, preliminary analysis and identification can be performed based on the length and number of encrypted messages to determine the type and characteristics of the encrypted messages.

In related technologies, secure encrypted tunnel implementation is usually used to transmit encrypted message data streams, so that the encrypted message cannot intuitively count the five-tuple information such as the plaintext destination address, source address, port number, etc., making it impossible to directly Distinguish different flows or sessions from encrypted messages and protect the entire original Internet Protocol (IP) data packet. However, this encryption method also has shortcomings, that is, it only uses the statistical information of the data flow for classification, such as only analyzing the length and number of messages, while ignoring the information transmission path of the message and the encryption within a short period of time. Therefore, it is difficult to directly distinguish the fixed data packet format from the encrypted message, thereby reducing the efficiency of classifying the encrypted message data flow, and also leads to the final classification result of the encrypted message data flow. Inaccurate.

Contents of the invention

The main purpose of the embodiments of this application is to propose a method, system, electronic device and storage medium for classifying encrypted message data flows, which can solve the problems of low efficiency in classifying encrypted message data flows and inaccurate classification results.

In order to achieve the above purpose, the first aspect of the embodiment of the present application proposes a method for classifying encrypted message data streams. The method includes: obtaining an encrypted message data stream, wherein the encrypted message data stream includes multiple consecutive an encrypted message data packet; divide the encrypted message data stream into multiple message fragments according to the order of time, and divide each of the message fragments according to the message direction of the encrypted message data packet. Divided into multiple message groups; wherein the message directions of the encrypted message data packets in each of the message groups are consistent; for each of the message fragments, the message fragment corresponds to In each of the message groups, the height of the message group sub-image and the number of messages are determined according to the message length of the encrypted message data packet contained in each of the message groups. The width of the sub-image and the message direction determine the direction of the message group sub-image, and a segment image is generated based on a plurality of the message group sub-images; the image features of each of the segment images are extracted, and the previous ones are sequentially The historical classification results of the image features at a moment and the image features at the current moment are input into a preset message classification network to classify message behaviors, and a classification result of the message behavior of the encrypted message data stream is obtained.

According to some embodiments of the present application, the encrypted message data stream is divided into multiple message fragments in chronological order, and each of the encrypted message data packets is divided according to the message direction of the encrypted message data packet. Dividing the message fragments into multiple message groups includes: in each encrypted message data stream, arranging the encrypted message data packets in chronological order, and dividing the encrypted message packets according to a preset division number. Divide the message data packet to obtain multiple message fragments; within each of the message fragments, distinguish the message direction of each of the encrypted message data packets, and divide all messages with the same message direction into The encrypted message data packets are divided into the same message group to obtain multiple message groups.

According to some embodiments of the present application, determining the height of a message group sub-image includes: in each of the message groups, classifying the encrypted message data in the message group according to a preset exclusion ratio. Filter the packets; add the message lengths of each of the encrypted message data packets after screening and divide by the number of the encrypted message data packets in the message group to obtain the average message length; According to the reference length obtained by multiplying the average message length by the preset extraction ratio, the reference length is compared with the message length of each encrypted message data packet in the message group to obtain a comparison result; according to The comparison result determines the height of the message group sub-image.

According to some embodiments of the present application, determining the height of a message group sub-image based on the comparison result includes: if the comparison result indicates that there is no message in the message group with a length shorter than the reference length of the encrypted message data packet, then the reference length is used as the height of the message group sub-image; if the comparison result indicates that the message length in the message group is shorter than the reference The length of the encrypted message data packet is determined by taking the length of the corresponding encrypted message data packet as the height of the message group sub-image.

According to some embodiments of the present application, the method further includes: obtaining multiple message groups corresponding to each of the message fragments after filtering the encrypted message data packets; The encrypted message packet determines the color of the message group sub-image.

According to some embodiments of the present application, the message direction includes a sending direction and a receiving direction; in each of the message fragments, the message direction of each of the encrypted message data packets is distinguished, and Dividing the encrypted message data packets with the same message direction into the same message group to obtain multiple message groups includes: in each of the message fragments, dividing each encrypted message into The message direction of the data packet is divided into a sending direction or a receiving direction; the encrypted message data packets corresponding to the continuous sending direction or the encrypted message data packets corresponding to the continuous receiving direction are processed in chronological order. Divide to obtain multiple message groups arranged in chronological order.

According to some embodiments of the present application, extracting image features of each segment image includes: loading a pre-trained convolutional neural network; inputting each segment image into the convolutional neural network in chronological order. Feature extraction is performed to obtain the image features corresponding to the fragment image.

According to some embodiments of the present application, the historical classification results of the image features at the previous moment and the image features at the current moment are sequentially input into a preset message classification network to classify message behaviors, and the above-mentioned The classification results of the message behavior of the encrypted message data stream include: obtaining the historical classification results obtained after the image features of the previous moment are input to the message classification network; and sequentially comparing the image features of each current moment with The corresponding historical classification results are input into a preset message classification network for classifying message behavior until the last image feature of the encrypted message data stream is input to the message classification network to obtain the Classification results of encrypted message data flow message behavior.

According to some embodiments of the present application, the image features at each current moment and the corresponding historical classification results are sequentially input into a preset message classification network to classify message behavior until the message is sent to the message classification network. The text classification network inputs the last image feature of the encrypted message data stream to obtain a classification result of the message behavior of the encrypted message data stream, including: inputting the image features of each current moment into the The message classification network determines the first classification information to be retained from the image features through the input gate of the message classification network; inputs the first classification information and the historical classification results to the message The forgetting gate of the classification network, and determine the second classification information that needs to be retained from the first classification information and the historical classification results; weight the historical classification results and the second classification information to obtain weighted classification information ; Input the weighted classification information to the output gate for screening to obtain the current classification result of the encrypted message data flow message behavior at the current moment; continue to input the unclassified encrypted message data flow to the message classification network The image features until the last image feature of the encrypted message data stream is input to the message classification network, and the classification result of the message behavior of the encrypted message data stream is output.

According to some embodiments of the present application, the message classification network is trained through the following steps: obtaining multiple encrypted message data streams, and forming a training data set based on the multiple encrypted message data streams; Each of the encrypted message data streams in the collection is preprocessed to obtain multiple message fragments and fragment images corresponding to the message fragments; image features of each of the fragment images are extracted, and the information described at the previous moment is sequentially The historical classification results of image features and the image features at the current moment are input into the preset message classification network to classify the message behavior, and the first classification result of the message behavior of the encrypted message data stream is obtained; according to the preset The loss function calculates the loss value of the first classification result, and adjusts parameters of the message classification network according to the loss value to obtain a trained message classification network.

In order to achieve the above purpose, the second aspect of the embodiment of the present application proposes an encrypted message data flow classification system. The system includes: an encrypted message data flow acquisition module, used to obtain the encrypted message data flow, wherein, The encrypted message data stream includes multiple consecutive encrypted message data packets; the message group dividing module is used to divide the encrypted message data stream into multiple message fragments according to the order of time, and divide the encrypted message data stream into multiple message fragments according to the required order. The message direction of the encrypted message data packet divides each of the message fragments into multiple message groups; wherein, the message direction of the encrypted message data packet in each of the message groups Consistent; a fragment image generation module, configured for each of the message fragments, in each of the message groups corresponding to the message fragments, according to the encrypted message contained in each of the message groups. The message length of the message data packet determines the height of the message group sub-image, the number of messages determines the width of the message group sub-image, and the message direction determines the direction of the message group sub-image, and based on multiple The message group sub-image generates a fragment image; a classification result acquisition module is used to extract the image features of each of the fragment images, and sequentially compare the historical classification results of the image features at the previous moment with the image features at the current moment It is input into a preset message classification network to classify the message behavior, and obtains the classification result of the message behavior of the encrypted message data flow.

In order to achieve the above object, a third aspect of the embodiment of the present application proposes an electronic device. The electronic device includes a memory and a processor. The memory stores a computer program. When the processor executes the computer program, the present invention is implemented. Apply for the encrypted message data flow classification method described in any one of the embodiments of the first aspect.

In order to achieve the above object, the fourth aspect of the embodiment of the present application proposes a computer-readable storage medium. The storage medium stores a computer program. When the computer program is executed by a processor, any of the embodiments of the first aspect of the present application is implemented. The encrypted message data flow classification method described in one item.

The encrypted message data stream classification method, system, electronic device and storage medium proposed by this application divide the encrypted message data stream into multiple message fragments in chronological order, and divide each message fragment into multiple message fragments. Message groups can generate fragment images based on the message length, number of messages, and message direction of each message group, thereby converting the originally complex encrypted message data stream into a visual fragment image, and at the same time displaying the encryption more clearly. Information transfer path in the process to facilitate classification of images. After that, feature extraction is performed on the fragment image to obtain image features. The historical classification results of image features at the previous moment are input into the message classification network together with the image features at the current moment, so that the message classification network can fully consider the characteristics of the encrypted message data stream when classifying image features. The context association relationship enables the message classification network to identify fixed data packet formats based on the context association relationship, improve the efficiency of classifying encrypted message data flow, and obtain the classification results of the encrypted message data flow message behavior. accuracy.

Description of the drawings

Figure 1 is a schematic structural diagram of an encrypted message data flow classification system provided by an embodiment of the present application;

Figure 2 is a flow chart of an encrypted message data flow classification method provided by an embodiment of the present application;

Figure 3 is a fragment image corresponding to the user login behavior provided by the embodiment of the present application;

Figure 4 is a fragment image corresponding to the user's logout behavior provided by the embodiment of the present application;

Figure 5 is a fragment image corresponding to the user's voice request provided by the embodiment of the present application;

Figure 6 is a fragment image corresponding to the user's video request provided by the embodiment of the present application;

Figure 7 is a flow chart of step S102 in Figure 2;

Figure 8 is a flow chart for determining the height of a message sub-image provided by an embodiment of the present application;

Figure 9 is a flow chart of step S304 in Figure 8;

Figure 10 is another flow chart of the encrypted message data flow classification method provided by the embodiment of the present application;

Figure 11 is a flow chart of step S202 in Figure 8;

Figure 12 is a flow chart for extracting image features of each segment image provided by an embodiment of the present application;

Figure 13 is a flow chart of step S104 in Figure 2;

Figure 14 is a flow chart of step S802 in Figure 13;

Figure 15 is a training flow chart of the message classification network provided by the embodiment of the present application;

Figure 16 is another flow chart of the encrypted message data flow classification method provided by the embodiment of the present application;

Figure 17 is a schematic diagram of the functional modules of the encrypted message data flow classification system provided by the embodiment of the present application;

Figure 18 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of the present application.

Detailed ways

In order to make the purpose, technical solutions and advantages of the present application more clear, the present application will be further described in detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present application and are not used to limit the present application.

It should be noted that although the functional modules are divided in the device schematic diagram and the logical sequence is shown in the flow chart, in some cases, the modules can be divided into different modules in the device or the order in the flow chart can be executed. The steps shown or described. The terms "first", "second", etc. in the description, claims, and above-mentioned drawings are used to distinguish similar objects and are not necessarily used to describe a specific sequence or sequence.

Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the technical field to which this application belongs. The terms used herein are only for the purpose of describing the embodiments of the present application and are not intended to limit the present application.

WireGuard is a modern Virtual Private Network (VPN) protocol designed to be simple and efficient, aiming to provide secure and reliable network connections. WireGuard uses encryption technology to protect the privacy and security of communication data, and has lower latency and faster transfer speeds.

However, after using WireGuard or other encryption methods to encrypt communication data, the encrypted message cannot intuitively count the five-tuple information such as the plaintext destination address, source address, port number, etc., so it is impossible to directly distinguish different flows or sessions. . In related technologies, traffic features are generally extracted directly based on the statistical information of the data flow, and then the extracted traffic features are directly classified. In this process, the associated information of the context of the encrypted packets in a short period of time is ignored, and the encrypted packets are The correlation between the text packet context often helps to identify fixed packet formats and quickly identify the encrypted message data flow. Therefore, it will lead to low efficiency in classifying encrypted message packets and affect the final encrypted packet. The accuracy of the classification results of text data flow packet behavior.

Based on this, embodiments of the present application provide a method, system, electronic device and storage medium for classifying encrypted message data streams, which can fully consider the transmission direction of encrypted message data packets and the contextual relationship of the characteristics of encrypted message data streams. , identify the fixed data packet format, improve the efficiency of classifying the encrypted message data flow, and obtain the accuracy of the classification results of the encrypted message data flow message behavior.

The encrypted message data flow classification method, system, electronic device and storage medium provided by the embodiments of the present application are specifically described through the following embodiments. First, the encrypted message data flow classification system in the embodiment of the present application is described.

Please refer to Figure 1. In some embodiments, an encrypted message data flow classification system includes a sending end 101, a feature extraction network 102, a message classification network 103, a receiving end 104 and a controller 105.

By way of example, the controller 105 may be the nerve center and command center of the system. The controller 105 can generate operation control signals according to the instruction operation code and timing signals to complete the control of fetching and executing instructions. For example, the controller 105 can generate an operation control signal, obtain the encrypted message data stream from the sending end 101 and the receiving end 104, and generate a fragment image based on the encrypted message data stream, and then control the feature extraction network 102 to perform feature extraction on the fragment image, The message classification network 103 is then controlled to classify the extracted features to obtain a classification result of the encrypted message data flow.

The encrypted message data flow classification method in the embodiment of the present application can be explained through the following embodiment.

It should be noted that in each specific implementation of the present application, when it comes to relevant processing based on user information, user behavior data, user historical data, user location information and other data related to user identity or characteristics, the first step is to perform relevant processing. Obtain the user's permission or consent. In addition, when the embodiment of this application needs to obtain the user's sensitive personal information, it will obtain the user's separate permission or separate consent through a pop-up window or jump to a confirmation page. After clearly obtaining the user's separate permission or separate consent, it will then Obtain necessary user-related data for normal operation of the embodiment of the present application.

FIG. 2 is an optional flow chart of the encrypted message data flow classification method provided by the embodiment of the present application. The method in FIG. 2 may include steps S101 to S104.

Step S101: Obtain an encrypted message data stream, where the encrypted message data stream includes multiple consecutive encrypted message data packets.

It can be understood that the encrypted message data stream refers to the encrypted data stream during network transmission. Each encrypted message data stream is a continuous piece of data processed by the same encryption algorithm. Each encrypted message The data stream consists of multiple consecutive encrypted message packets. Generally speaking, the original data can be converted into encrypted data for network transmission through encryption algorithms to protect the security of the data. There are many ways to transmit encrypted message data streams, one of which is WireGuard VPN. WireGuard can be used to create secure, encrypted tunnels over public networks. WireGuard uses advanced encryption algorithms, such as Curve25519 algorithm, ChaCha20 algorithm and Poly1305 algorithm, to provide high-strength data protection.

Step S102: Divide the encrypted message data flow into multiple message fragments in time order, and divide each message fragment into multiple message groups according to the message direction of the encrypted message data packet; wherein, The encrypted message packets in each message group have the same message direction.

In some embodiments, since the encrypted message data stream may include multiple actions, such as user login, voice request, video request, chat, logout, etc., therefore, in order to identify different encrypted message data streams, it is necessary to Divide the encrypted message data stream into multiple message fragments and then classify them to obtain multiple message fragments.

In some embodiments, the encrypted message data stream can be divided according to the time of transmission to obtain multiple message fragments, so that the message can be reassembled in the correct order. Multiple message fragments can also be obtained by dividing according to the length of the encrypted message data stream. Generally speaking, the encrypted message data stream can be evenly divided, or multiple dividing ratios can be set according to the needs. This application implements There are no specific restrictions on this.

It can be understood that since encrypted message data packets in the same message direction are most likely to belong to the same category, encrypted message data packets in different message directions generally belong to different categories. Therefore, for each message fragment, you can Divide the message directions of each encrypted message packet to speed up the classification efficiency and improve the accuracy of the classification results. For example, if there are 6 encrypted message packets in a message fragment, the message directions of the encrypted message data packets in chronological order are as follows: sending direction 1, sending direction 2, sending direction 3, receiving direction 4, Receive direction 5, send direction 6. Then, encrypted message packets in the same direction are one group, which can be divided into three groups, that is, sending direction 1, sending direction 2, and sending direction 3 are one group, receiving direction 4 and receiving direction 5 are one group, and sending direction 6 as a group. Alternatively, you can also set an interception time for each message fragment. Every time the preset interception time is reached, the intercepted encrypted message data packets are used as a message group, and inconsistent message directions in the message group are processed. Exclude encrypted message packets. For example, if more than 60% of the encrypted message packets in a message group are sent in the sending direction, then in this message group, the message direction is the receiving direction. Exclude encrypted message packets, or specify the message direction of the message group to exclude data packets in other message directions, etc.

Step S103: For each message fragment, in each message group corresponding to the message fragment, determine the height and height of the message group sub-image according to the message length of the encrypted message data packet contained in each message group. The number of messages determines the width of the message group sub-image and the message direction determines the direction of the message group sub-image, and a fragment image is generated based on multiple message group sub-images.

It is understandable that since there may be some abnormal values or outliers at the head and tail of the packet group, in order to prevent these abnormal values or outliers from affecting the overall average, these outliers can be removed according to a certain percentage. , for example, after arranging the encrypted message data packets of each message group in order or in reverse order according to the message length of each encrypted message data packet, the header (the maximum value of the message length) and the tail (the message length The minimum value of the length) is removed according to a certain percentage, such as 5%, thereby removing outliers within the packet group and improving the accuracy of the calculated average packet length.

In some embodiments, since the average message length represents the average length of all encrypted message packets in the message group, and the header byte generally represents the main information of the encrypted message packet, the average message length can be Determine the extraction ratio of the header byte of each encrypted message packet, thereby extracting the header byte of each encrypted message packet, and the length of the extracted header byte is used as the height of the corresponding message group sub-image. In some embodiments, the header bytes may not be extracted, and the average value may be used as the height of the corresponding packet group sub-image. The embodiments of the present application do not specifically limit this.

In some embodiments, the number of encrypted message packets contained in each message group can be used as the width of the message group sub-image. For example, if there are 5 encrypted messages in a message group packet, then the width value of the packet group sub-image in the corresponding packet group is 5, and the unit corresponding to the width value is set according to the actual situation. It can be understood that since the number of encrypted message packets contained in each message group may be different, in the fragment image, the width of the image corresponding to each message group may also be different.

It can be understood that the color of the message group sub-image is generated from the encrypted message packets in the message group with outliers, or it is only based on the header bytes of the encrypted message packets in the message group. Different The bytes will correspond to different colors to form a visual image. It can be understood that bytes are bytes that have been encoded, and the color of the fragment image can be formed based on the mapping of the bytes to the pixel values of the image. For example, the encoding of the bytes can be converted into corresponding red, green and blue (Red, Green and Blue, RGB) color values RGB color values. It can be understood that since the header byte can generally represent the change mode or characteristics of the corresponding encrypted message packet, it is only necessary to extract the header byte of the encrypted message packet to draw the color of the fragment image, so that the drawing The fragment image is more accurate.

In some embodiments, the orientation of the image may be based on the message direction of each encrypted message data packet included in each message group. The forward and reverse direction of the message can be defined by yourself. For example, you can divide the encrypted message data flow into the sending direction and the receiving direction, and define the sending direction as positive and the receiving direction as negative, or define the sending direction as positive and the receiving direction. is negative, etc. In some embodiments, the sending direction can be defined as positive. Then, the graphical representation corresponding to the message group with positive message direction is in the positive direction of the coordinate axis, and the graphical representation corresponding to the message group with negative message direction is in the coordinate axis. The negative orientation of the axis.

It can be understood that in the fragment image, the graphical representation corresponding to each message group can be a columnar shape, a rectangular shape, etc., and this application does not specifically limit this. It can be understood that by generating fragment images based on the message length, number of messages, bytes of encrypted message packets and message direction of each message group, the originally complex encrypted message data stream can be transformed into a visual Fragment images to obtain an intuitive image representation.

Please refer to Figures 3 to 6. Figures 3 to 6 are fragment images under different message behaviors. Figure 3 is a fragment image corresponding to the user's login behavior. Figure 4 is a fragment image corresponding to the user's logout behavior. Figure 5 is the segment image corresponding to the user's voice request, and Figure 6 is the segment image corresponding to the user's video request. In Figures 3 to 6, it can be intuitively shown that the fragment images corresponding to different behaviors are also different. In Figures 3 to 6, the horizontal axis represents time, the vertical axis represents the length of the processed message, and the image The color representation is obtained by mapping the header byte. In order to easily distinguish different colors, different legend representations are selected. In practical applications, the color of the picture can be displayed. As can be seen from Figures 3 to 6, each message group is arranged in chronological order, and the orientation of the sub-image of each message group is determined according to the sending direction and receiving direction, which can visually display the different message groups in different time periods. Changes.

It can be understood that the encrypted message data flow classification method also includes aggregating multiple fragment images of the same type, thereby classifying the fragment images based on historical classification results. Since the representations of fragment images of the same type are very likely to be the same, it is possible to perform regular analysis on the classified images to obtain the image patterns of the fragment images of the corresponding category, thereby directly classifying the fragment images. For example, the image pattern of the fragment image corresponding to the user's video request can be analyzed. When subsequent fragment images show the same image pattern, the fragment image can be directly classified as the user's video request, thereby improving the classification of encrypted message data flow message behavior. efficiency.

Step S104, extract the image features of each fragment image, and sequentially input the historical classification results of the image features at the previous moment and the image features at the current moment into the preset message classification network to classify the message behavior, and obtain the encrypted message data. Classification results of flow packet behavior.

In some embodiments, since encrypted message data stream message behavior generally has a fixed data packet format, generally only by contacting historical classification results can the data packet format be analyzed and the message behavior classified. Therefore, the features of each fragment image can be extracted through the pre-prepared convolutional neural network, and then the extracted image features and the historical classification results of the last encrypted message data flow message behavior are input into the message classification network. Carry out message behavior classification, thereby combining the classification information of historical fragment images with the characteristics of this image, fully considering the context.

The encrypted message data stream classification method, system, electronic device and storage medium proposed by this application divide the encrypted message data stream into multiple message fragments in chronological order, and divide each message fragment into multiple message fragments. Message groups can generate fragment images based on the message length, number of messages, and message direction of each message group, thereby converting the originally complex encrypted message data stream into a visual fragment image, and at the same time displaying the encryption more clearly. Information transfer path in the process to facilitate classification of images. After that, feature extraction is performed on the fragment image to obtain image features. The historical classification results of image features at the previous moment are input into the message classification network together with the image features at the current moment, so that the message classification network can fully consider the characteristics of the encrypted message data stream when classifying image features. The context association relationship enables the message classification network to identify fixed data packet formats based on the context association relationship, improve the efficiency of classifying encrypted message data flow, and obtain the classification results of the encrypted message data flow message behavior. accuracy.

Referring to Figure 7, in some embodiments, step S102 includes steps S201 to S202:

Step S201: In each encrypted message data stream, the encrypted message data packets are arranged in chronological order, and the encrypted message data packets are divided according to the preset number of divisions to obtain multiple message fragments.

It can be understood that, in general, each message behavior can be formed by multiple consecutive encrypted message packets. At the same time, in order to more easily track and check the transmission and processing of the message, the encrypted message can be The data packets are continuously arranged in chronological order, and the arranged encrypted message data packets are divided according to the preset number of divisions to obtain multiple message fragments. In some embodiments, the preset number of divisions is a number set according to the actual situation. The preset number of divisions can be adjusted. For example, if the preset number of divisions is 10, then every 10 encrypted message packets constitute one message. fragment.

In some embodiments, the encrypted message data packet can be divided according to the preset dividing time. For example, the encrypted message data packet can be divided every 1 second to obtain corresponding message fragments, etc., the embodiments of the present application There are no specific restrictions on this.

Step S202: In each message fragment, distinguish the message direction of each encrypted message data packet, and divide the encrypted message data packets with the same message direction into the same message group to obtain multiple messages. Article group.

It is understandable that messages of the same type tend to have the same direction. Therefore, continuous encrypted message packets in the same direction can be divided into the same message group, thereby improving classification efficiency. Alternatively, you can also divide the message fragments according to the preset number of divisions to obtain multiple initial message groups, and determine the encrypted messages that need to be excluded for each initial message group based on the proportion of the message directions of the initial message group. For example, the number of encrypted message packets with forward message direction accounts for 60% of the message group, and the number of encrypted message data packets with negative message direction accounts for 40% of the message group. Since 60 % is greater than 40%, therefore, encrypted message packets with negative message direction are excluded from the corresponding message group.

In some embodiments, one message direction can be specified for a message group with two message directions, and encrypted message data packets whose message direction is different from the specified message direction can be filtered. Finally, each message The message directions of the encrypted message packets in the group are consistent.

Referring to Figure 8, in some embodiments, determining the height of the message group sub-image includes steps S301 to S304:

Step S301: In each message group, filter the encrypted message data packets in the message group according to a preset exclusion ratio.

In some embodiments, since WireGuard or other encryption methods are VPN protocols in tunnel encapsulation mode, the encapsulation part can be removed only after the message header is removed, and the remaining data is the encrypted version of the original traffic data. Encrypt message data. Therefore, according to the actual situation, a preset clipping ratio can be set to clip the message header of each encrypted message packet in the message group.

In some embodiments, a preset exclusion ratio can be set to filter encrypted message packets in the message group. For example, the preset exclusion ratio can be set to 5%, and there are 100 encrypted message packets in the message group. Then, the encrypted message data packets can be classified according to the message length in the message group. Sort from longest to shortest or from shortest to longest, and then remove 5% of the total number of encrypted message packets in the group from the head and tail respectively, that is, remove 5 encrypted message packets from the head and 5 from the tail. encrypted message packets to remove the maximum and minimum values and eliminate the possibility of outliers affecting the classification results.

Step S302: Add the message lengths of each encrypted message packet after filtering and divide by the number of encrypted message packets in the message group to obtain the average message length.

In some embodiments, after filtering each encrypted message data packet in each message group, all encrypted message data packets can be added up, and the obtained sum is divided by the encrypted message data packets in the corresponding message group. The number of message packets is calculated to obtain the average message length for subsequent drawing of fragment images. In some embodiments, the average message length can be directly used as the height of the message group sub-image.

Step S303: Compare the reference length obtained by multiplying the average message length by the preset extraction ratio with the message length of each encrypted message packet in the message group to obtain a comparison result.

In some embodiments, the preset extraction ratio is an adjustable ratio of extracting valid bytes of each encrypted message packet. It can be understood that in order to remove redundant parts of the drawn fragment image and directly generate the fragment image based on the effective part, a preset extraction ratio can be set to extract the effective bytes of the encrypted message packet. For example, the preset extraction ratio can be set to 60%. Then, the reference length obtained by multiplying the average message length by the preset extraction ratio can be compared with the message length of each encrypted message packet. This determines whether each encrypted message packet can be completely extracted based on the reference length.

Step S304: Determine the height of the message group sub-image according to the comparison result.

In some embodiments, if the comparison result indicates that the reference length is smaller than the message length of each encrypted message data packet, it means that each encrypted message data packet can be extracted according to the reference length. If the comparison result indicates that the reference length is greater than the message length of an encrypted message packet, it means that each encrypted message packet is extracted based on the reference length, and there will be a byte length of the extracted encrypted message packet. The reference length is insufficient, thus affecting the drawing of the fragment image. Therefore, the message length of the encrypted message packet with the shortest message length in the message group can be selected to compare with the reference length. The reference length is greater than a certain encrypted message data. If the message length of the packet is specified, the message length of the encrypted message packet with the shortest message length will be used as the height of the message group sub-image, thereby ensuring that the extracted length of each encrypted message packet in the message group is equal.

Referring to Figure 9, in some embodiments, step S304 includes steps S401 to S402:

Step S401: If the comparison result indicates that there is no encrypted message packet in the message group with a message length shorter than the reference length, then the reference length is used as the height of the message group sub-image.

Step S402: If the comparison result indicates that there are encrypted message packets in the message group whose message length is shorter than the reference length, the message length of the corresponding encrypted message data packet is used as the height of the message group sub-image.

In some embodiments, the average message length can be multiplied by the preset extraction ratio to calculate the length of the header byte of each encrypted message packet in the message group, and the length of the header byte is used as the message The height of the group subimage.

In some embodiments, the height calculation formula of the packet group sub-image is as follows:

Among them, M represents the height of the message group sub-image, Indicates the average message length,/> Represents the length of any encrypted message packet,/> Indicates the preset ratio, which can be set to 60% or other ratios.

It can be understood that in the above formula, if the reference length obtained after multiplying the average message length in the message group by the preset extraction ratio is less than the length of all encrypted message packets, it indicates that all encrypted messages in the message group can be The header bytes of the message data packet are extracted, and there will be no situation where the length of the message extracted from the encrypted message data packet is less than the reference length. If the reference length is greater than the shortest message length in the message group, the length of the encrypted message packet with the shortest length will be used as the height of the image to ensure that the byte length extracted from each encrypted message packet in the message group is Consistent, and each encrypted message packet in the message group can extract bytes of the same length. For example, if the average packet length multiplied by the preset ratio is equal to 7, but the lengths of encrypted packets in the packet group are 6 and 4, then the encrypted packet length of 4 cannot be obtained. Extract 7, then use 4 as the height of the image.

Referring to Figure 10, in some embodiments, the encrypted message data flow classification method further includes steps S501 to S502:

Step S501: Obtain multiple message groups corresponding to each message fragment after filtering and encrypting the message data packets.

In some embodiments, filtering the multiple message groups after encrypted message data packets are the message groups that exclude outliers according to a preset exclusion ratio. The preset exclusion ratio can be set to 5%, 10%, etc. Specifically, it can be arranged sequentially according to the length of the encrypted message packets. The header or tail or the header and the tail can be arranged according to the preset The exclusion ratio filters out encrypted message packets. For example, if there are 100 encrypted message packets in the message group and the preset exclusion ratio is 5%, then, after arranging the encrypted message packets in order, it is assumed that the header is the one with the shortest message length. Message data packets, the tail is the encrypted message data packet with the longest message length, then 5 encrypted message data packets can be trimmed at the head, and then 5 encrypted message data packets can be trimmed at the tail. Later, after all message groups included in the message fragment are cropped, the color of the message group sub-image can be determined based on the encrypted message data packets contained in the message group, so that the encryption within the message group can be displayed through the fragment image. Change information of message packets to facilitate subsequent feature extraction and classification. Or, after filtering the encrypted message packets, obtain the average message length of each message group, and then extract the header byte of the message based on the average message length multiplied by the preset extraction ratio. The header bytes of each encrypted message packet generate the color of the message group subimage.

Step S502: Determine the color of the message group sub-image based on the encrypted message data packets contained in each message group.

In some embodiments, the image color of the corresponding message group can be generated based on the extracted header bytes of each message group. In some embodiments, the header byte may be mapped to the value range of the RGB component. Specifically, the value of the header byte can be used as the value of the RGB component. For example, if the value of the header byte is 100, then the R, G, and B values can all be set to 100, resulting in a gray pixel. In some embodiments, the value of the header byte can be mapped to the value range of the RGB component according to certain rules. For example, you can divide the value of the header byte by 255 to get a decimal between 0 and 1, and then multiply this decimal by 255 to get a new value as the value of the RGB component, thereby ensuring that the generated color is consistent throughout the Evenly distributed in RGB color space.

Furthermore, the image colors generated by each encrypted message packet of each message group are added to obtain the color of each message group drawn in the fragment image, thereby clearly and accurately displaying the changes in the image corresponding to the message group. law.

Referring to Figure 11, in some embodiments, step S202 includes steps S601 to S602:

Step S601: In each message fragment, the message direction of each encrypted message data packet is divided into a sending direction or a receiving direction.

Step S602: Divide the encrypted message data packets corresponding to the continuous sending direction or the encrypted message data packets corresponding to the continuous receiving direction in time order to obtain multiple message groups arranged in time order.

In some embodiments, the message direction includes a sending direction and a receiving direction. The message direction of each encrypted message packet can be analyzed, and all encrypted message packets can be divided into the sending direction or the receiving direction.

For example, if the message directions of each encrypted message packet in the message fragments obtained in chronological order are encrypted message packet 1: sending direction, encrypted message packet 2: sending direction, encrypted message data Packet 3: receiving direction, encrypted message packet 4: receiving direction, encrypted message packet 4: receiving direction. Then, the division result is: encrypted message packet 1, encrypted message packet 2 is a message group, encrypted message packet 3, encrypted message packet 4, encrypted message packet 5 is a message group .

It can be understood that by processing consecutive encrypted message packets with the same message direction in chronological order, the final generated fragment image can represent the trend of message transmission, which is conducive to more accurate classification of message behavior.

Referring to Figure 12, in some embodiments, extracting image features of each segment image includes steps S701 to S702:

Step S701: Load the pre-trained convolutional neural network.

In some embodiments, a convolutional neural network can be used to extract the image features of each segment image, or other feature extraction networks can be used to extract the image features of each segment image. The convolutional neural network is trained in advance on a data set composed of a large number of fragment images, and has good feature extraction capabilities.

Step S702: Each segment image is input to the convolutional neural network in chronological order for feature extraction to obtain image features corresponding to the segment image.

In some embodiments, each segment image can be input to the convolutional neural network in chronological order for feature extraction, capturing the change information and important feature information of the segment image, and obtaining the image features of each segment image, thereby facilitating Subsequently, the image features are classified to improve the efficiency of classification.

Referring to Figure 13, in some embodiments, step S104 includes steps S801 to S802:

Step S801: Obtain the historical classification results obtained after the image features at the previous moment are input to the message classification network.

In some embodiments, the packet classification network may be a Long Short-Term Memory (LSTM) network, and the packet classification network may process sequence data to capture the temporal dependence of the input data. It is understandable that the historical classification results may have an important impact on the classification at the current moment. Therefore, in order to establish the contextual connection of the image features, the historical classification results of the image features at the previous moment can be obtained.

Step S802, sequentially input the image features and corresponding historical classification results of each current moment into the preset message classification network to classify the message behavior, until the last image of the encrypted message data stream is input to the message classification network. Features to obtain classification results of encrypted message data flow message behavior.

It is understandable that when processing encrypted message data streams, much information may not be directly accessible due to the encrypted nature of the data. However, using the relationship between historical classification results and image features at the current moment can fill in some missing information, thereby improving the accuracy of message behavior classification.

For example, if the encrypted message data stream has 5 message fragments, each message fragment corresponds to 1 image feature, and there are 5 image features in total, then according to the chronological order of the image features, the first image feature, that is, Image feature 1 is input into the message classification network, and classification result 1 is obtained; classification result 1 and image feature 2 are input into the message classification network, and classification result 2 is obtained; classification result 2 and image feature 3 are input into the message classification network, Obtain classification result 3; input classification result 3 and image feature 4 to the message classification network, and obtain classification result 4; input classification result 4 and image feature 5 to the message classification network, and obtain the classification result of the encrypted message data stream.

In some embodiments, the image features and historical classification results at the previous moment can be used as input through the message classification network to predict the classification results of the image features at the current moment, thereby making full use of the temporal relationship between the historical classification results and image features. Improve image classification accuracy.

It can be understood that the message classification network may include an input gate, a forget gate and an output gate. The input gate, forget gate and output gate are introduced below: the input gate determines how much information from the input data can enter the memory unit. The input gate controls the importance of the input data through an activation function. The output result of the input gate is the same as The input data are multiplied at the element level, thereby selectively inputting important information into the memory unit. The forgetting gate determines which historical memories need to be forgotten. The forgetting gate controls the importance of the previous memory through an activation function. The output of the forgetting gate is multiplied at the element level with the previous memory, thereby selectively forgetting some inappropriate memories. Important memories. The output gate determines the output of the information in the memory unit at the current time step. The output gate controls the importance of the information in the memory unit through an activation function and maps the information in the memory unit to an appropriate range. The output gate The output result is multiplied at the element level with the information in the memory unit, thereby selectively outputting the information in the memory unit.

Referring to Figure 14, in some embodiments, step S802 includes steps S901 to step S905:

Step S901: Input the image features of each current moment into the packet classification network in turn, and determine the first classification information to be retained from the image features through the input gate of the packet classification network.

In some embodiments, the packet classification network can control the impact of input information at the current moment on memory through input gates, thereby selectively remembering important image features. Input the image features of each current moment into the packet classification network, and determine the first classification information of the image features to be retained through the input gate. Information related to packet classification can be extracted from the image features of the current moment, so that subsequent classification processing.

Step S902: Input the first classification information and historical classification results to the forgetting gate of the message classification network, and determine the second classification information that needs to be retained from the first classification information and historical classification results.

In some embodiments, the forgetting gate is an important component of the Long Short-Term Memory network (Long Short-Term Memory, LSTM) and is used to decide what information needs to be retained at the current moment. By inputting the first classification information and historical classification results into the forgetting gate, the second classification information that needs to be retained can be determined based on the network's learning ability and gating mechanism. In the forgetting gate, calculations and decisions are made based on the input first classification information and historical classification results to determine the second classification information that needs to be retained. In this way, the second classification information will be passed to the next layer or next time step to continue the classification task. It can be understood that by inputting the first classification information and historical classification results into the forgetting gate of the message classification network, the first classification information at the current moment and the previous historical classification results can be combined to extract more comprehensive classification information, so as to Classify more accurately.

Step S903: Weight the historical classification results and the second classification information to obtain weighted classification information.

In some embodiments, the packet classification network can determine the output weight through an output gate, and perform weighting processing on historical classification results and current classification information to obtain more accurate classification information.

It can be understood that the packet classification network can automatically adjust the weighting based on the historical classification results and the contribution of the second classification information, or the weighting can also be adjusted by technical personnel as needed, and then, based on the adjusted weight The historical classification results and the second classification information are weighted to obtain more reasonable classification information. It can be understood that weighted classification information may refer to weights or labels used to distinguish different types of features.

Step S904: Input the weighted classification information to the output gate for screening, and obtain the current classification result of the message behavior of the encrypted message data flow at the current moment.

It can be understood that the output gate is a mechanism in a neural network used to filter and control input signals. By inputting weighted classification information to the output gate, different types of messages can be filtered. In the output gate, the encrypted message data flow can be filtered based on the input weighted classification information and gating mechanism, thereby obtaining the current classification results of the encrypted message data flow message behavior at the current moment.

Step S905, continue to input the unclassified image features of the encrypted message data stream to the message classification network until the last image feature of the encrypted message data stream is input to the message classification network, and output the classification of the message behavior of the encrypted message data stream. result.

It can be understood that unclassified image features can continue to be input to the packet classification network in chronological order. Each image feature and the historical classification result of the previous moment can be input to the packet classification network to obtain the current classification result. At the next moment, it is input to the message classification network together with the image features until the last image feature of the encrypted message data stream is input, and the classification result of the message behavior of the encrypted message data stream is output through the message classification network, thus ensuring that Each image feature is included in the classification process, and the contextual connection of the image features is considered, thereby improving the efficiency and accuracy of the message behavior classification results.

Referring to Figure 15, in some embodiments, the packet classification network is trained through the following steps S1001 to S1004:

Step S1001: Obtain multiple encrypted message data streams, and form a training data set based on the multiple encrypted message data streams.

In some embodiments, in order to improve the classification capability of the packet classification network, a large number of encrypted packet data streams can be obtained to form a training data set to train the packet classification network. For example, the encrypted message data stream can be divided into a training set, a verification set, and a test set to facilitate subsequent training and parameter adjustment of the message classification network.

Step S1002: Preprocess each encrypted message data stream in the training data set to obtain multiple message fragments and fragment images corresponding to the message fragments.

In some embodiments, each encrypted message data stream is preprocessed. Specifically, the encrypted message data stream can be divided into multiple message fragments in chronological order, and each message fragment can be divided into multiple message fragments. message group, and then, for each message fragment, according to the message length of each encrypted message packet contained in each message group as the height of the message group sub-image, according to the length of each message group contained The number of each encrypted message packet is used as the width of the message group sub-image, and the bytes of each encrypted message packet contained in each message group is used as the color of the message group sub-image. The message direction of each encrypted message data packet contained in the message group is used as the orientation of the sub-image of the message group to generate a fragment image corresponding to the message fragment. The embodiment of the detailed processing process has been unfolded above and will not be discussed here. Repeat.

Step S1003, extract the image features of each fragment image, and sequentially input the historical classification results of the image features at the previous moment and the image features at the current moment into the preset message classification network to classify the message behavior, and obtain the encrypted message data. The first classification result of flow packet behavior.

It can be understood that extracting image features can capture the spatial characteristics of the image and help distinguish different message behaviors. Inputting the historical classification results and the image features at the current moment into the packet classification network can take into account the contextual connections of each packet fragment, thereby identifying the fixed packet format based on the context information, which helps the packet classification network to quickly Classification.

Step S1004: Calculate the loss value of the first classification result according to the preset loss function, and adjust the parameters of the packet classification network based on the loss value to obtain a trained packet classification network.

In some embodiments, the first classification result can be compared with the correct classification result in the verification set, the loss value of the first classification result can be calculated through a preset loss function, and the parameters of the packet classification network can be adjusted based on the loss value. , and train the packet classification network again. During the training process, continuously adjust the parameters of the packet classification network until the packet classification network converges or reaches the preset training times, which indicates that the packet classification network has been trained. At this point, the trained packet classification network is obtained. It can be understood that the loss function is a general loss function and can be set as needed.

Please refer to Figure 16. In some embodiments, through Figure 16, the application's method for classifying encrypted message data flows is generally introduced.

For example, the encrypted message data stream can be obtained, and the encrypted message data stream can be divided into multiple message fragments according to time, and then the message group can be determined according to the message direction. In each message group, the number of encrypted message packets in the message group is used as the width of the graphic representation of the message group, and the average length of the encrypted message packets in the message group is calculated. For the average length Extract the main bytes, and use the extracted main bytes as the length of the message group sub-image representation. After that, extract the header bytes of the encrypted message packets in the message group, and use the extracted header bytes Convert to the color represented by the message group sub-image, and then use the message direction as the direction represented by the message group sub-image, so as to draw the fragment image of the corresponding message fragment based on multiple message group sub-images. Further, after extracting features from the fragment images, the extracted image features are sequentially input into the message classification network for classification. Furthermore, when classifying image features, the historical classification results and the current image features are input to the message classification network in chronological order to obtain the current classification results, and the last image feature and historical classification results of the encrypted message data stream are After being input into the packet classification network together, the classification results of the packet behavior of the encrypted packet data flow are obtained.

Please refer to Figure 17. This embodiment of the present application also provides an encrypted message data flow classification system, which can implement the above encrypted message data flow classification method. The encrypted message data flow classification system includes:

The encrypted message data stream acquisition module 1701 is used to obtain the encrypted message data stream, where the encrypted message data stream includes multiple consecutive encrypted message data packets;

The message group dividing module 1702 is used to divide the encrypted message data stream into multiple message fragments in time order, and divide each message fragment into multiple message fragments according to the message direction of the encrypted message data packet. Message group; where the encrypted message packets in each message group have the same message direction;

The fragment image generation module 1703 is used for each message fragment, in each message group corresponding to the message fragment, to determine the message group according to the message length of the encrypted message data packet contained in each message group. The height of the sub-image and the number of messages determine the width of the message group sub-image and the message direction determines the direction of the message group sub-image, and generates fragment images based on multiple message group sub-images;

The classification result acquisition module 1704 is used to extract the image features of each fragment image, and sequentially input the historical classification results of the image features at the previous moment and the image features at the current moment into the preset message classification network to classify the message behavior. Obtain the classification results of the encrypted message data flow message behavior.

The specific implementation of the encrypted message data flow classification system is basically the same as the specific embodiment of the above-mentioned encrypted message data flow classification method, and will not be described again here. On the premise of meeting the requirements of the embodiments of this application, the encrypted message data flow classification system can also be provided with other functional modules to implement the encrypted message data flow classification method in the above embodiment.

An embodiment of the present application also provides an electronic device. The electronic device includes a memory and a processor. The memory stores a computer program. When the processor executes the computer program, it implements the above encrypted message data flow classification method. The electronic device can be any smart terminal including a tablet computer, a vehicle-mounted computer, etc.

Please refer to Figure 18. Figure 18 illustrates the hardware structure of an electronic device according to another embodiment. The electronic device includes:

The processor 1801 can be implemented by a general-purpose CPU (Central Processing Unit, central processing unit), a microprocessor, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, and is used to execute relevant programs to implement The technical solutions provided by the embodiments of this application;

The memory 1802 can be implemented in the form of read-only memory (ReadOnlyMemory, ROM), static storage device, dynamic storage device, or random access memory (RandomAccessMemory, RAM). The memory 1802 can store operating systems and other application programs. When implementing the technical solutions provided by the embodiments of this specification through software or firmware, the relevant program codes are stored in the memory 1802 and called by the processor 1801 to execute the implementation of this application. Example of encrypted message data flow classification method;

Input/output interface 1803, used to implement information input and output;

Communication interface 1804 is used to realize communication interaction between this device and other devices. Communication can be achieved through wired methods (such as USB, network cables, etc.) or wireless methods (such as mobile network, WIFI, Bluetooth, etc.);

Bus 1805, which transmits information between various components of the device (such as processor 1801, memory 1802, input/output interface 1803, and communication interface 1804);

The processor 1801, the memory 1802, the input/output interface 1803 and the communication interface 1804 implement communication connections between each other within the device through the bus 1805.

Embodiments of the present application also provide a computer-readable storage medium. The computer-readable storage medium stores a computer program. When the computer program is executed by a processor, the above encrypted message data flow classification method is implemented.

As a non-transitory computer-readable storage medium, memory can be used to store non-transitory software programs and non-transitory computer executable programs. In addition, the memory may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory may optionally include memory located remotely from the processor, and the remote memory may be connected to the processor via a network. Examples of the above-mentioned networks include but are not limited to the Internet, intranets, local area networks, mobile communication networks and combinations thereof.

The embodiments described in the embodiments of the present application are to more clearly illustrate the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application. Those skilled in the art will know that with the evolution of technology and new technologies, As application scenarios arise, the technical solutions provided by the embodiments of this application are also applicable to similar technical problems.

Those skilled in the art can understand that the technical solutions shown in the figures do not limit the embodiments of the present application, and may include more or fewer steps than those shown in the figures, or combine certain steps, or different steps.

The device embodiments described above are only illustrative, and the units described as separate components may or may not be physically separate, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

Those of ordinary skill in the art can understand that all or some steps, systems, and functional modules/units in the devices disclosed above can be implemented as software, firmware, hardware, and appropriate combinations thereof.

The terms "first", "second", "third", "fourth", etc. (if present) in the description of this application and the above-mentioned drawings are used to distinguish similar objects and are not necessarily used to describe specific objects. Sequence or sequence. It is to be understood that the data so used are interchangeable under appropriate circumstances so that the embodiments of the application described herein can be practiced in sequences other than those illustrated or described herein. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusions, e.g., a process, method, system, product, or apparatus that encompasses a series of steps or units and need not be limited to those explicitly listed. Those steps or elements may instead include other steps or elements not expressly listed or inherent to the process, method, product or apparatus.

It should be understood that in this application, "at least one (item)" and "several" refer to one or more, and "plurality" refers to two or more. "And/or" is used to describe the relationship between associated objects, indicating that there can be three relationships. For example, "A and/or B" can mean: only A exists, only B exists, and A and B exist simultaneously. , where A and B can be singular or plural. The character "/" generally indicates that the related objects are in an "or" relationship. “At least one of the following” or similar expressions thereof refers to any combination of these items, including any combination of a single item (items) or a plurality of items (items). For example, at least one item (item) of a, b or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c" ”, where a, b, c can be single or multiple.

In the several embodiments provided in this application, it should be understood that the disclosed systems and methods can be implemented in other ways. For example, the system embodiments described above are only illustrative. For example, the division of the above units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or may be Integrated into another system, or some features can be ignored, or not implemented. On the other hand, the coupling or direct coupling or communication connection between each other shown or discussed may be through some interfaces, and the indirect coupling or communication connection of the devices or units may be in electrical, mechanical or other forms.

The units described above as separate components may or may not be physically separated. The components shown as units may or may not be physical units, that is, they may be located in one place, or they may be distributed to multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present application can be integrated into one processing unit, each unit can exist physically alone, or two or more units can be integrated into one unit. The above integrated units can be implemented in the form of hardware or software functional units.

Integrated units may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as independent products. Based on this understanding, the technical solution of the present application is essentially or contributes to the existing technology, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , including multiple instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods of various embodiments of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk, etc. that can store programs. medium.

The preferred embodiments of the embodiments of the present application have been described above with reference to the accompanying drawings, but this does not limit the scope of rights of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and essence of the embodiments of the present application shall be within the scope of rights of the embodiments of the present application.

Claims (13)

1. An encrypted message data stream classification method, which is characterized by comprising the following steps:

obtaining an encrypted message data stream, wherein the encrypted message data stream comprises a plurality of continuous encrypted message data packets;

dividing the encrypted message data stream into a plurality of message fragments according to the time sequence, and dividing each message fragment into a plurality of message groups according to the message direction of the encrypted message data packet; wherein the message directions of the encrypted message data packets in each message group are consistent;

for each message Wen Pianduan, in each message group corresponding to the message segment, determining the height and the number of the sub-images of the message group according to the message length of the encrypted message data packet contained in each message group, determining the width of the sub-images of the message group and the direction of the message, determining the direction of the sub-images of the message group, and generating a segment image according to a plurality of sub-images of the message group;

Extracting image characteristics of each fragment image, and sequentially inputting a historical classification result of the image characteristics at the previous moment and the image characteristics at the current moment into a preset message classification network to classify message behaviors, so as to obtain a classification result of the message behaviors of the encrypted message data stream.

2. The method for classifying encrypted message data streams according to claim 1, wherein the dividing the encrypted message data streams into a plurality of message segments according to the time sequence, and dividing each of the message segments into a plurality of message groups according to the message direction of the encrypted message data packets, comprises:

in each encrypted message data stream, arranging the encrypted message data packets according to a time sequence, and dividing the encrypted message data packets according to a preset dividing number to obtain a plurality of message fragments;

and in each message Wen Pianduan, distinguishing the message direction of each encrypted message data packet, and dividing the encrypted message data packets with the same message direction into the same message group to obtain a plurality of message groups.

3. The method for classifying an encrypted packet data stream according to claim 1, wherein determining the height of the packet sub-image includes:

Screening the encrypted message data packets in the message groups according to a preset exclusion proportion in each message group;

dividing the message length of each encrypted message data packet after screening by the message number of the encrypted message data packets in the message group after adding to obtain an average message length;

the reference length obtained by multiplying the average message length by a preset extraction proportion is compared with the message length of each encrypted message data packet in the message group to obtain a comparison result;

and determining the height of the sub-images of the message group according to the comparison result.

4. The method for classifying an encrypted packet data stream according to claim 3, wherein determining the height of the packet sub-image according to the comparison result comprises:

if the comparison result indicates that the encrypted message data packet with the message length shorter than the reference length does not exist in the message group, the reference length is taken as the height of the sub-image of the message group;

and if the comparison result represents that the encrypted message data packet with the message length shorter than the reference length exists in the message group, taking the message length of the corresponding encrypted message data packet as the height of the sub-image of the message group.

5. A method of classifying an encrypted message data stream according to claim 3, wherein the method further comprises:

acquiring a plurality of message groups corresponding to each message segment after screening the encrypted message data packet;

and determining the color of the sub-images of the message group according to the encrypted message data packet contained in each message group.

6. The method for classifying an encrypted message data stream according to claim 2, wherein the message direction includes a transmission direction and a reception direction; the distinguishing the message direction of each encrypted message data packet in each message Wen Pianduan, and dividing the encrypted message data packets with the same message direction into the same message group, to obtain a plurality of message groups, includes:

dividing the message direction of each encrypted message data packet into a sending direction or a receiving direction in each message Wen Pianduan;

dividing the encrypted message data packets corresponding to the continuous sending directions or the encrypted message data packets corresponding to the continuous receiving directions according to the time sequence to obtain a plurality of message groups which are arranged according to the time sequence.

7. The method for classifying an encrypted message data stream according to claim 1, wherein the extracting image features of each of the segment images includes:

loading a pre-trained convolutional neural network;

and sequentially inputting the fragment images into the convolutional neural network according to a time sequence to perform feature extraction, so as to obtain image features corresponding to the fragment images.

8. The method for classifying encrypted message data streams according to claim 1, wherein the step of sequentially inputting the historical classification result of the image feature at the previous time and the image feature at the current time into a preset message classification network to classify the message behaviors to obtain the classification result of the message behaviors of the encrypted message data streams includes:

acquiring a history classification result obtained after the image characteristic at the previous moment is input to the message classification network;

and sequentially inputting the image characteristics at each current moment and the corresponding historical classification results into a preset message classification network to classify the message behaviors until the last image characteristic of the encrypted message data stream is input into the message classification network, so as to obtain the classification results of the message behaviors of the encrypted message data stream.

9. The method for classifying encrypted message data streams according to claim 8, wherein the sequentially inputting the image feature and the corresponding historical classification result at each current time into a preset message classification network to classify the message behaviors until the last image feature of the encrypted message data stream is input into the message classification network, to obtain the classification result of the message behaviors of the encrypted message data stream, includes:

sequentially inputting the image characteristics at each current moment into the message classification network, and determining first classification information to be reserved from the image characteristics through an input gate of the message classification network;

inputting the first classification information and the historical classification result to a forgetting gate of the message classification network, and determining second classification information to be reserved from the first classification information and the historical classification result;

weighting the historical classification result and the second classification information to obtain weighted classification information;

the weighted classification information is input to an output gate for screening, and a current classification result of the encrypted message data stream message behavior at the current moment is obtained;

And continuing to input the image features of the encrypted message data stream which are not classified into the message classification network until the last image feature of the encrypted message data stream is input into the message classification network, and outputting a classification result of the message behavior of the encrypted message data stream.

10. The method for classifying encrypted message data streams according to claim 9, characterized in that the message classification network is trained by the following steps:

acquiring a plurality of encrypted message data streams, and forming a training data set according to the encrypted message data streams;

preprocessing each encrypted message data stream in the training data set to obtain a plurality of message fragments and fragment images corresponding to the message fragments;

extracting image characteristics of each fragment image, and sequentially inputting a historical classification result of the image characteristics at the previous moment and the image characteristics at the current moment into a preset message classification network to classify message behaviors, so as to obtain a first classification result of the message behaviors of the encrypted message data stream;

and calculating a loss value of the first classification result according to a preset loss function, and carrying out parameter adjustment on the message classification network according to the loss value to obtain a trained message classification network.

11. An encrypted message data stream classification system, the system comprising:

the encrypted message data stream acquisition module is used for acquiring an encrypted message data stream, wherein the encrypted message data stream comprises a plurality of continuous encrypted message data packets;

the message group dividing module is used for dividing the encrypted message data stream into a plurality of message fragments according to the time sequence and dividing each message fragment into a plurality of message groups according to the message direction of the encrypted message data packet; wherein the message directions of the encrypted message data packets in each message group are consistent;

a segment image generating module, configured to determine, for each message Wen Pianduan, in each message group corresponding to the message segment, a height of a sub-image of the message group according to a message length of the encrypted message data packet included in each message group, determine a width of the sub-image of the message group according to a number of messages, and determine a direction of the sub-image of the message group according to the direction of the message, and generate a segment image according to a plurality of sub-images of the message group;

the classification result acquisition module is used for extracting the image characteristics of each fragment image, and sequentially inputting the historical classification result of the image characteristics at the previous moment and the image characteristics at the current moment into a preset message classification network to classify the message behaviors, so as to obtain the classification result of the message behaviors of the encrypted message data stream.

12. An electronic device comprising a memory storing a computer program and a processor implementing the method of classifying an encrypted message data stream according to any one of claims 1 to 10 when the computer program is executed by the processor.

13. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the encrypted message data stream classification method of any one of claims 1 to 10.