CN117896277A - Encrypted flow monitoring method and device based on feature extraction and storage medium - Google Patents


Info

Publication number: CN117896277A
Application number: CN202311604355.7A
Authority: CN (China)
Prior art keywords: traffic, encrypted traffic, sequence, feature, module
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 李林, 秘蓉新, 林绅文, 史博轩, 莫荻, 毛洪亮, 马秀娟, 刘志丞
Current assignee: National Computer Network and Information Security Management Center
Original assignee: National Computer Network and Information Security Management Center
Application filed by: National Computer Network and Information Security Management Center
Priority: CN202311604355.7A
Publication: CN117896277A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an encrypted traffic monitoring method, device and storage medium based on feature extraction. The method comprises the following steps: determining a traffic source and a traffic target as the monitoring objects; generating, from the network monitoring log, a feature vector sequence for the first encrypted traffic between the traffic source and the traffic target, where each feature vector in the sequence corresponds to one data packet of the first encrypted traffic and indicates the traffic information of that packet; generating, with an encrypted traffic segmentation model, an encrypted traffic segmentation vector corresponding to the feature vector sequence, where the segmentation vector indicates the second encrypted traffic between the traffic source and the traffic target that is related to the behaviour of obtaining blockchain tokens through computation; and determining the second encrypted traffic from the encrypted traffic segmentation vector.

Description

Encrypted flow monitoring method and device based on feature extraction and storage medium
Technical Field
The present invention relates to the field of traffic monitoring technologies, and in particular, to an encrypted traffic monitoring method and device based on feature extraction, and a storage medium.
Background
With the continued crackdown on and disposal of computationally obtaining blockchain tokens in China, the original approach of obtaining blockchain tokens through computation over plaintext has become less and less common. However, the large cloud networks to which token-obtaining devices connect have kept themselves out of reach of such measures and adopt various means to evade supervision. For example, DNS resolution between a token-obtaining device and the cloud network it connects to can be hidden from the supervising party by using DoH/DoT; the message contents can be hidden from supervision by encrypting the messages; and targeted supervision of an IP and port can be avoided by relaying through a proxy.
In this case, in order to supervise and recognise the virtual-currency behaviour of obtaining blockchain tokens through computation, traffic analysis techniques for encrypted traffic are applied. The mainstream schemes for computationally obtaining blockchain tokens use a rule-based protocol; the protocol is relatively simple and the session pattern relatively fixed, so by building a traffic analysis model over the features of the encrypted traffic information (such as time intervals, the numbers of forward and backward packets, the numbers of forward and backward bytes, the forward and backward flow lengths, and so on), the encrypted traffic generated by the token-obtaining behaviour can be monitored.
However, in order to counter monitoring, some token-obtaining devices and the cloud networks they connect to defeat traffic analysis by obfuscating the encrypted traffic. Specifically, a cloud network proxy (i.e. a server) to which the token-obtaining device connects sets up an HTTPS website, and the token-obtaining device runs a crawler that continuously accesses that website on the server, so that the encrypted traffic of the website accesses is mixed with the encrypted traffic of obtaining blockchain tokens through computation. It then becomes difficult to analyse and monitor the token-obtaining encrypted traffic by building a traffic analysis model.
For the technical problem in the prior art that, when encrypted-traffic obfuscation is used, the encrypted traffic generated by computationally obtaining blockchain tokens cannot be monitored by traffic analysis, no effective solution has been proposed so far.
Disclosure of Invention
The embodiments of the disclosure provide an encrypted traffic monitoring method, an encrypted traffic monitoring device and a storage medium based on feature extraction, which at least solve the technical problem that the encrypted traffic generated by computationally obtaining blockchain tokens cannot be monitored by traffic analysis when encrypted-traffic obfuscation is used.
According to an aspect of the disclosed embodiments, there is provided an encrypted traffic monitoring method based on feature extraction, including: determining a traffic source and a traffic target as the monitoring objects; generating, from the network monitoring log, a feature vector sequence for the first encrypted traffic between the traffic source and the traffic target, where each feature vector in the sequence corresponds to one data packet of the first encrypted traffic and indicates the traffic information of that packet; generating, with an encrypted traffic segmentation model, an encrypted traffic segmentation vector corresponding to the feature vector sequence, where the segmentation vector indicates the second encrypted traffic between the traffic source and the traffic target that is related to the behaviour of obtaining blockchain tokens through computation; and determining the second encrypted traffic from the encrypted traffic segmentation vector.
According to another aspect of the embodiments of the present disclosure, there is also provided a storage medium including a stored program, wherein the above method is performed by a processor when the program is run.
According to another aspect of the embodiments of the present disclosure, there is also provided an encrypted traffic monitoring device based on feature extraction, including: a monitoring object determining module for determining a traffic source and a traffic target as the monitoring objects; a feature vector sequence generation module for generating, from the network monitoring log, a feature vector sequence for the first encrypted traffic between the traffic source and the traffic target, where each feature vector in the sequence corresponds to one data packet of the first encrypted traffic and indicates the traffic information of that packet; an encrypted traffic segmentation module for generating, with the encrypted traffic segmentation model, the encrypted traffic segmentation vector corresponding to the feature vector sequence, where the segmentation vector indicates the second encrypted traffic between the traffic source and the traffic target that is related to the behaviour of obtaining blockchain tokens through computation; and a determining module for determining the second encrypted traffic from the encrypted traffic segmentation vector.
According to another aspect of the embodiments of the present disclosure, there is also provided an encrypted traffic monitoring apparatus based on feature extraction, including: a processor; and a memory, coupled to the processor, for providing the processor with instructions for the following steps: determining a traffic source and a traffic target as the monitoring objects; generating, from the network monitoring log, a feature vector sequence for the first encrypted traffic between the traffic source and the traffic target, where each feature vector in the sequence corresponds to one data packet of the first encrypted traffic and indicates the traffic information of that packet; generating, with an encrypted traffic segmentation model, an encrypted traffic segmentation vector corresponding to the feature vector sequence, where the segmentation vector indicates the second encrypted traffic between the traffic source and the traffic target that is related to the behaviour of obtaining blockchain tokens through computation; and determining the second encrypted traffic from the encrypted traffic segmentation vector.
In an embodiment of the present disclosure, in order to extract from the encrypted traffic the part that corresponds to the behaviour of obtaining blockchain tokens through computation, the present disclosure constructs an encrypted traffic segmentation model that segments the token-obtaining encrypted traffic out of the obfuscated encrypted traffic. The model adopts an encoding network / decoding network architecture, and the convolution kernel of each convolution layer is modified to the needs of encrypted traffic segmentation. First, the embodiment converts the feature vector sequence of the encrypted traffic into a feature value sequence through convolution kernels arranged as columns, and then changes the convolution kernels in the encoding and decoding modules from the 3×3 kernels suited to segmenting images into 1×3 kernels suited to segmenting a feature value sequence. In addition, the model fuses the feature value sequence output by an encoding module with the feature value sequence to be input into the corresponding decoding module by skip connection and aggregation, so that the target encrypted traffic can be segmented more accurately from encrypted traffic that has been mixed with other encrypted traffic. This solves the technical problem in the prior art that the encrypted traffic generated by computationally obtaining blockchain tokens cannot be monitored by traffic analysis when encrypted-traffic obfuscation is used.
Thus, embodiments of the present disclosure further study techniques such as traffic injection for computationally obtaining blockchain tokens, and quickly locate the service domain names, IPs and ports that the proxy software uses in the background to forward token-obtaining traffic. The research analysis uses the traffic characteristics of the ecosystem software of mainstream token-obtaining schemes itself (traffic that is not the token-obtaining traffic), such as the management software of the token-obtaining devices for plaintext schemes and the site monitoring software of the token-obtaining devices for ciphertext schemes, including domain name, IP, packet statistics and timing characteristics, to form an activity discovery technique for computationally obtaining blockchain tokens that does not depend on the communication behaviour data between the token-obtaining devices and the cloud networks they connect to, but only on the traffic characteristics of the ecosystem software itself.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this application, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and do not constitute an undue limitation on the disclosure. In the drawings:
FIG. 1 is a block diagram of a hardware architecture of a computing device for implementing a method according to embodiment 1 of the present disclosure;
FIG. 2 is an encrypted traffic monitoring system based on feature extraction according to embodiment 1 of the present disclosure;
FIG. 3 is a flow diagram of an encrypted traffic monitoring method based on feature extraction according to a first aspect of embodiment 1 of the present disclosure;
FIG. 4 is a schematic diagram of an encrypted traffic segmentation model according to embodiment 1 of the present disclosure;
FIG. 5 is a further schematic diagram of an encoding network and a decoding network in an encrypted traffic segmentation model according to embodiment 1 of the present disclosure;
FIG. 6 is a schematic diagram of an encrypted traffic monitoring device based on feature extraction according to embodiment 2 of the present disclosure; and
FIG. 7 is a schematic diagram of an encrypted traffic monitoring device based on feature extraction according to embodiment 3 of the present disclosure.
Detailed Description
In order to better understand the technical solutions of the present disclosure, the following description will clearly and completely describe the technical solutions of the embodiments of the present disclosure with reference to the drawings in the embodiments of the present disclosure. It will be apparent that the described embodiments are merely embodiments of a portion, but not all, of the present disclosure. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure, shall fall within the scope of the present disclosure.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
According to the present embodiment, there is provided a method embodiment of an encrypted traffic monitoring method based on feature extraction. It should be noted that the steps shown in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order different from that herein.
The method embodiments provided by the present embodiments may be performed in a server or similar computing device. FIG. 1 illustrates a block diagram of a hardware architecture of a computing device for implementing a feature extraction-based encryption monitoring method. As shown in fig. 1, the computing device may include one or more processors (which may include, but are not limited to, a microprocessor MCU, a processing device such as a programmable logic device FPGA), memory for storing data, transmission means for communication functions, and input/output interfaces. Wherein the memory, the transmission device and the input/output interface are connected with the processor through a bus. In addition, the method may further include: a display connected to the input/output interface, a keyboard, and a cursor control device. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 1 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the computing device may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
It should be noted that the one or more processors and/or other data processing circuits described above may be referred to herein generally as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Furthermore, the data processing circuitry may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computing device. As referred to in the embodiments of the present disclosure, the data processing circuit acts as a processor control (e.g., selection of the variable resistance termination path to interface with).
The memory may be used to store software programs and modules of application software, such as a program instruction/data storage device corresponding to the encryption monitoring method based on feature extraction in the embodiments of the present disclosure, and the processor executes the software programs and modules stored in the memory, thereby executing various functional applications and data processing, that is, implementing the encryption monitoring method based on feature extraction of the application program. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory. In some examples, the memory may further include memory remotely located with respect to the processor, which may be connected to the computing device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communications provider of the computing device. In one example, the transmission means comprises a network adapter (Network Interface Controller, NIC) connectable to other network devices via the base station to communicate with the internet. In one example, the transmission device may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computing device.
It should be noted herein that in some alternative embodiments, the computing device shown in FIG. 1 described above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that fig. 1 is only one example of a particular specific example and is intended to illustrate the types of components that may be present in the computing devices described above.
Fig. 2 is a schematic diagram of an encrypted traffic monitoring system based on feature extraction according to the present embodiment. Referring to fig. 2, the system includes a traffic monitoring platform 300, which monitors traffic on a network. For example, the traffic monitoring platform 300 may collect traffic data related to the network through traffic monitoring programs deployed on network devices such as gateways, routers and servers. Through the network, the traffic monitoring platform 300 can thus monitor the encrypted traffic between the token-obtaining device 100 and the cloud network 200 to which the token-obtaining device is connected. For example, the traffic monitoring platform 300 monitors the encrypted traffic of computationally obtaining blockchain tokens by analysing the data packets of the encrypted traffic between the token-obtaining device 100 and the cloud network 200 to which it is connected. It should be noted that the traffic monitoring platform 300 in the system may use the hardware structure described above.
In the above-described operating environment, according to the first aspect of the present embodiment, there is provided an encrypted traffic monitoring method based on feature extraction, which is implemented by the traffic monitoring platform 300 shown in fig. 2. Fig. 3 shows a schematic flow chart of the method, and referring to fig. 3, the method includes:
S302: determining a traffic source and a traffic target as the monitoring objects;
S304: generating, from the network monitoring log, a feature vector sequence for the first encrypted traffic between the traffic source and the traffic target, where each feature vector in the sequence corresponds to one data packet of the first encrypted traffic and indicates the traffic information of that packet;
S306: generating, with an encrypted traffic segmentation model, an encrypted traffic segmentation vector corresponding to the feature vector sequence, where the segmentation vector indicates the second encrypted traffic between the traffic source and the traffic target that is related to the behaviour of obtaining blockchain tokens through computation; and
S308: determining the second encrypted traffic from the encrypted traffic segmentation vector.
Specifically, referring to fig. 2, the traffic monitoring platform 300 may collect traffic data information related to network traffic through a traffic monitoring program deployed in a network device such as a gateway, a router, and a server. Wherein the flow data information collected by the flow monitoring platform 300 may include, for example, one or more of the following: source port, destination port, source IP, destination IP, protocol version number of each data packet; packet duration and packet arrival time of each data packet; and the number of forward/reverse packets, the number of forward/reverse bytes, the forward/reverse packet length, etc. of each packet.
The traffic monitoring platform 300 thus records the traffic data information collected from the respective network devices in the network monitoring log, which therefore holds the traffic information associated with each data packet of the encrypted traffic in timestamp order. Table 1 below shows the form of each data record in the network monitoring log:
TABLE 1
Then, to facilitate monitoring, the traffic monitoring platform 300 may partition the packets by, for example, the source port of the source address and the destination port of the destination address of each packet, so that the traffic information of the packets is grouped by identical source address, source port, destination address and destination port; within each group these four values are the same for every packet.
When the traffic monitoring platform 300 performs the monitoring analysis, it may do so group by group: it first determines the traffic source and traffic target that are the monitoring objects, and then analyses the data packets in the corresponding group (S302). The traffic source may be, for example, a certain source port of a certain source address, and the traffic target a certain destination port of a certain destination address.
For example, referring to fig. 2, the traffic monitoring platform 300 may analyze traffic data information of a data packet between the device for acquiring a certification 100 and the cloud network 200 to which the device for acquiring a certification is connected, using a certain port of the device for acquiring a certification 100 as a traffic source and a certain port of the cloud network 200 to which the device for acquiring a certification is connected as a traffic target.
After determining the particular traffic source and traffic target, the traffic monitoring platform 300 may obtain the traffic information between the traffic source and the traffic target from the network monitoring log. This traffic information describes each packet as recorded in the form of Table 1. The traffic monitoring platform 300 then selects the parameters that matter for identifying the behaviour of computationally obtaining blockchain tokens, in order to construct a feature vector for each data packet. For example, Table 2 below shows the parameters that the traffic monitoring platform 300 obtains to identify the data packets of the token-obtaining behaviour:
TABLE 2
$a_1$ | $a_2$ | $a_3$ | ... | $a_n$
Number of bytes of the data packet | Packet payload | Packet duration | ... | Reverse packet byte count
As shown in Table 2 above, the present application uses n parameters, namely the number of bytes of the data packet ($a_1$), the packet payload ($a_2$), the packet duration ($a_3$), ..., and the reverse packet byte count ($a_n$), to construct the feature vector corresponding to each data packet; the feature vector of a packet consists of the parameters listed in Table 2 for that packet. The traffic monitoring platform 300 then builds a feature vector sequence from the feature vectors of the individual data packets between the traffic source and the traffic target. The feature vector sequence is $\{S_1, S_2, \ldots, S_m\}$, where each vector $S_i$ ($i = 1, \ldots, m$) is
$S_i = [a_{i,1}, a_{i,2}, \ldots, a_{i,n}]^T$
where $a_{i,j}$ ($i = 1, \ldots, m$; $j = 1, \ldots, n$) denotes the $j$-th parameter of the $i$-th feature vector, the $j$-th parameter being defined as in Table 2 above. In this way, a feature vector sequence associated with the encrypted traffic between a traffic source and a traffic target can be generated from the network monitoring log.
Further, in order to better identify the data packets associated with the behaviour of obtaining blockchain tokens through computation, the technical scheme of the application arranges the feature vectors by time: using the minimum time unit of the timestamp, the feature vector of the data packet observed at each successive instant is placed at the corresponding position, and the feature vector sequence is built from these. For example, feature vector $S_1$ corresponds to the data packet at instant 1, feature vector $S_2$ to the data packet at instant 2, and so on, with $S_m$ corresponding to the data packet at instant $m$.
Each feature vector therefore holds the parameters of the data packet at its instant. If there is no packet at an instant, the feature vector for that instant is filled with zeros. For example, if there is no packet at instant 3, every element $a_{3,1}, \ldots, a_{3,n}$ of $S_3$ is set to 0.
The feature vector sequence constructed in the method can reflect the time distribution and the time interval of each data packet more truly, so that the data packets corresponding to the behavior of obtaining the blockchain pass through calculation can be identified more accurately.
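The following is an added worked example (not the patent's own code) of the grouping and S304 steps described above: log records are grouped by source address/port and destination address/port, and one group is turned into the sequence {S_1, ..., S_m}, one slot per minimum time unit, with zero-filled slots where no packet was seen. The record field names and the four Table 2 parameters used are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Key of one (traffic source, traffic target) pair: source IP, source port,
# destination IP, destination port.
FlowKey = Tuple[str, int, str, int]

# The n parameters of Table 2 that make up each feature vector; the record
# field names are assumptions, the parameters are the ones the page lists.
PARAMS = ("bytes", "payload", "duration", "rev_bytes")

# Constructed sample of network monitoring log records (one per packet, in
# timestamp order, "ts" in the log's minimum time unit). Not real traffic.
LOG_RECORDS: List[Dict] = [
    {"ts": 1000, "src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "203.0.113.9",
     "dst_port": 443, "bytes": 517, "payload": 452, "duration": 2, "rev_bytes": 0},
    {"ts": 1001, "src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "203.0.113.9",
     "dst_port": 443, "bytes": 1514, "payload": 1460, "duration": 1, "rev_bytes": 66},
    {"ts": 1002, "src_ip": "10.0.0.5", "src_port": 51240, "dst_ip": "198.51.100.7",
     "dst_port": 443, "bytes": 120, "payload": 66, "duration": 1, "rev_bytes": 0},
    {"ts": 1004, "src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "203.0.113.9",
     "dst_port": 443, "bytes": 66, "payload": 0, "duration": 1, "rev_bytes": 1514},
]


def flow_key(record: Dict) -> FlowKey:
    return (record["src_ip"], record["src_port"], record["dst_ip"], record["dst_port"])


def group_by_flow(records: List[Dict]) -> Dict[FlowKey, List[Dict]]:
    """Group log records so that every group shares source address/port and
    destination address/port (the grouping step that precedes S302)."""
    groups: Dict[FlowKey, List[Dict]] = defaultdict(list)
    for record in records:
        groups[flow_key(record)].append(record)
    return dict(groups)


def build_feature_sequence(records: List[Dict], flow: FlowKey,
                           time_unit: int = 1) -> List[List[int]]:
    """Return {S_1, ..., S_m} for one monitoring object as an m x n matrix (S304).

    Slot i holds the Table 2 parameters of the packet seen at instant i
    (slot width = time_unit, the minimum unit of the timestamp); slots with
    no packet are zero-filled, as the description prescribes.
    """
    packets = [r for r in records if flow_key(r) == flow]
    if not packets:
        return []
    t0 = min(r["ts"] for r in packets)
    m = (max(r["ts"] for r in packets) - t0) // time_unit + 1
    sequence = [[0] * len(PARAMS) for _ in range(m)]
    occupied = set()
    for r in packets:
        i = (r["ts"] - t0) // time_unit
        if i in occupied:
            # Two packets in one slot means the slot is coarser than the
            # timestamp resolution the scheme relies on; refuse rather than
            # silently overwrite one packet's parameters.
            raise ValueError(f"slot {i} already holds a packet; use a finer time_unit")
        occupied.add(i)
        sequence[i] = [r[p] for p in PARAMS]
    return sequence


if __name__ == "__main__":
    for key, group in group_by_flow(LOG_RECORDS).items():
        seq = build_feature_sequence(group, key)
        print(key, "m =", len(seq))
        for i, s in enumerate(seq, start=1):
            print(f"  S_{i} = {s}")
```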
Then, the traffic monitoring platform 300 takes the feature vector sequence $\{S_1, S_2, \ldots, S_m\}$ as a matrix and inputs it into the preset encrypted traffic segmentation model, which generates the traffic analysis vectors $F_1$ and $F_2$ corresponding to the feature vector sequence.
Specifically, fig. 4 shows an architecture diagram of an encrypted traffic segmentation model. Referring to fig. 4, the encrypted traffic segmentation model used in the present application includes three parts, namely a feature transformation module, an encoding network, and a decoding network.
The feature conversion module performs a convolution operation on the feature vector sequence with convolution kernels arranged as columns. The kernels used by the feature conversion module form a convolution layer whose structure is n × 1 × 32. Here the structure of a convolution layer is written x × y × z, where x is the number of rows of the kernel, y the number of columns of the kernel, and z the number of kernels in the layer. The convolution layer of the feature conversion module therefore comprises 32 kernels, each an n-dimensional column vector. After the feature vector sequence is convolved with this layer, each kernel yields a feature value sequence of length m (the first feature value sequence); since the layer contains 32 kernels, 32 feature value sequences of length m are generated, i.e. the first feature value sequence has 32 channels.
Further, referring to fig. 4, the encrypted traffic segmentation model also includes an encoding network and a decoding network. The encoding network performs an encoding operation on the first feature value sequence to generate a second feature value sequence. With further reference to fig. 4, the encoding network includes a plurality of encoding modules arranged in cascade, where each encoding module includes its own convolution layer and each convolution layer includes a plurality of convolution kernels. Every kernel is a 1×3 kernel (1 row and 3 columns), but the number of kernels in the convolution layer differs from one encoding module to the next: the deeper the encoding module, the more kernels its convolution layer includes, and so the more channels its feature value sequence has. In addition, referring to fig. 4, the encoding modules are connected through downsampling, in this application 1/2 downsampling, so that the feature value sequence output by one encoding module is downsampled by 1/2 before being input into the next encoding module. After the hierarchical convolutional encoding and downsampling operations of the encoding network, a second feature value sequence corresponding to the feature vector sequence is generated and input into the decoding network. In the technical scheme of the application, the 1/2 downsampling can be implemented with 1×2 max pooling.
For example, referring to fig. 4, the encoding module 1 receives the converted first eigenvalue sequence of 32 channels, performs a convolution operation, and then inputs the generated eigenvalue sequence to the encoding module 2 after 1/2 downsampling. The coding module 2 carries out convolution operation on the characteristic value sequence output by the coding module 1, and then the generated characteristic value sequence is input to the coding module 3 after 1/2 downsampling. The coding module 3 carries out convolution operation on the characteristic value sequence output by the coding module 2, and then the generated characteristic value sequence is input to the coding module 4 after 1/2 downsampling. The encoding module 4 performs convolution operation on the eigenvalue sequence output by the encoding module 3, and then the generated eigenvalue sequence is input to the decoding network after being subjected to 2-time up convolution as a second eigenvalue sequence.
Further, referring to fig. 4, the decoding network includes a plurality of decoding modules 1 to 3 arranged in cascade and uses them to generate the encrypted traffic segmentation vectors F1 and F2 from the second feature value sequence. Each decoding module is connected to its corresponding encoding module by a skip connection, and the decoding modules are connected to one another by up-convolution (up conv, for example 1 × 2 up-convolution). The first decoding module in the chain (decoding module 3) up-convolves the second feature value sequence, concatenates it via the skip connection with the feature value sequence output by the corresponding encoding module, and convolves the aggregated sequence; the remaining decoding modules (decoding modules 2 and 1) concatenate the up-convolved output of the preceding decoding module with the output of their corresponding encoding module via the skip connection, and convolve the aggregated sequence.

Specifically, referring to fig. 4, the decoding network includes decoding modules 1 to 3. Decoding module 1 is skip-connected to encoding module 1, decoding module 2 to encoding module 2, and decoding module 3 to encoding module 3.

Thus, decoding module 3 receives the second feature value sequence, up-convolved by a factor of 2, from encoding module 4 of the encoding network, concatenates (concat) it via the skip connection with the feature value sequence output by encoding module 3, and performs its convolution operation on the aggregated sequence.

Decoding module 2 receives the feature value sequence output by decoding module 3 and up-convolved by a factor of 2, concatenates it via the skip connection with the feature value sequence output by encoding module 2, and performs its convolution operation on the aggregated sequence.

Decoding module 1 receives the feature value sequence output by decoding module 2 and up-convolved by a factor of 2, concatenates it via the skip connection with the feature value sequence output by encoding module 1, performs its convolution operation on the aggregated sequence, and outputs the encrypted traffic segmentation vectors {F1, F2}. The encrypted traffic segmentation vector F1 indicates the encrypted traffic corresponding to the act of obtaining blockchain tokens through computation (i.e. mining), and the encrypted traffic segmentation vector F2 indicates the encrypted traffic corresponding to any process other than that act.
Thus, when generating the encrypted traffic segmentation vector corresponding to the feature vector sequence with the encrypted traffic segmentation model, the traffic monitoring platform 300 first uses the feature conversion module of the model to generate the feature value corresponding to each feature vector and assembles these feature values into the first feature value sequence corresponding to the feature vector sequence. The traffic monitoring platform 300 then generates the second feature value sequence corresponding to the first feature value sequence with the cascaded encoding modules 1 to 4 of the model's encoding network, and generates the encrypted traffic segmentation vector with the cascaded decoding modules 1 to 3 of the model's decoding network, from the second feature value sequence and the feature value sequences output by encoding modules 1 to 3, which are skip-connected to the decoding modules.

Specifically, as described above, the feature conversion module includes a convolution layer of structure n × 1 × 32, i.e. 32 convolution kernels, each an n-dimensional column vector. The traffic monitoring platform 300 convolves the feature vector sequence with this layer to generate a feature value sequence of length m (the first feature value sequence); because the layer has 32 kernels, 32 sequences of length m are generated, i.e. a first feature value sequence with 32 channels.
Further, fig. 5 shows a schematic diagram of the encoding network and decoding network of the encrypted traffic segmentation model. Referring to fig. 5, the encoding network includes cascaded encoding modules 1 to 4, and the decoding network includes cascaded decoding modules 1 to 3.
Thus, referring to fig. 5, when generating the second feature value sequence from the first feature value sequence with the cascaded encoding modules of the encoding network, the traffic monitoring platform 300 first convolves the first feature value sequence with the convolution layers of encoding module 1 (the first encoding module). Encoding module 1 has 2 convolution layers, each with 64 kernels of 1 × 3, i.e. each layer is 1 × 3 × 64. Encoding module 1 therefore outputs a feature value sequence of 64 channels, i.e. 64 side-by-side feature value sequences.

The traffic monitoring platform 300 then downsamples the feature value sequence output by encoding module 1 and convolves it with the convolution layers of encoding module 2 (the second encoding module), which is cascaded with encoding module 1. The downsampling may be, for example, 1 × 2 max pooling, giving 1/2 downsampling. Encoding module 2 has 2 convolution layers, each with 128 kernels of 1 × 3, i.e. each layer is 1 × 3 × 128, so encoding module 2 outputs a feature value sequence of 128 channels, i.e. 128 side-by-side feature value sequences.

The traffic monitoring platform 300 then downsamples the feature value sequence output by encoding module 2 and convolves it with the convolution layers of encoding module 3 (the third encoding module), which is cascaded with encoding module 2. The downsampling may again be 1 × 2 max pooling, giving 1/2 downsampling. Encoding module 3 has 2 convolution layers, each with 256 kernels of 1 × 3, i.e. each layer is 1 × 3 × 256, so encoding module 3 outputs a feature value sequence of 256 channels, i.e. 256 side-by-side feature value sequences.

The traffic monitoring platform 300 then downsamples the feature value sequence output by encoding module 3 and convolves it with the convolution layers of encoding module 4 (the fourth encoding module), which is cascaded with encoding module 3. The downsampling may again be 1 × 2 max pooling, giving 1/2 downsampling. Encoding module 4 has 2 convolution layers, each with 512 kernels of 1 × 3, i.e. each layer is 1 × 3 × 512, so encoding module 4 outputs a feature value sequence of 512 channels (512 side-by-side feature value sequences), which serves as the second feature value sequence.
With continued reference to fig. 5, the decoding network includes, in processing order, decoding module 3 (the first decoding module), decoding module 2 (the second decoding module) and decoding module 1 (the third decoding module).

When generating the encrypted traffic segmentation vector with the encrypted traffic segmentation model, the traffic monitoring platform 300 first uses decoding module 3 (the first decoding module) to concatenate, via the skip connection, the feature value sequence output by the corresponding encoding module 3 (the third encoding module) with the up-convolved second feature value sequence output by the encoding network. The up-convolution may be, for example, a 1 × 2 up-convolution performed with 256 kernels of 1 × 2, which yields a feature value sequence of 256 channels with the sequence length doubled. Since encoding module 3 also outputs 256 channels, the skip connection and concatenation give a feature value sequence of 512 channels. Decoding module 3 then convolves the aggregated sequence with its convolution layers, which are 1 × 3 × 256, to obtain a feature value sequence of 256 channels.

The traffic monitoring platform 300 then uses decoding module 2 (the second decoding module), which is cascaded with decoding module 3, to concatenate via the skip connection the feature value sequence output by the corresponding encoding module 2 with the up-convolved output of decoding module 3. The up-convolution may be performed with 128 kernels of 1 × 2, yielding 128 channels; since encoding module 2 outputs 128 channels, the concatenation gives 256 channels. Decoding module 2 then convolves the aggregated sequence with its convolution layers, which are 1 × 3 × 128, to obtain a feature value sequence of 128 channels.

The traffic monitoring platform 300 then uses decoding module 1 (the third decoding module), which is cascaded with decoding module 2, to concatenate via the skip connection the feature value sequence output by the corresponding encoding module 1 with the up-convolved output of decoding module 2. The up-convolution may be performed with 64 kernels of 1 × 2, yielding 64 channels; since encoding module 1 outputs 64 channels, the concatenation gives 128 channels. Decoding module 1 then convolves the aggregated sequence with its convolution layers, which include layers of 1 × 3 × 64, to obtain a feature value sequence of 64 channels. Finally, decoding module 1 applies a 1 × 2 convolution layer to the 64-channel feature value sequence, giving the two-channel traffic segmentation vectors F1 and F2.

Thus, for example, the traffic monitoring platform 300 can determine from the traffic segmentation vector F1 which of the data packets at each time instant are associated with the act of obtaining blockchain tokens through computation, and from those data packets determine the second encrypted traffic associated with that act.
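The encoding/decoding structure described above, written out as an added example with randomly initialised (untrained) weights; this is not the patent's code. It is a NumPy forward pass that reproduces the layer shapes of the description: the n × 1 × 32 feature conversion, four encoding modules of two 1 × 3 layers each (64, 128, 256 and 512 kernels) separated by 1 × 2 max pooling, three decoding modules with 1 × 2 up-convolution, skip concatenation and 1 × 3 layers, and a final two-channel layer whose per-time-step softmax gives F1 and F2. The following are assumptions not stated in the patent: the final "1 × 2" layer is taken to be a 1 × 1 kernel with 2 output channels, ReLU activations and He initialisation are used, the two channels are normalised with a softmax, and the input is a constructed random feature vector sequence with n = 3 and m = 16.

```python
import numpy as np

# Channel widths of encoding modules 1-4 as given in the description; 32 is the
# channel count of the feature conversion module.
WIDTHS = (64, 128, 256, 512)
CONV_CH = 32


def relu(x):
    return np.maximum(x, 0.0)


def conv1d(x, w, pad):
    """Convolve x (C_in, L) with kernels w (C_out, C_in, k) along the time axis.
    Zero-padding `pad` on both sides; pad=1 with k=3 keeps the length L."""
    c_out, c_in, k = w.shape
    xp = np.pad(x, ((0, 0), (pad, pad)))
    l_out = xp.shape[1] - k + 1
    out = np.empty((c_out, l_out))
    for t in range(l_out):
        out[:, t] = np.tensordot(w, xp[:, t:t + k], axes=([1, 2], [0, 1]))
    return out


def maxpool_1x2(x):
    """1 x 2 max pooling: halves the sequence length (L must be even)."""
    c, l = x.shape
    return x.reshape(c, l // 2, 2).max(axis=2)


def upconv_1x2(x, w):
    """1 x 2 up-convolution (transposed convolution, stride 2): doubles the length.
    w has shape (C_out, C_in, 2)."""
    out = np.empty((w.shape[0], 2 * x.shape[1]))
    out[:, 0::2] = w[:, :, 0] @ x
    out[:, 1::2] = w[:, :, 1] @ x
    return out


def he_init(rng, c_out, c_in, k):
    # Assumption: He initialisation; the patent does not specify initialisation.
    return rng.normal(0.0, np.sqrt(2.0 / (c_in * k)), size=(c_out, c_in, k))


def build_model(n, seed=0):
    """Random (untrained) weights with the layer shapes from the description."""
    rng = np.random.default_rng(seed)
    p = {"fc": he_init(rng, CONV_CH, n, 1), "enc": [], "dec": []}  # n x 1 x 32
    c_in = CONV_CH
    for w in WIDTHS:                                   # two 1 x 3 x w layers each
        p["enc"].append((he_init(rng, w, c_in, 3), he_init(rng, w, w, 3)))
        c_in = w
    for w in reversed(WIDTHS[:-1]):                    # decoding modules 3, 2, 1
        p["dec"].append({"up": he_init(rng, w, c_in, 2),
                         "conv": (he_init(rng, w, 2 * w, 3), he_init(rng, w, w, 3))})
        c_in = w
    p["out"] = he_init(rng, 2, c_in, 1)                # assumed 1 x 1 kernel, 2 channels
    return p


def forward(p, X, trace=None):
    """X: (n, m) feature vector sequence, one n-dimensional column per time step.
    Returns (F1, F2), each of length m; m must be divisible by 8."""
    def rec(name, h):
        if trace is not None:
            trace.append((name, h.shape))
        return h
    h = rec("feature_conversion", relu(conv1d(X, p["fc"], pad=0)))   # (32, m)
    skips = []
    for i, (w1, w2) in enumerate(p["enc"], start=1):
        h = rec(f"encoding_module_{i}", relu(conv1d(relu(conv1d(h, w1, 1)), w2, 1)))
        if i < len(p["enc"]):
            skips.append(h)                    # kept for the skip connection
            h = maxpool_1x2(h)                 # 1/2 downsampling between modules
    for i, d in zip((3, 2, 1), p["dec"]):
        h = upconv_1x2(h, d["up"])
        h = np.concatenate([skips.pop(), h], axis=0)   # skip connection + aggregation
        for w in d["conv"]:
            h = relu(conv1d(h, w, 1))
        rec(f"decoding_module_{i}", h)
    logits = rec("output", conv1d(h, p["out"], pad=0))        # (2, m)
    e = np.exp(logits - logits.max(axis=0, keepdims=True))    # per-time-step softmax
    prob = e / e.sum(axis=0, keepdims=True)
    return prob[0], prob[1]                                    # F1 (mining), F2 (other)


def mining_time_steps(F1, F2):
    """Time steps whose packet the model attributes to token-acquiring (mining) traffic."""
    return [t for t in range(len(F1)) if F1[t] > F2[t]]


def run_example(n=3, m=16, seed=0):
    rng = np.random.default_rng(seed)
    X = rng.normal(size=(n, m))          # constructed stand-in for a feature vector sequence
    X[:, rng.random(m) < 0.4] = 0.0      # zero columns: time steps with no packet
    trace = []
    F1, F2 = forward(build_model(n, seed), X, trace)
    return trace, F1, F2, mining_time_steps(F1, F2)
```

Because three 1/2 downsampling steps are applied, the sequence length m must be divisible by 8; a shorter window should be padded with zero columns, which is consistent with the zero-filling of empty time slots in the feature vector sequence. With untrained weights the F1/F2 split is arbitrary; the trace is what verifies the channel and length bookkeeping of the description.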
Further, referring to fig. 1, according to a second aspect of the present embodiment, there is provided a storage medium. The storage medium includes a stored program, wherein the method described above is performed by a processor when the program is run.
As described in the background art, to defeat monitoring, some token-acquiring devices (mining devices) and the cloud networks they connect to counter traffic analysis by obfuscating encrypted traffic. Specifically, a cloud network proxy (i.e. a server) connected to the token-acquiring device hosts an HTTPS website, and the token-acquiring device runs a crawler that continuously accesses that website, so that the encrypted traffic of the website accesses is mixed with the encrypted traffic of obtaining blockchain tokens through computation. It is therefore difficult to analyse and monitor the encrypted traffic of obtaining blockchain tokens through computation by building a traffic analysis model.

In view of this, according to the present embodiment, in order to extract the encrypted traffic corresponding to the act of obtaining blockchain tokens through computation from the encrypted traffic, the present disclosure constructs an encrypted traffic segmentation model adapted to segment the encrypted traffic related to that act out of the obfuscated encrypted traffic. The model adopts an encoding network and decoding network architecture, and the convolution kernels of each convolution layer are modified to the needs of encrypted traffic segmentation. First, the embodiment converts the feature vector sequence of the encrypted traffic into a feature value sequence with column-arranged convolution kernels, and then changes the kernels in the encoding and decoding modules from the 3 × 3 kernels suited to image segmentation to 1 × 3 kernels suited to segmenting a feature value sequence. In addition, the model fuses the feature value sequence output by an encoding module with the sequence input to the corresponding decoding module by skip connection and concatenation, so that the target encrypted traffic can be segmented more accurately out of encrypted traffic that is mixed with other encrypted traffic. This solves the technical problem in the prior art that the encrypted traffic generated by obtaining blockchain tokens through computation cannot be monitored by traffic analysis when encrypted traffic obfuscation is used.

Therefore, the embodiment further studies techniques such as traffic injection for obtaining blockchain tokens through computation, so as to quickly locate the back-end service domain names, IPs and ports through which proxy software forwards the traffic of obtaining blockchain tokens through computation. The study also analyses the traffic characteristics of the ecosystem software of mainstream computation-based token acquisition itself (traffic that is not the token-acquiring traffic proper), such as the plaintext traffic of management software for token-acquiring devices and the ciphertext traffic of monitoring software for the sites where those devices are deployed, including domain name, IP, packet statistics and timing characteristics, in order to form an activity discovery technique for obtaining blockchain tokens through computation that depends only on the ecosystem software's own traffic characteristics and not on data about the communication behaviour between the token-acquiring devices and the cloud network they connect to.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware alone, although in many cases the former is the preferred embodiment. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the method according to the embodiments of the present invention.
Example 2
Fig. 6 shows an encrypted traffic monitoring apparatus 600 based on feature extraction according to the first aspect of the present embodiment; the apparatus 600 corresponds to the method of the first aspect of embodiment 1. Referring to fig. 6, the apparatus 600 includes: a monitoring object determining module 610 for determining a traffic source and a traffic target as monitoring objects; a feature vector sequence generating module 620 for generating, from the network monitoring log, a feature vector sequence related to the first encrypted traffic between the traffic source and the traffic target, where each feature vector in the sequence corresponds to one data packet of the first encrypted traffic and indicates the traffic information of that packet; an encrypted traffic segmentation module 630 for generating an encrypted traffic segmentation vector corresponding to the feature vector sequence with an encrypted traffic segmentation model, where the segmentation vector indicates the second encrypted traffic between the traffic source and the traffic target that is related to the act of obtaining blockchain tokens through computation; and a determining module 640 for determining the second encrypted traffic from the encrypted traffic segmentation vector.

Optionally, the feature vector sequence generating module 620 includes: a feature vector construction sub-module for acquiring from the network monitoring log the traffic information of each data packet transmitted between the traffic source and the traffic target and constructing the feature vector of each data packet from that traffic information; and a feature vector arrangement sub-module for arranging the feature vectors of the data packets at their respective times in time order, with the minimum unit of the time stamp as the time step, and filling a '0' feature vector at each time with no corresponding data packet, thereby generating the feature vector sequence.
Optionally, the encrypted traffic segmentation module 630 includes: a feature conversion unit for generating the feature value corresponding to each feature vector with the feature conversion module of the encrypted traffic segmentation model and forming the first feature value sequence corresponding to the feature vector sequence from those feature values; an encoding unit for generating the second feature value sequence corresponding to the first feature value sequence with the cascaded encoding modules included in the encoding network of the model; and a decoding unit for generating the encrypted traffic segmentation vector with the cascaded decoding modules included in the decoding network of the model, from the second feature value sequence and the feature value sequences output by the encoding modules that are skip-connected to the decoding modules.

Optionally, the feature conversion unit includes a feature conversion sub-unit for convolving the feature vector sequence with a plurality of convolution kernels preset in the feature conversion module to obtain the feature values, where the kernels are arranged as columns and have the same dimension as a feature vector.

Optionally, the encoding unit includes: a first encoding sub-unit for convolving the first feature value sequence with the convolution layers of the first encoding module, which are 1 × 3 × 64, to obtain a feature value sequence of 64 channels; a second encoding sub-unit for convolving the downsampled feature value sequence output by the first encoding module with the convolution layers of the second encoding module, cascaded with the first, which are 1 × 3 × 128, to obtain a feature value sequence of 128 channels; a third encoding sub-unit for convolving the downsampled feature value sequence output by the second encoding module with the convolution layers of the third encoding module, cascaded with the second, which are 1 × 3 × 256, to obtain a feature value sequence of 256 channels; and a fourth encoding sub-unit for convolving the downsampled feature value sequence output by the third encoding module with the convolution layers of the fourth encoding module, cascaded with the third, which are 1 × 3 × 512, to obtain a feature value sequence of 512 channels as the second feature value sequence.

Optionally, the decoding unit includes: a first decoding sub-unit for using the first decoding module to concatenate, via the skip connection, the feature value sequence output by the corresponding third encoding module with the up-convolved second feature value sequence, and then convolving the aggregated sequence with the convolution layers of the first decoding module, which are 1 × 3 × 256, to obtain a feature value sequence of 256 channels; a second decoding sub-unit for using the second decoding module, cascaded with the first, to concatenate via the skip connection the feature value sequence output by the corresponding second encoding module with the up-convolved output of the first decoding module, and then convolving the aggregated sequence with the convolution layers of the second decoding module, which are 1 × 3 × 128, to obtain a feature value sequence of 128 channels; and a third decoding sub-unit for using the third decoding module, cascaded with the second, to concatenate via the skip connection the feature value sequence output by the corresponding first encoding module with the up-convolved output of the second decoding module, and then convolving the aggregated sequence with the convolution layers of the third decoding module, which include at least one layer of 1 × 3 × 64 and a last layer of 1 × 2, to obtain encrypted traffic segmentation vectors of 2 channels, where the segmentation vector of one channel indicates the encrypted traffic related to the act of obtaining blockchain tokens through computation and the segmentation vector of the other channel indicates the encrypted traffic unrelated to that act.

Optionally, the determining module 640 is configured to determine, from the encrypted traffic segmentation vector, the data packets related to the act of obtaining blockchain tokens through computation, and to determine the second encrypted traffic from those data packets.
Thus, according to the present embodiment, in order to extract the encrypted traffic corresponding to the act of obtaining blockchain tokens through computation from the encrypted traffic, the present disclosure constructs an encrypted traffic segmentation model adapted to segment the encrypted traffic related to that act out of the obfuscated encrypted traffic. The model adopts an encoding network and decoding network architecture, and the convolution kernels of each convolution layer are modified to the needs of encrypted traffic segmentation. First, the embodiment converts the feature vector sequence of the encrypted traffic into a feature value sequence with column-arranged convolution kernels, and then changes the kernels in the encoding and decoding modules from the 3 × 3 kernels suited to image segmentation to 1 × 3 kernels suited to segmenting a feature value sequence. In addition, the model fuses the feature value sequence output by an encoding module with the sequence input to the corresponding decoding module by skip connection and concatenation, so that the target encrypted traffic can be segmented more accurately out of encrypted traffic that is mixed with other encrypted traffic. This solves the technical problem in the prior art that the encrypted traffic generated by obtaining blockchain tokens through computation cannot be monitored by traffic analysis when encrypted traffic obfuscation is used.

Therefore, the embodiment further studies techniques such as traffic injection for obtaining blockchain tokens through computation, so as to quickly locate the back-end service domain names, IPs and ports through which proxy software forwards the traffic of obtaining blockchain tokens through computation. The study also analyses the traffic characteristics of the ecosystem software of mainstream computation-based token acquisition itself (traffic that is not the token-acquiring traffic proper), such as the plaintext traffic of management software for token-acquiring devices and the ciphertext traffic of monitoring software for the sites where those devices are deployed, including domain name, IP, packet statistics and timing characteristics, in order to form an activity discovery technique for obtaining blockchain tokens through computation that depends only on the ecosystem software's own traffic characteristics and not on data about the communication behaviour between the token-acquiring devices and the cloud network they connect to.
Example 3
Fig. 7 shows an encrypted traffic monitoring device 700 based on feature extraction according to the first aspect of the present embodiment, which device 700 corresponds to the method according to the first aspect of embodiment 1. Referring to fig. 7, the apparatus 700 includes: a processor; and a memory, coupled to the processor, for providing instructions to the processor to process the steps of: determining a flow source and a flow target as monitoring objects; generating a feature vector sequence related to the first encrypted traffic between the traffic source and the traffic target according to the network monitoring log, wherein each feature vector in the feature vector sequence corresponds to a data packet of the first encrypted traffic respectively and is used for indicating traffic information of the corresponding data packet; generating an encrypted traffic segmentation vector corresponding to the feature vector sequence by using an encrypted traffic segmentation model, wherein the encrypted traffic segmentation vector is used for indicating second encrypted traffic between a traffic source and a traffic target, which is related to the behavior of obtaining the blockchain pass through calculation; and determining a second encrypted traffic from the encrypted traffic split vector.
Optionally, generating the feature vector sequence for the first encrypted traffic between the traffic source and the traffic target from the network monitoring log includes: obtaining from the network monitoring log the traffic information of each data packet transmitted between the traffic source and the traffic target, and constructing a feature vector for each data packet from that traffic information; and arranging the feature vectors of the packets in time order on a time axis whose step is the smallest unit of the timestamp, filling the feature vector with '0' at every time step that has no corresponding data packet, thereby generating the feature vector sequence.
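The step above, as an added example (not code from the patent): a constructed monitoring log in a hypothetical one-line-per-packet format is parsed, each packet becomes a feature vector of [length, direction, inter-arrival time] (the choice of these three fields is an assumption; the patent only says "traffic information"), and the vectors are laid out on a 1 ms time axis with all-zero rows where no packet was seen. Two packets landing in one bin is rejected explicitly, since the sequence design assumes one packet per timestamp unit.

```python
import re
from dataclasses import dataclass
import numpy as np

# Constructed sample log (hypothetical format, not the patent's): one line per
# packet exchanged between the monitored traffic source and traffic target.
SAMPLE_LOG = """\
ts=1700000000.000 src=10.0.0.5:51234 dst=203.0.113.7:443 len=517
ts=1700000000.001 src=203.0.113.7:443 dst=10.0.0.5:51234 len=1460
ts=1700000000.002 src=203.0.113.7:443 dst=10.0.0.5:51234 len=1460
ts=1700000000.005 src=10.0.0.5:51234 dst=203.0.113.7:443 len=93
ts=1700000000.007 src=203.0.113.7:443 dst=10.0.0.5:51234 len=285
"""

LINE_RE = re.compile(r"ts=(?P<ts>[\d.]+) src=(?P<src>\S+) dst=(?P<dst>\S+) len=(?P<len>\d+)")


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    length: int


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(Packet(float(m["ts"]), m["src"], m["dst"], int(m["len"])))
    return pkts


def packet_feature(pkt, prev_ts, source):
    """Feature vector for one packet: [length, direction, inter-arrival seconds].
    Direction is +1 for source->target and -1 for target->source."""
    direction = 1.0 if pkt.src == source else -1.0
    gap = 0.0 if prev_ts is None else pkt.ts - prev_ts
    return np.array([pkt.length, direction, gap], dtype=float)


def feature_sequence(pkts, source, target, unit=0.001):
    """Arrange per-packet feature vectors on a time axis whose step is the
    smallest timestamp unit of the log (1 ms here). Bins with no packet are
    all-zero rows. Returns (sequence of shape (T, 3), bin_to_packet) where
    bin_to_packet[t] is the index of the packet in bin t, or -1 if empty."""
    flow = sorted((p for p in pkts if {p.src, p.dst} == {source, target}),
                  key=lambda p: p.ts)
    if not flow:
        return np.zeros((0, 3)), []
    t0 = flow[0].ts
    n_bins = int(round((flow[-1].ts - t0) / unit)) + 1
    seq = np.zeros((n_bins, 3))
    bin_to_packet = [-1] * n_bins
    prev = None
    for i, p in enumerate(flow):
        b = int(round((p.ts - t0) / unit))
        if bin_to_packet[b] != -1:
            # The design assumes one packet per timestamp unit; refuse to
            # silently merge two packets rather than corrupt the sequence.
            raise ValueError(f"two packets in bin {b}: use a finer time unit")
        seq[b] = packet_feature(p, prev, source)
        bin_to_packet[b] = i
        prev = p.ts
    return seq, bin_to_packet


if __name__ == "__main__":
    seq, b2p = feature_sequence(parse_log(SAMPLE_LOG), "10.0.0.5:51234", "203.0.113.7:443")
    print(seq)          # 8 rows (0..7 ms); rows 3, 4 and 6 are zero-filled
    print(b2p)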
Optionally, generating the encrypted traffic segmentation vector corresponding to the feature vector sequence using the encrypted traffic segmentation model includes: generating a feature value for each feature vector using the feature conversion module of the model, and forming the first feature value sequence corresponding to the feature vector sequence from those feature values; generating a second feature value sequence corresponding to the first feature value sequence using a plurality of cascaded encoding modules included in the encoding network of the model; and generating the encrypted traffic segmentation vector using a plurality of cascaded decoding modules included in the decoding network of the model, from the second feature value sequence and from the feature value sequence output by the encoding module that is skip-connected to each decoding module.
Optionally, generating the feature value for a feature vector using the feature conversion module includes: convolving the feature vector sequence with a plurality of convolution kernels preset in the feature conversion module to obtain the feature values, where the kernels are arranged in the column direction and have the same dimension as a feature vector, so that each kernel reduces one feature vector to one scalar per time step.
Optionally, generating the second feature value sequence from the first feature value sequence using the cascaded encoding modules includes: convolving the first feature value sequence with a plurality of convolution layers of a first encoding module, the layers of the first encoding module using 1 x 3 kernels with 64 output channels, to obtain a 64-channel feature value sequence; convolving the downsampled output of the first encoding module with a plurality of convolution layers of a second encoding module cascaded after the first, the layers of the second encoding module using 1 x 3 kernels with 128 output channels, to obtain a 128-channel feature value sequence; convolving the downsampled output of the second encoding module with a plurality of convolution layers of a third encoding module cascaded after the second, the layers of the third encoding module using 1 x 3 kernels with 256 output channels, to obtain a 256-channel feature value sequence; and convolving the downsampled output of the third encoding module with a plurality of convolution layers of a fourth encoding module cascaded after the third, the layers of the fourth encoding module using 1 x 3 kernels with 512 output channels, to obtain a 512-channel feature value sequence that serves as the second feature value sequence.
Optionally, generating the encrypted traffic segmentation vector using the cascaded decoding modules of the decoding network, from the second feature value sequence and the feature value sequence output by the skip-connected encoding module, includes: using a first decoding module to skip-connect and aggregate the feature value sequence output by the corresponding third encoding module with the up-convolved second feature value sequence, then convolving the aggregated sequence with a plurality of convolution layers, the layers of the first decoding module using 1 x 3 kernels with 256 output channels, to obtain a 256-channel feature value sequence; using a second decoding module cascaded after the first to skip-connect and aggregate the feature value sequence output by the corresponding second encoding module with the up-convolved output of the first decoding module, then convolving the aggregated sequence with a plurality of convolution layers, the layers of the second decoding module using 1 x 3 kernels with 128 output channels, to obtain a 128-channel feature value sequence; and using a third decoding module cascaded after the second to skip-connect and aggregate the feature value sequence output by the corresponding first encoding module with the up-convolved output of the second decoding module, then convolving the aggregated sequence with a plurality of convolution layers, the layers of the third decoding module comprising at least one 1 x 3 convolution layer with 128 output channels and a final 1 x 2 convolution layer, to obtain a 2-channel encrypted traffic segmentation vector, in which one channel indicates encrypted traffic related to the behaviour of obtaining blockchain tokens through computation and the other channel indicates encrypted traffic unrelated to it.
Optionally, determining the second encrypted traffic from the encrypted traffic segmentation vector includes: determining, from the segmentation vector, the data packets related to the behaviour of obtaining blockchain tokens through computation; and determining the second encrypted traffic from those data packets.
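The model and the final selection step described in the preceding paragraphs, as an added numpy sketch that is not the patent's code and is not trained: a column-direction feature conversion, four cascaded encoding modules with 1x3 kernels and downsampling between them, three decoding modules with up-convolution plus skip-connection concatenation, a 2-channel output, and the channel-0-wins rule that maps time steps back to packets. Channel widths are reduced to (8, 16, 32, 64) instead of the patent's 64 to 512 so it runs instantly; max-pooling for "downsampled", nearest-neighbour upsampling plus a 1x3 layer for "up-convolution", concatenation for "aggregation", and a 1x1 final layer for the "1 x 2" layer are all assumptions, as are the random weights.

```python
import numpy as np


def feature_convert(seq, n_kernels, rng):
    """Feature conversion module: every kernel is a column-direction vector with
    the same dimension D as one feature vector, so a kernel maps each row of the
    (T, D) sequence to one scalar. Returns the first feature value sequence,
    shape (n_kernels, T). Weights are random (assumption: no training here)."""
    T, D = seq.shape
    w = rng.normal(0.0, 1.0 / np.sqrt(D), size=(n_kernels, D))
    return np.maximum(w @ seq.T, 0.0)


def conv1x3(x, cout, rng, relu=True):
    """One 1x3 convolution layer over a (C_in, L) sequence, 'same' padding,
    cout output channels, random weights, ReLU."""
    cin, L = x.shape
    w = rng.normal(0.0, 1.0 / np.sqrt(3 * cin), size=(cout, cin, 3))
    xp = np.pad(x, ((0, 0), (1, 1)))
    out = np.zeros((cout, L))
    for j in range(3):                       # slide the 3-wide kernel along time
        out += w[:, :, j] @ xp[:, j:j + L]
    return np.maximum(out, 0.0) if relu else out


def encoder(x, widths, rng):
    """Cascaded encoding modules: two 1x3 layers each; every module after the
    first consumes the previous output downsampled by 2 (max-pool, assumption)."""
    skips = []
    for i, c in enumerate(widths):
        if i:
            x = x.reshape(x.shape[0], -1, 2).max(axis=2)
        x = conv1x3(conv1x3(x, c, rng), c, rng)
        skips.append(x)
    return skips                              # skips[-1] is the second feature value sequence


def decoder(skips, rng):
    """Cascaded decoding modules: up-convolution (nearest-neighbour upsample +
    1x3 layer, assumption), skip-connect by channel concatenation with the
    matching encoder output (decoder 1 <- encoder 3, ..., decoder 3 <- encoder 1),
    two 1x3 layers, then a final layer with 2 output channels."""
    x = skips[-1]
    for skip in reversed(skips[:-1]):
        c = skip.shape[0]
        up = conv1x3(np.repeat(x, 2, axis=1), c, rng)
        x = np.concatenate([skip, up], axis=0)
        x = conv1x3(conv1x3(x, c, rng), c, rng)
    w_out = rng.normal(0.0, 1.0 / np.sqrt(x.shape[0]), size=(2, x.shape[0]))
    return w_out @ x                          # segmentation vector, shape (2, T)


def segmentation_model(seq, widths=(8, 16, 32, 64), seed=0):
    """Run the sketch on a (T, D) feature vector sequence. T must be a multiple
    of 2**(len(widths)-1) because of the downsamplings; pad with zero rows first
    if it is not."""
    rng = np.random.default_rng(seed)
    factor = 2 ** (len(widths) - 1)
    if seq.shape[0] % factor:
        raise ValueError("sequence length must be a multiple of %d" % factor)
    return decoder(encoder(feature_convert(seq, widths[0], rng), widths, rng), rng)


def related_packets(seg_vec, bin_to_packet):
    """Channel 0 marks time steps related to token-obtaining computation and
    channel 1 the rest. Keep the packets sitting in bins where channel 0 wins;
    bin_to_packet[t] is the packet index in bin t, or -1 for a zero-filled bin."""
    mask = np.asarray(seg_vec).argmax(axis=0) == 0
    return [idx for t, idx in enumerate(bin_to_packet) if mask[t] and idx != -1]


def constructed_sequence(T=16, D=3, seed=1):
    """Constructed stand-in for a feature vector sequence (random, not real traffic)."""
    return np.random.default_rng(seed).normal(size=(T, D))


if __name__ == "__main__":
    seg = segmentation_model(constructed_sequence())
    print(seg.shape, related_packets(seg, list(range(16))))
```

With random weights the chosen time steps are meaningless; what the sketch shows is the shape flow (16, 8, 4, 2 time steps down the encoder and back up to a (2, 16) output) and that the selection step needs the bin-to-packet map from the sequence construction, because the segmentation vector is indexed by time step, not by packet.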
Thus, in order to extract the encrypted traffic corresponding to the behaviour of obtaining blockchain tokens through computation from the encrypted traffic as a whole, this embodiment constructs an encrypted traffic segmentation model suited to segmenting that traffic out of mixed, obfuscated encrypted traffic. The model adopts an encoding-network/decoding-network architecture, and the convolution kernel of each convolution layer is modified for the needs of encrypted traffic segmentation. First, the feature vector sequence of the encrypted traffic is converted into a feature value sequence by column-wise convolution kernels; then the kernels in the encoding and decoding modules are changed from the 3*3 kernels suited to image segmentation to 1*3 kernels suited to segmenting a feature value sequence. In addition, the model fuses the feature value sequence output by an encoding module with the sequence input to the corresponding decoding module through skip connection and aggregation, so that the traffic of interest can be segmented more accurately from traffic in which it is mixed with other encrypted traffic. This addresses the problem in the prior art that encrypted traffic generated by such computation and hidden by encrypted-traffic obfuscation cannot be monitored by traffic analysis.
Accordingly, this embodiment also investigates techniques such as traffic injection used for obtaining blockchain tokens through computation (mining), so as to quickly locate the service domain names, IPs and ports that proxy software running in the background uses to forward mining traffic. The analysis relies on the traffic that the mainstream mining-ecosystem software itself generates (traffic other than the mining traffic proper), such as the plaintext traffic of mining-device management software and the ciphertext traffic of mining-site monitoring software, including its domain name, IP, packet-statistics and timing characteristics, to form a mining-activity discovery technique that does not depend on cloud-network communication behaviour data from the connected mining devices and relies only on the traffic characteristics of the mining-ecosystem software itself.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The apparatus embodiments described above are merely exemplary; for example, the division into units is only a division by logical function and may be done differently in practice: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the coupling, direct coupling or communication connection shown or discussed between components may be through interfaces, units or modules, and may be electrical or take other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented as software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, in whole or in part, may be embodied as a software product stored in a storage medium and including instructions that cause a computer device (a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. The storage medium includes a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (10)

1. The encrypted traffic monitoring method based on the feature extraction is characterized by comprising the following steps of:
determining a flow source and a flow target as monitoring objects;
generating a feature vector sequence related to the first encrypted traffic between the traffic source and the traffic target according to a network monitoring log, wherein each feature vector in the feature vector sequence corresponds to a data packet of the first encrypted traffic respectively and is used for indicating traffic information of the corresponding data packet;
generating an encrypted traffic segmentation vector corresponding to the feature vector sequence by using an encrypted traffic segmentation model, wherein the encrypted traffic segmentation vector is used for indicating second encrypted traffic between the traffic source and the traffic target which is related to the behavior of obtaining blockchain tokens through calculation; and
and determining the second encrypted traffic according to the encrypted traffic segmentation vector.
2. The method of claim 1, wherein generating a sequence of feature vectors associated with a first encrypted traffic between the traffic source and the traffic target from a network monitoring log comprises:
acquiring flow information corresponding to each data packet transmitted between the flow source and the flow target from the network monitoring log, and constructing a feature vector corresponding to each data packet according to the flow information; and
according to the minimum unit of the time stamp, arranging the feature vectors of the data packets corresponding to all the moments in time sequence, and for a moment without a corresponding data packet, filling the corresponding feature vector with '0', so that the feature vector sequence is generated.
3. The method of claim 1, wherein generating an encrypted traffic segmentation vector corresponding to the sequence of feature vectors using an encrypted traffic segmentation model comprises:
generating a feature value corresponding to the feature vector by using a feature conversion module of the encryption traffic segmentation model, and forming a first feature value sequence corresponding to the feature vector sequence by using the feature value corresponding to each feature vector;
generating a second characteristic value sequence corresponding to the first characteristic value sequence by utilizing a plurality of cascade-arranged coding modules included in a coding network of the encryption traffic segmentation model; and
and generating the encrypted flow dividing vector by using a plurality of decoding modules which are arranged in cascade and included in a decoding network of the encrypted flow dividing model according to the second characteristic value sequence and the characteristic value sequence output by the encoding module which is connected with the decoding module in a jumping manner.
4. A method according to claim 3, wherein generating feature values corresponding to the feature vectors using a feature transformation module of the encrypted traffic segmentation model comprises: convolving the feature vector sequence by utilizing a plurality of convolution kernels preset in the feature conversion module so as to obtain the feature value, wherein the convolution kernels are arranged in a column direction and have the same dimension as the feature vector.
5. A method according to claim 3, wherein generating a second sequence of eigenvalues corresponding to the first sequence of eigenvalues using a plurality of encoding modules of a cascade arrangement comprised by an encoding network of said encrypted traffic segmentation model comprises:
performing convolution operation on the first eigenvalue sequence by using a plurality of convolution layers of a first coding module, wherein the convolution layers of the first coding module are convolution layers of 1 x 3 x 64, so as to obtain eigenvalue sequences of 64 channels;
performing convolution operation on the feature value sequence which is output by the first coding module and is subjected to downsampling by using a plurality of convolution layers of a second coding module cascaded with the first coding module, wherein the convolution layers of the second coding module are convolution layers of 1 x 3 x 128, so that feature value sequences of 128 channels are obtained;
Performing convolution operation on the feature value sequence which is output by the second coding module and subjected to downsampling by using a plurality of convolution layers of a third coding module cascaded with the second coding module, wherein the convolution layers of the third coding module are convolution layers of 1 x 3 x 256, so as to obtain the feature value sequence of 256 channels; and
and carrying out convolution operation on the feature value sequence which is output by the third coding module and is subjected to downsampling by utilizing a plurality of convolution layers of a fourth coding module cascaded with the third coding module, wherein the convolution layers of the fourth coding module are convolution layers of 1 x 3 x 512, so that feature value sequences of 512 channels are obtained and are used as the second feature value sequences.
6. The method of claim 5, wherein generating the encrypted traffic splitting vector by using a plurality of decoding modules in a cascade arrangement included in a decoding network of the encrypted traffic splitting model based on the second sequence of eigenvalues and the sequence of eigenvalues output by an encoding module that is in skip connection with the decoding module, comprises:
performing jump connection and aggregation on the characteristic value sequence output by the corresponding third coding module and the second characteristic value sequence subjected to the upper convolution by using a first decoding module, and then performing convolution operation on the aggregated characteristic value sequence by using a plurality of convolution layers, wherein the convolution layers of the first decoding module are convolution layers of 1 x 3 x 256, so that the characteristic value sequences of 256 channels are obtained;
Performing jump connection and aggregation on the characteristic value sequence output by the corresponding second coding module and the characteristic value sequence output by the first decoding module and subjected to upper convolution by using a second decoding module cascaded with the first decoding module, and then performing convolution operation on the aggregated characteristic value sequence by using a plurality of convolution layers, wherein the convolution layers of the second decoding module are convolution layers of 1 x 3 x 128, so that the characteristic value sequences of 128 channels are obtained; and
and performing skip connection and aggregation on the characteristic value sequence output by the corresponding first coding module and the up-convolved characteristic value sequence output by the second decoding module by using a third decoding module cascaded with the second decoding module, and performing convolution operation on the aggregated characteristic value sequence by using a plurality of convolution layers, wherein the convolution layers of the second decoding module comprise at least one convolution layer with the size of 1 x 3 x 128 and a last convolution layer with the size of 1 x 2, so as to obtain encrypted traffic split vectors of 2 channels, wherein the encrypted traffic split vector of one channel is used for indicating encrypted traffic related to the behavior of obtaining blockchain tokens through calculation, and the encrypted traffic split vector of the other channel is used for indicating encrypted traffic unrelated to the behavior of obtaining blockchain tokens through calculation.
7. The method of claim 1, wherein determining the second encrypted traffic from the encrypted traffic split vector comprises:
determining a data packet related to the behavior of obtaining blockchain tokens through calculation according to the encrypted traffic segmentation vector; and
determining the second encrypted traffic according to the data packet related to the behavior of obtaining blockchain tokens through calculation.
8. A storage medium comprising a stored program, wherein the method of any one of claims 1 to 7 is performed by a processor when the program is run.
9. An encrypted traffic monitoring device based on feature extraction, comprising:
the monitoring object determining module is used for determining a flow source and a flow target serving as monitoring objects;
the system comprises a feature vector sequence generation module, a data packet generation module and a data packet generation module, wherein the feature vector sequence is used for generating a feature vector sequence related to first encrypted traffic between a traffic source and a traffic target according to a network monitoring log, and each feature vector in the feature vector sequence corresponds to a data packet of the first encrypted traffic respectively and is used for indicating traffic information of the corresponding data packet;
an encrypted traffic segmentation module for generating an encrypted traffic segmentation vector corresponding to the sequence of feature vectors using an encrypted traffic segmentation model, wherein the encrypted traffic segmentation vector is used for indicating a second encrypted traffic between the traffic source and the traffic target which is related to the behavior of obtaining blockchain tokens through calculation; and
and the determining module is used for determining the second encrypted traffic according to the encrypted traffic segmentation vector.
10. An encrypted traffic monitoring device based on feature extraction, comprising:
a processor; and
a memory, coupled to the processor, for providing instructions to the processor to process the following processing steps:
determining a flow source and a flow target as monitoring objects;
generating a feature vector sequence related to the first encrypted traffic between the traffic source and the traffic target according to a network monitoring log, wherein each feature vector in the feature vector sequence corresponds to a data packet of the first encrypted traffic respectively and is used for indicating traffic information of the corresponding data packet;
generating an encrypted traffic segmentation vector corresponding to the feature vector sequence by using an encrypted traffic segmentation model, wherein the encrypted traffic segmentation vector is used for indicating second encrypted traffic between the traffic source and the traffic target which is related to the behavior of obtaining blockchain tokens through calculation; and
And determining the second encrypted traffic according to the encrypted traffic segmentation vector.
CN202311604355.7A 2023-11-28 2023-11-28 Encrypted flow monitoring method and device based on feature extraction and storage medium Pending CN117896277A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311604355.7A CN117896277A (en) 2023-11-28 2023-11-28 Encrypted flow monitoring method and device based on feature extraction and storage medium

Publications (1)

Publication Number Publication Date
CN117896277A true CN117896277A (en) 2024-04-16

Family

ID=90649567

Country Status (1)

Country Link
CN (1) CN117896277A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination