Network security matters to web users and is demanded by enterprises, governments and other groups. Malicious traffic has become a major threat to network security, so identifying malicious code accurately and efficiently is in high demand. Deep packet inspection technology is used in some applications, but it does not work well on encrypted malicious data flows. Identification technology based on the session behavior characteristics of network transport-layer packets has been researched extensively, but its accuracy is very low. This paper combines the above three kinds of technology and designs a system for identifying malicious traffic; the entire system can reduce the memory and the recognition time used.

Based on research into the recognition and session behavior characteristics of malicious traffic, this paper designs an identification system for malicious traffic. The principle of the recognition system is to use a fixed application port and some other fixed features as the priority recognition engine module, and then to use transport-layer session behavior characteristic combination recognition as the next recognition module, so as to improve the accuracy rate. In the module design, the fixed characteristics of the engine module come from the analysis of a large number of malicious packets; reverse analysis tools are also used. From the study of the transport-layer behavior characteristics of network packets, this paper summarizes eight kinds of packet session features for recognizing common malicious code and, according to this method, designs a real-time malicious traffic identification system. The experimental results show that, using the combination of the eight session packet features, the designed system achieves not only real-time identification of malicious code but also high detection accuracy.
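The two-stage ordering described above (fixed port and fixed features first, session behavior second) can be sketched as follows. This is an added example, not code from the paper: the signature values, the three behavior features and their thresholds are hypothetical stand-ins, since the abstract does not list the paper's eight session features.

```python
from dataclasses import dataclass

# Stage 1 data: fixed port + payload prefix. Constructed placeholders, not real signatures.
FIXED_SIGNATURES = [
    {"name": "sample-family-A", "port": 6667, "prefix": b"NICK bot"},
    {"name": "sample-family-B", "port": 4444, "prefix": b"\x13\x37HELO"},
]

@dataclass
class Session:
    dst_port: int
    first_payload: bytes   # opaque ciphertext when the flow is encrypted
    pkt_sizes: list        # payload sizes in bytes
    gaps: list             # seconds between successive connections to the peer
    bytes_up: int
    bytes_down: int

def fixed_feature_engine(s):
    """Priority engine: cheap exact match on port and payload prefix."""
    for sig in FIXED_SIGNATURES:
        if s.dst_port == sig["port"] and s.first_payload.startswith(sig["prefix"]):
            return sig["name"]
    return None

def session_behavior_engine(s, min_hits=2):
    """Fallback engine: combine transport-layer behavior features (hypothetical set)."""
    hits = []
    if len(s.gaps) >= 3:
        mean = sum(s.gaps) / len(s.gaps)
        if mean > 0 and max(abs(g - mean) for g in s.gaps) / mean < 0.1:
            hits.append("periodic-connections")
    if len(s.pkt_sizes) >= 4 and len(set(s.pkt_sizes)) == 1:
        hits.append("uniform-packet-size")
    if s.bytes_up > 10 * max(s.bytes_down, 1):
        hits.append("upload-heavy")
    # A single feature is weak evidence; require a combination.
    return hits if len(hits) >= min_hits else []

def classify(s):
    name = fixed_feature_engine(s)
    if name:                      # stage 2 is skipped, saving recognition time
        return ("malicious", "fixed", [name])
    hits = session_behavior_engine(s)
    if hits:
        return ("malicious", "session", hits)
    return ("unknown", "none", [])

# Constructed sample sessions.
PLAIN_BOT = Session(6667, b"NICK bot1234\r\n", [14, 30], [5.0], 44, 200)
ENC_BEACON = Session(443, b"\x17\x03\x03", [120] * 5, [60.0, 60.5, 59.8, 60.2], 600, 500)
BROWSING = Session(443, b"\x16\x03\x01", [517, 1400, 88, 1400], [1.2, 30.0, 4.5], 3000, 90000)
```

The encrypted beacon has no matchable payload, so only the session-behavior stage can flag it, which is the case the abstract says deep packet inspection handles poorly.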