Research On Encrypted Malicious Traffic Detection Based On Deep Learning

Posted on: 2021-09-18
Degree: Master
Type: Thesis
Country: China
Candidate: M F Zhai
GTID: 2428330647457264
Subject: Cyberspace security

Abstract/Summary:
As a fundamental infrastructure of information technology, the Internet plays an irreplaceable role in social production and life. More and more businesses use encryption technology to avoid malicious tampering and privacy disclosure. However, network attacks are also carried in encrypted traffic to hide malicious intent, which makes them difficult to detect. Traditional detection methods that rely on decryption carry a risk of privacy disclosure, and their cost is enormous. This research relies on the "Smart Chip for Network Processing" project, a key research and development plan of the Ministry of Science and Technology. Based on the powerful feature-learning ability of deep learning, detection of encrypted malicious traffic without decryption is realized by capturing malicious traffic features automatically.

Firstly, in view of the problems affecting detection accuracy, such as inadequate optimization of the deep learning layer structure and poor matching of algorithms to scenarios, two typical deep learning networks are constructed: a one-dimensional convolutional neural network (1D-CNN) and a Long Short-Term Memory network (LSTM). The experiments show that the detection accuracy on the feature data set and the slice data set is over 97% and 99% respectively. This thesis draws 6 conclusions: for example, both algorithms achieve the best detection performance with a 4-layer network structure, 1D-CNN and LSTM are suitable for the feature data set and the slice data set respectively, and the best slice dimension in the slice data set is the first 100 bytes. The results are analyzed using homomorphism, the structural principles of the algorithms, the protocol frame format, etc.

Secondly, to address the problem that a single deep learning detection model extracts features one-sidedly and cannot fully reflect the original traffic information, a parallel-fusion encrypted malicious traffic detection model based on 1D-CNN and LSTM is proposed. According to the conclusions of the first study, a 4-layer structure is adopted in the two branches, and each branch extracts features from the original traffic. Then, the spatial features extracted by 1D-CNN and the timing features extracted by LSTM are sent simultaneously to the fully connected layer for feature fusion. The fused features are used for encrypted malicious traffic detection. Experimental results show that the detection accuracy of the proposed model is over 99% on both the feature data set and the slice data set, which is better than that of the two single-algorithm models and the serial-connection detection model.

Finally, to resolve the contradiction that network traffic data is variable-length while traditional deep learning algorithms can only handle fixed-length input, a one-dimensional convolutional pyramid pooling (1D-CPP) detection model is proposed. An improved spatial pyramid pooling mechanism is introduced into 1D-CNN to build the 1D-CPP detection model, which is able to handle variable-length input. Thus, the tedious data-processing work of data slicing or feature extraction is avoided. Experiments with different pyramid pooling network structures show that the average detection accuracy of the proposed algorithm in multi-class detection is higher than that of the 1D-CNN detection model by 2.4%, and that the detection accuracy increases as the number of pyramid pooling cores increases.
Keywords/Search Tags:Encrypted malicious traffic detection, Deep learning, 1D-CNN, LSTM, Pyramid pooling
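
An added example, not code from the thesis: the abstract's last contribution depends on pyramid pooling turning a variable-length convolutional feature map into a fixed-length vector, so no slicing or padding is needed before the fully connected layer. The sketch below uses standard SPP-style adaptive max pooling in pure Python; the kernel weights, pyramid levels and sample payloads are constructed assumptions, and the thesis's own "improved" mechanism is not specified on this page.

```python
# Added illustration (not the thesis's code): SPP-style 1D pyramid pooling.
# Kernel weights, pyramid levels and sample payloads are constructed assumptions.

def conv1d_relu(signal, kernel):
    """Valid 1D convolution + ReLU; output length is len(signal) - len(kernel) + 1."""
    k = len(kernel)
    if len(signal) < k:
        raise ValueError("payload shorter than the convolution kernel")
    return [max(0.0, sum(signal[i + j] * kernel[j] for j in range(k)))
            for i in range(len(signal) - k + 1)]


def pyramid_pool_1d(channels, levels=(1, 2, 4)):
    """Max-pool each channel into levels[0], levels[1], ... bins and concatenate.

    Output length is len(channels) * sum(levels), whatever the input length.
    """
    length = len(channels[0])
    if length == 0 or any(len(c) != length for c in channels):
        raise ValueError("channels must be non-empty and of equal length")
    pooled = []
    for bins in levels:
        for channel in channels:
            for i in range(bins):
                start = (i * length) // bins         # floor(i * L / bins)
                end = -(-(i + 1) * length // bins)   # ceil((i + 1) * L / bins)
                # Bins may overlap when bins does not divide L; none is ever empty.
                pooled.append(max(channel[start:end]))
    return pooled


KERNELS = [[0.5, 0.5, 0.0], [1.0, 0.0, -1.0]]  # constructed, untrained weights


def embed_flow(payload, levels=(1, 2, 4)):
    """Map raw bytes of any length >= 3 to a fixed-length feature vector."""
    signal = [b / 255.0 for b in payload]
    channels = [conv1d_relu(signal, k) for k in KERNELS]
    return pyramid_pool_1d(channels, levels)


if __name__ == "__main__":
    short_flow = bytes([0x16, 0x03, 0x01, 0x00, 0x2F])  # constructed sample
    long_flow = bytes(range(200))                        # constructed sample
    for flow in (short_flow, long_flow):
        print(len(flow), "bytes ->", len(embed_flow(flow)), "features")
```

With two channels and levels (1, 2, 4), every flow yields 14 features; adding pyramid levels lengthens the vector without constraining the input length.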