
Research On Malicious Encrypted Traffic Identification Based On TLS

Posted on: 2022-11-10
Degree: Master
Type: Thesis
Country: China
Candidate: M L Qin
GTID: 2518306746481344
Subject: Automation Technology
Abstract/Summary:
As users' privacy protection and security awareness improve, encryption technologies such as TLS, IPSec, SSH and VPN are more and more widely used, and the proportion of encrypted traffic in network transmission is increasing. Most network attackers use encryption protocols to carry out their malicious behavior, which further increases the difficulty of network security management. This paper aims to improve the identification accuracy for malicious encrypted traffic. Focusing on data preprocessing and model construction, it improves the machine-learning-based malicious encrypted traffic detection model, in view of the low accuracy of traditional detection methods based on ports and deep packet analysis and the low recognition rate caused by class imbalance in public malicious encrypted traffic datasets. The main work of this paper is summarized as follows:

1. To address the coarse classification granularity of current machine-learning detection algorithms for malicious encrypted traffic, a fine-grained classification model based on multiple features and model integration is proposed. First, the relevant encryption protocols and their principles are analyzed, and multiple malicious data flow features are extracted from TLS handshake information and from metadata, respectively. Then, automatic feature filtering and dimensionality reduction are performed using the random forest algorithm to obtain the global optimal feature subset. Finally, the feature subset is fed into different classifiers, and the probabilities of the different models' classification results are transformed into weights, so that multiple weighted models are integrated for classification and detection. Experiments show that the combination of feature selection and model integration can effectively distinguish the malware categories to which different malicious encrypted traffic belongs, and classifies different types of malware well.

2. Second, to further improve the accuracy of malicious traffic identification, a malicious encrypted traffic identification model based on a bidirectional gated recurrent unit (BiGRU) fused with an attention mechanism is proposed. It addresses the problem that the classification results of traditional machine learning algorithms are affected by the subjectivity of experts and are time-consuming and labor-intensive to obtain. The model uses BiGRU to extract forward and reverse temporal features from malicious encrypted traffic, and uses the attention mechanism to highlight important features and reduce the influence of irrelevant features. Experiments show that, compared with commonly used malicious encrypted traffic recognition algorithms, the model has better accuracy, recall, F1 and other metrics, and can effectively achieve multi-class recognition of malicious encrypted traffic.

3. Finally, to address the degraded prediction accuracy caused by unbalanced malicious encrypted traffic categories, a malicious TLS traffic generation model based on a deep generative adversarial network is proposed to improve the overall performance of malicious traffic identification. The model uses the generators and discriminators of the deep generative adversarial network (DGAN) to simulate real datasets, generating and extending the small categories of data to form a balanced dataset. Experiments show that using deep generative adversarial networks to expand and balance the small-class data can effectively reduce the chance of misclassifying small-class data, thus improving the overall recognition accuracy of the model.

Keywords/Search Tags:Malicious TLS traffic, Generative adversarial networks, Class imbalance, BiGRU, Attention mechanism