
Research On Detecting Malware With Encrypted Traffic

Posted on: 2021-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: T D Yu
Full Text: PDF
GTID: 2518306503973639
Subject: Electronics and Communications Engineering

Abstract/Summary:
In recent years, with the spread of network encryption technology, more and more websites and applications use it to protect personal privacy in network traffic. However, the number of malicious attacks that use network encryption is also rising year by year. Traditional detection methods that rely on packet content can no longer deal effectively with malware attacks hidden in encrypted traffic, which poses a severe challenge to traffic-based malware detection. According to research statistics, more than 60% of current network traffic is encrypted with TLS/SSL, and more than 10% of that is generated by malicious software. Among network encryption protocols, HTTPS is the most frequently used. This paper studies the detection of malware that uses encrypted network communication protocols and proposes an encrypted malicious traffic detection algorithm based on a multi-layer Auto-Encoder. Through in-depth analysis of the HTTPS protocol workflow, a protocol-based feature extraction method is proposed, and a feature expansion algorithm and a clustering-based feature mapping algorithm are designed according to the communication behaviour characteristics of the traffic. Experiments show that the algorithm has high detection accuracy. Besides HTTPS, malware also uses SSH, Tor and other encrypted protocols to carry out attacks; some botnets, such as Mirai, use as many as 11 protocols. To cope with detecting encrypted malicious traffic under different protocols, this paper proposes a malicious encrypted traffic detection algorithm based on a Profile HMM. The method borrows gene-sequence analysis from bioinformatics: key sequences are detected and matched to identify encrypted malicious traffic. Experiments in different settings on open-source data sets show the effectiveness of the algorithm. In addition, this paper discusses and experimentally evaluates the ability of this method to detect malicious traffic over traditional unencrypted protocols, and shows that the proposed method is independent of the communication protocol. At the end of the paper, the two proposed algorithms are discussed, a detection-circumvention method is designed and implemented, and its effectiveness is verified experimentally. Compared with existing research, this paper offers wide application scenarios and high detection accuracy, providing a comprehensive solution for malware detection based on encrypted traffic.
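The abstract says the first detector builds its features from the HTTPS protocol workflow rather than from packet payloads. The thesis itself gives no feature list, so the script below is an added illustration (not the thesis's code) of what protocol-level feature extraction looks like on the one part of an HTTPS session that is still visible in the clear: the TLS ClientHello. It builds a constructed ClientHello (not a captured packet), parses the handshake fields a classifier could consume (version, cipher suites, extension list, SNI, supported groups, ALPN), derives a small numeric feature vector, and also emits a JA3-style fingerprint string, which is a well-known way of summarising the same fields and is assumed here as a stand-in for the thesis's own feature design. The length checks guard against truncated records, which appear in real captures and must not crash a collector.

```python
import hashlib
import struct


def build_client_hello(sni, cipher_suites, groups, alpn):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a
    captured packet). Layout follows RFC 5246 (handshake), RFC 6066 (SNI) and
    RFC 7301 (ALPN); random is zeroed and the session id is empty."""
    name = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type=host_name(0)
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    grp = b"".join(struct.pack("!H", g) for g in groups)
    grp_body = struct.pack("!H", len(grp)) + grp
    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
    alpn_body = struct.pack("!H", len(protos)) + protos
    ext = b"".join(struct.pack("!HH", t, len(b)) + b
                   for t, b in ((0, sni_body), (10, grp_body), (16, alpn_body)))
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                      # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type handshake(22)


def parse_client_hello(rec):
    """Extract protocol-level features from a TLS ClientHello record.
    Raises ValueError on anything that is not a complete ClientHello."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", rec[3:5])[0]
    hs = rec[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                                      # client random (skipped)
    sid_len = body[pos]; pos += 1 + sid_len                        # session id (skipped)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]; pos += 1 + cm_len                          # compression methods (skipped)
    f = {"version": version, "cipher_suites": suites, "extensions": [],
         "sni": None, "groups": [], "point_formats": [], "alpn": []}
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if len(data) != elen:
                raise ValueError("truncated extension")
            f["extensions"].append(etype)
            if etype == 0 and len(data) >= 5 and data[2] == 0:     # server_name, host_name entry
                nlen = struct.unpack("!H", data[3:5])[0]
                f["sni"] = data[5:5 + nlen].decode("ascii", "replace")
            elif etype == 10 and len(data) >= 2:                    # supported_groups
                glen = struct.unpack("!H", data[:2])[0]
                f["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
            elif etype == 11 and len(data) >= 1:                    # ec_point_formats
                f["point_formats"] = list(data[1:1 + data[0]])
            elif etype == 16 and len(data) >= 2:                    # ALPN protocol list
                alen = struct.unpack("!H", data[:2])[0]
                i = 2
                while i < 2 + alen:
                    plen = data[i]
                    f["alpn"].append(data[i + 1:i + 1 + plen].decode("ascii", "replace"))
                    i += 1 + plen
    return f


def ja3_style(f):
    """JA3-style fingerprint: 'version,ciphers,extensions,groups,point_formats'
    plus its MD5 (GREASE filtering, which real JA3 does, is omitted here)."""
    s = ",".join(["%d" % f["version"]] + ["-".join(str(v) for v in f[k])
                 for k in ("cipher_suites", "extensions", "groups", "point_formats")])
    return s, hashlib.md5(s.encode()).hexdigest()


def feature_vector(f):
    """Numeric handshake features of the kind a traffic classifier would consume."""
    return [f["version"], len(f["cipher_suites"]), len(f["extensions"]),
            int(f["sni"] is not None), len(f["alpn"]), len(f["groups"])]


def parses_cleanly(rec):
    """True if the record is a complete ClientHello (used to check truncation handling)."""
    try:
        parse_client_hello(rec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    rec = build_client_hello("example.test", [0x1301, 0xC02F], [29, 23], ["h2", "http/1.1"])
    feats = parse_client_hello(rec)
    print(feats)
    print(ja3_style(feats))
    print(feature_vector(feats))
```

In a real collector the same parser would run over the first client-to-server TLS record of each flow, and the resulting vectors (or fingerprint hashes) would be what a model such as the thesis's autoencoder is trained on; the handshake is the only cleartext the detector gets, which is why it is worth parsing carefully and tolerating malformed input.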
Keywords/Search Tags: Malware, Encrypted Traffic Detection, Auto Encoder, Hidden Markov Model