
Research Of The Malicious Traffic Detection Technology Based On Deep Learning

Posted on: 2022-06-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhai
Full Text: PDF
GTID: 2518306731997859
Subject: Cyberspace security

Abstract/Summary:
The rapid development of Internet technology not only facilitates people's lives but also promotes the spread and proliferation of malicious code. In practice, faced with large volumes of malicious code causing extensive harm, individuals, enterprises and government agencies alike are seriously threatened. Malicious code now uses techniques such as obfuscation and metamorphism to evade detection, and traditional detection methods find it increasingly difficult to keep pace with its development. As the network activity of malicious code grows, malicious traffic detection, which identifies malicious code through traffic analysis, has become a research hotspot in network security. In recent years, the rapid development of deep learning has also brought new momentum to malicious traffic detection. Therefore, starting from the malicious traffic detection problem, this thesis uses the powerful feature learning ability of deep learning to capture the malicious behaviors hidden in network traffic and achieve more efficient and intelligent malicious traffic detection. The main research achievements and contributions of this thesis are as follows:

1. Through analysis of the characteristics of malicious code network behavior, combined with ideas from classical network attack models, a malicious code network behavior chain model is constructed. The entire network activity of malicious code is divided into four stages: the infection stage, the detection stage, the command and control stage and the destruction stage, providing guidance for the practice of malicious traffic detection.

2. For the problem of detecting C&C communication traffic in the command and control stage, a multimodal detection method for C&C communication traffic is proposed. Drawing on the general way in which humans understand the world, the method analyzes C&C traffic from different angles: the statistical characteristics of the traffic, the raw payload of the traffic and the communication sequence of the C&C traffic are extracted separately, and DNN, CNN and LSTM submodels are designed according to the information characteristics of each mode. Experimental results show that the method effectively identifies C&C traffic, performs better than single-mode detection models, and generalizes better than traditional machine learning methods and other deep learning methods.

3. For the general detection of the network traffic of various malicious codes in the destruction stage, a malicious traffic detection method based on time position encoding and multi-head attention is proposed. The method treats network traffic as a text matrix to retain its spatial characteristics, uses time position encoding to characterize the temporal characteristics of the traffic, and applies a multi-head attention mechanism to capture the spatiotemporal characteristics of the raw traffic from multiple dimensions. The whole process is completed automatically by the deep learning model, which saves feature engineering work. Experimental results show that the proposed method performs well in accuracy, precision, recall and F1 value and is broadly applicable to malicious traffic detection; it can also capture key behaviors in the network traffic and assign them higher attention weights.

4. To address the problem that existing deep-learning-based malicious traffic detection methods mostly use features of individual session flows and lack a comprehensive description of the malicious code network behavior chain, an HTTP malicious traffic detection method based on a graph attention network is proposed. Based on the correlation between HTTP flows, the method builds a communication behavior graph from Web sessions. Integrating the statistical features and field content features of the session flows enriches the feature dimension of the communication behavior graph, and a graph attention network is constructed from an improved graph attention layer so that it can process node features and edge features simultaneously and thus learn more from the communication behavior graph. Experimental results show that, using the comprehensive features obtained at the host level, the method achieves more accurate malicious traffic detection, a lower false positive rate and stronger resistance to interference.
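The abstract describes three input representations for its models (items 2 and 3 above): flow-level statistics for a DNN submodel, the raw payload laid out as a byte matrix for a CNN submodel, and a time position encoding that injects packet timing into that matrix before attention is applied. The following Python is an added illustration of that preprocessing, not code from the thesis; the flow format, the sample beacon-like flow, the feature set, the matrix dimensions and the sinusoidal form of the time encoding are all assumptions made here, since the abstract does not specify them.

```python
import math
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # capture timestamp in seconds (assumed format)
    direction: int   # 1 = client-to-server, -1 = server-to-client
    payload: bytes   # application-layer bytes


# Constructed sample flow (not real traffic): a periodic 30-second
# request/response pattern of the kind a C&C beacon detector would look for.
SAMPLE_FLOW = [
    Packet(0.00, 1, b"GET /check HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    Packet(0.05, -1, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    Packet(30.01, 1, b"GET /check HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    Packet(30.06, -1, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    Packet(60.02, 1, b"GET /check HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    Packet(60.07, -1, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
]


def statistical_features(flow):
    """Flow-level statistics (statistical mode, DNN submodel): packet and
    byte counts, mean payload size, inter-arrival mean and standard
    deviation, and the share of outbound packets. A small std_iat relative
    to mean_iat is the classic signature of periodic beaconing."""
    n = len(flow)
    sizes = [len(p.payload) for p in flow]
    iats = [b.ts - a.ts for a, b in zip(flow, flow[1:])]
    mean_iat = sum(iats) / len(iats) if iats else 0.0
    var_iat = sum((x - mean_iat) ** 2 for x in iats) / len(iats) if iats else 0.0
    return {
        "packets": n,
        "bytes": sum(sizes),
        "mean_size": sum(sizes) / n,
        "mean_iat": mean_iat,
        "std_iat": math.sqrt(var_iat),
        "out_ratio": sum(1 for p in flow if p.direction == 1) / n,
    }


def payload_matrix(flow, n_packets=8, n_bytes=32):
    """Raw-payload 'text matrix' (payload mode, CNN submodel): one row per
    packet holding its first n_bytes bytes scaled to [0, 1]; short payloads
    and missing packets are zero-padded so every flow has the same shape."""
    rows = []
    for p in flow[:n_packets]:
        head = list(p.payload[:n_bytes])
        head += [0] * (n_bytes - len(head))
        rows.append([b / 255.0 for b in head])
    while len(rows) < n_packets:
        rows.append([0.0] * n_bytes)
    return rows


def time_position_encoding(flow, n_packets=8, dim=32, scale=1.0):
    """Sinusoidal positional encoding driven by each packet's time offset
    from the first packet rather than by its index, so that a 30-second gap
    and a 50-millisecond gap map to different encodings (assumed form)."""
    t0 = flow[0].ts
    enc = []
    for p in flow[:n_packets]:
        t = (p.ts - t0) * scale
        row = []
        for i in range(dim):
            div = 10000 ** (2 * (i // 2) / dim)
            row.append(math.sin(t / div) if i % 2 == 0 else math.cos(t / div))
        enc.append(row)
    while len(enc) < n_packets:
        enc.append([0.0] * dim)
    return enc


def encode_flow(flow, n_packets=8, n_bytes=32):
    """Payload matrix plus time position encoding: the spatiotemporal input
    that a multi-head attention model would consume."""
    m = payload_matrix(flow, n_packets, n_bytes)
    pe = time_position_encoding(flow, n_packets, n_bytes)
    return [[a + b for a, b in zip(r1, r2)] for r1, r2 in zip(m, pe)]


if __name__ == "__main__":
    print(statistical_features(SAMPLE_FLOW))
    print(len(encode_flow(SAMPLE_FLOW)), "rows of", len(encode_flow(SAMPLE_FLOW)[0]))
```

The three functions correspond to the three modes the abstract extracts separately; in a multimodal model each would feed its own submodel, while `encode_flow` shows how the payload matrix and time encoding combine into a single input for the attention-based detector. Padding to a fixed shape is what lets a mini-batch of flows of different lengths be processed together.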
Keywords/Search Tags: Deep learning, Malicious traffic detection, Multimodal learning, Multi-head attention, Graph neural networks