Research On The Identification Of Mobile Encryption Family Applications Based On Service Coupling

Traffic classification can detect the source of traffic and can be used for network management and network security.In recent years,the flow statistical features widely used in the field of encrypted traffic recognition are prone to cause drift problems.With the change of time and geographical factors,the classification accuracy will obviously decrease.The rise of standard web services has led to an increase in service coupling,and the identification of mobile encrypted family application traffic will therefore cause classification ambiguity.For mobile family applications that include standard web services,the classification accuracy will be severely reduced.The results of some related studies have shown that the same application classification model has a classification effect of more than 80% for ordinary applications,but the classification effect for some family applications is only There are 20%,and the classification accuracy of individual family applications is only 0%.In response to the above problems,this paper introduces the idea of recurrent neural network and ensemble learning,and proposes a new encryption traffic classification and family application identification method.The research mainly includes the following contents:(1)An encrypted traffic classification method based on TLS flow sequence neural network called TFSN is proposed.The TFSN method mainly extracts flow sequence features based on the bidirectional LSTM layer,and enhances the learned features through the attention layer to improve classification performance.This method can automatically learn features and complete traffic classification according to the input flow sequence,without manual intervention and feature extraction,so it can save a lot of manpower and is very suitable for classifying large-scale network traffic.The experimental results show that the TFSN model proposed in this paper can accurately classify encrypted flows,and the classification accuracy of encrypted flows can reach more than 98%.(2)Two types of mobile family application identification methods based on the TFSN method are proposed.Including the direct recognition method of family applications based on sequence features and the indirect classification method of family applications based on web service recognition.The former mainly uses TLS flow sequence neural network model to directly classify family applications based on long sequence features.This type of method causes large classification errors due to the highly similar encrypted information content and length of some standard web service traffic in family applications.The latter method takes into account the limitations of the former method and separates the overall application traffic to avoid possible classification errors.Since the service coupling phenomenon exists between various family application flows,the most likely family applications can be identified and inferred by subdividing the flows into services,and then according to the differences in the services contained in the application flows.The classification results of the family application data set by the application classification model based on web service recognition show that the classification accuracy of the 20 types of family applications is mostly above 99%,indicating that the application distribution model has good classification performance.The application traffic used in the test comes from two different operating systems,Android and IOS.At the same time,the specific operating system version and mobile phone model are different,which indicates that the application classification model has good generalization performance.(3)Based on the above method,this paper designs and implements a prototype system for encrypted traffic classification and family application identification.The system mainly includes encrypted traffic preprocessing module,feature extraction and data set construction module,flow identification module and application identification module.The encrypted traffic classification and family application identification prototype system has a simple and user-friendly interface.Users can configure and input the original encrypted network stream data,TFSN model parameters,and application identification model parameters,etc.,and can conveniently classify the encrypted flow processing results and flow classification results.The application classification results are saved to the designated file for subsequent analysis and research.In addition,the system can visually display the results of TFSN encrypted flow classification and family application identification in the form of charts,which has strong application value.