Research On Encrypted Malicious Traffic Detection Method Based On Android Mobile Device

Posted on: 2022-11-28
Degree: Master
Type: Thesis
Country: China
Candidate: J Zhou
GTID: 2518306764466934
Subject: Internet Technology
Abstract/Summary:
In recent years, the rapid development of the Internet has brought great convenience to human society, and network technology is increasingly tied to people's daily lives, especially through the use of smartphones. However, the growing number of smartphone users has also attracted criminals, who induce users to download malware in order to steal their private information, induce consumption and take remote control of their devices. In the mobile phone market, Google's Android system has surpassed Symbian thanks to its advantages of open source, freedom and strong support for secondary development, and has become the most popular mobile phone system in the world with three-quarters of the market share. Undoubtedly, this has made it the main target of attack.

Traditional malware detection usually includes static detection and dynamic detection, including honeypot technology and reverse engineering. Identifying malware through network traffic detection is also an effective detection method. Early detection of malicious traffic was usually based on port-based and payload-based methods. However, more and more network communication adopts a random port strategy, which makes the port-based identification method unreliable. The payload-based method has the advantage of a low false positive rate, but it needs to build a huge database of fingerprints and cannot be used to identify encrypted traffic. In recent years, feature-based detection methods have been proposed for encrypted traffic. This approach can effectively identify encrypted traffic, but it requires researchers to have sufficient prior knowledge and is easily affected by evasion attacks and network noise.

To solve the above problems of encrypted traffic detection, this thesis proposes a malicious traffic detection method based on dual domains and rules. In this thesis, network traffic is abstracted as a digital signal, and a method for dealing with noise in digital signals is used to extract the frequency-domain characteristics of encrypted traffic and to separate the noise from the effective signal. The thesis then uses a deep learning algorithm to automatically extract the time-series features of network traffic, which not only retains feature-based detection but also does not require rich prior knowledge. The thesis also designs an association rule mining method for encrypted traffic as an upgrade of the payload-based method, which can not only automatically mine the rule base of malicious traffic, but also enhance the detection effect by quantifying the rules and combining them with the dual-domain features. Finally, the thesis designs an attention mechanism over the time steps to calculate the weight of each time step, and completes the detection and classification of encrypted malicious traffic.

The thesis uses the AndMal2017 data set of the Canadian Network Security Laboratory for experiments. Longitudinal experiments with dual domains and rules are designed to verify the feasibility of detecting malicious traffic in the time domain, the frequency domain and with rules, and to determine the optimal packet sequence length and sampling frequency. At the same time, a horizontal comparison with other encrypted malicious traffic detection methods is carried out to verify the effectiveness of the detection method in this thesis. The experimental results show that the detection method based on dual domains and rules improves the accuracy of encrypted malicious traffic detection compared with other detection methods. In particular, in two-class classification it is 21.2% higher than the detection method using static features and 6% higher than the detection method using time series, which shows that this method is suitable for encrypted malicious traffic detection.
Keywords/Search Tags:Encrypted traffic detection, frequency domain features, correlation analysis, deep learning