In order to ensure the confidentiality and integrity of communication data, most applications use encryption protocols to encrypt communication data. Encryption protocols effectively protect the privacy of legitimate users' communication data, but they also become a tool for attackers to bypass the detection of network security devices. Therefore, it is of great significance to study encrypted malicious traffic detection technology. Some existing detection methods based on traditional machine learning extract protocol-specific fields from encryption protocol packets as features. However, these fields become invisible as encryption protocols are upgraded, so such methods can only detect traffic of specific protocols. Some existing detection methods based on deep learning convert network data into a two-dimensional digital matrix or extract features from traffic manually, and cannot retain the original state of the traffic well. In view of the shortcomings of existing methods, this paper proposes two encrypted malicious traffic detection methods and a detection system. The main contents are as follows:

(1) An encrypted malicious traffic detection method combining multi-granularity features. This method describes and analyzes network traffic by extracting features of different granularity from the original network data. These features are independent of specific network protocols, so detection remains effective in different network environments. The extracted features cover four granularities: field-level features, packet-level features, session-level features and host-level features. For the features of each granularity, naive Bayes, XGBoost and random forest are used as base classifiers, and the models are fused by soft voting. Experimental results show that the method has high detection accuracy, recall and generalization ability.

(2) An encrypted malicious traffic detection method based on sequential context semantics. This method effectively preserves the original state of network traffic and extracts sufficient context information from it. First, network traffic is divided into sessions to form a series of session data. The data of each session is then converted into a one-dimensional traffic sequence, and an appropriate length is selected for data clipping. Finally, a TextCNN neural network extracts context semantic features from the one-dimensional traffic sequence to detect encrypted malicious traffic. Experimental results show that this method has higher detection accuracy and a lower false positive rate than existing methods.

(3) An encrypted malicious traffic detection system based on sequence multi-granularity features. The system's functions include data upload, dataset information visualization, feature information visualization, encrypted malicious traffic detection and encrypted traffic multi-classification. The encrypted malicious traffic detection function is implemented on the basis of the two methods proposed above. The multi-classification of encrypted traffic includes 12-class and 100-class tasks, demonstrating that the proposed method achieves high classification accuracy in multi-classification tasks.
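The two preprocessing and fusion steps the abstract describes, as an added illustration that is not code from the thesis: method (2)'s grouping of packets into bidirectional sessions and clipping or zero-padding each session's raw bytes to a fixed-length one-dimensional sequence, and method (1)'s soft-voting fusion of the per-granularity base classifiers' class probabilities. The packet records, port numbers and probability vectors are constructed sample data, and the 5-tuple session key is an assumed definition of "session".

```python
"""Turn raw packets into per-session one-dimensional byte sequences (the input
of method 2) and fuse per-granularity classifier outputs by soft voting (method 1).
All packet records and probabilities below are constructed sample data."""
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple

# One packet: (src_ip, src_port, dst_ip, dst_port, proto, raw_bytes)
Packet = Tuple[str, int, str, int, str, bytes]
SessionKey = Tuple[str, int, str, int, str]


def session_key(pkt: Packet) -> SessionKey:
    """Direction-independent 5-tuple so both directions of a flow join one session."""
    src, sport, dst, dport, proto, _ = pkt
    a, b = sorted([(src, sport), (dst, dport)])
    return (a[0], a[1], b[0], b[1], proto)


def split_sessions(packets: Sequence[Packet]) -> Dict[SessionKey, List[Packet]]:
    """Group packets into bidirectional sessions, preserving capture order."""
    sessions: Dict[SessionKey, List[Packet]] = defaultdict(list)
    for pkt in packets:
        sessions[session_key(pkt)].append(pkt)
    return dict(sessions)


def session_to_sequence(session: Sequence[Packet], length: int) -> List[int]:
    """Concatenate raw bytes of the session's packets into one 1-D sequence,
    then clip or zero-pad it to the chosen fixed length."""
    seq = [b for pkt in session for b in pkt[5]][:length]
    return seq + [0] * (length - len(seq))


def soft_vote(probs: Sequence[Sequence[float]],
              weights: Optional[Sequence[float]] = None) -> List[float]:
    """Weighted average of class-probability vectors from the base classifiers
    (one per granularity); the class with the highest fused score wins."""
    w = list(weights) if weights else [1.0] * len(probs)
    total = sum(w)
    return [sum(wi * p[c] for wi, p in zip(w, probs)) / total
            for c in range(len(probs[0]))]


# Constructed capture: both directions of one session A and one packet of session B.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", 51000, "203.0.113.7", 443, "tcp", bytes.fromhex("16030100")),
    ("203.0.113.7", 443, "10.0.0.5", 51000, "tcp", bytes.fromhex("160303")),
    ("10.0.0.9", 52000, "198.51.100.3", 443, "tcp", bytes.fromhex("1603")),
]
```

Sessions shorter than the chosen length are zero-padded and longer ones are truncated, so every sample fed to the sequence model has the same shape regardless of the session's original size.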