
Research And System Implementation Of Encrypted Traffic Anomaly Detection Technology Based On Model Ensemble

Posted on: 2024-07-21    Degree: Master    Type: Thesis
Country: China    Candidate: J Q Chang    Full Text: PDF
GTID: 2558307106989819    Subject: Computer technology
Abstract/Summary:
In recent years, network security incidents have occurred frequently worldwide, and awareness of network security risk has grown accordingly. With rising public security awareness and advances in network technology, encryption has become pervasive in network communication; because of its strong security and broad compatibility, the Transport Layer Security (TLS) protocol accounts for a growing share of network traffic. Traffic encryption is, however, a double-edged sword: while it protects user privacy, it also gives threat actors cover for their activity. Anomaly detection on encrypted traffic is therefore needed to improve network security and keep business networks operating normally.

Traditional traffic anomaly detection methods perform poorly when faced with complex traffic types, difficult feature extraction, and traffic encryption. Machine learning algorithms combined with manually engineered features have been the main way to alleviate these problems, but simplistic hand-crafted features and the weak generalization of any single machine learning algorithm leave room for improvement in detection performance. Building on network traffic behaviour analysis, this thesis therefore studies anomaly detection of encrypted traffic using multi-feature fusion and ensemble machine learning. The main research content and contributions are as follows:

(1) Information-entropy-based discrimination between plaintext and ciphertext traffic has insufficient discriminating power for compressed and multimedia traffic. This thesis therefore proposes an encrypted traffic determination method based on the fusion of multiple features. The method combines heterogeneous features, including information entropy, chi-square values and α-Rényi entropy, to decide whether a network flow carries encrypted payload, alleviating the misclassification of compressed traffic that afflicts entropy-only methods. To address the difficulty of feature extraction in encrypted protocol identification, the thesis statistically analyses the payload distribution of samples of different protocols and designs a Z-score-based protocol identification method: the Z-scores of payload characters are used directly as features, which substantially reduces the complexity of feature extraction. Compared with existing plaintext/ciphertext identification and protocol classification methods, the proposed methods show significant advantages on all evaluation metrics.

(2) Existing encrypted traffic anomaly detection methods rely on single-model detection algorithms that cannot accommodate features of multiple granularities and suffer high false positive rates on mixed traffic. Drawing on the session and protocol characteristics that distinguish malicious from benign encrypted traffic, this thesis adds protocol and certificate features. To address the limited generalization of any single machine learning method, it then proposes a model-ensemble-based encrypted traffic anomaly detection method: multi-dimensional features produced by flow fingerprint fusion are fed to CatBoost, LightGBM and Gaussian Naive Bayes classifiers, which are combined through stacking into a detection model that identifies malicious encrypted traffic. The proposed model reaches a precision of 98.51% with a false positive rate of about 1.2%. Experiments on public datasets show that it improves detection performance significantly over nine related algorithms.

(3) Based on the two models above, an online anomalous encrypted traffic detection system was designed and implemented. The system uses a browser/server (B/S) architecture: the back-end server loads and schedules the traffic identification and anomaly detection models, and the front-end web page displays the anomaly identification results. The system was tested by replaying dataset samples to simulate live traffic; its measured accuracy and false positive rate were 96.47% and 1.36%, respectively, indicating good performance in practice. The system captures, identifies, detects and displays network traffic in real time, forming a well-performing and fully functional encrypted traffic monitoring system.
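The fused features of part (1), as an added example that is not code from the thesis: byte-level Shannon entropy, the chi-square statistic against a uniform byte distribution, α-Rényi entropy, and a z-score vector over byte frequencies. Treating "Z-score of payload characters" as the standardised 256-bin byte histogram is my reading, since the thesis's exact definition is not on this page. The three payloads are constructed inside the block: an HTTP-flavoured word-salad text, its deflate stream, and a seeded PRNG stream standing in for ciphertext (real output of a modern cipher is statistically indistinguishable from it).

```python
import math
import random
import zlib


def byte_histogram(data: bytes):
    """Count occurrences of each of the 256 byte values."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (maximum 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in byte_histogram(data) if c)


def renyi_entropy(data: bytes, alpha: float = 2.0) -> float:
    """alpha-Renyi entropy H_a = log2(sum p_i^a) / (1 - a), alpha != 1.
    alpha = 2 is the collision entropy; for alpha > 1 it never exceeds the
    Shannon entropy and reacts more strongly to a few over-represented bytes."""
    n = len(data)
    s = sum((c / n) ** alpha for c in byte_histogram(data) if c)
    return math.log2(s) / (1.0 - alpha)


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution
    (255 degrees of freedom). Uniform random input scores around 255 whatever its
    length; structured input scores far higher, and the statistic grows with length."""
    expected = len(data) / 256.0
    return sum((c - expected) ** 2 / expected for c in byte_histogram(data))


def byte_zscores(data: bytes):
    """Standardise the 256 byte counts to z-scores (assumed reading of the thesis's
    'Z-score of payload characters'): a fixed-length vector usable as classifier input."""
    counts = byte_histogram(data)
    mean = sum(counts) / 256.0
    std = math.sqrt(sum((c - mean) ** 2 for c in counts) / 256.0) or 1.0
    return [(c - mean) / std for c in counts]


def payload_features(data: bytes) -> dict:
    """The three fused scalar features named in part (1), plus the length so that
    chi-square can be normalised per byte before it reaches a classifier."""
    return {
        "length": len(data),
        "entropy": shannon_entropy(data),
        "renyi2": renyi_entropy(data, 2.0),
        "chi2": chi_square_uniform(data),
    }


# --- constructed sample payloads (not taken from any dataset) --------------------
_WORDS = ("the quick brown fox jumps over lazy dog GET POST HTTP Host Accept "
          "Content-Length text html json application gzip keep-alive close ok").split()
_rng = random.Random(7)
PLAINTEXT = " ".join(_rng.choice(_WORDS) for _ in range(20000)).encode()
COMPRESSED = zlib.compress(PLAINTEXT, 9)      # deflate stream: high entropy, not encrypted
# Stand-in for ciphertext: a seeded PRNG stream of the same length as the deflate output.
PSEUDO_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(len(COMPRESSED)))

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT), ("compressed", COMPRESSED),
                       ("ciphertext", PSEUDO_CIPHERTEXT)):
        f = payload_features(blob)
        print(f"{name:11s} len={f['length']:6d} H={f['entropy']:.3f} "
              f"H2={f['renyi2']:.3f} chi2={f['chi2']:.0f}")
```

On these inputs both the deflate stream and the PRNG stream have entropy above 7 bits per byte, which is the misjudgement the thesis describes, while the chi-square statistic still separates them because Huffman-coded deflate output is not byte-uniform. No decision thresholds are encoded, since the page gives none; the features are meant to be fed to a classifier.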
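Part (2) adds protocol and certificate features to the flow features. As an added illustration, not code from the thesis, the block below is a bounds-checked extractor for the protocol-side features that a TLS ClientHello exposes in the clear: offered cipher suites, extension types, the server name indication and the supported versions. That the thesis uses exactly these fields is an assumption; certificate features, which come from the server's Certificate message, are not covered here. The sample record is assembled by a builder in the block rather than taken from a capture.

```python
import struct


class _Cursor:
    """Bounds-checked reader over a bytes buffer: every overrun raises ValueError
    instead of silently returning a short slice, so a malformed or truncated
    record is rejected rather than yielding wrong features."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError(f"truncated: need {n} bytes at offset {self.pos}")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def done(self) -> bool:
        return self.pos == len(self.buf)


def _u16_list(raw: bytes):
    if len(raw) % 2:
        raise ValueError("odd-length uint16 list")
    return [v for (v,) in struct.iter_unpack("!H", raw)]


def parse_client_hello(record: bytes) -> dict:
    """Extract protocol features from one TLS ClientHello record (RFC 8446, 4.1.2).
    The client random and session id are skipped: they carry no fingerprint value."""
    r = _Cursor(record)
    if r.u8() != 0x16:
        raise ValueError("not a TLS handshake record")
    r.u16()                                   # record-layer version (legacy, ignored)
    body = _Cursor(r.take(r.u16()))
    if body.u8() != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    h = _Cursor(body.take(body.u24()))
    feats = {"legacy_version": h.u16(), "cipher_suites": None,
             "extensions": [], "sni": None, "supported_versions": []}
    h.take(32)                                # client random
    h.take(h.u8())                            # legacy session id
    feats["cipher_suites"] = _u16_list(h.take(h.u16()))
    h.take(h.u8())                            # compression methods
    if not h.done():                          # the extensions block is optional
        exts = _Cursor(h.take(h.u16()))
        while not exts.done():
            etype = exts.u16()
            edata = _Cursor(exts.take(exts.u16()))
            feats["extensions"].append(etype)
            if etype == 0:                    # server_name
                edata.u16()                   # server_name_list length
                if edata.u8() == 0:           # name_type host_name
                    feats["sni"] = edata.take(edata.u16()).decode("ascii", "replace")
            elif etype == 43:                 # supported_versions
                feats["supported_versions"] = _u16_list(edata.take(edata.u8()))
    if not h.done():
        raise ValueError("trailing bytes after ClientHello")
    return feats


# --- constructed sample: a builder so the example runs without a capture ---------
def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(sni: str, suites, versions) -> bytes:
    """Assemble a minimal, well-formed ClientHello record for exercising the parser."""
    name = sni.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name
    ext_sni = _u16(0) + _u16(len(entry) + 2) + _u16(len(entry)) + entry
    vers = b"".join(_u16(v) for v in versions)
    ext_sv = _u16(43) + _u16(len(vers) + 1) + bytes([len(vers)]) + vers
    exts = ext_sni + ext_sv
    cs = b"".join(_u16(s) for s in suites)
    hello = (_u16(0x0303) + bytes(32) + b"\x00"          # version, zero random, empty session id
             + _u16(len(cs)) + cs + b"\x01\x00"          # cipher suites, one (null) compression method
             + _u16(len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + _u16(0x0301) + _u16(len(hs)) + hs


SAMPLE_HELLO = build_client_hello("example.com", [0x1301, 0x1302, 0xC02F], [0x0304, 0x0303])

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO))
```

The returned dictionary is the raw material for the "protocol features" of a flow: the cipher suite list and extension order are what hashed TLS fingerprints are built from, and an absent or implausible SNI is a common per-session signal. A truncated or malformed record raises ValueError rather than producing a partial feature vector, which matters when the extractor sits in front of a classifier that would otherwise score garbage.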
Keywords/Search Tags:Traffic identification, Anomaly detection, Multi-feature fusion, Model ensemble