
Research On Traffic Intelligent Identification Technology Based On Traffic Context

Posted on: 2023-04-26 | Degree: Master | Type: Thesis
Country: China | Candidate: K L Li | Full Text: PDF
GTID: 2568306914979199 | Subject: Cyberspace security
Abstract/Summary:
With the development of the information society and the advent of the big data era, the demand for data security is increasing, and so is people's awareness of network security. As a result, encrypted traffic protocols, represented by SSL/TLS, are widely used. While encryption provides data security and privacy protection, it also hides the characteristics of malicious traffic, which poses great challenges to traditional traffic identification methods. As an important foundation of network security, the accurate identification of malicious encrypted traffic is a challenging and significant research problem.

With the development of network technology, port-based traffic identification methods are failing. Methods based on deep packet inspection are not effective for identifying encrypted traffic. Blacklist- and whitelist-based approaches rely on timely updating of the lists. Methods based on manual feature extraction combined with machine learning, and methods based on deep learning, are becoming the main methods in the field of encrypted traffic identification. Current research mainly uses the flow or the session as the basic unit of identification; in addition, research that uses the four-tuple as the basic unit has been emerging. In this paper, we use the four-tuple as the basic unit of encrypted traffic identification, make full use of the context information of the sessions, and realize intelligent identification of encrypted traffic based on manual feature selection and deep learning. The work consists of the following four parts.

First, this paper studies the features of the handshake stage of the SSL/TLS protocol. Inspired by natural language processing tasks, it proposes a byte-stream feature of the four-tuple handshake. This part also considers the spatiotemporal relationship of the messages in the SSL/TLS protocol and the handshake-type records that were ignored by previous research, and proposes a graph-structure feature based on records and messages. For the handshake byte-stream feature, it is shown that a model based on a one-dimensional convolutional neural network achieves the best identification effect, and the identification effect is then compared across byte-stream features taken from different parts of the handshake byte stream. For the graph-structure feature based on records and messages, a deep learning model based on a convolutional neural network is adopted, and the experiments demonstrate the validity of the feature. Then, by combining the handshake byte-stream feature, the graph-structure feature and deep learning, intelligent identification of encrypted traffic based on four-tuple handshake features is realized. Finally, it is shown that identification based on the four-tuple is better than identification based on the session.

Second, this paper discusses the features of application data transmission in the SSL/TLS protocol. Although payload features are difficult to extract because the payload is transmitted as ciphertext, the record length in the SSL/TLS protocol carries information about the payload content and about what the two parties negotiated. We first propose the application-data record length sequence feature and, combined with a Conv1D-based model, show that this feature is superior to the packet length sequence feature for session-level identification. Next, several kinds of four-tuple features based on record length, with corresponding deep learning models, are designed and evaluated experimentally. A hierarchical feature of the form record length -> session -> four-tuple is combined with a deep learning model based on Conv1D and LSTM to implement intelligent identification of encrypted traffic based on the application data features of the four-tuple. Finally, it is shown that the application data feature extracted for the four-tuple contains session context information and is better than the one extracted for the session.

Third, we discuss the multiple features of the four-tuple. The statistical features of the four-tuple are divided into general statistical features, TLS statistical features and certificate statistical features, 92 dimensions in total. Background knowledge and statistical analysis are first used to explain why these features were selected, and the importance of the features is then analyzed. The experimental results show that the identification effect of the proposed features is better than that of the features proposed by other scholars, and that feature selection helps to further improve the identification effect. Finally, based on deep learning, intelligent identification of encrypted traffic is realized by combining the handshake features, the application data features and the statistical features.

Fourth, an encrypted traffic identification system is designed based on the above three parts of the research. A requirements analysis is first carried out to determine the market demand, the user group and the functions to be provided. The system is then divided into 4 layers, of which the business layer contains four modules, and the functions of each module are described in detail. Finally, the system is deployed and its visual interface is shown.
Keywords/Search Tags:Encrypted traffic identification, Four-tuple, Deep learning, Handshake features, Application data features, Statistical features
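
The record length -> session -> four-tuple hierarchy described in the abstract, as an added example that is not code from the thesis. It assumes a four-tuple is (source IP, destination IP, destination port, protocol), which the abstract does not define, and that each session's TCP byte stream has already been reassembled; the session dictionaries, helper names and sample data are constructed for illustration.

```python
import struct
from collections import defaultdict

APPLICATION_DATA = 23  # TLS record content type; 22 is handshake

def record_lengths(stream, content_type=APPLICATION_DATA):
    """Walk the TLS record layer of one reassembled session stream and
    return the declared lengths of records of the given content type."""
    lengths, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in (20, 21, 22, 23):  # not a TLS record: stop, do not guess
            break
        if ctype == content_type:
            lengths.append(length)
        offset += 5 + length  # 5-byte header plus body; ends loop if truncated
    return lengths

def four_tuple_features(sessions):
    """Group sessions by the assumed four-tuple, keeping one length sequence
    per session in start-time order: record length -> session -> four-tuple."""
    grouped = defaultdict(list)
    for s in sorted(sessions, key=lambda s: s["start"]):
        key = (s["src_ip"], s["dst_ip"], s["dst_port"], s["proto"])
        grouped[key].append(record_lengths(s["stream"]))
    return dict(grouped)

def _rec(ctype, length):
    """Build a constructed TLS 1.2 record with a zero-filled body."""
    return struct.pack("!BHH", ctype, 0x0303, length) + bytes(length)

# Constructed sample: two sessions (different source ports, not shown) to the
# same server share one four-tuple; a third session goes to another server.
SESSIONS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 443, "proto": "tcp",
     "start": 2.0, "stream": _rec(22, 90) + _rec(20, 1) + _rec(23, 310)},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "dst_port": 443, "proto": "tcp",
     "start": 1.0, "stream": _rec(22, 120) + _rec(23, 64) + _rec(23, 1400)},
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.9", "dst_port": 443, "proto": "tcp",
     "start": 3.0, "stream": _rec(22, 100) + _rec(23, 48)},
]

if __name__ == "__main__":
    for key, seqs in four_tuple_features(SESSIONS).items():
        print(key, seqs)
```

The nested lists are variable-length; padding or truncating them to a fixed shape before feeding a Conv1D/LSTM model is a separate step not shown here.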