Existing encrypted malicious traffic detection methods have several shortcomings. Methods based on statistical features depend on expert experience for feature extraction, and the resulting features are independent of each other. Machine learning and deep learning methods that work on the original input suffer from incomplete information, random fields, and a single granularity, so the semantic representation of encrypted traffic interaction behavior is insufficient. At the same time, as attack and defense escalate in network traffic scenarios, attackers try to bypass model detection through concealment and camouflage, and adversarial attacks have become a problem that can no longer be ignored. To address these two problems, this paper designs a new encrypted malicious traffic detection algorithm, verifies the robustness of the model under adversarial attacks, and designs and implements an encrypted malicious traffic detection system. The main content of this paper is as follows:

(1) To address the problem of effective representation learning for the encrypted traffic communication process, this paper proposes MGREL (Multi-Granularity REpresentation Learning), an encrypted malicious traffic detection method based on multi-granularity representation learning. The method processes an encrypted session at two granularities, field level and packet level. At field-level granularity, local behavior is modeled with word vectors: handshake messages are extracted and key fields are selected to alleviate the loss of semantics caused by incomplete information, and the byte values of the fields are expressed as word vectors, with the message type and handshake type added as a location prefix to solve the lack of location semantics. Multi-head Attention is used to calculate the interaction between fields, and the packet-level semantics are then obtained through a BiLSTM (Bidirectional Long Short-Term Memory). At packet-level granularity, global behavior is modeled in time and space: the packet spatio-temporal state information and an LSTM (Long Short-Term Memory) model are used to obtain the stream-level semantics. The local behavior semantics and global behavior semantics obtained at the two granularities are fused to obtain the representation of the encrypted traffic, which solves the insufficient representation capability of a single granularity. Finally, comparative experiments verify that MGREL performs best in detecting encrypted malicious traffic.

(2) To address the problem of model robustness under adversarial attacks, this paper uses FGSM (Fast Gradient Sign Method) and DeepFool adversarial attacks to test the current SOTA (State-Of-The-Art) models. The destructiveness of adversarial attacks is verified from multiple perspectives: 1) the robustness of the same model with different inputs under the same attack; 2) the robustness of different models with the same input under the same attack; 3) the detection ability of models under adversarial attacks. Through these experiments, this paper verifies the destructiveness of adversarial attacks to existing models, the robustness of different inputs to adversarial attacks, and the robustness of different model structures to adversarial attacks.

(3) Based on the proposed encrypted malicious traffic detection algorithm, this paper completes an encrypted malicious traffic detection system consisting of a detection part and a back-end management part. The encrypted traffic detection part includes traffic collection, traffic division, feature extraction, model detection, and result display, covering the path from real-time traffic to judged and analyzed detection results. System testing is also conducted.
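The field-level input step described in (1) can be illustrated as follows. This is an added example, not code from the paper: it turns the bytes of selected ClientHello fields into tokens prefixed with the message type and handshake type, then into ids for an embedding lookup. The chosen key fields (client version and cipher suites), the token format, the function names, and the sample record are all assumptions.

```python
import struct

def build_client_hello():
    """Constructed sample: a minimal TLS 1.2 ClientHello record, not captured traffic."""
    suites = b"\x13\x01\xc0\x2f"                         # two cipher suites
    body = b"\x03\x03" + bytes(32) + b"\x00"             # version, zeroed random, empty session_id
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def field_tokens(record):
    """Return byte tokens prefixed with message type and handshake type.

    Assumed key fields: client version and cipher suites. Returns [] for
    anything that is not a complete, well-formed ClientHello record.
    """
    if len(record) < 5:
        return []
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or len(hs) < rec_len or rec_len < 4:
        return []
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if hs_type != 1 or len(body) < hs_len or hs_len < 35:
        return []
    pos = 34                                  # skip version (2) + random (32)
    pos += 1 + body[pos]                      # skip session_id
    if pos + 2 > len(body):
        return []
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    suites = body[pos + 2:pos + 2 + cs_len]
    if len(suites) < cs_len:
        return []
    prefix = f"{ctype}_{hs_type}"             # location prefix (assumed format)
    return [f"{prefix}_{b:02x}" for field in (body[0:2], suites) for b in field]

def token_ids(tokens, vocab):
    """Map tokens to integer ids for an embedding layer, growing vocab as needed."""
    return [vocab.setdefault(t, len(vocab)) for t in tokens]
```

Because the prefix is part of each token, the same byte value seen in a different handshake message maps to a different embedding, which is how the prefix carries location semantics.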