Research On Encrypted Malicious Traffic Detection Based On Graph Neural Network

Posted on: 2024-01-17
Degree: Master
Type: Thesis
Country: China
Candidate: X W Yu
Full Text: PDF
GTID: 2568307136989329
Subject: Cyberspace security
Abstract/Summary:
Network traffic encryption is effective in protecting user privacy and the security of sensitive information. However, it can also be exploited by network attackers, posing significant security risks to the Internet. Research on encrypted traffic detection techniques that detect malicious activities and network attacks in encrypted communications is currently a hot topic in the field of network security. In this paper, after analyzing the research status and existing issues of encrypted malicious traffic at home and abroad, a graph-based approach for detecting encrypted malicious traffic is proposed. The specific research work includes the following three aspects.

Firstly, a graph-based preprocessing method for encrypted malicious traffic feature extraction is proposed. It uses traffic graphs to incorporate the topological structure of encrypted malicious traffic into the graph feature representation. Flow interaction graphs and flow communication graphs are proposed separately for encrypted malicious application traffic detection and network intrusion detection. A traffic interaction graph construction algorithm is used to transform encrypted malicious traffic into flow interaction graphs, and visual analysis is performed, demonstrating the powerful representation capability of flow interaction graphs. Additionally, flow communication graphs, which are more suitable for representing network intrusion detection, are constructed.

Secondly, a GNN-based encrypted malicious traffic classification model that uses a self-attention mechanism is proposed. Based on the constructed flow interaction graph, the classification problem of encrypted malicious applications is transformed into a graph classification problem. The model employs graph convolution and a Top-K-based self-attention pooling mechanism to extract features and learn representations from the flow interaction graph. It effectively recognizes the learned embeddings of malicious traffic graphs, distinguishing the unique graph structures of malicious traffic in order to detect it. Experimental comparisons demonstrate the effectiveness of this method.

Thirdly, an E-GraphSAGE network intrusion detection model based on residual fusion is proposed. This model treats the statistical features of network flows as edge features of flow communication graphs. By incorporating the idea of residual networks, the existing edge embedding generation algorithm of E-GraphSAGE is improved. It extracts multi-dimensional features from the flow communication graph to generate edge embeddings that serve as the basis for malicious traffic detection and classification. The encrypted malicious traffic detection task is thereby transformed into an edge classification task. Four anomaly detection algorithms are trained on the transformed edge embedding data. Experimental results show that this model detects anomalous traffic efficiently.
Keywords/Search Tags: encrypted malicious traffic, flow graph, graph neural network, self-attention mechanism, residual network, anomaly detection