【打印本页】      【下载PDF全文】   View/Add Comment  Download reader   Close
←前一篇|后一篇→ 过刊浏览    高级检索
本文已被:浏览 8516次   下载 7868 本文二维码信息
码上扫一扫!
结合多特征识别的恶意加密流量检测方法
李慧慧,张士庚,宋虹,王伟平
分享到: 微信 更多
(中南大学计算机学院 长沙 中国 410083;中南大学计算机学院 长沙 中国 410083;中国科学院信息工程研究所信息安全国家重点实验室 北京 中国 100093)
摘要:
随着加密流量的广泛使用,越来越多恶意软件也利用加密流量来传输恶意信息,由于其传输内容不可见,传统的基于深度包分析的检测方法带来精度下降和实时性不足等问题。本文通过分析恶意加密流量和正常流量的会话和协议,提出了一种结合多特征的恶意加密流量检测方法,该方法提取了加密流量会话的包长与时间马尔科夫链、包长与时间分布及包长与时间统计等方面的统计特征,结合握手阶段的TLS加密套件使用、证书及域名等协议特征,构建了863维的特征向量,利用机器学习方法对加密流量进行检测,从而发现恶意加密流量。测试结果表明,结合多特征的恶意加密流量检测方法能达到98%以上的分类准确性及99.8%以上召回率,且在保持相当的分类准确性基础上,具有更好的鲁棒性,适用性更广。
关键词:  加密流量  恶意检测  TLS协议分析  鲁棒性
DOI:10.19363/J.cnki.cn10-1380/tn.2021.03.09
Received:April 30, 2020Revised:July 12, 2020
基金项目:本课题得到国家自然科学基金项目(No.61772559、No.61672543),中南大学研究生科研创新项目(No.1053320183917)的资助。
Robust Malicious Encrypted Traffic Detection based with Multiple Features
LI Huihui,Zhang Shigeng,Song Hong,Wang Weiping
School of Computer Science and Engineering, Central South University, Changsha 410083, China;School of Computer Science and Engineering, Central South University, Changsha 410083, China;State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
Abstract:
With the widespread use of encrypted traffic, more and more malware also uses encrypted traffic to transmit malicious information. Since the transmission content is not visible, the traditional detection method based on deep packet inspection brings problems such as accuracy reduction and insufficient realtime performance. In this paper, by analyzing the protocol and the sessions of malicious encrypted traffic and normal traffic, a method for detecting malicious encrypted traffic combining multiple features is proposed. The method extracts the statistical characteristics of encrypted sessions such as the Markov chain of packet length and time, the distribution of packet length and time, and the statistical values of packet length and time. Combined with protocol features such as the use of TLS cipher suites in the handshake phase, certificates and domain names, an 863-dimensional feature vector is constructed. We use machine learning methods to detect encrypted traffic to discover malicious encrypted traffic. The test results show that the robust malicious encryption traffic detection method based on multiple features can achieve a classification accuracy of more than 98% and recall value of more than 99%, and the new method can receive better robustness while keeping the high classification accuracy and can be applied wider.
Key words:  encrypted traffic  malicious detection  TLS protocol analysis  robustness