Computer Engineering ›› 2019, Vol. 45 ›› Issue (8): 31-34,41. doi: 10.19678/j.issn.1000-3428.0051218

Special topic: Cyberspace Security


CNN-based Encrypted C&C Communication Traffic Identification Method

CHENG Hua, XIE Jinxin, CHEN Lihuang

  1. School of Information Science and Engineering, East China University of Science and Technology, Shanghai 200237, China
  • Received: 2018-04-16 Revised: 2018-07-26 Online: 2019-08-15 Published: 2019-08-08
  • About the authors: CHENG Hua (born 1975), male, associate research fellow, main research interest: network security; XIE Jinxin and CHEN Lihuang, master's students.
  • Funding:
    CERNET Next Generation Internet Technology Innovation Project (NGII20160606).

Abstract: To accurately identify the encrypted C&C communication traffic of malware, this paper analyzes the HTTPS communication process of normal Web page browsing and of C&C communication, identifies the server independence feature of malware C&C communication, and proposes a sequence modeling method for HTTPS communication. Based on the behaviour characteristics of encrypted communication, a vector representation of the hexadecimal characters of the ciphertext is used to express encrypted traffic as vectors. A multi-window Convolutional Neural Network (CNN) then extracts the pattern features of encrypted C&C communication to identify and classify encrypted C&C communication data flows. Experimental results show that the accuracy of identifying the encrypted C&C communication traffic of malware is 91.07%.

Key words: encrypted traffic, C&C communication, HTTPS communication, Convolutional Neural Network (CNN), ciphertext character expression
