
Computer Engineering (计算机工程), 2020, Vol. 46, Issue (11): 157-163. doi: 10.19678/j.issn.1000-3428.0055588

• Cyberspace Security •

Malicious Traffic Detection Combining Packet Payload and Flow Fingerprint Features

HU Bin (a), ZHOU Zhihong (a, b), YAO Lihong (a), LI Jianhua (a, b)

  1. Shanghai Jiao Tong University: a. School of Cyber Science and Engineering; b. Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, Shanghai 200240, China
  • Received: 2019-07-26 Revised: 2019-10-22 Published: 2019-12-14
  • About the authors: HU Bin (born 1995), male, master's student; main research interests: network security, deep learning. ZHOU Zhihong, lecturer; YAO Lihong, senior engineer; LI Jianhua, professor and doctoral supervisor.
  • Funding:
    National Key R&D Program of China (2016YFB0800904).

Malicious Traffic Detection Combining Features of Packet Payload and Stream Fingerprint

HU Bin (a), ZHOU Zhihong (a, b), YAO Lihong (a), LI Jianhua (a, b)

  1. a. School of Cyber Science and Engineering;b. Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, Shanghai Jiao Tong University, Shanghai 200240, China
  • Received: 2019-07-26 Revised: 2019-10-22 Published: 2019-12-14

Abstract (translated from the Chinese): Data sets for detecting malicious SSL/TLS traffic come from a single source, and traditional detection methods usually take the five-tuple of a network flow as the main classification feature, which yields low detection accuracy for malicious traffic in complex network environments. To address this, an improved method for detecting encrypted malicious traffic is proposed. A data pre-processing step divides encrypted malicious traffic into two feature dimensions, packet payload and flow fingerprint; with five-tuple information deliberately excluded, the payload and fingerprint features describe the distribution of the network traffic, and a logistic regression model performs the detection of encrypted malicious traffic. Experimental results show that, without relying on five-tuple features, the method reaches a detection accuracy of 97.60% for SSL/TLS-encrypted malicious traffic in a complex network environment, about 36.05% higher than the traditional method that uses five-tuple and packet payload features.

Keywords (translated from the Chinese): SSL/TLS protocol, malicious traffic detection, five-tuple feature, logistic regression model, botnet, packet payload feature, flow fingerprint feature

Abstract: The data sets for the detection of malicious traffic by the SSL/TLS protocol are single-sourced. Traditional detection methods take the quintuple feature of network traffic as the main feature for classification, which reduces the accuracy of malicious traffic detection in complex network environments. To address the problem, this paper proposes an improved method for encrypted malicious traffic detection. During data pre-processing, the encrypted malicious traffic is divided into two feature dimensions, packet payload and stream fingerprint, which are used to describe the distribution of traffic when the quintuple information is avoided. Also, the logistic regression model is used to realize the detection of encrypted malicious traffic. Experimental results show that, without relying on the five-tuple feature, the detection accuracy of the proposed method for malicious traffic encrypted by the SSL/TLS protocol in the complex network environment reaches 97.60%, which is approximately 36.05% higher than the traditional detection method based on quintuple feature and packet payload feature.

Key words: SSL/TLS protocol, malicious traffic detection, quintuple feature, logistic regression model, Botnet, packet payload feature, stream fingerprint feature
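The abstract describes a pipeline rather than a formula: represent each TLS flow by packet-payload and flow-fingerprint features, keep the five-tuple (addresses, ports, protocol) out of the feature vector so the classifier cannot memorise which hosts were malicious in the training set, and fit a logistic regression model. The following Python sketch is an added illustration of that outline and is not code from the paper or its authors. The concrete feature definitions (packet-length statistics, share of tiny packets, byte entropy of the first application-data record), the gradient-descent trainer, and the sample flows are constructed assumptions; the paper's own features and data set are not reproduced on this page.

```python
"""Added example: five-tuple-free flow features plus logistic regression.
Feature definitions, trainer and sample flows are illustrative assumptions,
not the paper's."""
import math
import random
from dataclasses import dataclass


@dataclass
class Flow:
    """One TLS flow. The five-tuple is bookkeeping only; no feature reads it."""
    five_tuple: tuple      # (src_ip, dst_ip, src_port, dst_port, proto)
    pkt_lens: list         # per-packet lengths in arrival order (flow fingerprint)
    first_payload: bytes   # sample of the first application-data record (payload)
    label: int             # 1 = malicious, 0 = benign (constructed labels)


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits (0..8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_features(flow: Flow) -> list:
    """Assumed payload + fingerprint features, each scaled to about [0, 1].
    Deliberately never touches flow.five_tuple."""
    lens = flow.pkt_lens
    n = len(lens)
    mean_len = sum(lens) / n
    std_len = math.sqrt(sum((x - mean_len) ** 2 for x in lens) / n)
    return [
        mean_len / 1500,                        # fingerprint: mean packet length
        std_len / 1500,                         # fingerprint: length dispersion
        min(n, 100) / 100,                      # fingerprint: packets in the flow
        sum(1 for x in lens if x < 100) / n,    # fingerprint: share of tiny packets
        byte_entropy(flow.first_payload) / 8,   # payload: entropy of first record
    ]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train_logreg(X: list, y: list, lr: float = 0.5, epochs: int = 500) -> tuple:
    """Logistic regression fitted by batch gradient descent; returns (w, b)."""
    d, m = len(X[0]), len(X)
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * d, 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            for j in range(d):
                grad_w[j] += err * xi[j]
            grad_b += err
        w = [wj - lr * g / m for wj, g in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def predict(model: tuple, x: list) -> int:
    w, b = model
    return int(sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b) >= 0.5)


def accuracy(model: tuple, flows: list) -> float:
    hits = sum(predict(model, extract_features(f)) == f.label for f in flows)
    return hits / len(flows)


def make_flows(rng: random.Random, n_each: int) -> list:
    """Constructed sample flows (not the paper's data): benign = long sessions of
    full-size records, malicious = short beacon-like exchanges of tiny records.
    Both payloads look random, so entropy alone separates nothing here."""
    def rand_bytes() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(64))
    flows = []
    for i in range(n_each):
        flows.append(Flow((f"10.0.0.{i}", "203.0.113.10", 40000 + i, 443, "tcp"),
                          [rng.randint(100, 1500) for _ in range(rng.randint(30, 90))],
                          rand_bytes(), 0))
        flows.append(Flow((f"10.0.1.{i}", "198.51.100.7", 50000 + i, 443, "tcp"),
                          [rng.randint(60, 160) for _ in range(rng.randint(4, 12))],
                          rand_bytes(), 1))
    return flows


def run_demo(seed: int = 7) -> tuple:
    """Train on one constructed batch, evaluate on another; returns accuracies."""
    rng = random.Random(seed)
    train, test = make_flows(rng, 40), make_flows(rng, 20)
    model = train_logreg([extract_features(f) for f in train], [f.label for f in train])
    return accuracy(model, train), accuracy(model, test)


def five_tuple_is_ignored(seed: int = 1) -> bool:
    """Re-address every flow and confirm its feature vector is unchanged."""
    for f in make_flows(random.Random(seed), 5):
        moved = Flow(("192.0.2.1", "192.0.2.2", 1234, 8443, "tcp"),
                     f.pkt_lens, f.first_payload, f.label)
        if extract_features(moved) != extract_features(f):
            return False
    return True


if __name__ == "__main__":
    tr, te = run_demo()
    print(f"train accuracy {tr:.3f}, held-out accuracy {te:.3f}")
    print("five-tuple ignored:", five_tuple_is_ignored())
```

The check in `five_tuple_is_ignored` is the one a reviewer of such a detector should insist on: if changing every address and port leaves the feature vector identical, the model's accuracy cannot come from memorising the training set's hosts, which is the failure mode the abstract attributes to five-tuple-based methods. On the constructed flows the separation is carried entirely by the fingerprint statistics, which is why the payload-entropy feature receives little weight.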
