Encrypted malicious traffic detection method based on TextCNN

Cited by: 6

Authors: YANG Yan-zhao; ZHU Cheng-wei; QIU Jing; TONG Yong-xin[3] (China Automotive Innovation Corporation, Nanjing 211100, China; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China; School of Computer Science and Engineering, Beijing University of Aeronautics and Astronautics, Beijing 100191, China)

Affiliations: [1] China Automotive Innovation Corporation, Nanjing 211100, Jiangsu, China; [2] Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, Guangdong, China; [3] School of Computer Science and Engineering, Beijing University of Aeronautics and Astronautics, Beijing 100191, China

Source: Journal of Guangzhou University (Natural Science Edition), 2022, No. 1, pp. 1-9 (9 pages)

Funding: National Natural Science Foundation of China (U20B2046, U1636215, 61871140, U1803263); National Key Research and Development Program of China (2018YFB1800702); Guangdong Provincial Key Research and Development Program (2019B010136003).

Abstract: With the rapid development of Internet technology, 95% of traffic is encrypted using the SSL/TLS protocol, and a large amount of malicious traffic hides within it. Because of the large volume of network traffic and the invisibility of encrypted data, how to detect encrypted malicious traffic without decryption has become an important research topic. Existing methods based on pattern matching cannot handle encrypted traffic. Methods based on statistical features and temporal features rely on expert experience and require a lot of time to extract features manually. In this paper, deep learning is combined with the field of encrypted malicious traffic detection. First, the raw network traffic is segmented, cleaned, converted and pruned into one-dimensional sequences of uniform length. Then, a customized TextCNN network structure automatically extracts contextual features from the raw traffic through multiple groups of one-dimensional convolutions, and these features are used to classify the traffic. To demonstrate the effectiveness of the method, experiments were run on real network traffic samples and compared against network models such as CNN, LSTM and GRU. The experimental data show that the proposed method has strong generalization ability on unseen data, high detection accuracy and a low false positive rate.

Keywords: SSL/TLS; malware; encrypted malicious traffic detection; deep learning; TextCNN

Classification number: TP183 [Automation and Computer Technology: Control Theory and Control Engineering]

 
