面向加密流量的恶意RAT攻击行为识别方法  

作　　者：雷轩 刘华飞 田峥 唐泽华 李爱元 许路 LEI Xuan;LIU Huafei;TIAN Zheng;TANG Zehua;LI Aiyuan;XU Lu(Zhuzhou Power Supply Branch,State Grid Hunan Electric Power Co.,Ltd.,Zhuzhou Hunan 412011,China;Information and Communication Branch,State Grid Hunan Electric Power Co.,Ltd.,Changsha Hunan 410029,China)

机构地区：[1]国网湖南省电力有限公司株洲供电分公司,湖南株洲412011 [2]国网湖南省电力有限公司信息通信分公司,湖南长沙410029

出　　处：《信息安全与通信保密》2024年第10期127-143,共17页Information Security and Communications Privacy

摘　　要：远程控制木马(Remote Access Trojan,RAT)是一类能够远程控制和监视计算机的恶意软件,广泛用于各种网络攻击。由于其危险性和隐蔽性,现已成为网络安全领域的重要关注点。针对细粒度恶意RAT攻击行为识别混淆程度更高的问题,提出一种面向加密流量的恶意RAT攻击行为识别方法。首先,提出一种加密恶意RAT攻击行为精细化分割方法,基于滑动窗口算法分析报文序列相似度,通过相对熵变化来寻找行为分割点;其次,设计基于报文负载长度序列的2种神经网络分类模型LS-CNN和LS-LSTM,用于提取不同攻击行为流量中的深层空间特征来识别不同恶意攻击行为。通过在自建的真实数据集上进行实验,结果表明,提出的方法能够以92.08%的准确率识别出不同恶意RAT攻击行为。RAT(Remote Access Trojan)is a type of malicious software that can remotely control and monitor computers,and it is widely used in various cyber attacks.Now,RAT becomes an important focus in the field of cyber security due to its danger and concealment.In order to address the issue of higher confusion in identifying fine-grained malicious RAT attack behaviors,this paper proposes a malicious RAT attack behaviors identification method for encrypted traffic.First,it puts forward a finegrained segmentation method for encrypted malicious RAT attack behaviors,which analyzes the similarity of packet sequences based on the sliding window algorithm,and searches for behavior segmentation points through relative entropy changes.Then,the paper designs two neural network classification models,LSCNN and LS-LSTM,based on packet payload length sequences for extracting deep spatial features from different attack behaviors traffic to identify different malicious attack behaviors.Through experiments on a self-built real dataset,the results indicate that the proposed method can identify different malicious RAT attack behaviors with an accuracy of 92.08%.

关 键 词：加密流量 恶意远程控制木马 攻击行为识别 序列分割 深度学习 

分 类 号：TP393.06[自动化与计算机技术—计算机应用技术]