
Malicious TLS Traffic Detection Based on Graph Representation
Abstract: Owing to the need for privacy protection, encryption services online are becoming increasingly popular. However, this also provides an avenue for malicious traffic to hide itself. As a result, identifying encrypted malicious traffic has become an important task in network management. Some mainstream techniques based on machine learning and deep learning have achieved good results, but most of them ignore the structure of traffic and do not analyse the encryption protocol in depth. To address this, the paper proposes a graph representation method for Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic, summarises the key features of TLS traffic, and models traffic correlation through multiple flow attributes such as source IP, destination port and packet count. On this basis it establishes GCN-RF, an encrypted malicious traffic identification framework based on graph convolutional networks (GCN) and the random forest algorithm. The method transforms traffic into a graph structure and combines the structural information of the traffic with node features for identification and classification. Experimental results on real public datasets show that the classification accuracy of the method is higher than that of current mainstream models.
Authors: Zhao Di, Yin Zhichao, Cui Susu, Cao Zhonghua, Lu Zhigang (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100085; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049; Beijing China Realm Security Incorporated Company, Beijing 100085)
Source: Journal of Information Security Research (信息安全研究), CSCD and Peking University core journal list, 2024, No. 3, pp. 209-215 (7 pages)
Funding: National Key R&D Program of China (2021YFF0307203); Strategic Priority Research Program (Category C) of the Chinese Academy of Sciences (XDC02040100); Climbing Program of the Institute of Information Engineering, Chinese Academy of Sciences (E3Z0101).
Keywords: encrypted traffic; malicious traffic; graph convolutional networks; deep learning; encrypted protocols
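The flow-graph idea in the abstract, as an added illustration written for this page (it is not the authors' code; the abstract does not give their exact edge rules or feature set): each TLS flow is a node; two flows are joined when they share a source IP, or share a destination port and have a similar packet count (that edge rule and the packet-count tolerance are assumptions); node features are taken from the handshake; one parameter-free GCN propagation step, D^-1/2 (A+I) D^-1/2 X, then mixes each flow's features with its neighbours'. The random-forest stage that would consume the propagated features is left out, and the sample flows are constructed, not captured.

```python
from __future__ import annotations

import math
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Flow:
    """One TLS flow, summarised by the attributes the abstract names plus two
    handshake fields. All values used below are constructed, not captured."""
    fid: int
    src_ip: str
    dst_ip: str
    dst_port: int
    pkt_count: int
    tls_version: str   # version negotiated in the ServerHello, e.g. "1.2"
    sni: str           # ClientHello server_name extension, "" when absent


# Constructed sample flows (RFC 5737 documentation addresses). Flows 1 and 2
# are given attributes often treated as suspicious (TLS 1.0, no SNI), but the
# example assigns no labels; it only builds the graph and propagates features.
FLOWS = [
    Flow(0, "10.0.0.5",  "203.0.113.10", 443,  40, "1.2", "example.com"),
    Flow(1, "10.0.0.5",  "198.51.100.7", 443,  12, "1.0", ""),
    Flow(2, "10.0.0.9",  "198.51.100.7", 8443, 11, "1.0", ""),
    Flow(3, "10.0.0.9",  "203.0.113.10", 443,  38, "1.3", "example.com"),
    Flow(4, "10.0.0.22", "192.0.2.44",   443,  13, "1.2", "cdn.example.net"),
]

PKT_TOLERANCE = 3  # assumed: "similar packet count" means within 3 packets


def related(a: Flow, b: Flow, pkt_tolerance: int = PKT_TOLERANCE) -> bool:
    """Assumed edge rule: same source host, or same destination port with a
    similar packet count (e.g. repeated beacons of roughly the same size)."""
    if a.src_ip == b.src_ip:
        return True
    return a.dst_port == b.dst_port and abs(a.pkt_count - b.pkt_count) <= pkt_tolerance


def build_edges(flows: list[Flow]) -> set[tuple[int, int]]:
    """Undirected flow graph: node i is flows[i]; edge (i, j) where related() holds."""
    return {(i, j) for i, j in combinations(range(len(flows)), 2)
            if related(flows[i], flows[j])}


def node_features(flow: Flow) -> list[float]:
    """Per-flow feature vector: TLS version, SNI present, log packet count."""
    return [float(flow.tls_version), 1.0 if flow.sni else 0.0, math.log(flow.pkt_count)]


def normalized_adjacency(n: int, edges: set[tuple[int, int]]) -> list[list[float]]:
    """A_hat = D^-1/2 (A + I) D^-1/2, the propagation matrix of the standard GCN."""
    a = [[0.0] * n for _ in range(n)]
    for i in range(n):
        a[i][i] = 1.0                      # self-loop keeps the node's own features
    for i, j in edges:
        a[i][j] = a[j][i] = 1.0
    deg = [sum(row) for row in a]          # degree including the self-loop
    return [[a[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]


def gcn_propagate(flows: list[Flow]) -> list[list[float]]:
    """One GCN layer minus the learned weight matrix and nonlinearity:
    H = A_hat X, so each flow's features are averaged with its neighbours'."""
    n = len(flows)
    a_hat = normalized_adjacency(n, build_edges(flows))
    x = [node_features(f) for f in flows]
    return [[sum(a_hat[i][k] * x[k][d] for k in range(n)) for d in range(len(x[0]))]
            for i in range(n)]


if __name__ == "__main__":
    print("edges:", sorted(build_edges(FLOWS)))
    for f, h in zip(FLOWS, gcn_propagate(FLOWS)):
        print(f.fid, [round(v, 3) for v in h])
```

In this toy graph flow 2 (TLS 1.0, no SNI, port 8443) is joined only to flow 3, so after propagation its "SNI present" feature rises from 0 to about 0.41: the graph carries evidence from the neighbouring flow of the same host into the node, which is the structural signal a per-flow classifier never sees.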