一种基于多模型融合的隐蔽隧道和加密恶意流量检测方法

A Covert Tunnel and Encrypted Malicious Traffic Detection Method Based on Multi-Model Fusion
Abstract: To evade detection, advanced persistent threat (APT) attackers commonly hide malicious activity behind encrypted malicious traffic and covert tunnels, which makes detection harder. Most current methods for detecting DNS covert tunnels rely on statistical, frequency and packet-level features computed after traffic has been aggregated and summarized. Such methods are poorly suited to real-time detection: by the time enough traffic has been collected and scored, data may already have been exfiltrated. Real-time and reliable detection therefore requires classifying each individual DNS request rather than scoring aggregated traffic statistics, so that the system can respond as soon as a single request is judged to be tunnel traffic and prevent the leak. Existing methods for detecting encrypted malicious traffic, in turn, fail to extract traffic feature information completely, rely on a single feature-extraction technique, and under-use the features they do extract. This paper therefore proposes a covert tunnel and encrypted malicious traffic detection method based on multi-model fusion. For DNS covert tunnels, it proposes a detection method that fuses MLP, 1D-CNN and RNN models and computes the fused result with a proposed mathematical model; this method monitors covert tunnels in real time and further improves overall detection accuracy. For encrypted malicious traffic, it proposes a detection method that fuses 1D-CNN and LSTM models in parallel; the parallel fusion model extracts feature information more comprehensively and reflects the full picture of the traffic data, thereby improving the model's detection accuracy.
Authors: 顾国民 GU Guomin; 陈文浩 CHEN Wenhao; 黄伟达 HUANG Weida (College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou 310023, China)
Source: Netinfo Security (《信息网络安全》), CSCD, Peking University core journal, 2024, No. 5, pp. 694-708 (15 pages)
Funding: National Natural Science Foundation of China [U22B2028]; Zhejiang Province "Ten Thousand Talents Plan" science and technology innovation leading talent program [2020R52011]; Zhejiang Provincial Basic Public Welfare Research Program [LD22F020002].
Keywords: encrypted malicious traffic detection; DNS covert tunnel detection; multi-model fusion
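The per-request principle in the abstract, as an added example that is not the paper's code: every feature below is computed from a single DNS query name, so a verdict can be reached and the request dropped before any traffic window exists. The page does not give the paper's feature set, sequence encoding or fusion formula, so the handcrafted features, the character-to-integer encoding with MAX_LEN, and the weighted-mean rule in fuse() are all assumptions for illustration; the three probabilities passed to fuse() stand in for the outputs of trained MLP, 1D-CNN and RNN branches. The two query names are constructed samples.

```python
"""Per-request DNS tunnel features and late fusion (added example, not the paper's code).

The abstract describes fusing MLP, 1D-CNN and RNN verdicts on a SINGLE DNS request
so that the request can be blocked before any window of traffic is collected.
The feature set, the sequence encoding and the fusion rule here are assumptions
chosen for illustration; the paper's own definitions are not on the page.
"""
import math
import string
from collections import Counter
from dataclasses import dataclass

MAX_LEN = 64  # assumed fixed input length for the 1D-CNN / RNN branches
ALPHABET = string.ascii_lowercase + string.digits + "-._"
CHAR_TO_ID = {c: i + 1 for i, c in enumerate(ALPHABET)}  # 0 is reserved for padding
UNKNOWN_ID = len(ALPHABET) + 1


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payload labels score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in Counter(s).values())


@dataclass(frozen=True)
class RequestFeatures:
    """Everything here is computable from one query name, with no traffic history."""
    total_len: int
    label_count: int
    longest_label: int
    subdomain_entropy: float  # entropy of the labels left of the registered domain
    digit_ratio: float        # fraction of digits in the whole name
    sequence: tuple           # integer-encoded name for the CNN/RNN branches


def encode_sequence(qname: str) -> tuple:
    """Map characters to integer ids, then truncate / zero-pad to MAX_LEN (assumed encoding)."""
    ids = [CHAR_TO_ID.get(c, UNKNOWN_ID) for c in qname.lower().rstrip(".")[:MAX_LEN]]
    return tuple(ids + [0] * (MAX_LEN - len(ids)))


def extract(qname: str, zone_labels: int = 2) -> RequestFeatures:
    """Handcrafted per-request features for the MLP branch plus the sequence encoding.

    zone_labels is the number of trailing labels treated as the registered domain
    (2 for example.com); a real deployment would consult the public suffix list.
    """
    name = qname.lower().rstrip(".")
    labels = [l for l in name.split(".") if l]
    subdomain = "".join(labels[:-zone_labels]) if len(labels) > zone_labels else ""
    digits = sum(ch.isdigit() for ch in name)
    return RequestFeatures(
        total_len=len(name),
        label_count=len(labels),
        longest_label=max((len(l) for l in labels), default=0),
        subdomain_entropy=shannon_entropy(subdomain),
        digit_ratio=digits / len(name) if name else 0.0,
        sequence=encode_sequence(name),
    )


def fuse(p_mlp: float, p_cnn: float, p_rnn: float,
         weights=(1 / 3, 1 / 3, 1 / 3), threshold: float = 0.5) -> tuple:
    """Assumed late-fusion rule: weighted mean of the three branches' tunnel
    probabilities, compared against a threshold. The paper's actual fusion model
    is not given on the page; any calibrated combiner could replace this."""
    fused = sum(w * p for w, p in zip(weights, (p_mlp, p_cnn, p_rnn)))
    return fused, fused >= threshold


if __name__ == "__main__":
    # Constructed sample queries: an ordinary lookup and one carrying a hex payload
    # in its leftmost label, the way a DNS exfiltration tunnel does.
    for q in ("www.example.com", "3f9a1c7e2b8d4a6f0e5c9b1d7a3f8e2c.tunnel.example.net"):
        f = extract(q)
        print(q, f.total_len, f.longest_label,
              round(f.subdomain_entropy, 2), round(f.digit_ratio, 2))
    # Placeholder branch probabilities standing in for trained model outputs.
    print(fuse(0.9, 0.8, 0.7))
```

The payload-bearing query scores a subdomain entropy above 4 bits and a long leftmost label, while the ordinary lookup scores zero entropy; those per-request numbers, plus the integer sequence, are what the three branches would consume, and the fused probability is what the response action (drop the query, alert) keys on.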