
A Malicious Encrypted Traffic Detection Method Combining Multi-Feature Recognition
Authors: LI Huihui, ZHANG Shigeng, SONG Hong, WANG Weiping
Affiliations: School of Computer Science and Engineering, Central South University, Changsha 410083, China (all authors); State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China (ZHANG Shigeng)
Funding: Supported by the National Natural Science Foundation of China (No. 61772559, No. 61672543) and the Central South University Graduate Research Innovation Project (No. 1053320183917).
Abstract: With the widespread use of encrypted traffic, more and more malware also carries its malicious traffic over encryption. Because the transmitted content is not visible, traditional detection based on deep packet inspection suffers from reduced accuracy and insufficient real-time performance. By analysing the sessions and protocol behaviour of malicious and benign encrypted traffic, this paper proposes a malicious encrypted traffic detection method that combines multiple features. The method extracts statistical features of an encrypted session, namely the packet-length and packet-timing Markov chains, the packet-length and packet-timing distributions, and packet-length and packet-timing summary statistics, and combines them with protocol features from the handshake phase, namely the TLS cipher suites used, the certificate and the domain name, to build an 863-dimensional feature vector. A machine-learning classifier is then applied to the encrypted traffic to identify malicious sessions. Test results show that the multi-feature method reaches above 98% classification accuracy and above 99.8% recall, and that, while keeping comparable classification accuracy, it is more robust and more widely applicable.

Keywords: encrypted traffic; malicious traffic detection; TLS; protocol analysis; robustness
Received: 30 April 2020
Revised: 12 July 2020

Robust Malicious Encrypted Traffic Detection Based on Multiple Features
Authors: LI Huihui, ZHANG Shigeng, SONG Hong and WANG Weiping
Affiliation: School of Computer Science and Engineering, Central South University, Changsha 410083, China (all authors); State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China (ZHANG Shigeng)
Abstract: With the widespread use of encrypted traffic, more and more malware also uses encrypted traffic to transmit malicious information. Since the transmitted content is not visible, traditional detection methods based on deep packet inspection suffer from reduced accuracy and insufficient real-time performance. In this paper, by analysing the protocol and the sessions of malicious and normal encrypted traffic, a method for detecting malicious encrypted traffic that combines multiple features is proposed. The method extracts statistical characteristics of encrypted sessions, namely the Markov chains of packet length and time, the distributions of packet length and time, and the summary statistics of packet length and time. Combined with protocol features such as the TLS cipher suites used in the handshake phase, certificates and domain names, an 863-dimensional feature vector is constructed, and machine-learning methods are applied to the encrypted traffic to discover malicious sessions. The test results show that the robust malicious encrypted traffic detection method based on multiple features achieves a classification accuracy of more than 98% and a recall of more than 99%, and that the new method obtains better robustness while keeping high classification accuracy and can be applied more widely.
Keywords: encrypted traffic; malicious detection; TLS; protocol analysis; robustness
This paper is indexed in VIP (维普) and other databases.
