基于LSTM循环神经网络的恶意加密流量检测

加密流量已经成为互联网中的主要流量,攻击者使用加密技术可以逃避传统的检测方法。在不对应用流量进行解密的情况下,网络管理者对传输内容进行深度包解析和恶意字符匹配进而检测恶意通信。针对该问题,在不对流量解密的情况下使用网络层的传输包序列和时间序列识别流量行为,使用过采样方法处理不平衡的黑白样本,基于LSTM循环神经网络建立检测模型。使用清华2017年-2018年边界网关的正常流量数据,在沙箱中采集恶意样本产生的流量数据进行检测实验,结果表明该模型能够较好地检测恶意软件的加密通信流量。

DETECTION OF MALICIOUS ENCRYPTED TRAFFIC BASED ON LSTM RECURRENT NEURAL NETWORK

Encrypted traffic has become the main-stream traffic in the Internet.Attackers can use encryption techniques to evade traditional detection methods.Without decrypting the application traffic,the network administrator conducts deep packet parsing and malicious character matching on the transmitted content to detect Malicious communication.In order to solve this problem,we used the transmission packet sequence and time sequence of the network layer to identify the traffic behavior without decrypting the traffic.The oversampling method was used to process,the unbalanced black and white samples,and the detection model was established based on the LSTM recurrent neural network.Using the normal traffic data of the border gateway of Tsinghua university from 2017-2018,the traffic data generated by malicious samples were collected in the sandbox for detection experiment.The results show that the model has a good performance in detecting the encrypted traffic of malicious software.