The growing popularity of encryption mechanisms poses a great challenge to malicious traffic detection, because traditional detection techniques cannot work without first decrypting the encrypted traffic. Current research on detecting encrypted malicious traffic without decryption has focused on feature extraction and on the choice of machine learning or deep learning algorithms. In this paper, we first provide an in-depth analysis of traffic features and compare different state-of-the-art approaches to traffic feature creation, and we propose a novel concept of encrypted traffic features designed specifically for encrypted malicious traffic analysis. In addition, we propose a framework for encrypted malicious traffic detection: a two-layer detection framework that combines deep learning and traditional machine learning algorithms. In comparative experiments, it outperforms classical deep learning and traditional machine learning algorithms such as ResNet and Random Forest. Moreover, to provide sufficient training data for the deep learning model, we curate a dataset composed entirely of public datasets; the composed dataset is more comprehensive than any single public dataset used alone. Lastly, we discuss future directions for this research.
Translation: Against the background of increasingly popular encryption mechanisms, the detection of encrypted malicious traffic faces great challenges, because traditional detection techniques require the encrypted traffic to be decrypted before they can operate. Current research on detecting encrypted malicious traffic without decryption focuses mainly on feature extraction and on the choice of machine learning or deep learning algorithms. This paper first provides an in-depth analysis of traffic features, compares different state-of-the-art approaches to traffic feature creation, and proposes a new concept designed specifically for encrypted malicious traffic analysis. In addition, we propose a framework for encrypted malicious traffic detection. The framework is a two-layer detection framework that includes both deep learning and traditional machine learning algorithms. Through comparative experiments, we find that it performs better than commonly used deep learning and traditional machine learning algorithms, such as ResNet and Random Forest. Furthermore, to provide sufficient training data for the deep learning model, we also created a dataset composed entirely of public datasets. Compared with using any single public dataset alone, this dataset is more comprehensive. Finally, we discuss future research directions.
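As an added illustration of what "feature extraction without decryption" means in practice, the following Python extracts metadata-only features (packet sizes, directions, inter-arrival times, and the signed length sequence of the first packets) from a single flow, the kind of features that are commonly fed to the machine learning or deep learning stages of a detector. This is example code written here, not code from the paper, and the flow record format (`(timestamp, direction, length)` tuples), the function names, and the sample flow are all constructed assumptions; payload bytes are never touched.

```python
"""Metadata-only flow feature extraction (illustrative example, not the paper's code).

Each packet record is a constructed tuple (timestamp_seconds, direction, length_bytes),
with direction either 'c2s' (client to server) or 's2c' (server to client).
Only header-level metadata is used, so no decryption is required.
"""
from collections import Counter
from math import log2
from statistics import mean, pstdev

# Constructed sample flow: a handshake-like burst, a small exchange, a long idle
# gap, then a late pair of packets. Values are made up for illustration.
SAMPLE_FLOW = [
    (0.000, 'c2s', 517),
    (0.021, 's2c', 1400),
    (0.022, 's2c', 1400),
    (0.023, 's2c', 900),
    (0.030, 'c2s', 126),
    (0.031, 'c2s', 93),
    (0.052, 's2c', 267),
    (0.060, 'c2s', 600),
    (5.200, 's2c', 1200),
    (5.210, 'c2s', 40),
]

FEATURE_ORDER = [
    "duration", "n_pkts", "bytes_c2s", "bytes_s2c", "ratio_c2s",
    "mean_size", "std_size", "mean_iat", "max_iat", "size_entropy",
]


def flow_features(packets, max_seq=8):
    """Return a dict of decryption-free features for one bidirectional flow.

    max_seq controls how many leading packets form the signed length sequence
    (positive = client to server, negative = server to client), zero-padded.
    """
    if not packets:
        raise ValueError("empty flow")
    pkts = sorted(packets, key=lambda p: p[0])
    sizes = [p[2] for p in pkts]
    c2s = [p[2] for p in pkts if p[1] == 'c2s']
    s2c = [p[2] for p in pkts if p[1] == 's2c']
    iats = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]

    # Signed length sequence of the first max_seq packets, zero-padded.
    seq = [(p[2] if p[1] == 'c2s' else -p[2]) for p in pkts[:max_seq]]
    seq += [0] * (max_seq - len(seq))

    # Shannon entropy of the packet-size distribution, bucketed to 64 bytes,
    # as a coarse measure of how varied the record sizes are.
    n = len(sizes)
    buckets = Counter(s // 64 for s in sizes)
    entropy = -sum((c / n) * log2(c / n) for c in buckets.values())

    return {
        "duration": pkts[-1][0] - pkts[0][0],
        "n_pkts": n,
        "bytes_c2s": sum(c2s),
        "bytes_s2c": sum(s2c),
        "ratio_c2s": sum(c2s) / max(1, sum(sizes)),
        "mean_size": mean(sizes),
        "std_size": pstdev(sizes),
        "mean_iat": mean(iats) if iats else 0.0,
        "max_iat": max(iats) if iats else 0.0,
        "size_entropy": entropy,
        "len_seq": seq,
    }


def to_vector(features):
    """Flatten the feature dict into a fixed-order numeric list for a model."""
    return [float(features[k]) for k in FEATURE_ORDER] + [float(x) for x in features["len_seq"]]


if __name__ == "__main__":
    feats = flow_features(SAMPLE_FLOW)
    for k in FEATURE_ORDER:
        print(f"{k:>13}: {feats[k]:.4f}")
    print("len_seq:", feats["len_seq"])
    print("vector length:", len(to_vector(feats)))
```

The fixed feature order in `to_vector` matters in practice: the statistical features suit a traditional model such as a Random Forest, while the signed length sequence is the kind of ordered input a sequence-oriented deep model consumes, which is why a two-layer design can route the same flow record to both.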