Research On Anonymous And Adversarial Malicious Encrypted Traffic Detection

Posted on: 2024-07-17 | Degree: Master | Type: Thesis
Country: China | Candidate: M H Li
GTID: 2558307103473394 | Subject: Cyberspace security
Abstract/Summary:
Traffic detection is an important part of modern network security research. In recent years, encrypted traffic has exploded, and many malicious traffic flows are mixed in with it, posing security threats to Internet users and organizations. Today, the Tor network is increasingly used for criminal activity; to monitor illegal activity effectively, Tor traffic needs to be detected, and traditional methods cannot be used to detect it. Unlike earlier malicious traffic, encrypted malicious traffic cannot be analyzed directly from its payload, so traditional detection methods no longer apply. The currently popular approach is to use the statistical features of encrypted traffic; however, as the contest between attack and defense escalates, adversarial malicious encrypted traffic will gradually appear, which existing research methods have difficulty detecting. This paper addresses the detection of adversarial malicious encrypted traffic and the classification of Tor malicious traffic. The main research work is as follows:

(1) By analyzing the interpretability and correlation of the statistical features of encrypted traffic, it was found that current malicious encrypted traffic detection based on statistical features can be deceived. Therefore, an algorithm was designed to generate adversarial malicious encrypted traffic. Based on this, an adversarial malicious encrypted traffic detection method based on session analysis (ADRSA) is proposed, which restores the extracted features and extracts the overall session features; the classifier is trained using a CNN-GRU model, which is able to extract high-dimensional spatial features and temporal features of the traffic. In experimental tests, the ADRSA method accurately detects malicious encrypted traffic, especially adversarial malicious encrypted traffic, with an accuracy rate of over 95%.

(2) By analyzing the communication features of the Tor network and of different kinds of malware, we design features to effectively distinguish Tor traffic and Tor malicious traffic, and apply the currently popular malware classification to the Tor network. A Tor malicious traffic classification method based on the combination of feature analysis and deep learning (FA-DL) is proposed to extract high-order features and use the FATNet model to classify Tor malicious traffic. The FATNet model can improve model training speed and model inference speed while ensuring a high accuracy rate. In experimental tests, the FA-DL method accurately classifies Tor malicious traffic with an accuracy rate of up to 99%.
Keywords/Search Tags:Anonymous network, Tor, Adversarial malicious encrypted traffic, Malicious traffic classification, Encrypted traffic detection, Deep learning