
Malicious DoH Traffic Detection For Concept Drift And Noise Label

Posted on: 2024-09-29
Degree: Master
Type: Thesis
Country: China
Candidate: J C Tong
Full Text: PDF
GTID: 2558307136989299
Subject: Cyberspace security
Abstract/Summary:
With the spread of encrypted network protocols, more and more malicious traffic is hidden inside encrypted traffic. Malicious network services increasingly bypass firewalls and intrusion detection systems through encryption and tunnelling techniques; in particular, malicious encrypted tunnels built on the DoH (DNS over HTTPS) protocol have become popular with attackers in recent years because of their stealth and ease of use. How to analyse DoH traffic effectively, extract features from it and build detection models has therefore become an important research topic. In addition, the tools used to generate malicious DoH tunnel traffic keep changing, so the traffic drifts and the original model has difficulty detecting the new DoH tunnel traffic. Furthermore, when the original model is trained incrementally to adapt it to the new DoH traffic environment, the quality of the labels in the training set strongly affects the training result. In response to these challenges, this thesis develops three lines of research.

First, to improve detection performance, this thesis proposes a fusion-learning-based method for detecting malicious DoH tunnel traffic. A packet bucketing algorithm and Zeek are used to parse the DoH tunnel traffic and extract three classes of features; a GBDT-based ensemble classifier is trained on each class of features, and feature fusion combines the votes of the three classifiers into the final prediction. Experiments on the CIC-DoHBrw-2020 dataset show that the method improves the performance of the malicious DoH tunnel traffic detection model.

Second, to address the concept drift problem, this thesis proposes a concept drift detection method based on a contrastive sparse autoencoder. The autoencoder reduces the dimensionality of the traffic features; whether a sample is a drifted sample is decided from its outlier distance in the low-dimensional space, and the drifted samples are then sampled according to their drift distance and used to train the original model incrementally. Experiments on the CIC-DoHBrw-2020 dataset show that the method effectively detects new DoH tunnel traffic under concept drift and recovers the detection performance of the original model to a certain extent.

Finally, to address the noisy label problem, this thesis proposes a weighted differential deep learning framework for purifying a noisy DoH dataset. For each sample, a weighted loss behaviour matrix is built from the difference between its loss values in two iterations of the same neural network; this matrix is fed as a feature to an outlier detection algorithm, which in a single iteration detects part of the noisy labels, and over multiple iterations the labels of the dataset are purified. The results show that the method detects most of the noisy labels in the noisy DoH dataset, and a comparison with three other methods confirms its effectiveness and stability. The method thus improves the incremental training of the malicious DoH tunnel detection model.

Starting from the goal of building a complete malicious DoH traffic detection model, and following the logic of building and then optimising that model, this thesis proposes the three solutions above for the three problems encountered when detecting malicious DoH traffic, and verifies their effectiveness experimentally. Future work will mainly enlarge the datasets used in the experiments and broaden the categories the model can detect, in order to further strengthen its robustness and generalisation.
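The drift-handling loop described in the second part (outlier distance in a low-dimensional space, sampling of drifted flows by drift distance, incremental update of the original model), as an added example that is not the thesis's own code. Two stand-ins are assumed: the "low-dimensional space" is a constructed 2-D embedding used directly in place of the contrastive sparse autoencoder output, and the "original model" is a 3-NN classifier over a labelled memory in place of the thesis's GBDT ensemble, so that incremental training is just appending the newly labelled samples. All class and function names (`KNNDetector`, `DriftDetector`, `sample_by_drift`, `run_demo`), the reference and batch embeddings, and the drift threshold of five times the reference spacing are assumptions made for the example.

```python
"""Concept-drift detection and distance-weighted incremental update.

Added example; stand-ins (assumptions, not the thesis's code):
- the "low-dimensional space" is a constructed 2-D embedding that replaces
  the contrastive sparse autoencoder output;
- the "original model" is a 3-NN classifier over a labelled memory that
  replaces the thesis's GBDT ensemble.
"""
import math
import random
import statistics


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


class KNNDetector:
    """Majority vote of the k nearest labelled embeddings."""

    def __init__(self, points, labels, k=3):
        self.memory = list(zip(points, labels))
        self.k = k

    def predict(self, x):
        nearest = sorted(self.memory, key=lambda pl: dist(x, pl[0]))[:self.k]
        tunnel_votes = sum(1 for _, label in nearest if label == "tunnel")
        return "tunnel" if 2 * tunnel_votes > self.k else "benign"

    def incremental_update(self, points, labels):
        # incremental training for this stand-in model: extend the memory
        self.memory.extend(zip(points, labels))


class DriftDetector:
    """Outlier distance in embedding space, measured relative to the spacing
    of the reference (training) embeddings."""

    def __init__(self, reference, ratio=5.0):
        self.reference = list(reference)
        # typical spacing: median nearest-neighbour distance inside the reference set
        nn = [min(dist(p, q) for j, q in enumerate(self.reference) if j != i)
              for i, p in enumerate(self.reference)]
        self.scale = statistics.median(nn)
        self.ratio = ratio  # assumed threshold: 5x the reference spacing

    def drift_distance(self, x):
        return min(dist(x, p) for p in self.reference) / self.scale

    def is_drifted(self, x):
        return self.drift_distance(x) > self.ratio


def sample_by_drift(points, distances, k, rng):
    """Draw up to k distinct samples, each drawn with probability
    proportional to its drift distance (the further out, the more likely)."""
    pool = list(range(len(points)))
    weights = list(distances)
    chosen = []
    while pool and len(chosen) < k:
        j = rng.choices(range(len(pool)), weights=weights, k=1)[0]
        chosen.append(points[pool.pop(j)])
        weights.pop(j)
    return chosen


# Constructed reference embeddings of the original training set.
BENIGN_REF = [(0.0, 0.0), (0.2, 0.1), (-0.1, 0.2), (0.1, -0.2), (-0.2, -0.1), (0.3, 0.3)]
TUNNEL_REF = [(1.0, 1.0), (1.2, 0.9), (0.9, 1.2), (1.1, 1.1), (0.8, 0.8), (1.3, 1.2)]
# Constructed new batch: two in-distribution flows, then five flows produced
# by a new tunnelling tool whose embeddings lie far from everything seen before.
NEW_BATCH = [(0.15, 0.05), (1.05, 1.05),
             (-3.0, 2.0), (-2.8, 2.2), (-3.1, 1.8), (-2.9, 2.1), (-3.2, 2.3)]


def run_demo(sample_size=3, seed=0):
    ref_points = BENIGN_REF + TUNNEL_REF
    ref_labels = ["benign"] * len(BENIGN_REF) + ["tunnel"] * len(TUNNEL_REF)
    model = KNNDetector(ref_points, ref_labels)
    drift = DriftDetector(ref_points)

    before = [model.predict(x) for x in NEW_BATCH]
    drifted = [x for x in NEW_BATCH if drift.is_drifted(x)]
    distances = [drift.drift_distance(x) for x in drifted]
    # An analyst labels only the sampled drifted flows (assumed: all are tunnels).
    chosen = sample_by_drift(drifted, distances, sample_size, random.Random(seed))
    model.incremental_update(chosen, ["tunnel"] * len(chosen))
    after = [model.predict(x) for x in NEW_BATCH]
    return {"drifted": drifted, "chosen": chosen, "before": before, "after": after,
            "reference_ok": all(model.predict(p) == l for p, l in zip(ref_points, ref_labels))}


if __name__ == "__main__":
    print(run_demo())
```

Before the update the five new-tool flows are classified as benign because their only neighbours are benign reference embeddings; the drift detector flags exactly those five, three of them are sampled and labelled, and afterwards all five are classified as tunnels while the reference flows keep their original predictions.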
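The label-purification loop described in the third part (per-sample loss difference between two iterations of the same model, fed to an outlier detector, repeated until nothing is flagged), as an added example that is not the thesis's own code. Assumed stand-ins: a logistic-regression "network" trained by full-batch gradient descent replaces the thesis's neural network; the behaviour feature is the loss change between the last two iterations weighted by the final loss; a robust z-score (median and MAD) replaces the thesis's outlier detector; flagged samples are dropped rather than relabelled. The function names (`train_and_record_losses`, `loss_behaviour`, `high_outliers`, `purify`, `run_demo`), the constructed two-feature embeddings and the two deliberately flipped labels are all assumptions made for the example.

```python
"""Noisy-label purification from per-sample loss differences.

Added example; stand-ins (assumptions, not the thesis's code): a logistic
regression trained by full-batch gradient descent replaces the thesis's
neural network, the weighted loss difference between the last two
iterations replaces its loss behaviour matrix, and a median/MAD robust
z-score replaces its outlier detection algorithm.
"""
import math
import statistics


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_and_record_losses(xs, ys, epochs=2, lr=1.0):
    """Full-batch gradient descent from zero weights; returns the per-sample
    binary cross-entropy after every epoch (one list per epoch)."""
    n, d = len(xs), len(xs[0])
    w, b = [0.0] * d, 0.0
    history = []
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * d, 0.0
        for x, y in zip(xs, ys):
            p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
            for j in range(d):
                grad_w[j] += (p - y) * x[j] / n
            grad_b += (p - y) / n
        w = [wi - lr * g for wi, g in zip(w, grad_w)]
        b -= lr * grad_b
        losses = []
        for x, y in zip(xs, ys):
            p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
            p = min(max(p, 1e-12), 1.0 - 1e-12)
            losses.append(-math.log(p) if y == 1 else -math.log(1.0 - p))
        history.append(losses)
    return history


def loss_behaviour(history):
    """One feature per sample: loss change between the last two iterations,
    weighted by the final loss so that samples that stay hard stand out."""
    prev, last = history[-2], history[-1]
    return [(l2 - l1) * l2 for l1, l2 in zip(prev, last)]


def high_outliers(values, threshold=3.0):
    """Indices whose robust z-score (median / scaled MAD) exceeds the
    threshold on the high side."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    scale = 1.4826 * mad or 1e-12
    return [i for i, v in enumerate(values) if (v - med) / scale > threshold]


def purify(xs, ys, max_rounds=5):
    """Repeatedly train, score, and drop suspected noisy labels.
    Returns (kept original indices, dropped original indices)."""
    keep = list(range(len(xs)))
    dropped = []
    for _ in range(max_rounds):
        hist = train_and_record_losses([xs[i] for i in keep], [ys[i] for i in keep])
        feat = loss_behaviour(hist)
        # a loss that rose while the rest fell is the signature of a wrong label
        flagged = set(k for k in high_outliers(feat) if feat[k] > 0)
        if not flagged:
            break
        dropped.extend(keep[k] for k in sorted(flagged))
        keep = [i for k, i in enumerate(keep) if k not in flagged]
    return keep, sorted(dropped)


# Constructed, standardised two-feature embeddings (think response-size and
# query-rate z-scores): benign flows around (-1, -1), tunnel flows around (1, 1).
BENIGN = [(-0.7, -0.9), (-0.9, -0.7), (-1.1, -1.3), (-1.3, -1.1), (-1.0, -1.0), (-0.8, -0.8)]
TUNNEL = [(-a, -b) for a, b in BENIGN]
XS = BENIGN + TUNNEL + [(-0.9, -0.9), (0.9, 0.9)]
# Labels: 0 = benign, 1 = tunnel. The last two samples are deliberately mislabelled.
YS = [0] * 6 + [1] * 6 + [1, 0]
NOISY = [12, 13]


def run_demo():
    return purify(XS, YS)


if __name__ == "__main__":
    kept, dropped = run_demo()
    print("dropped as noisy:", dropped, "kept:", len(kept))
```

In the first round the two mislabelled flows are the only samples whose loss grows between the two iterations, so they are the only high outliers; the second round, trained on the remaining twelve samples, flags nothing and the loop stops. Dropping flagged samples is the conservative choice; routing them to manual relabelling instead only changes the last lines of `purify`.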
Keywords/Search Tags: DoH tunnel detection, feature fusion, contrastive learning, differential training, concept drift, noisy label detection