Design And Implementation Of Malicious Encrypted Traffic Detection Technology Based On Graph Model

Posted on: 2023-11-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Yang
GTID: 2568306914472124
Subject: Computer technology
Abstract/Summary:

Network data privacy protection and communication security have increasingly become the focus of users. More and more services and applications use encryption technology to ensure the confidentiality and integrity of network communication. Although encryption technology protects users' data privacy and communication security, attackers also use these network encryption technologies to avoid detection while carrying out malicious acts such as malware propagation, user privacy theft and botnet communication. These malicious behaviors hidden behind encryption technology are highly concealed and diverse, and they seriously threaten the privacy of users and the security of the network environment. Therefore, the research and detection of malicious encrypted traffic has become a major problem in network security defense.

At present, researchers have extracted various types of features of encrypted traffic for the detection of malicious encrypted traffic, such as statistical features, image features and sequence features. These features are usually suitable for different detection scenarios. How to fuse these features in a complex cyberspace environment so that they complement each other has therefore drawn the attention of more and more researchers. Ensemble learning is the most common feature fusion method, but it only constructs different classifiers for different types of features and does not fuse the features themselves. When one of the features is missing or unavailable, the effect of ensemble learning is greatly reduced. Therefore, how to effectively use the heterogeneous features of different types of encrypted traffic samples to learn a unified traffic representation is still a challenging problem. In view of the shortcomings of current research, this paper proposes a malicious encrypted traffic detection scheme that uses a graph model analysis method to perform feature fusion and sample correlation analysis. The main research results include the following aspects:

(1) To address the problem that the various types of features in current malicious encrypted traffic detection methods are isolated and cannot be effectively fused, this paper proposes to use the GraphSAGE model to fuse and analyze the features of encrypted traffic samples. This method not only pays attention to the features of samples but also considers the significance of the correlation between samples for malicious detection, so that each sample includes its own features and also aggregates the multi-type features of neighbor nodes at any depth, which enriches the node information of samples.

(2) To address the problem of how the GraphSAGE model determines the relationship between two sample nodes, this paper measures the distance between any two sample points by calculating the similarity of the image features of encrypted traffic, so as to reflect the strength of the correlation between different samples. Image features include more comprehensive original data information, such as handshake information and certificate information. Even if the feature of a field cannot be extracted in a specific scenario, samples can still be matched by extracting local features.

(3) On this basis, this paper designs a malicious encrypted traffic detection mechanism based on a multi-layer graph model. First, an attributed KNN graph is constructed based on the correlation of encrypted traffic samples, in which the image feature relationships are used to construct the edges of the KNN graph and the statistical features are used as the attributes of the nodes. The attributed KNN graph is then used as the input of the multi-layer graph model. In this way, the problem of malicious traffic detection is transformed into a node classification problem.

(4) A malicious encrypted traffic detection system is designed and implemented. To verify the effectiveness of the graph-model-based detection method proposed in this paper, a complete detection system is designed and implemented. After optimization, the system reaches a 99.8% F1 score on the current data set, which is significantly improved compared with other methods.
Keywords/Search Tags:malicious traffic, encryption techniques, graph model
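
An added sketch, not code from the thesis, of the attributed KNN graph in (3) and the neighbour aggregation in (1): edges come from image-feature similarity, node attributes are the statistical features, and a flow with no usable statistics (`f2`) still receives its neighbours' values. The sample flows, cosine similarity, `k=2` and the unweighted mean aggregator are assumptions; GraphSAGE itself applies trained weights and a nonlinearity after each aggregation.

```python
import math

# Constructed flows. "img": stand-in for the image feature (scaled leading bytes);
# "stat": normalized statistical features. Flow f2 has no usable statistics.
FLOWS = [
    {"id": "f0", "img": [0.9, 0.1, 0.8, 0.1], "stat": [0.20, 0.30]},
    {"id": "f1", "img": [0.8, 0.2, 0.9, 0.1], "stat": [0.25, 0.35]},
    {"id": "f2", "img": [0.9, 0.2, 0.7, 0.2], "stat": [0.00, 0.00]},
    {"id": "f3", "img": [0.1, 0.9, 0.2, 0.8], "stat": [0.80, 0.90]},
    {"id": "f4", "img": [0.2, 0.8, 0.1, 0.9], "stat": [0.85, 0.95]},
    {"id": "f5", "img": [0.1, 0.8, 0.2, 0.9], "stat": [0.75, 0.85]},
]

def cosine(a, b):
    """Cosine similarity; the similarity measure is an assumption of this sketch."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def knn_edges(flows, k):
    """Edges come from image features only: node i -> its k most similar flows (k >= 1)."""
    edges = {}
    for i, f in enumerate(flows):
        sims = [(cosine(f["img"], g["img"]), j) for j, g in enumerate(flows) if j != i]
        edges[i] = [j for _, j in sorted(sims, reverse=True)[:k]]
    return edges

def mean_aggregate(attrs, edges):
    """One hop: concat(own attributes, mean of neighbours' attributes), no weights."""
    out = []
    for i, own in enumerate(attrs):
        nbrs = [attrs[j] for j in edges[i]]
        out.append(list(own) + [sum(col) / len(nbrs) for col in zip(*nbrs)])
    return out

def embed(flows, k=2, depth=1):
    """Node attributes are the statistical features; each layer reaches one hop further."""
    edges = knn_edges(flows, k)
    h = [f["stat"] for f in flows]
    for _ in range(depth):
        h = mean_aggregate(h, edges)
    return h

if __name__ == "__main__":
    for flow, vec in zip(FLOWS, embed(FLOWS)):
        print(flow["id"], [round(v, 3) for v in vec])
```

In a full pipeline these vectors would feed the trained layers and a node classifier; here they only show how the graph carries information to a node whose own attributes are missing.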