
CN-121984690-A - Abnormal encryption flow detection method and device

CN 121984690 A

Abstract

The application provides an abnormal encrypted traffic detection method applicable to the fields of big data and information security. The method groups all connections carrying service flows according to the flow direction of those service flows, where each connection is constructed according to its corresponding transport protocol and different service flows use different connections; samples the packets transmitted over each connection to obtain a set of sampled packets per connection, where the packets are already-decrypted packets; calculates an entropy value for each sampled packet and from these obtains an entropy value for each connection; calculates statistical parameters of the connection entropy values within each group; and judges the traffic on any connection whose entropy value exceeds the preset threshold of its group as abnormal encrypted traffic, the preset threshold being obtained from the statistical parameters of the connection entropy values in that group. The application also provides an abnormal encrypted traffic detection apparatus, an electronic device, a storage medium and a program product.

Inventors

  • Gong Pengxian
  • Sun Yuan
  • Zhang Qian
  • Ma Xueqing

Assignees

  • Industrial and Commercial Bank of China Co., Ltd. (中国工商银行股份有限公司)

Dates

Publication Date
2026-05-05
Application Date
2025-06-25

Claims (11)

  1. An abnormal encrypted traffic detection method, comprising: grouping each connection carrying a service flow according to the flow direction of the service flow, wherein each connection is constructed according to its corresponding transport protocol and different service flows use different connections; sampling the packets transmitted over each connection to obtain a plurality of sampled packets for each connection, wherein the packets are decrypted packets; calculating an entropy value for each of the sampled packets and obtaining an entropy value for each connection; calculating statistical parameters of the connection entropy values within each group on the basis of the connection entropy values; and comparing each connection entropy value within the same group with a corresponding preset threshold, and judging the traffic on a connection whose entropy value exceeds the preset threshold as abnormal encrypted traffic, wherein the preset threshold is obtained from the statistical parameters of the connection entropy values in the group to which that traffic belongs.
  2. The method of claim 1, wherein grouping the connections carrying the service flow according to the flow direction of the service flow comprises: if the flow direction of the service flow is the network egress direction, grouping the connections carrying the service flow using the source address and source port as the grouping identifier; and if the flow direction of the service flow is the network ingress direction, grouping the connections carrying the service flow using the destination address and destination port as the grouping identifier.
  3. The method of claim 1, wherein after sampling the packets transmitted over each connection to obtain a plurality of sampled packets for each connection, the method comprises: traversing the bytes of each sampled packet, counting the number of occurrences of each byte value within that sampled packet, and recording the counts in a corresponding byte-frequency array.
  4. The method of claim 3, wherein calculating an entropy value for each of the sampled packets and obtaining an entropy value for each connection comprises: calculating, from the byte-frequency array, the probability of occurrence of each byte value within the corresponding sampled packet; obtaining the entropy value of each sampled packet from those probabilities using an entropy formula; and averaging the entropy values of all sampled packets transmitted over the same connection to obtain the entropy value of that connection.
  5. The method of claim 1, wherein after judging the traffic on the connection whose entropy value exceeds the preset threshold as abnormal encrypted traffic, the method comprises: comparing that connection entropy value with the preset alarm thresholds of each level to determine the degree of abnormality of the abnormal encrypted traffic, wherein the preset alarm thresholds of each level are each obtained from the statistical parameters of the connection entropy values in the group to which that traffic belongs; if the degree of abnormality is the first level, generating alarm information and monitoring the connection transmitting the abnormal encrypted traffic; and if the degree of abnormality is the second level, generating alarm information and blocking the connection transmitting the abnormal encrypted traffic, wherein the first level is lower than the second level.
  6. The method of claim 1, further comprising: if connection entropy values less than or equal to the corresponding preset threshold exist within the same group, updating the statistical parameters of the connection entropy values of that group with a statistical-parameter recurrence formula using those connection entropy values, and re-determining the preset threshold of that group from the updated statistical parameters.
  7. The method of claim 1, further comprising: monitoring the entropy values of all connections in each group, and when the entropy value of a connection is detected to meet a preset alarm-trigger condition, adjusting the packet sampling density of the connection meeting that condition, and restoring the sampling density to its value before the adjustment after the adjusted density has been in effect for a preset duration.
  8. An abnormal encrypted traffic detection apparatus, comprising: a grouping module configured to group each connection carrying a service flow according to the flow direction of the service flow, wherein each connection is constructed according to its corresponding transport protocol and different service flows use different connections; a sampling module configured to sample the packets transmitted over each connection to obtain a plurality of sampled packets for each connection, wherein the packets are decrypted packets; an entropy calculation module configured to calculate an entropy value for each of the sampled packets and obtain an entropy value for each connection; a statistical parameter calculation module configured to calculate statistical parameters of the connection entropy values within each group on the basis of the connection entropy values; and an anomaly detection module configured to compare each connection entropy value within the same group with a corresponding preset threshold and to judge the traffic on a connection whose entropy value exceeds the preset threshold as abnormal encrypted traffic, wherein the preset threshold is obtained from the statistical parameters of the connection entropy values in the group to which that traffic belongs.
  9. An electronic device, comprising: one or more processors; and a memory storing one or more computer programs, characterized in that the one or more processors execute the one or more computer programs to implement the steps of the method according to any one of claims 1 to 7.
  10. A computer-readable storage medium on which a computer program or instructions are stored which, when executed by a processor, carry out the steps of the method according to any one of claims 1 to 7.
  11. A computer program product comprising a computer program or instructions which, when executed by a processor, implement the steps of the method according to any one of claims 1 to 7.
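The procedure of claims 1 to 6 carried through on constructed traffic, as an added example in Python that is not code from the patent or its assignee. The patent does not specify which "statistical parameters" or which entropy formula are used; the example assumes per-group mean and standard deviation with a threshold of mean plus k standard deviations, Shannon entropy over byte frequencies, and Welford's running update as the recurrence formula of claim 6. All addresses, ports, payloads, constants (STD_FLOOR, MIN_BASELINE, k_warn, k_block) and the two-batch warm-up arrangement are assumptions; claim 7 (temporary change of sampling density) is not implemented.

```python
"""Entropy-based detection of re-encrypted payloads inside decrypted traffic.
Added example implementing claims 1-6 of the patent; not code from the patent or its
assignee. Constants, addresses and payloads are constructed assumptions; mean plus k
standard deviations stands in for the unspecified "statistical parameters"."""
import hashlib
import json
import math
from collections import namedtuple

EGRESS, INGRESS = "egress", "ingress"
STD_FLOOR = 0.25   # assumption: floor on a group's spread so digit-level jitter never fires
MIN_BASELINE = 3   # assumption: benign observations needed before a group is judged

# One connection: endpoints, flow direction, and its decrypted payloads (one bytes object per packet)
Connection = namedtuple("Connection", "src sport dst dport direction packets")

def group_key(conn):
    """Claim 2: egress groups by (source addr, port); ingress by (destination addr, port)."""
    return (conn.src, conn.sport) if conn.direction == EGRESS else (conn.dst, conn.dport)

def byte_entropy(payload):
    """Claims 3-4: byte-frequency array -> probabilities -> Shannon entropy in bits (0..8)."""
    if not payload:
        return 0.0
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def connection_entropy(conn, sample_every=2):
    """Claims 1 and 4: keep every Nth packet, average the per-packet entropies."""
    sampled = conn.packets[::sample_every]
    return sum(byte_entropy(p) for p in sampled) / len(sampled) if sampled else 0.0

class GroupStats:
    """Running mean/variance via Welford's recurrence: the claim 6 update rule."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0
    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)
    def threshold(self, k):
        std = math.sqrt(self.m2 / self.n) if self.n else 0.0
        return self.mean + k * max(std, STD_FLOOR)

def detect(connections, baselines, k_warn=3.0, k_block=5.0, sample_every=2):
    """Returns {index: (entropy, level)}: level 1 = alert and monitor, 2 = alert and block (claim 5).
    A group with fewer than MIN_BASELINE observations is only learned from, never judged."""
    findings = {}
    for i, conn in enumerate(connections):
        stats = baselines.setdefault(group_key(conn), GroupStats())
        h = connection_entropy(conn, sample_every)
        if stats.n < MIN_BASELINE:
            stats.update(h)
        elif h > stats.threshold(k_block):
            findings[i] = (h, 2)
        elif h > stats.threshold(k_warn):
            findings[i] = (h, 1)
        else:
            stats.update(h)   # claim 6: only values at or below the threshold refine the baseline
    return findings

def _pseudo_ciphertext(n, seed):
    """Deterministic high-entropy bytes standing in for ciphertext (constructed, not captured)."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def _json_payload(i):
    """Constructed benign API message; JSON text sits near 4 bits/byte."""
    return json.dumps({"user": f"user{i}", "action": "login", "ok": True, "seq": i * 7}).encode()

def build_sample_batches():
    """Constructed traffic: a clean warm-up batch, then a live batch where 203.0.113.77 tunnels
    high-entropy data inside its already-decrypted session to 10.0.0.5:443."""
    def ingress(client, payloads):
        return Connection(client, 50000, "10.0.0.5", 443, INGRESS, payloads)
    warmup = [ingress(f"198.51.100.{i}", [_json_payload(i + j) for j in range(8)]) for i in range(1, 6)]
    warmup.append(Connection("10.0.0.9", 8443, "192.0.2.10", 443, EGRESS, [_json_payload(j) for j in range(8)]))
    live = [ingress(f"198.51.100.{i}", [_json_payload(i + j) for j in range(8)]) for i in range(6, 9)]
    live.append(ingress("203.0.113.77", [_pseudo_ciphertext(1200, f"ct{j}") for j in range(8)]))
    return warmup, live

def run_demo():
    baselines = {}
    warmup, live = build_sample_batches()
    warm_findings = detect(warmup, baselines)   # seeds, then refines, the per-group baselines
    return warm_findings, detect(live, baselines), baselines

if __name__ == "__main__":
    for idx, (h, level) in run_demo()[1].items():
        print(f"live connection {idx}: {h:.2f} bits/byte, level {level}")
```

Two practitioner points the claims leave implicit. First, the baseline must be seeded from a window that is believed clean: a single high-entropy connection included in the seed inflates the standard deviation enough to mask itself, which is why the example warms up on one batch and judges the next, and why claim 6 only folds at-or-below-threshold values back in. Second, byte entropy does not distinguish ciphertext from compressed content (gzip bodies, images, video all sit near 8 bits per byte), so the per-group baseline of claim 2 is what keeps a service that legitimately moves compressed data from alerting; a threshold shared across services would not. The method also only sees traffic that has already been decrypted, so it belongs behind a TLS-terminating proxy or on the host, not on an opaque wire.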

Description

Abnormal encryption flow detection method and device

Technical Field

The present application relates to the fields of big data and information security, in particular to traffic detection scenarios, and more particularly to an abnormal encrypted traffic detection method, apparatus, device, medium and program product.

Background

In current network security practice, existing anomalous-traffic detection methods generally analyze the content of decrypted traffic in order to find anomalies in it. If an attacker re-encrypts the already-decrypted data, the encrypted malicious content cannot be identified by such methods, which creates a detection blind spot and a potential security risk. In addition, existing methods typically rely on a single traffic feature (such as port number or protocol type) as the detection basis and ignore differences between service scenarios, which leads to false detections or missed detections of abnormal traffic.

Disclosure of Invention

In view of the foregoing, the present application provides an abnormal encrypted traffic detection method, apparatus, device, medium and program product that improve detection accuracy, efficiency and coverage.

According to a first aspect of the present application, there is provided an abnormal encrypted traffic detection method, comprising: grouping the connections carrying service flows according to the flow directions of the service flows, wherein each connection is constructed according to its corresponding transport protocol and different service flows use different connections; sampling the packets transmitted over each connection to obtain a plurality of sampled packets for each connection, wherein the packets are decrypted packets; calculating an entropy value for each of the sampled packets and obtaining an entropy value for each connection; calculating, on the basis of the connection entropy values, statistical parameters of the connection entropy values within each group; and comparing each connection entropy value within the same group with a corresponding preset threshold, and judging the traffic on a connection whose entropy value exceeds the preset threshold as abnormal encrypted traffic, wherein the preset threshold is obtained from the statistical parameters of the connection entropy values in the group to which that traffic belongs.

According to an embodiment of the present application, grouping the connections carrying service flows according to the flow directions of the service flows comprises: if the flow direction of the service flow is the network egress direction, grouping the connections carrying the service flow using the source address and source port as the grouping identifier; and if the flow direction of the service flow is the network ingress direction, grouping the connections carrying the service flow using the destination address and destination port as the grouping identifier.

According to an embodiment of the present application, after sampling the packets transmitted over each connection to obtain a plurality of sampled packets for each connection, the method comprises: traversing the bytes of each sampled packet, counting the number of occurrences of each byte value within that sampled packet, and recording the counts in a corresponding byte-frequency array.

According to an embodiment of the present application, calculating an entropy value for each of the sampled packets and obtaining an entropy value for each connection comprises: calculating, from the byte-frequency array, the probability of occurrence of each byte value within the corresponding sampled packet; obtaining the entropy value of each sampled packet from those probabilities using an entropy formula; and averaging the entropy values of all sampled packets transmitted over the same connection to obtain the entropy value of that connection.

According to an embodiment of the present application, after judging the traffic on a connection whose entropy value exceeds the preset threshold as abnormal encrypted traffic, the method comprises: determining the degree of abnormality of the abnormal encrypted traffic by comparing that connection entropy value with the preset alarm thresholds of each level, wherein the preset alarm thresholds of each level are respectively obtained accordin