CN-121984707-A - Method, device, electronic equipment and program product for detecting encrypted malicious traffic

CN121984707A

Abstract

The application discloses a method, device, electronic equipment and program product for detecting encrypted malicious traffic, in the technical field of network security. The method comprises: obtaining and preprocessing encrypted traffic data; converting the preprocessed traffic data into grayscale images using Hilbert filling curves; training a neural network model on the grayscale images, in which the query and key vectors are split into groups and the difference between their attention maps is computed so that irrelevant noise is suppressed and key malicious features are emphasized; and finally detecting and outputting results using the trained neural network model. The method addresses the complex feature extraction, weak generalization capability and loss of information of traditional encrypted malicious traffic detection methods, and markedly improves the accuracy and generalization capability of encrypted malicious traffic detection.

Inventors

  • CHEN XIANG
  • WANG LIN

Assignees

  • 中移(苏州)软件技术有限公司 (China Mobile (Suzhou) Software Technology Co., Ltd.)
  • 中国移动通信集团有限公司 (China Mobile Communications Group Co., Ltd.)

Dates

Publication Date
2026-05-05
Application Date
2025-12-24

Claims (10)

  1. An encrypted malicious traffic detection method, comprising: acquiring encrypted traffic data and preprocessing it; converting the preprocessed encrypted traffic data into a grayscale image; training a neural network model using the grayscale image, wherein the neural network model comprises a generator, and the generator computes attention using a Transformer model with differential attention; and detecting encrypted traffic data to be tested using the trained neural network model, and outputting a malicious traffic judgment result.
  2. The method of claim 1, wherein the generator, when computing attention: divides the query vector and the key vector into a first query vector, a second query vector, a first key vector and a second key vector respectively; computes a first attention map from the first query vector and the first key vector; computes a second attention map from the second query vector and the second key vector; subtracts the softmax-normalized first attention map and the softmax-normalized second attention map from one another to obtain a differential attention score; and computes the output of the attention layer from the differential attention score and the value vector.
  3. The method of claim 2, wherein obtaining the differential attention score comprises taking the difference between the softmax-normalized first attention map and the softmax-normalized second attention map weighted by a learnable scalar; wherein the initial value of the learnable scalar is determined by the index of the layer in the generator at which the attention layer performing the subtraction is located.
  4. The method of claim 2, wherein, when computing attention, the generator assigns a different weight matrix to each attention head so that each head computes its differential attention score independently, concatenates the outputs of the attention heads, and applies layer normalization to the concatenated result.
  5. The method of claim 1, wherein converting the encrypted traffic data into the grayscale image comprises extracting features from the encrypted traffic data, the features including at least one of packet size, time interval and protocol type.
  6. The method of claim 5, wherein the extracted features are mapped to a one-dimensional space to generate codes, the grayscale image is generated from the codes, and a Hilbert filling curve is used when encoding the features.
  7. An encrypted malicious traffic detection device, comprising: a data acquisition module configured to acquire encrypted traffic data and preprocess it; an image conversion module configured to convert the preprocessed encrypted traffic data into a grayscale image; a model training module configured to train a neural network model on the grayscale image output by the image conversion module, wherein the neural network model comprises a generator, and the generator computes attention using a Transformer model with differential attention; and a traffic detection module configured to detect encrypted traffic data to be tested using the trained neural network model and output a malicious traffic judgment result.
  8. The device of claim 7, wherein the image conversion module comprises a feature extraction sub-module, a coding sub-module and a grayscale image generation sub-module, wherein: the feature extraction sub-module is configured to extract features from the preprocessed encrypted traffic data, the features comprising at least one of packet size, time interval and protocol type; the coding sub-module is configured to map the extracted features to a one-dimensional space to generate codes, a Hilbert filling curve being used when generating the codes; and the grayscale image generation sub-module is configured to receive the codes and generate the grayscale image from them.
  9. An electronic device comprising a processor and a memory, the memory storing a computer program, the processor implementing the encrypted malicious traffic detection method of any one of claims 1 to 6 when the computer program is executed.
  10. A computer program product comprising a computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the encrypted malicious traffic detection method of any one of claims 1 to 6.
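Claims 5, 6 and 8 describe per-packet features (packet size, time interval, protocol type) being quantized, laid out in one dimension as codes, and written onto a grayscale image along a Hilbert filling curve. The following is an added example in pure Python, not the patent's own code, showing that mapping and the reason a Hilbert curve is used instead of row-major order: codes that are neighbours in the one-dimensional sequence stay neighbours in the image, so a model working on the image keeps the flow's local structure. The 8-bit quantization rules, the protocol byte codes, the 16x16 image size and the sample flow are my assumptions; the page specifies none of them.

```python
"""Encrypted-flow features -> grayscale image along a Hilbert curve.

Added example, not the patent's own code. Assumed here (not given on the page):
the 8-bit quantization of each feature, the protocol byte codes, the 16x16
image, and the constructed sample flow below.
"""
import math
from typing import Callable, List, Tuple

# Assumed byte codes for the protocol-type feature (not from the patent).
PROTO_CODE = {"tcp": 64, "udp": 128, "other": 192}

# Constructed sample flow: (packet size in bytes, gap since previous packet in ms, protocol).
SAMPLE_FLOW = [
    (517, 0.0, "tcp"), (1460, 0.3, "tcp"), (1460, 0.1, "tcp"), (93, 45.0, "tcp"),
    (1460, 0.2, "tcp"), (600, 1200.0, "tcp"), (52, 0.05, "tcp"), (318, 9000.0, "udp"),
]


def hilbert_d2xy(order: int, d: int) -> Tuple[int, int]:
    """Return the (x, y) cell of index d on a Hilbert curve filling a 2^order x 2^order grid."""
    n = 1 << order
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # flip/rotate the sub-square so the curve stays continuous
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def rowmajor_d2xy(order: int, d: int) -> Tuple[int, int]:
    """Naive layout for comparison: fill the image row by row."""
    n = 1 << order
    return d % n, d // n


def max_consecutive_step(order: int, mapper: Callable[[int, int], Tuple[int, int]]) -> int:
    """Largest Manhattan distance between the cells of two consecutive codes (a locality measure)."""
    n = 1 << order
    worst = 0
    px, py = mapper(order, 0)
    for d in range(1, n * n):
        x, y = mapper(order, d)
        worst = max(worst, abs(x - px) + abs(y - py))
        px, py = x, y
    return worst


def quantise_packet(size: int, gap_ms: float, proto: str) -> List[int]:
    """Turn one packet's (size, inter-arrival gap, protocol) into three 0..255 codes."""
    size_b = min(max(size, 0), 1500) * 255 // 1500                    # clip to an Ethernet MTU, then scale
    gap_b = min(int(math.log2(1.0 + max(gap_ms, 0.0)) * 16), 255)     # log scale: bursts and idle gaps both fit
    return [size_b, gap_b, PROTO_CODE.get(proto, PROTO_CODE["other"])]


def flow_to_image(packets, order: int = 4) -> List[List[int]]:
    """Lay the flow's one-dimensional code sequence onto a 2^order x 2^order grayscale image
    along the Hilbert curve; the sequence is zero-padded or truncated to fill exactly one image."""
    n = 1 << order
    codes: List[int] = []
    for size, gap_ms, proto in packets:
        codes.extend(quantise_packet(size, gap_ms, proto))
    codes = (codes + [0] * (n * n))[: n * n]
    img = [[0] * n for _ in range(n)]
    for d, value in enumerate(codes):
        x, y = hilbert_d2xy(order, d)
        img[y][x] = value
    return img


if __name__ == "__main__":
    for name, mapper in (("hilbert", hilbert_d2xy), ("row-major", rowmajor_d2xy)):
        print(f"{name:>9}: worst jump between consecutive codes = {max_consecutive_step(4, mapper)}")
    for row in flow_to_image(SAMPLE_FLOW):
        print(" ".join(f"{v:3d}" for v in row))
```

With a 16x16 image the Hilbert layout never moves more than one cell between consecutive codes, while row-major order jumps a full row width at every line end; that jump is the "loss of key spatial structure information" the Background paragraph attributes to ordinary feature conversion. One image holds 256 codes, i.e. roughly 85 packets at three features each, so a long flow has to be either truncated or split into several images.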

Description

Method, device, electronic equipment and program product for detecting encrypted malicious traffic

Technical Field

The present application relates to the field of network security, and in particular to a method, apparatus, electronic device and program product for detecting encrypted malicious traffic.

Background

In network security, the concealment and diversity of encrypted malicious traffic make its detection a complex technical problem in which detection accuracy, generalization capability and information integrity all have to be considered. Detection has to get past the limitation that payload content cannot be inspected directly, and must also adapt to the differing malicious behaviors seen across network environments and protocol types, so finding an efficient detection scheme remains a challenge. Current mainstream encrypted traffic detection techniques show clear limitations against complex encrypted malicious traffic: statistical feature analysis and traditional machine learning depend on hand-designed feature extraction strategies, so they adapt poorly to diverse encrypted traffic types and generalize weakly; key spatial structure information of the traffic is easily lost during feature conversion, leading to missed detections; and common deep learning models are easily disturbed by contextual noise, so their ability to capture key malicious features is weak and false positives or misses occur readily. These methods therefore do not meet the requirements of encrypted malicious traffic detection. There is accordingly a need for an encrypted malicious traffic detection method with efficient and accurate feature extraction, strong generalization capability and high detection accuracy.
Disclosure of Invention

The application provides a method, device, electronic equipment and program product for detecting encrypted malicious traffic.

In a first aspect, the application provides a method for detecting encrypted malicious traffic, comprising: acquiring encrypted traffic data and preprocessing it; converting the preprocessed encrypted traffic data into a grayscale image; training a neural network model using the grayscale image, wherein the neural network model comprises a generator, and the generator computes attention using a Transformer model with differential attention; and detecting encrypted traffic data to be tested using the trained neural network model, and outputting a malicious traffic judgment result.

In some embodiments, the generator, when computing attention: divides the query vector and the key vector into a first query vector, a second query vector, a first key vector and a second key vector respectively; computes a first attention map from the first query vector and the first key vector; computes a second attention map from the second query vector and the second key vector; subtracts the softmax-normalized first attention map and the softmax-normalized second attention map from one another to obtain a differential attention score; and computes the output of the attention layer from the differential attention score and the value vector.
In some embodiments, obtaining the differential attention score comprises taking the difference between the softmax-normalized first attention map and the softmax-normalized second attention map weighted by a learnable scalar, wherein the initial value of the learnable scalar is determined by the index of the layer in the generator at which the attention layer performing the subtraction is located.

In some embodiments, when computing attention, the generator assigns a different weight matrix to each attention head so that each head computes its differential attention score independently, concatenates the outputs of the attention heads, and applies layer normalization to the concatenated result.

In some embodiments, converting the encrypted traffic data into a grayscale image comprises extracting features from the encrypted traffic data, the features including at least one of packet size, time interval and protocol type.

In some embodiments, the extracted features are mapped to a one-dimensional space to generate codes, and grayscale images are generated from the codes, wherein a Hilbert filling curve is used when encoding the features.

In a second aspect, the application provides an encrypted malicious traffic detection device, comprising: a data acquisition module configured to acquire encrypted traffic data and preprocess it; an image conversion module configured to convert the preprocessed encrypted traffic data into a grayscale image; the model trainin
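Claims 2 to 4 and the embodiments above describe the attention computation: split the query and key vectors into two halves, compute a softmax attention map from each half, subtract one map from the other with a learnable scalar whose initial value depends on the layer index, and for multi-head use give each head its own weights, concatenate the head outputs and apply layer normalization. The following is an added example in pure Python (lists, no numpy), not the patent's code, that implements that computation and shows the effect the abstract calls "restraining irrelevant noise": whatever attention mass both maps agree on cancels in the difference. The page does not fix the sign convention, the 1/sqrt(d) scaling or the scalar's initialization formula; those here follow the Differential Transformer paper (Ye et al., 2024), which the claims closely mirror, and are assumptions. Head weights are drawn from a seeded random generator instead of being trained.

```python
"""Differential attention (claims 2 to 4) in pure Python, no numpy.

Added example, not the patent's own code. The sign convention
softmax(Q1 K1^T) - lambda * softmax(Q2 K2^T), the 1/sqrt(d) scaling and the
lambda initialization schedule follow the Differential Transformer paper
(Ye et al., 2024); the page only says lambda's initial value depends on the
layer index. Head weights come from a seeded RNG instead of training.
"""
import math
import random
from typing import List, Tuple

Matrix = List[List[float]]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def transpose(m: Matrix) -> Matrix:
    return [list(col) for col in zip(*m)]


def softmax_rows(m: Matrix) -> Matrix:
    out = []
    for row in m:
        mx = max(row)                          # subtract the row max for numerical stability
        e = [math.exp(x - mx) for x in row]
        s = sum(e)
        out.append([x / s for x in e])
    return out


def split_cols(m: Matrix) -> Tuple[Matrix, Matrix]:
    """Split every row into a first and a second half: the Q1/Q2 or K1/K2 of claim 2."""
    h = len(m[0]) // 2
    return [r[:h] for r in m], [r[h:] for r in m]


def lambda_init(layer: int) -> float:
    """Layer-dependent initial value of the learnable scalar (schedule assumed from Ye et al.)."""
    return 0.8 - 0.6 * math.exp(-0.3 * (layer - 1))


def diff_attention(q: Matrix, k: Matrix, v: Matrix, lam: float) -> Tuple[Matrix, Matrix]:
    """One head: (softmax(Q1 K1^T / sqrt d) - lam * softmax(Q2 K2^T / sqrt d)) V.
    Returns (layer output, differential score map)."""
    q1, q2 = split_cols(q)
    k1, k2 = split_cols(k)
    inv = 1.0 / math.sqrt(len(q1[0]))
    a1 = softmax_rows([[s * inv for s in row] for row in matmul(q1, transpose(k1))])
    a2 = softmax_rows([[s * inv for s in row] for row in matmul(q2, transpose(k2))])
    # Attention mass present in both maps (context noise) cancels; only the difference survives.
    score = [[x - lam * y for x, y in zip(r1, r2)] for r1, r2 in zip(a1, a2)]
    return matmul(score, v), score


def layer_norm_rows(m: Matrix, eps: float = 1e-5) -> Matrix:
    """Layer normalization over each concatenated row (claim 4), without affine parameters."""
    out = []
    for row in m:
        mean = sum(row) / len(row)
        var = sum((x - mean) ** 2 for x in row) / len(row)
        out.append([(x - mean) / math.sqrt(var + eps) for x in row])
    return out


def random_matrix(rng: random.Random, rows: int, cols: int, bound: float = 0.5) -> Matrix:
    return [[rng.uniform(-bound, bound) for _ in range(cols)] for _ in range(rows)]


def multi_head_diff_attention(x: Matrix, heads: int, head_dim: int, layer: int, seed: int = 0) -> Matrix:
    """Claim 4: a separate weight set per head, independent differential scores per head,
    concatenation of the head outputs, then layer normalization of the concatenated rows."""
    rng = random.Random(seed)
    lam = lambda_init(layer)
    d_model = len(x[0])
    outputs = []
    for _ in range(heads):
        wq = random_matrix(rng, d_model, 2 * head_dim)   # 2 * head_dim so the halves are Q1 and Q2
        wk = random_matrix(rng, d_model, 2 * head_dim)
        wv = random_matrix(rng, d_model, head_dim)
        out, _ = diff_attention(matmul(x, wq), matmul(x, wk), matmul(x, wv), lam)
        outputs.append(out)
    concat = [sum((o[i] for o in outputs), []) for i in range(len(x))]
    return layer_norm_rows(concat)


if __name__ == "__main__":
    # Constructed input: two "tokens" whose Q/K halves are identical, so both attention
    # maps agree and the differential score collapses to (1 - lam) times the shared map.
    q = k = [[1.0, 0.0, 1.0, 0.0], [0.0, 1.0, 0.0, 1.0]]
    v = [[1.0, 0.0], [0.0, 1.0]]
    for lam in (0.0, 0.5, 1.0):
        _, score = diff_attention(q, k, v, lam)
        print(f"lam={lam}: row sums of the differential map =", [round(sum(r), 4) for r in score])
    print("lambda_init by layer:", [round(lambda_init(i), 3) for i in (1, 2, 4, 8, 16)])
```

The constructed input makes the two halves identical, so with lam = 1 the differential map is exactly zero: attention that both projections would have paid is removed, and only patterns the two halves disagree on can reach the value vectors. In a trained model the halves are not identical, and the subtraction leaves the part of the attention that one projection assigns to the malicious-feature cells but the other does not. Note that the differential score rows no longer sum to 1 and can be negative, which is why the claimed normalization step after concatenation matters.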