CN-122001634-A - VPN encrypted traffic load characteristic automatic identification method
Abstract
An automatic VPN encrypted traffic load characteristic identification method belongs to the technical field of encrypted traffic identification, and particularly relates to a method for identifying and classifying disguised variant traffic of V2Ray-type encrypted proxy protocols. The invention provides a multi-modal V2Ray encrypted proxy traffic identification method based on a 2D-CNN and a Transformer, which constructs a traffic identification and classification model, AG-CTNet, based on a cross-modal attention mechanism and a gating fusion strategy. The model introduces a parallel 2D-CNN and Transformer structure with residual connections: a 2D-CNN traffic gray-map feature extraction module extracts spatial texture and local structural features from a traffic gray map to identify shallow camouflage of encrypted proxy traffic, and a Transformer traffic sequence feature extraction module focuses on long-distance dependencies in the original traffic sequence to improve the model's perception of proxy protocol feature variation and contextual behavior.
Inventors
- XU GUOTIAN
- WU WENXIN
Assignees
- 中国刑事警察学院
Dates
- Publication Date
- 20260508
- Application Date
- 20260123
Claims (10)
- 1. A VPN encrypted traffic load characteristic automatic identification method, characterized by: constructing, for multi-modal V2Ray encrypted proxy traffic identification based on a 2D-CNN and a Transformer, a traffic identification and classification model AG-CTNet based on a cross-modal attention mechanism and a gating fusion strategy; introducing into the model a parallel 2D-CNN and Transformer structure with residual connections, wherein a 2D-CNN traffic gray-map feature extraction module extracts spatial texture and local structural features from a traffic gray map to identify shallow camouflage of encrypted proxy traffic, and a Transformer traffic sequence feature extraction module focuses on long-distance dependencies in the original traffic sequence, improving the model's perception of proxy protocol feature variation and contextual behavior; realizing, by the multi-modal attention mechanism, information interaction between the spatial features and the time-sequence features of the traffic, improving the model's ability to discriminate between features of different modalities and relieving the semantic deviation caused by camouflaged traffic; dynamically adjusting, by the gated traffic feature dynamic fusion module, the information flow path according to the weights of the traffic modal features, preventing a single modality from dominating the discrimination process and improving decision balance; and, after fusion, passing the feature vector through fully connected layers to complete high-precision five-class classification of Normal, vmess, vless, trojan and shadowsocks traffic.
- 2. The automatic VPN encrypted traffic load characteristic identification method according to claim 1, comprising a preprocessing part, wherein the preprocessing part comprises four steps: traffic splitting, traffic cleaning, data normalization and data enhancement; Step 1) traffic splitting: a traffic session containing a bidirectional data stream is adopted as the experimental object, the data stream is divided according to the five-tuple, and the original PCAP file is split into separate sessions; Step 2) traffic cleaning: the cleaning process first filters out irrelevant and empty-payload data packets, retaining only the part related to the encrypted proxy communication; Step 3) data normalization: the first L × L bytes of the first N data packets of each data stream are selected as the feature extraction object, the payloads of the first N packets are converted into an (N × L) × L two-dimensional traffic gray-level image as input of the 2D-CNN module, and data packets of insufficient length are padded; Step 4) data enhancement: data enhancement of the V2Ray-type encrypted proxy traffic is added in the training stage; Gaussian noise is added to the traffic gray-level image to simulate channel interference and transmission fluctuation, the noise being sampled from the standard normal distribution N(0, σ²); with a certain probability a random area of the image is set to 0, blocking an area of specified size, to simulate random packet loss, field dislocation or protocol header field damage caused by traffic variant camouflage.
- 3. The automatic VPN encrypted traffic load characteristic identification method according to claim 2, wherein the standard deviation σ = 0.05, a random area of the image is set to 0 with a probability of 20%, and 4% of the area is blocked.
- 4. The automatic VPN encrypted traffic load characteristic identification method according to claim 1, wherein the 2D-CNN module comprises 2 shallow convolution structures, 2 residual blocks, a pooling layer and a normalization layer assembly, deep networks directly access shallow extracted low-level protocol header characteristics through jump connection, and the protocol header characteristics of different depths are fused to realize multidimensional analysis of a V2Ray encrypted proxy protocol; In the aspect of space feature extraction, a 2D-CNN module introduces 2 two-dimensional convolution layers and 2 residual structures, so that the model simultaneously has local field sensitivity and overall structure discrimination capability in space dimension, and a residual block adopts a standard identity mapping structure , wherein, An input feature map representing a residual block, An output characteristic map representing a residual block, Representing a residual mapping function for learning a non-linear residual representation of an input feature, wherein Consists of two layers of 3 x 3 convolutions, batchNorm and ReLU, the convolutions set stride=1, padding=1 to keep the number of channels and spatial dimensions consistent.
- 5. The automatic VPN encrypted traffic load characteristic identification method according to claim 1, characterized in that the original byte stream is divided into input sequences of fixed time steps, and a learnable position code and a multi-layer Transformer encoder are introduced, realizing global traffic sequence modeling and enhancing the anti-aliasing capability of the model.
- 6. The automatic identifying method of VPN encrypted traffic load feature according to claim 1, wherein the Transformer traffic sequence feature extraction module divides the original traffic byte sequence into 160 time steps, each step having a feature dimension of 40, forming a 160×40 input matrix; time sequence position information using learnable absolute position coding to explicitly model traffic sequences for length First mapping the original features to the input traffic sequence of (a) =128-Dimensional embedding space, and introducing a trainable position-coding matrix Wherein the method comprises the steps of =160 Is the maximum sequence length, for length Is used for the input sequence of (a), front of intercepting position codes The position vectors are fused with the input features in an element-by-element addition mode to obtain the position information : Wherein, the Representing the embedded features of the linearly mapped traffic sequence, In order to be of the size of the batch, For the length of the sequence, Is an embedding dimension; a position coding matrix which can be learned and is used for representing position information of different time steps in the sequence; Processing new sequences using multi-layer Transformer encoders, each encoder layer comprising two parts, a, utilized A feed-forward neural network which is independently applied to the characteristics of each position and comprises 2 linear layers and 1 ReLU activation function, and the expressive power of a model is improved by adding nonlinear transformation; And (3) designing and stacking Y encoder layers to further improve the model performance, and finally unifying sequence features into 256-dimensional space through mean value pooling to serve as global time sequence feature representation, so that the sequence features are convenient to fuse with the 2D-CNN branch output sequence.
- 7. The automatic VPN encrypted traffic load characteristic identification method according to claim 1, characterized by comprising a cross-modal attention traffic feature enhancement module, which takes the traffic sequence features as context information to enhance the expressive power of the traffic gray-map features; an asymmetric cross-modal interaction strategy is adopted in which the gray-map features serve as the Query, guiding the model to focus, in image space, on the local areas most relevant to the current traffic behavior.
- 8. The automatic VPN encrypted traffic load feature identification method according to claim 1, wherein the gray map of the 2D-CNN branch has an input size of [B,1,160,40], and the output feature dimension after convolution pooling is [B,256], and each sample is encoded into a 256-dimensional spatial feature vector: Meanwhile, the Transformer branch is input as a time sequence signal sequence with the size of [B,160,40], and after being subjected to position coding and a multi-layer encoder, the sequence signal sequence is mapped into a representation with the same dimension through average pooling and linear transformation: Three linear mapping layers are defined in the CATT module: is a matrix of learnable parameters, a query matrix From image channel features, key matrix Matrix of values From the time sequence characteristics, all three dimensions are Maintaining consistency of numerical space in the same hidden space Linear mapping and matching is done within=256; by dot product calculation And Similarity between the current gray scale image features to determine the importance of the current gray scale image features to the flow time sequence features at different positions based on the attention score And a weighted value The most relevant part in the stream sequence is obtained and fused into the image characteristics, and the method is concretely realized as follows: Wherein the method comprises the steps of For the scaling factor to suppress the unstable value caused by the increase of feature dimension When=256, the inner product value is controlled in a proper range to prevent oversaturation or gradient disappearance of softmax in calculation, and after similarity is calculated, the softmax function normalizes the attention score so that: distributing normalized attention weight to each query vector on all key vectors, describing the dependency relationship of the image feature on each time sequence semantic, and when a certain key vector is used as the query vector When the similarity of the model is remarkably increased, the softmax generates a larger weight value at a corresponding position, and the model tends to pay attention to semantic information contained in the time step; for the information extracted from the sequence features, As a feature of the gray scale map of the original stream, And the image characteristic vector is obtained after the sequence information is fused.
- 9. The automatic VPN encrypted traffic load characteristic identification method according to claim 1, characterized in that the gating coefficient of the dynamic integration module of the gating traffic characteristic Based on the characteristic generation of the current sample, two layers of nonlinear transformation pair splicing characteristics are introduced Mapping is carried out, so that the weights of two modes of a gray level diagram and a sequence are adaptively adjusted among different V2Ray type encryption proxy traffic samples, a more appropriate leading channel is selected, and the adaptive feature fusion is realized, wherein the fusion process comprises the following steps: Step 1) splice input Gating coefficient And (3) calculating: step 2) feature weighted fusion and normalization output: as a feature of the flow sequence, Is output after the dynamic fusion by gating, The vector is the vector after the multi-mode feature is spliced; To map splice features to a unified dimension Is provided with a first layer of linear transformation and offset, For the second layer linear mapping and biasing, for generating final gating coefficients; Providing a smooth nonlinear mapping for the gaussian error linear unit, suitable for capturing small variations in flow characteristics, Constraint of gating value in [0,1] interval for Sigmoid function, final generation of gating coefficient vector ; EGF combines flow confusion scene characteristics, and a slight entropy regularization term is introduced into a total loss function: Wherein the method comprises the steps of Representing the loss of the basis of the correlation, For the purpose of entropy regularization of the weights, To gate the number of dimensions of the variable, Represent the first Gating probability of individual features.
- 10. The automatic VPN encrypted traffic load characteristic identification method according to claim 1, characterized by reducing the feature dimension to 128 through the 1st fully connected layer to compress the feature space, then using the GELU activation function to improve the model's ability to fit complex boundaries, introducing a Dropout regularization mechanism in the training stage that randomly discards neurons at a rate of 50%, and finally mapping the 128-dimensional intermediate features to the final classification space through the 2nd fully connected layer, realizing high-precision classification of 4 classes of V2Ray encrypted proxy traffic and 1 class of non-proxy traffic.
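The four preprocessing steps of claims 2 and 3, as an added Python example that is not part of the patent text. It assumes N = 4 and L = 40 (so that (N × L) × L matches the [B,1,160,40] input of claim 8), byte values scaled by 1/255, clipping to [0, 1] after noise, a square erased block, and a hypothetical packet tuple (src, sport, dst, dport, proto, payload); the sample packets are constructed.

```python
import math
import random
from collections import defaultdict

N_PKTS, L = 4, 40  # assumption: N*L = 160 rows and L = 40 columns, per claim 8's shape

def session_key(src, sport, dst, dport, proto):
    """Direction-independent five-tuple, so both directions fall into one session."""
    a, b = sorted([(src, sport), (dst, dport)])
    return (a, b, proto)

def split_and_clean(packets):
    """Steps 1-2: group packets into bidirectional sessions, drop empty payloads."""
    sessions = defaultdict(list)
    for src, sport, dst, dport, proto, payload in packets:
        if payload:  # cleaning: packets without payload carry no load features
            sessions[session_key(src, sport, dst, dport, proto)].append(payload)
    return dict(sessions)

def gray_map(payloads, n=N_PKTS, l=L):
    """Step 3: first l*l bytes of the first n packets -> (n*l) x l matrix in [0, 1]."""
    rows = []
    for i in range(n):
        data = payloads[i][: l * l] if i < len(payloads) else b""
        data = data.ljust(l * l, b"\x00")  # zero-fill short or missing packets
        for r in range(l):
            rows.append([byte / 255.0 for byte in data[r * l:(r + 1) * l]])
    return rows

def augment(img, rng, sigma=0.05, p_erase=0.2, erase_frac=0.04):
    """Step 4: add N(0, sigma^2) noise, then zero one block with probability p_erase."""
    h, w = len(img), len(img[0])
    # Assumption: values are clipped back to [0, 1]; the page does not specify this.
    out = [[min(1.0, max(0.0, v + rng.gauss(0.0, sigma))) for v in row] for row in img]
    if rng.random() < p_erase:
        side = round(math.sqrt(erase_frac * h * w))  # 16 x 16 block for a 160 x 40 map
        bh, bw = min(h, side), min(w, side)
        top, left = rng.randrange(h - bh + 1), rng.randrange(w - bw + 1)
        for y in range(top, top + bh):
            out[y][left:left + bw] = [0.0] * bw
    return out

# Constructed sample: one TCP session seen in both directions, plus an empty ACK.
SAMPLE = [
    ("10.0.0.2", 50000, "203.0.113.7", 443, "tcp", b"\xff" * 2000),
    ("203.0.113.7", 443, "10.0.0.2", 50000, "tcp", b"\xff" * 100),
    ("10.0.0.2", 50000, "203.0.113.7", 443, "tcp", b""),
]

if __name__ == "__main__":
    (payloads,) = split_and_clean(SAMPLE).values()
    img = augment(gray_map(payloads), random.Random(7))
    print(len(img), "x", len(img[0]))
```

Augmentation belongs only in the training loader; evaluation and live classification should use the unmodified output of `gray_map`.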
Description
VPN encrypted traffic load characteristic automatic identification method
Technical Field
The invention belongs to the technical field of encrypted traffic identification, and particularly relates to a method for identifying and classifying disguised variant traffic of V2Ray-type encrypted proxy protocols. The automatic VPN encrypted traffic load characteristic identification method is a general encrypted traffic analysis and identification technique: with the payload content of the traffic invisible, a constructed model automatically learns the differences between traffic in statistical characteristics, time-sequence characteristics, behavior patterns and the like, thereby identifying and classifying VPN encrypted communication types. The method is suitable for a variety of encrypted proxy communication scenarios, with the emphasis on identifying VPN encrypted traffic by extracting the relevant traffic load characteristics. On this basis, the V2Ray-type encrypted proxy protocol disguised variant traffic identification and classification method is a targeted implementation for a specific application scenario. Through protocol disguise, transport-layer obfuscation and various variant mechanisms, V2Ray-type encrypted proxy protocols make their traffic highly similar in surface features to conventional VPN or normal encrypted communication traffic. In view of these characteristics, the invention takes the automatic VPN encrypted traffic load characteristic identification method as its technical basis, further incorporates the communication behavior characteristics of V2Ray protocol disguised traffic, and optimizes the specific module design of the identification model accordingly, thereby realizing fine-grained identification and classification of V2Ray protocols and their disguised variant traffic.
Background
The novel domestic mainstream V2Ray-type encrypted proxy protocols protect users' personal privacy but also provide a covert channel for online criminal activity, and accurately identifying such traffic has become a new research hotspot in cyberspace governance. To evade supervision, these protocols generally adopt traffic variant techniques, which make their camouflage stronger and make them difficult for existing methods to detect effectively.
A network proxy (Choi J, Abuhamad M, Abusnaina A, et al. Understanding the proxy ecosystem: A comparative analysis of residential and open proxies on the internet[J]. IEEE Access, 2020, 8: 111368-111380) is a network service that forwards user requests through an intermediate server to achieve identity concealment and secure transmission of data. In recent years, modular encrypted proxy frameworks represented by V2Ray have continued to evolve, integrating various encrypted proxy protocols such as Shadowsocks, vmess, vless and trojan. Such encrypted proxy software offers strong anonymity and cross-platform support, is often used to break through regional restrictions and evade various blocking strategies, and has become a main means of bypassing network censorship; more seriously, its traffic camouflage is exploited to spread malware, disseminate illegal information and commit cybercrime.
V2Ray-type encrypted proxy traffic differs significantly from traditional VPN protocols (e.g., IPSec VPN, SSL VPN) in protocol design and traffic characteristics. Although conventional VPN protocols adopt encryption represented by TLS/SSL, a plaintext interaction stage such as the handshake and certificate exchange (Ruan L, Li W, Li H. A novel method for encrypted traffic classification using handshake metadata. Computer Networks, 2021, 187: 107828. DOI: 10.1016/j.comnet.2021.107828) is still retained during connection establishment, so the traffic characteristics are relatively obvious and the detection means are mature. In contrast, domestic mainstream V2Ray-type encrypted proxy traffic generally adopts a private protocol stack and a pre-shared key mechanism, eliminates the plaintext handshake, and introduces traffic obfuscation techniques such as random padding and protocol disguise, so that its characteristic differences from traditional encrypted traffic are weakened and its concealment is markedly enhanced. In this context, accurate identification of such traffic has become an important challenge in the field of cyberspace security.
Early encrypted proxy traffic identification methods often relied on extracting traffic payload features to identify encrypted proxy traffic. For example, Xue D et al. (Xue D, Kallitsis M, Houmansadr A, Ensafi R. Fin