网络与信息安全学报 (Chinese Journal of Network and Information Security), 2020, Vol. 6, Issue 1: 77-83. doi: 10.11959/j.issn.2096-109x.2020008

• Academic Papers •

Machine-learning-based detection scheme for malicious TLS-encrypted traffic

Ziming LUO1,2, Shubin XU1, Xiaodong LIU1

  1 The 54th Research Institute of China Electronics Technology Group Corporation, Shijiazhuang 050081, Hebei, China
  2 Shijiazhuang Communication Observation and Control Technology Institute, Shijiazhuang 050081, Hebei, China
  • Revised: 2020-01-21  Online: 2020-02-15  Published: 2020-03-23
  • About the authors: LUO Ziming (1993- ), female, from Shijiazhuang, Hebei, is a master's student at Shijiazhuang Communication Observation and Control Technology Institute; her main research interest is network security. XU Shubin (1981- ), male, from Shijiazhuang, Hebei, is a research fellow at the 54th Research Institute of China Electronics Technology Group Corporation; his main research interest is network security. LIU Xiaodong (1983- ), male, from Cangzhou, Hebei, is a senior engineer at the 54th Research Institute of China Electronics Technology Group Corporation; his main research interest is network security.
  • Funding:
    The National Key R&D Program of China (2016YFB0800302); Foundation of Science and Technology on Information Assurance Laboratory (614211203020717)

Scheme for identifying malware traffic with TLS data based on machine learning

Ziming LUO1,2,Shubin XU1,Xiaodong LIU1   

  1 The 54th Research Institute of China Electronics Technology Group Corporation, Shijiazhuang 050081, China
  2 Shijiazhuang Communication Observation and Control Technology Institute, Shijiazhuang 050081, China
  • Revised:2020-01-21 Online:2020-02-15 Published:2020-03-23
  • Supported by:
    The National Key R&D Program of China(2016YFB0800302);Foundation of Science and Technology on Information Assurance Laboratory(614211203020717)

Abstract (translated from the Chinese):

The characteristics of the transport layer security (TLS) protocol and the methods used to identify its traffic are introduced first. A distributed, automated framework for detecting malicious encrypted traffic based on machine learning is then presented. The features of malicious encrypted traffic are analysed from three aspects: TLS features, metadata features and contextual flow features. Finally, the performance of several common machine-learning algorithms is compared experimentally, achieving efficient detection of malicious encrypted traffic.

Keywords: transport layer security, malicious encrypted traffic, machine learning

Abstract:

Based on an analysis of the characteristics of the transport layer security (TLS) protocol, a distributed, automated system for detecting malicious traffic with machine learning was designed. Features of encrypted malware traffic were extracted from TLS data, observable metadata and contextual flow data. Support vector machine, random forest and extreme gradient boosting were compared as classifiers for mainstream malicious encrypted traffic; the comparison achieved efficient detection of malicious encrypted traffic and verified the validity of the detection system.

Key words: transport layer security, encrypted malware traffic, machine learning
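As an added illustration of the feature-extraction step the abstract describes (this is not code from the paper, whose exact feature set is not given on this page), the following Python parses a TLS ClientHello record, pulls out the handshake-level features a detector can see without decrypting anything (offered cipher suites, extension types, SNI, ALPN), and joins them with observable flow metadata (bytes, packets, duration) into one row of the kind a support vector machine, random forest or extreme gradient boosting model would be trained on. The ClientHello bytes and the flow counters are constructed inside the block, and the list of legacy cipher suites counted as "weak" and the feature names are this example's own assumptions.

```python
"""Feature extraction for TLS-encrypted traffic (illustrative example, not the paper's code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_GROUPS = 0x000A
EXT_ALPN = 0x0010
# Assumed list of legacy suites whose presence becomes a count feature
# (NULL-MD5, RC4-MD5, 3DES-SHA). The paper's actual feature set is not on this page.
WEAK_SUITES = {0x0001, 0x0004, 0x000A}


@dataclass
class ClientHelloFeatures:
    version: int
    cipher_suites: List[int]
    extensions: List[int]       # extension type codes in the order offered
    sni: Optional[str]
    alpn: List[str]


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record: bytes) -> ClientHelloFeatures:
    """Parse one TLS record carrying a ClientHello; reject other records and truncated data."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or len(hs) != _u16(record, 3) or hs[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello body")
    version = _u16(body, 0)
    off = 2 + 32                                  # skip legacy_version and random
    off += 1 + body[off]                          # session_id
    cs_len = _u16(body, off)
    off += 2
    suites = [_u16(body, off + i) for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                          # compression_methods
    ext_types, sni, alpn = [], None, []
    if off + 2 <= len(body):
        end = off + 2 + _u16(body, off)
        off += 2
        while off + 4 <= end:
            etype, elen = _u16(body, off), _u16(body, off + 2)
            data = body[off + 4:off + 4 + elen]
            off += 4 + elen
            ext_types.append(etype)
            if etype == EXT_SERVER_NAME and len(data) >= 5:
                # server_name_list: u16 list_len, u8 name_type, u16 name_len, name
                sni = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
            elif etype == EXT_ALPN and len(data) >= 2:
                p = 2                              # skip u16 protocol_name_list length
                while p < len(data):
                    n = data[p]
                    alpn.append(data[p + 1:p + 1 + n].decode("ascii", "replace"))
                    p += 1 + n
    return ClientHelloFeatures(version, suites, ext_types, sni, alpn)


def is_client_hello(record: bytes) -> bool:
    """Filter helper: True only if the record parses as a ClientHello."""
    try:
        parse_client_hello(record)
        return True
    except (ValueError, IndexError, struct.error):
        return False


def feature_vector(ch: ClientHelloFeatures, flow: dict) -> dict:
    """One classifier row: TLS handshake features joined with observable flow metadata."""
    return {
        "tls_version": ch.version,
        "n_cipher_suites": len(ch.cipher_suites),
        "n_weak_suites": sum(s in WEAK_SUITES for s in ch.cipher_suites),
        "n_extensions": len(ch.extensions),
        "has_sni": int(ch.sni is not None),
        "has_alpn": int(bool(ch.alpn)),
        "bytes_out": flow["bytes_out"],
        "bytes_in": flow["bytes_in"],
        "pkts_out": flow["pkts_out"],
        "pkts_in": flow["pkts_in"],
        "duration_s": flow["duration_s"],
        "in_out_ratio": flow["bytes_in"] / max(flow["bytes_out"], 1),
    }


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(suites, sni=None, alpn=()):
    """Build a minimal TLS 1.2 ClientHello record as constructed test input (not captured traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    groups = struct.pack("!HHH", 0x001D, 0x0017, 0x0018)  # x25519, P-256, P-384
    exts += _ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(groups)) + groups)
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        exts += _ext(EXT_ALPN, struct.pack("!H", len(protos)) + protos)
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


# Constructed samples: a browser-like hello with SNI and ALPN, and a sparse one offering legacy suites.
BROWSER_HELLO = build_client_hello([0x1301, 0x1302, 0xC02B, 0xC02F], sni="example.com", alpn=("h2", "http/1.1"))
SPARSE_HELLO = build_client_hello([0x0004, 0x000A, 0x002F])
BROWSER_FLOW = {"bytes_out": 1843, "bytes_in": 25310, "pkts_out": 14, "pkts_in": 22, "duration_s": 1.7}
SPARSE_FLOW = {"bytes_out": 620, "bytes_in": 410, "pkts_out": 6, "pkts_in": 5, "duration_s": 0.3}

if __name__ == "__main__":
    for hello, flow in ((BROWSER_HELLO, BROWSER_FLOW), (SPARSE_HELLO, SPARSE_FLOW)):
        print(feature_vector(parse_client_hello(hello), flow))
```

The parser checks every declared length against the bytes actually present before indexing, because a detector that sits inline on untrusted traffic must not crash on a truncated or hostile record; `is_client_hello` turns those failures into a simple filter. The resulting rows are plain dictionaries so they can be fed to whichever classifier is being compared without changing the extraction code.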
