
Malicious encrypted channel detection method based on process behavior analysis

A behavior-analysis and channel-detection technology applied in the field of information security construction / network security. It addresses problems such as low detection accuracy, losses to enterprises or users, and the instability of timing attributes, and has the effect of improving accuracy and strengthening recognition ability.

Active Publication Date: 2022-03-04
SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN

AI Technical Summary

Problems solved by technology

However, current mainstream feature selection contains a large number of noise features that are not strongly related to the encryption behavior itself: ① side-channel features extract the time difference (interval) between successively arriving packets, but timing attributes are easily affected by the delay of the network communication environment and are therefore unstable; ② TLS handshake protocol parameters can be actively selected and modified by the peer, so they are not essential characteristics of malicious encrypted communication; ③ a large number of TLS sessions are carried by session reuse (resumption) without any certificate being transmitted, so the server-side digital certificate is not an essential feature of encrypted communication; ④ TCP/IP header data introduces too many protocol transmission details, which mainly serve the needs of a stable connection and are likewise not essential characteristics of encrypted communication.
Because of these noise features, a classifier trained on them cannot accurately capture the classification boundary of encrypted communication behavior patterns, which inevitably leads to a high misjudgment rate.
[0014] (2) Lack of multi-session association pattern analysis
Therefore, the present invention considers it necessary to apply multi-session correlation analysis to the sessions of the same process file in order to identify malicious correlations among them. However, current malicious encrypted channel detection methods mainly extract encrypted flow features from a single session to perform the detection task, and lack the mining and identification of inter-session correlation patterns, making it impossible to effectively identify hidden malicious correlations between sessions.
Because of the above problems, although current detection methods perform well on controlled experimental data in a laboratory environment, when applied to actual production scenarios they are often limited by how little malicious behavior a single session expresses; the resulting accuracy seriously restricts the applicability of practical malicious encrypted channel detection.
[0015] (3) Excessive reliance on supervised learning classifiers
With the popularity of encrypted communication represented by the TLS protocol (Transport Layer Security), attackers often use TLS to construct encrypted channels, so that DPI technology cannot analyze packet contents; this bypasses existing security defense mechanisms and enables confidential data theft, attacks on key systems and the like, causing huge losses to organizations, enterprises or users.


Examples


Embodiment 1

[0154] The main idea of the present invention is to start from the encrypted session traffic data of a network process and construct a hierarchical feature tree that expresses its encrypted communication behavior; the set of hierarchical feature trees of normal process files is then used as the benchmark for normal encrypted communication behavior, against which a malicious process file is identified as a malicious communication endpoint, associated with its malicious encrypted channel, and reported to the security administrator for investigation and judgment.

[0155] A malicious encrypted channel detection method based on process behavior analysis, comprising the following steps:

[0156] Step 1: Encrypted session traffic data collection and process classification;

[0157] Since current network attacks mainly use the TLS protocol to establish malicious encrypted channels, the present invention focuses on capturing and collecting encrypted session traffic based on the TLS protocol transm...

Embodiment 2

[0169] According to a method for detecting a malicious encrypted channel based on process behavior analysis described in Embodiment 1, the difference is that:

[0170] Encrypted traffic data collection specifically refers to: installing the Wireshark network packet analysis tool (https://www.wireshark.org/) on the target terminal (such as an internal network computer or server), capturing all TCP traffic, obtaining TLS traffic by extracting the TCP traffic whose destination port is 443, and saving it as a Host_TLS_Date.pcap file, where the Host field identifies the terminal (such as its host name or its unique IP address on the local network) and the Date field is the date on which the traffic file was collected, such as "2021-10-01". Note that port 443 is a convention rather than a guarantee: TLS carried on other ports is missed by this filter and non-TLS traffic to port 443 is included, so a dissector-based filter (for example Wireshark's tls display filter) is the more precise choice when available.

[0171] Encrypted traffic data preprocessing, specifically refers to:

[0172] Generally, the Host_Date.pcap file contains all the TLS protocol session traffic of the terminal Host on D...

Embodiment 3

[0185] According to a method for detecting a malicious encrypted channel based on process behavior analysis described in Embodiment 2, the difference is that:

[0186] Correlate the encrypted session traffic data Host_Date_Session.csv captured on the terminal with the process information present on the terminal at the same moment, specifically:

[0187] Run the netstat command (on Windows, netstat -ano lists each connection together with its owning PID) to obtain network connection information and associate each IP address and port number with a process PID; then run the tasklist command to obtain details of the current processes, trace back from the PID to the corresponding process file (PEF), and thereby establish the mapping between a process file, its communicating process and the corresponding session traffic.
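The following added example (not the patent's own code) implements the correlation described in Embodiments 2 and 3 on constructed inputs. It assumes that Host_Date_Session.csv carries the columns src_ip, src_port, dst_ip, dst_port and start, that the connection table is the text printed by Windows netstat -ano, and that the process table is tasklist /fo csv output; the column names, the three sample inputs and the "<unresolved>" label are this example's assumptions.

```python
"""Map each TLS session in Host_Date_Session.csv to the process file that owns it.

Added example; not the patent's code. Assumed input formats: a session CSV with
columns src_ip,src_port,dst_ip,dst_port,start, the text of `netstat -ano`, and
the CSV of `tasklist /fo csv`. All three inputs below are constructed samples.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample: three sessions extracted from Host_TLS_Date.pcap
SESSION_CSV = """src_ip,src_port,dst_ip,dst_port,start
10.0.0.5,52344,93.184.216.34,443,2021-10-01T08:00:01
10.0.0.5,52350,198.51.100.7,443,2021-10-01T08:00:03
10.0.0.5,52360,203.0.113.9,443,2021-10-01T08:00:09
"""

# Constructed sample of `netstat -ano` taken at the same moment
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:52344         93.184.216.34:443      ESTABLISHED     4120
  TCP    10.0.0.5:52350         198.51.100.7:443       ESTABLISHED     7788
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1532
"""

# Constructed sample of `tasklist /fo csv`
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"chrome.exe","4120","Console","1","184,224 K"
"svchost.exe","7788","Services","0","12,004 K"
'''

# Proto, local endpoint, remote endpoint, state, PID (TCP rows only)
_NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def _split_endpoint(ep):
    """'10.0.0.5:52344' -> ('10.0.0.5', 52344); '[::1]:443' -> ('::1', 443)."""
    host, port = ep.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Return {(local_ip, local_port, remote_ip, remote_port): pid} for TCP rows."""
    table = {}
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue  # headers, blank lines and UDP rows carry no TCP 4-tuple
        local, remote, _state, pid = m.groups()
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(remote)
        table[(lip, lport, rip, rport)] = int(pid)
    return table


def parse_tasklist(text):
    """Return {pid: image_name} from `tasklist /fo csv` output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def correlate(session_csv, netstat_text, tasklist_text):
    """Attach pid and process (image name) to every session row; None when unresolved."""
    conns = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    out = []
    for row in csv.DictReader(io.StringIO(session_csv)):
        key = (row["src_ip"], int(row["src_port"]), row["dst_ip"], int(row["dst_port"]))
        pid = conns.get(key)
        out.append({**row, "pid": pid, "process": procs.get(pid) if pid is not None else None})
    return out


def group_by_process(records):
    """Sessions grouped per process file: the per-PEF view multi-session analysis needs."""
    groups = defaultdict(list)
    for r in records:
        groups[r["process"] or "<unresolved>"].append(r)
    return dict(groups)


if __name__ == "__main__":
    for name, sessions in group_by_process(correlate(SESSION_CSV, NETSTAT_ANO, TASKLIST_CSV)).items():
        print(name, [(s["dst_ip"], s["pid"]) for s in sessions])
```

netstat is a point-in-time snapshot, so any session shorter than the polling interval (the third sample row above) stays unresolved; for durable attribution, record the PID at connect time from an event source such as Sysmon's network-connection event instead of polling.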


Abstract

The invention relates to a malicious encrypted channel detection method based on process behavior analysis. The method comprises the following steps. Step 1: acquire encrypted session traffic data and classify processes; this comprises encrypted traffic data acquisition, preprocessing and process classification. Step 2: construct a process-file encrypted communication behavior feature tree, a three-level feature tree consisting of the meta features of the encrypted session (the IP layer), the TCP segment payload length sequence features (the TCP layer) and the SSL message state transition features (the SSL record layer). Step 3: anomaly detection based on the feature tree; this comprises collecting normal encrypted communication behavior data, constructing a normal encrypted communication behavior benchmark, constructing the encrypted communication behavior model of the target PEF, calculating the dissimilarity between the feature trees, and performing threshold-based anomaly detection. By means of this anomaly detection method, the limitation of detecting malicious encrypted channels purely at the session level is overcome, and effective detection of malicious process files is achieved.
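The added example below (not the patent's code) shows one concrete way to realise Steps 2 and 3 of the abstract: a three-level tree per process file, a benchmark built from normal trees, a dissimilarity score and a threshold decision. The encoding of each layer (coarse payload-length buckets and their bigrams, TLS record-type transitions), the weighted L1 distance, the averaged benchmark tree and the mean + k·stdev threshold rule are this example's own assumptions, and every session it uses is constructed.

```python
"""Three-level feature tree (IP / TCP / SSL record layer) with threshold-based
anomaly detection, in the spirit of Steps 2 and 3 of the abstract.

Added example, not the patent's code. The bucketing of payload lengths, the
bigram encoding, the weighted L1 dissimilarity, the averaged benchmark tree and
the mean + k*stdev threshold rule are this example's own assumptions; all
session data below is constructed.
"""
from collections import Counter
from statistics import mean, pstdev

# TLS record-layer content types (RFC 5246 / RFC 8446)
CCS, ALERT, HANDSHAKE, APPDATA = 20, 21, 22, 23
LAYERS = ("ip", "tcp", "ssl")


def _bucket(n):
    """Coarse bucket for a TCP segment payload length in bytes."""
    for limit, name in ((1, "0"), (128, "<128"), (512, "<512"), (1460, "<1460")):
        if n < limit:
            return name
    return ">=1460"


def _normalize(counter):
    total = sum(counter.values()) or 1
    return {k: v / total for k, v in counter.items()}


def build_tree(sessions):
    """Feature tree of one process file (PEF) from its TLS sessions.

    Each session is a dict: dst_port (int), duration (seconds),
    payload_lens (list[int] of TCP payload sizes in order),
    records (list[int] of TLS content types in order).
    """
    ip, tcp, ssl = Counter(), Counter(), Counter()
    for s in sessions:
        # IP layer: session meta features (destination port, coarse duration class)
        ip[("port", s["dst_port"])] += 1
        ip[("dur", "short" if s["duration"] < 5 else "long")] += 1
        # TCP layer: bigrams over the bucketed payload-length sequence
        b = [_bucket(n) for n in s["payload_lens"]]
        tcp.update(zip(b, b[1:]))
        # SSL record layer: transitions between consecutive record content types
        ssl.update(zip(s["records"], s["records"][1:]))
    return {"ip": _normalize(ip), "tcp": _normalize(tcp), "ssl": _normalize(ssl)}


def dissimilarity(t1, t2, weights=(1.0, 1.0, 1.0)):
    """Weighted L1 distance between two trees, summed layer by layer."""
    total = 0.0
    for w, layer in zip(weights, LAYERS):
        keys = set(t1[layer]) | set(t2[layer])
        total += w * sum(abs(t1[layer].get(k, 0.0) - t2[layer].get(k, 0.0)) for k in keys)
    return total


def benchmark(normal_trees, k=3.0, min_threshold=0.25):
    """Benchmark tree = per-layer average of the normal trees; threshold from their spread.

    min_threshold stops a near-identical set of normal trees from flagging trivial drift.
    """
    bench = {}
    for layer in LAYERS:
        keys = set().union(*(t[layer] for t in normal_trees))
        bench[layer] = {key: mean(t[layer].get(key, 0.0) for t in normal_trees) for key in keys}
    d = [dissimilarity(t, bench) for t in normal_trees]
    return bench, max(mean(d) + k * pstdev(d), min_threshold)


def detect(target_sessions, normal_session_sets, k=3.0):
    """Return (score, threshold, is_anomalous) for the target PEF."""
    bench, threshold = benchmark([build_tree(s) for s in normal_session_sets], k)
    score = dissimilarity(build_tree(target_sessions), bench)
    return score, threshold, score > threshold


# ---- constructed sample data ----
def _browser_session(i):
    """Constructed browser-like fetch: full handshake, then bulky application data."""
    lens = [517, 0, 1460, 1460, 900 + 37 * (i % 3), 0, 126, 0, 1460, 1460, 1460, 300]
    recs = [HANDSHAKE] * 4 + [CCS, HANDSHAKE, CCS, HANDSHAKE] + [APPDATA] * 4
    return {"dst_port": 443, "duration": 2.0 + (i % 4), "payload_lens": lens, "records": recs}


def _beacon_session():
    """Constructed C2-like beacon: short session, fixed tiny application records."""
    return {"dst_port": 443, "duration": 0.5, "payload_lens": [200, 100, 0, 48, 48, 0, 48, 48],
            "records": [HANDSHAKE, HANDSHAKE, CCS, HANDSHAKE, APPDATA, APPDATA, ALERT]}


NORMAL_PEFS = {
    "browser_a.exe": [_browser_session(i) for i in range(0, 6)],
    "browser_b.exe": [_browser_session(i) for i in range(3, 10)],
    "updater.exe": [_browser_session(i) for i in range(1, 8)],
}
HELD_OUT_NORMAL = [_browser_session(i) for i in range(2, 9)]
BEACON_PEF = [_beacon_session() for _ in range(20)]

if __name__ == "__main__":
    for name, sessions in (("beacon.exe", BEACON_PEF), ("held-out normal", HELD_OUT_NORMAL)):
        score, thr, flag = detect(sessions, list(NORMAL_PEFS.values()))
        print(f"{name}: dissimilarity={score:.3f} threshold={thr:.3f} anomalous={flag}")
```

The score is dominated here by the TCP and SSL layers, which is the point of the design: the beacon's fixed-size, short-lived sessions produce length bigrams and record transitions that a browser never does, while a held-out normal process differs from the benchmark only in its duration mix and stays under the threshold. In practice the benchmark must be rebuilt per terminal or per software baseline, since the threshold is only meaningful relative to the normal set it was derived from.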

Description

Technical field

[0001] The invention relates to a malicious encrypted channel detection method based on process behavior analysis, and belongs to the technical field of information security construction / network security.

Background technique

[0002] With the rapid development of network technology, the Internet has been widely used in fields such as military affairs, the economy, education and daily life. However, while the Internet brings many conveniences to our lives, it also brings security problems. The number and variety of computer viruses, worms and other malicious software are increasing rapidly, posing a great challenge to the safety of Internet users. To protect transmitted data, encrypted transmission has become a widely used method. Cisco's survey shows that from 2016 to 2017 alone encrypted traffic increased by more than 90%, and more than 50% of traffic is now encrypted. The use of encrypted transm...


Application Information

IPC(8): H04L9/40, H04L41/14
CPC: H04L63/1416, H04L63/1425, H04L63/1441, H04L41/145
Inventor 杨光付勇王继志赵大伟陈丽娟陈振娅杨美红吴晓明王英龙
Owner SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN