A Malicious TLS Traffic Detection Method with Multi-modal Features
Malicious TLS traffic detection aims to identify network traffic that carries malicious activity over the TLS protocol. Because TLS encrypts the payload, traditional text-based traffic analysis methods have limited effectiveness on encrypted traffic. To address this issue, a malicious TLS traffic detection method called Multi-Modal Feature Fusion for TLS Traffic Detection (MTBRL) has been proposed. This method extracts and fuses features from different modalities to detect malicious TLS traffic. First, expert knowledge is employed for feature engineering, extracting key features from encrypted traffic, including protocol versions, cipher suites, and certificate information. These features are processed and transformed into two-dimensional image representations. Then, ResNet is used to encode these images and extract their features. Simultaneously, a BERT model pre-trained on encrypted traffic is used to encode TLS flows, allowing it to learn contextual and semantic features of the TLS traffic. Additionally, an LSTM model is employed to encode the sequence of packet length distributions of the encrypted traffic, capturing temporal characteristics. Finally, feature fusion techniques integrate the features from the different modalities, and the model's weight parameters are automatically learned and optimized using the backpropagation algorithm to accurately predict malicious TLS traffic. Experimental results demonstrate that this method achieves accuracy, precision, recall, and F1-score of 94.94%, 94.85%, 94.15%, and 94.45%, respectively, on the DataCon2020 dataset. This performance is significantly superior to traditional machine learning and deep learning methods.