Multi-Granularity Representation Learning for Encrypted Malicious Traffic Detection

In the field of encrypted malicious traffic detection, the current detection methods arc insufficient. In the method based on statistical features, feature extraction relies on expert experience, and the features arc independent of each other; while the method based on original input has problems of incomplete information, random fields, and single granularity, and cannot learn the semantics of traffic interaction behavior well. In order to overcome the shortcomings of existing methods, this paper proposes an encrypted malicious traffic detection method MGREL (Multi-Granularity REpresentation Learning). This method divides the encrypted session into two granularities, field-level and packet-level. In field-level granularity, local behavior modeling is performed based on word vectors, handshake messages arc extracted and key fields are selected to relieve the problem of incomplete information, the byte values of fields are represented as word vectors, and message types arc added at the same time. Use the handshake type as the location prefix to solve the problem of lack of location semantics. Multi-head Attention is used to calculate the interaction between fields, and then BiLSTM is used to obtain the message-level semantics. In the packet-level granularity, global behavior modeling is performed based on space and time, and packets are extracted. The spatiotemporal state information is obtained and the LSTM model is used to obtain stream-level semantics. The local behavior semantics and global behavior semantics obtained at two granularities are fused to obtain the representation of encrypted traffic, which solves the problem of insufficient representation capability of a single granularity. Finally, it is verified by comparative experiments that the proposed method MGREL performs the best in detecting encrypted malicious traffic. © 2023 Science Press. All rights reserved.