Implementation of Malicious Encrypted Traffic Identification System Based on Transport Layer Behavior Characteristics

Kai Cheng, Tao Liu, Luming Li, Rixuan Qiu, Zhan Wu, Qiang Wang, Liang Liang, Mu Ren, Chaonan Qin

2023 International Conference on Computer Simulation and Modeling, Information Security (CSMIS) (2023)

Abstract
The identification of Malicious Encrypted Traffic (MET) is an important issue in the field of network security. This study proposes a new MET recognition system based on transport layer behavior characteristics, which is implemented through two steps: feature extraction and classifier construction. In the feature extraction stage, the system uses IP (Intelligent Property), TCP (Transmission Control Protocol), and SSL (Secure Socket Layer) protocols to extract information and construct feature sequences; in the classifier construction stage, the system uses the KNN (K-Nearest Neighbor) algorithm to classify the data after feature extraction. To test system performance, researchers constructed four sample sets, including normal encrypted traffic, SSH malicious encrypted traffic, HTTP (Hyper Text Transfer Protocol) malicious encrypted traffic, and TCP flood attack malicious encrypted traffic, to train and test classifiers. The experimental results show that the system has the highest accuracy in classifying normal encrypted traffic, reaching 0.967. It also demonstrates the ability to classify SSH malicious encrypted traffic, HTTP malicious encrypted traffic, and TCP flood attack malicious encrypted traffic. This system is of great significance in the field of network security, especially in the field of enterprise network security monitoring, data breach prevention, and other fields.
Key words
Hollow Convolution, Transport Layer Behavior Characteristics, Network Security, MET Identification System