A Malicious TLS Traffic Detection Method with Multimodal Features

Abstract

Abstract: The malicious TLS traffic detection aims to identify network traffic that involves malicious activities transmitted through the TLS protocol. Due to the encryption properties of the TLS protocol, traditional textbased traffic analysis methods have limited effectiveness when dealing with encrypted traffic. To address this issue, a malicious TLS traffic detection method called MultiModal Feature Fusion for TLS Traffic Detection (MTBRL) has been proposed. This method extracts and fuses features from different modalities to detect malicious TLS traffic. Firstly, expert knowledge is employed for feature engineering, extracting key features from encrypted traffic, including protocol versions, encryption suites, and certificate information. These features are processed and transformed into twodimensional image representations. Then, ResNet is utilized to encode these images and extract their features. Simultaneously, an encrypted traffic pretrained BERT model is used to encode TLS flows, allowing the learning of contextual and semantic features of the TLS traffic. Additionally, an LSTM model is employed to encode the sequence of packet length distributions of the encrypted traffic, capturing temporal characteristics. Finally, through feature fusion techniques, the different modality features are integrated, and the model’s weight parameters are automatically learned and optimized using the backpropagation algorithm to accurately predict malicious TLS traffic. Experimental results demonstrate that this method achieves accuracy, precision, recall, and F1score of 94.94%, 94.85%, 94.15%, and 94.45%, on the DataCon2020 dataset. This performance is significantly superior to traditional machine learning and deep learning methods.

Key words: encrypted traffic, network security, intrusion detection, multimodal, deep learning

摘要： 恶意TLS流量检测旨在识别出利用TLS协议传输恶意活动的网络流量，由于TLS协议的加密特性，传统的基于文本特征的流量分析方法在面对加密流量时效果有限.为了解决这个问题，提出了一种融合多模态特征的恶意TLS流量检测方法(MTBRL)，该方法从不同模态中提取和融合特征，实现对恶意TLS流量的检测.首先，通过专家经验进行特征工程，从加密流量中提取关键特征，包括协议版本、加密套件和证书信息等，对这些特征进行处理后将其转化为2维图像表示，再利用ResNet对这些图像进行编码，以提取图像的特征.其次，使用加密流量预训练的BERT对TLS流进行编码，从中学习到TLS流的上下文和语义特征.此外，使用LSTM对加密流量的包长度分布序列进行编码，以捕捉时序特征.最后通过特征融合技术整合不同模态特征，利用反向传播算法自动学习并优化模型的权重参数，以准确预测恶意TLS流量.实验结果表明，该方法在DataCon2020数据集上准确率、精确率、召回率和F1值分别达到94.94%,94.85%,94.15%和94.45%，显著优于传统机器学习和深度学习方法.

关键词: 加密流量, 网络安全, 入侵检测, 多模态, 深度学习

CLC Number:

TP393

曾庆鹏, 贺述明, 柴江力, . 融合多模态特征的恶意TLS流量检测方法[J]. 信息安全研究, 2025, 11(2): 130-.

References

［1］Google. HTTPS encryption on the WebGoogle transparency report［EBIL］. ［20240422］. https:transparencyreport.google.comhttpsoverview?hl=en［2］Sean G. Nearly half of malware now use TLS to conceal communications［NOL］. SOPHOS NEWS, (20210421) ［20240801］. https:news.so phos.comenus20210421nearlyhalfofmalwarenowusetlstoconcealcommunications［3］elebi M, zbilen A, Yavanolu U. A comprehensive survey on deep packet inspection for advanced network traffic analysis: Issues and challenges［J］. Nide mer Halisdemir niversitesi Mühendislik Bilimleri Dergisi, 2023, 12(1): 129［4］骆子铭, 许书彬, 刘晓东. 基于机器学习的TLS恶意加密流量检测方案［J］. 网络与信息安全学报, 2020, 6(1): 7783［5］Dai R, Gao C, Lang B, et al. SSL malicious traffic detection based on multiview features［C］ Proc of the 9th Int Conf on Communication and Network Security. New York: ACM, 2019: 4046［6］Liu J Y, Zeng Y Z, Shi J Y, et al. MalDetect: A structure of encrypted malware traffic detection［J］. Comput Mater Continua, 2019, 60(1): 721739［7］Fu Z, Liu M, Qin Y, et al. Encrypted malware traffic detection via graphbased network analysis［C］ Proc of the 25th Int Symp on Research in Attacks, Intrusions and Defenses. New York: ACM, 2022: 495509［8］Lin X, Xiong G, Gou G, et al. ETBERT: A contextualized datagram representation with pretraining transformers for encrypted traffic classification［C］ Proc of the ACM Web Conf 2022. New York: ACM, 2022: 633642［9］Kipf T N, Welling M. Semisupervised classification with graph convolutional networks［J］. arXiv preprint, arXiv:1609.02907, 2016［10］Shi Z,Luktarhan N, Song Y, et al. BFCN: A novel classification method of encrypted traffic based on BERT and CNN［J］. Electronics, 2023, 12(3): 516532［11］Devlin J, Chang M W, Lee K, et al. Bert: Pretraining of deep bidirectional transformers for language understanding［J］. arXiv preprint, arXiv:1810.04805, 2018［12］Achiam J, Adler S, Agarwal S, et al. GPT4 technical report［J］. arXiv preprint, arXiv:2303.08774, 2023［13］杨宏宇, 马建辉, 侯旻, 等. 基于多模态对比学习的代码表征增强预训练方法［J］. 软件学报, 2024, 35(4): 16011617［14］Gu J, Wang Z, Kuen J, et al. Recent advances in convolutional neural networks［J］. Pattern Recognition, 2018, 77(12): 354377［15］Abdul Raheem M, Oladipo I D, Imoize A L, et al. Machine learning assisted snort and zeek in detecting DDoS attacks in softwaredefined networking［J］. International Journal of Information Technology, 2024, 16(3): 16271643［16］Guo J, Sang Y, Chang P, et al. MGEL: A robust malware encrypted traffic detection method based on ensemble learning with multigrained features［C］ Proc of Int Conf on Computational Science. Berlin: Springer, 2021: 195208［17］Shah S R, Qadri S, Bibi H, et al. Comparing inception V3, VGG 16, VGG 19, CNN, and ResNet 50: A case study on early detection of a rice disease［J］. Agronomy, 2023, 13(6): 16331646［18］Sumayli A. Development of advanced machine learning models for optimization of methyl ester biofuel production from papaya oil: Gaussian process regression (GPR), multilayer perceptron (MLP), and Knearest neighbor (KNN) regression models［J］. Arabian Journal of Chemistry, 2023, 16(7): 104833104846［19］Shiri F M, Perumal T, Mustapha N, et al. A comprehensive overview and comparative analysis on deep learning models: CNN, RNN, LSTM, GRU［J］. arXiv preprint, arXiv:2305.17473, 2023［20］DataCon社区. DataCon开放数据集DataCon2020加密恶意流量数据集方向开放数据集［DBOL］. ［20211111］. https:datacon.qianxin.comopendataopenpage?resources Id=6

[1]	. Privacypreserving Federated Learning Research Based on #br# Confused Modulo Projection Homomorphic Encryption#br# [J]. Journal of Information Security Reserach, 2025, 11(3): 198-.
[2]	. Design of Adversarial Attack Scheme Based on YOLOv8 Object Detector [J]. Journal of Information Security Reserach, 2025, 11(3): 221-.
[3]	. Fake Face Detection Method Based on ConvNeXt [J]. Journal of Information Security Reserach, 2025, 11(3): 231-.
[4]	. An Intrusion Detection Method for Internet of Things by Fusing #br# Spatiotemporal Features#br# [J]. Journal of Information Security Reserach, 2025, 11(3): 241-.
[5]	. Research on Deep Learningbased Spatiotemporal Feature Fusion Network Intrusion Detection Model [J]. Journal of Information Security Reserach, 2025, 11(2): 122-.
[6]	. Research on Multimodal Cyberbullying Detection Model for #br# Social Networking Platforms#br# [J]. Journal of Information Security Reserach, 2025, 11(2): 154-.
[7]	. [J]. Journal of Information Security Reserach, 2025, 11(2): 173-.
[8]	. Research of Invisible Backdoor Attack Based on Interpretability [J]. Journal of Information Security Reserach, 2025, 11(1): 21-.
[9]	. Container Anomaly Detection Based on Attention Mechanism and Multiscale Convolutional Neural Network [J]. Journal of Information Security Reserach, 2025, 11(1): 35-.
[10]	. Encrypted Traffic Detection Technology for Multisession Coordinated #br# Attack Based on Deep Learning#br# [J]. Journal of Information Security Reserach, 2025, 11(1): 66-.
[11]	. Network Traffic Measurement Based on Multilayer Sketch in SDN [J]. Journal of Information Security Reserach, 2024, 10(9): 840-.
[12]	. Image Processing Model Watermarking Method Based on #br# Attention Mechanism and Passport Layer Embedding#br# [J]. Journal of Information Security Reserach, 2024, 10(9): 849-.
[13]	. Research on Risk Analysis of Opensource Software Supply Chain Security [J]. Journal of Information Security Reserach, 2024, 10(9): 862-.
[14]	. A Review of GPU Acceleration Technology for Deep Learning in Plaintext and Private Computing Environments [J]. Journal of Information Security Reserach, 2024, 10(7): 586-.
[15]	. Model of Intrusion Detection Based on Federated Learning and Convolutional Neural Network [J]. Journal of Information Security Reserach, 2024, 10(7): 642-.