中图分类号：TP393.08
文献标识码：A
DOI:10.19358/j.issn.2097-1788.2023.10.006
引用格式：孟楠，周成胜，赵勋，等.基于时空主成分分析的恶意加密流量检测技术［J］.网络安全与数据治理，2023，42（10）：33-39.

Detection of malicious encrypted network traffic based on temporal and spatial principal component analysis

Abstract： Monitoring and warning of malicious encrypted network traffic is essential for the reliability of critical information infrastructure, which is also an effective method against cyberattacks, such as Distributed Denial of Service (DDoS) attacks. In this paper, malicious encrypted network traffic is monitored and traced by constructing the temporal and spatial network traffic variation model with the Principal Component Analysis (PCA) technique. From a temporal perspective, the PCA technique is operated on historical network traffic monitoring information to construct the Squared Prediction Error (SPE) between temporal model prediction and the measurement of network traffic. The moment that malicious encrypted network traffic behavior occurs can be declared as instantaneous SPE exceeds the predefined threshold. From a spatial perspective, the PCA technique is operated on historical network traffic monitoring information of various countries and regions. The source region of malicious encrypted network traffic can be traced by evaluating the SPE between the spatial model prediction and the measurement of network traffic of each country or region. Finally, a practical algorithm for malicious encrypted network traffic behavior detection is designed. The capacity improvement of the proposed algorithm comparing with existing algorithms is analyzed.

Key words : temporal and spatial principal component analysis; monitoring of malicious encrypted network traffic; trace; squared prediction error