Detection of malicious encrypted network traffic based on temporal and spatial principal component analysis
Meng Nan1，Zhou Chengsheng1，Zhao Xun 1，Wang Bin 2，Jiang Qiaomu 2
(1.Institute of Security, The China Academy of Information and Communications Technology, Beijing 100191, China; 2.Guangzhou Intelligence Communication Technology Co., Ltd., Guangzhou 510639, China)
Abstract： Monitoring and warning of malicious encrypted network traffic is essential for the reliability of critical information infrastructure, which is also an effective method against cyberattacks, such as Distributed Denial of Service (DDoS) attacks. In this paper, malicious encrypted network traffic is monitored and traced by constructing the temporal and spatial network traffic variation model with the Principal Component Analysis (PCA) technique. From a temporal perspective, the PCA technique is operated on historical network traffic monitoring information to construct the Squared Prediction Error (SPE) between temporal model prediction and the measurement of network traffic. The moment that malicious encrypted network traffic behavior occurs can be declared as instantaneous SPE exceeds the predefined threshold. From a spatial perspective, the PCA technique is operated on historical network traffic monitoring information of various countries and regions. The source region of malicious encrypted network traffic can be traced by evaluating the SPE between the spatial model prediction and the measurement of network traffic of each country or region. Finally, a practical algorithm for malicious encrypted network traffic behavior detection is designed. The capacity improvement of the proposed algorithm comparing with existing algorithms is analyzed.
Key words : temporal and spatial principal component analysis; monitoring of malicious encrypted network traffic; trace; squared prediction error