面向后渗透攻击行为的网络恶意流量检测研究OA北大核心CSTPCD

Existing post-exploitation behavior studies mainly focus on the host side of the attack and defense countermeasures,and lack pattern analysis and detection methods for the traffic side.With the rapid development and widespread use of post-exploitation attack frameworks and tools,it is difficult for malicious traffic detection models based on statistical features or raw traffic input to cope with the malicious traffic of post-exploitation attack behaviors in complex and variable scenarios,with weak generalization capabilities,low detection accuracies,and high false alarm rates.By deeply analyzing the post-exploitation attack malicious traffic samples and normal network traffic session flow,this study proposes a session flow-level granularity classification method for post-exploitation attack malicious traffic,mining the interaction behavior and semantic representation of post-exploitation attack malicious traffic on a time scale,and modeling the global behavior of the session flow by introducing a Markov model-based time vector feature extraction method to characterize the behavioral similarity of the flow sequence.The problem of insufficient learning capability of single granularity features is addressed,and a malicious traffic detection framework based on multi-granularity feature fusion for post-exploitation attacks is constructed.The experimental results demonstrate that the method has higher classification accuracies and lower false alarm rates,which achieves accuracy of 99.98％in post-exploitation attack malicious traffic detection.