The growing use of encryption poses a major challenge to malicious traffic detection, because traditional detection techniques cannot work on encrypted traffic without first decrypting it. Current research on detecting encrypted malicious traffic without decryption has focused on feature extraction and on the choice of machine learning or deep learning algorithms. In this paper, we first provide an in-depth analysis of traffic features and compare state-of-the-art approaches to traffic feature creation, and we propose a novel encrypted-traffic feature concept designed specifically for encrypted malicious traffic analysis. We then propose a framework for encrypted malicious traffic detection: a two-layer design that combines a deep learning model with traditional machine learning algorithms. In comparative experiments, it outperforms classical deep learning and traditional machine learning baselines such as ResNet and Random Forest. To provide sufficient training data for the deep learning model, we also curate a composite dataset built entirely from public datasets; the composite dataset is more comprehensive than any of the public datasets used alone. Finally, we discuss future directions for this research.
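The abstract's central premise is that useful features can be derived from encrypted traffic without decrypting it, since the TLS handshake and record framing are sent in the clear. The following is an added illustration, not code or the feature set from the paper: it builds a constructed TLS 1.2 ClientHello (the sample bytes are synthetic, not taken from any dataset) and extracts handshake metadata such as the offered cipher suites, extension types and SNI, which are the kind of plaintext-visible attributes that encrypted-traffic classifiers commonly consume. The function names and the returned feature dictionary are assumptions chosen here for illustration.

```python
import struct


def build_client_hello(sni: str, cipher_suites: list) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI extension.

    Constructed sample for illustration only; not captured traffic.
    """
    client_random = bytes(range(32))          # fixed bytes, fine for a sample
    session_id = b""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    compression = b"\x00"
    host = sni.encode("ascii")
    # server_name extension: list length, name type (0 = host_name), name length, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + client_random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract plaintext handshake metadata from a TLS ClientHello record.

    Nothing is decrypted: every field read here is sent in the clear.
    Raises ValueError on input that is not a well-formed ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    version = (body[pos], body[pos + 1]); pos += 2
    pos += 32                                  # client random, skipped
    sid_len = body[pos]; pos += 1 + sid_len    # session id, skipped
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len  # compression methods, skipped
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len

    sni = None
    ext_types = []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        ext_types.append(etype)
        if etype == 0 and len(edata) >= 5:     # server_name: take the first host_name
            name_len = struct.unpack("!H", edata[3:5])[0]
            sni = edata[5:5 + name_len].decode("ascii", "replace")

    # A flat feature record of the sort a flow-level classifier would ingest.
    return {
        "record_length": rec_len,
        "client_version": version,
        "cipher_suites": suites,
        "num_cipher_suites": len(suites),
        "extension_types": ext_types,
        "sni": sni,
    }


if __name__ == "__main__":
    sample = build_client_hello("example.com", [0x1301, 0xC02F])
    print(parse_client_hello(sample))
```

The point of the example is where the information comes from: cipher-suite ordering, extension layout, SNI and record sizes are all visible before any application data is encrypted, so a detector can build a feature vector from them without touching key material. Note that encrypted ClientHello and ESNI remove the SNI field from this set, so a feature pipeline should treat `sni` as optional, as the parser does here.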