Classification of botnet families based on features self-learning under Network Traffic Censorship

Network encryption traffic security censorship is an indispensable part of Internet security. The accuracy and speed of the censorship is a very important requirement. In the actual censorship environment, there is much unknown protocol traffic so that the existing method of artificial designing features cannot satisfy the classification of unknown protocols. CNN can automatically learn features and use them to construct the classification algorithm of the model. CNN has strict requirements on input and we divide the original traffic to numbers of sessions which have a size as large as 400 bytes for each. We do some experiments to get this result, 400-byte size and get a series of inspiring results. We get 64 feature maps automatically learned by CNN, which verify our thoughts on feature self-learning. The classification results meet the requirements of network traffic censorship. This is the first time that CNN has been used to classify botnet encrypted and unencrypted traffic, and the focus of research is on features self-learning. This has implications for the future research of artificial intelligence methods on botnet and provides a reference.