Encrypted network behaviors identification based on dynamic time warping and k-nearest neighbor

Zhu Hejun, Zhu Liehuang*

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

11 Citations (Scopus)

Abstract

To address the problem of encrypted traffic identification, a method for identifying encrypted network behaviors based on dynamic time warping (DTW) and k-nearest neighbor (KNN) was proposed. Taking encrypted Twitter traffic as the research example, a large number of encrypted Twitter network behaviors were analyzed in depth, the features representing the encrypted network behaviors were extracted, and a module database of specific encrypted network behaviors based on DTW and KNN was established. The DTW distances between the collected data set and the module database were calculated and normalized, and the encrypted network behaviors were then classified by comparison with a preset empirical threshold. The DTW algorithm also takes the distance information into account and, at the same time, effectively eliminates the influence of TCP retransmission and duplicate ACK packets. To overcome noise interference from similar data traffic beyond the distance information, the similar filtered data packets were classified as true or false behavior by the KNN algorithm, so that the encrypted network behaviors were identified automatically and in real time. Compared with using only the correlation coefficient method or only the DTW method, the online correct recognition rate with DTW and KNN was greatly increased, reaching about 93%, while the missed detection rate was almost the same as that of the traditional methods. Experiments and actual project applications showed that the proposed method was effective.

Original language: English
Pages (from-to): 2571-2580
Number of pages: 10
Journal: Cluster Computing
Volume: 22
DOI
Publication status: Published - 1 Mar 2019
