一种基于DPI和负载随机性的加密流量识别方法

doi:10.3969/j.issn.0255-8297.2019.05.012

应用科学学报 ›› 2019, Vol. 37 ›› Issue (5): 711-720.doi: 10.3969/j.issn.0255-8297.2019.05.012

一种基于DPI和负载随机性的加密流量识别方法

孙中军¹, 翟江涛¹, 戴跃伟²

1. 江苏科技大学电子信息学院, 江苏镇江 212003;
2. 南京信息工程大学计算机与软件学院, 南京 210044

收稿日期:2019-07-27 修回日期:2019-07-29 出版日期:2019-09-30 发布日期:2019-10-18
通信作者: 翟江涛,副教授,研究方向:多媒体与信息安全,E-mail:jiangtaozhai@gmail.com E-mail:jiangtaozhai@gmail.com
基金资助:
国家自然科学基金（No.61702235，No.61472188，No.61602247，No.U1636117）；江苏省自然科学基金（No.BK20150472，No.BK20160840）资助

An Encrypted Traffic Identification Method Based on DPI and Load Randomness

SUN Zhongjun¹, ZHAI Jiangtao¹, DAI Yuewei²

1. School of Electronics and Information, Jiangsu University of Science and Technology, Zhenjiang 212003, Jiangsu Province, China;
2. School of Computer and Software, Nanjing University of Information Science & Technology, Nanjing 210044, China

Received:2019-07-27 Revised:2019-07-29 Online:2019-09-30 Published:2019-10-18

摘要/Abstract

摘要： 随着加密技术的发展和私有协议的不断出现，加密流量的识别已经成为信息安全领域的重要研究方向.该文在现有加密流量识别技术研究基础上提出一种基于深度包检测技术（deep packet inspection，DPI）和负载随机性的加密流量识别方法，该方法主要分为三部分：首先用DPI技术对网络流量快速筛选识别；其次对DPI无法识别流量的有效负载计算信息熵值和蒙特卡罗仿真估计π值的误差；最后输入C4.5决策树分类器进行分类评估.所提方法不仅可克服了DPI无法完全识别协议交互阶段的加密数据和私有协议的缺陷，同时解决了用信息熵识别加密流量和非加密压缩流量误判的问题.实验表明，所提方法较现有的识别模型对加密流量的识别效果有较大提高，同时验证了所提方法的鲁棒性.

关键词: 加密流量, 深度包检测技术, 信息熵, 蒙特卡罗仿真, C4.5决策树

Abstract: With the development of encryption technologies and the emergence of private protocols, the identification of encrypted traffic has become an important research area in the field of information security. Based on the research of existing encrypted traffic identification technologies, an encrypted traffic identification algorithm based on DPI (deep packet inspection) and load randomness is proposed in this paper. The proposed algorithm mainly contains three steps. First, the DPI is used to filter and identify network traffic rapidly. Second, for those payload which could not be recognized by the DPI, their information entropies are calculated and the error of π-value is computed by Monte Carlo simulation. Finally, the C4.5 decision tree classifier is input for classification evaluation. The method can not only overcome the limitation that DPI can't fully identify the encrypted traffic and private protocol in the protocol interaction phase, but also solve the mis-distinguish of encrypted traffic and compressed file traffic as employing information entropy independently. Experimental results show that the proposed method is much more effective on encrypted traffic than the existing methods. At the same time, the method is proved to have good robustness.

Key words: encrypted traffic, deep packet inspection(DPI), information entropy, Monte Carlo simulation, C4.5 decision tree

中图分类号:

TP393

孙中军, 翟江涛, 戴跃伟. 一种基于DPI和负载随机性的加密流量识别方法[J]. 应用科学学报, 2019, 37(5): 711-720.

SUN Zhongjun, ZHAI Jiangtao, DAI Yuewei. An Encrypted Traffic Identification Method Based on DPI and Load Randomness[J]. Journal of Applied Sciences, 2019, 37(5): 711-720.

参考文献

[1] Zhang Y, Pan X M, Liu Q Z, et al. APT attacks and defenses[J]. Journal of Tsinghua University, 2017, 57(11):1127-1133.
[2] 陈继磊,祁云嵩. 基于深度学习的入侵检测算法[J]. 江苏科技大学学报(自然科学版). 2017, 31(6):795-800. Chen J L, Qi Y S. Intrusion detection method based on deep learning[J]. Journal of Jiangsu University of Science & Technology, 2017, 31(6):795-800. (in Chinese)
[3] 潘吴斌,程光,郭晓军,等. 网络加密流量识别研究综述及展望[J]. 通信学报, 2016, 37(9):154-167. Pan W B, Cheng G, Guo X J, et al. Review and perspective on encrypted traffic identification research[J]. Journal on Communications, 2016, 37(9):154-167. (in Chinese)
[4] Moore A W, Papagiannaki K. Toward the accurate identification of network applications[C]//International Conference on Passive and Active Network Measurement, 2005:41-54.
[5] Pektas A, Acarman T. Identification of application in encrypted traffic by using Machine learning[C]//International Conference on Man-Machine interactions. Springer, 2017:545-554.
[6] Zhao B, Guo H, Liu Q R, et al. Protocol independent identification of encrypted traffic based on weighted cumulative sum test[J]. Journal of Software, 2013, 24(6):1334-1345.
[7] Shen M, Wei M W, Zhu L H, et al. Classification of encrypted traffic with second-order Markov chains and application attribute bigrams[J]. IEEE Tranlations on Information Forensics and Security, 2017, 12(8):1830-1843.
[8] 陈利,张利,班晓芳,等. 基于信息熵的加密会话检测方法[J]. 计算机科学, 2015, 42(2):142-174. Chen L, Zhang L, Ban X F, et al. Encrypted session detection approach based on information entropy[J]. Computer Science, 2015, 42(2):142-174. (in Chinese)
[9] Afek Y, Bremler-Barr A, Harchol Y, et al. Making DPI engines resilient to algorithmic complexity attacks[J]. IEEE ACM Transactions on Networking, 2016, 24(6):3262-3275.
[10] Huang J W. Development and design of traffic identification system based on DPI[J]. Electronic Design Engineering, 2017, 25(11):14-18.
[11] Bujlow T, Carela-español V, Barlet-Ros P. Independent comparison of popular DPI tools for traffic classification[J]. Computer Networks, 2015, 76:75-89.
[12] 刘畅. 面向特定网络流的深度报文检测技术研究[D]. 哈尔滨:哈尔滨工程大学,2017.
[13] 张玉冲,王松杰,李样. 基于信息熵的数据流加密判断算法[J]. 计算机与数字工程, 2014, 42(4):555-558. Zhang Y C, Wang S J, Li Y. Detection of encrypted data-flow based on entropy[J]. Computer & Digital Engineering, 2014, 42(4):555-558. (in Chinese)
[14] Cheng G, Chnen Y X. Identification method of encrypted traffic based on support vector machine[J]. Journal of Southeast University, 2017, 47(4):655-659.
[15] Nithya R A, Sujatha R. Decision tree classification for traffic congestion detection using data mining[J]. International Journal of Engineering & Techniques, 2018, 4(2):166-173.
[16] 刘从军,郭昌言,陈刚. 基于决策SVM的入侵检测技术研究[J]. 江苏科技大学学报(自然科学版), 2009, 23(5):434-437. Liu C J, Guo C Y, Chen G. Research on intrusion detection technology based on SVM-decision tree[J]. Journal of Jiangsu University of Science & Technology, 2009, 23(5):434-437. (in Chinese)
[17] Huang Y X, Li Y, Qiang B H. Internet traffic classification based on min-max ensemble feature selection[C]//International Joint Conference on Neural Networks, IEEE, 2016:3485-3492.

一种基于DPI和负载随机性的加密流量识别方法

An Encrypted Traffic Identification Method Based on DPI and Load Randomness

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 4

编辑推荐

Metrics

本文评价

[1]	陈金杰1,3，计同钟2，杨俊安1. 高误码条件下线性分组码的盲识别[J]. 应用科学学报, 2013, 31(5): 459-467.
[2]	陈凤腾;左洪福;倪现存. 基于广义更新过程的航空备件需求和应用[J]. 应用科学学报, 2007, 25(5): 526-526 .
[3]	李雄伟, 刘建业, 康国华. 熵的地形信息分析在高程匹配中的应用[J]. 应用科学学报, 2006, 24(6): 608-612.
[4]	张海军, 左洪福, 梁剑. 航空发动机多指标模糊信息熵的性能排序研究[J]. 应用科学学报, 2006, 24(3): 288-292.