Multimedia Information Security

An Encrypted Traffic Identification Method Based on DPI and Load Randomness

1. School of Electronics and Information, Jiangsu University of Science and Technology, Zhenjiang 212003, Jiangsu Province, China;
2. School of Computer and Software, Nanjing University of Information Science & Technology, Nanjing 210044, China

Received date: 2019-07-27

Revised date: 2019-07-29

Online published: 2019-10-18

Funding

Supported by the National Natural Science Foundation of China (No. 61702235, No. 61472188, No. 61602247, No. U1636117) and the Natural Science Foundation of Jiangsu Province (No. BK20150472, No. BK20160840)

Abstract

With the development of encryption technology and the continual emergence of private protocols, the identification of encrypted traffic has become an important research direction in information security. Building on existing encrypted traffic identification techniques, this paper proposes an encrypted traffic identification method based on deep packet inspection (DPI) and payload (load) randomness. The method has three parts: first, DPI is used to rapidly screen and identify network traffic; second, for traffic that DPI cannot identify, the information entropy of the payload and the error of a Monte Carlo estimate of π are computed; finally, these values are fed to a C4.5 decision tree classifier for classification. The proposed method not only overcomes the inability of DPI to fully identify encrypted data and private protocols in the protocol interaction phase, but also resolves the misclassification between encrypted traffic and unencrypted compressed traffic that arises when information entropy is used alone. Experiments show that the proposed method identifies encrypted traffic considerably better than existing models, and also verify its robustness.

How to cite this article

Sun Zhongjun (孙中军), Zhai Jiangtao (翟江涛), Dai Yuewei (戴跃伟). An Encrypted Traffic Identification Method Based on DPI and Load Randomness[J]. Journal of Applied Sciences (应用科学学报), 2019, 37(5): 711-720. DOI: 10.3969/j.issn.0255-8297.2019.05.012

