Chinese Journal of Network and Information Security, 2022, Vol. 8, Issue (1): 30-40. doi: 10.11959/j.issn.2096-109x.2022004

• Column: Security Awareness and Detection Methods •

Detection of SSL/TLS protocol attacks based on flow spectrum theory

Shize GUO (郭世泽)1,2,3, Fan ZHANG (张帆)1,2,3,4, Zhuoxue SONG (宋卓学)1,2,3,4, Ziming ZHAO (赵子鸣)1,2,3, Xinjie ZHAO (赵新杰)1,2,3, Xiaojuan WANG (王小娟)6, Xiangyang LUO (罗向阳)7

  1 College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, Zhejiang, China
  2 School of Cyber Science and Technology, Zhejiang University, Hangzhou 310027, Zhejiang, China
  3 College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, Zhejiang, China
  4 Zhejiang Key Laboratory of Blockchain and Cyberspace Governance, Hangzhou 310027, Zhejiang, China
  5 Engineering Laboratory of Mobile Security of Zhejiang Province, Hangzhou 310027, Zhejiang, China
  6 School of Electronic Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China
  7 Key Laboratory of Cyberspace Situation Awareness of Henan Province, Information Engineering University, Zhengzhou 450001, Henan, China
  • Revised: 2022-02-08; Online: 2022-02-15; Published: 2022-02-01
  • About the authors:
    Shize GUO (1969- ), male, from Shijiazhuang, Hebei; professor at Zhejiang University; main research interest: cyberspace security.
    Fan ZHANG (1978- ), male, from Hangzhou, Zhejiang; professor and doctoral supervisor at Zhejiang University; main research interests: network security, hardware security and system security.
    Zhuoxue SONG (1998- ), male, from Quzhou, Zhejiang; master's student at Zhejiang University; main research interest: cyberspace security.
    Ziming ZHAO (1998- ), male, from Xingtai, Hebei; doctoral student at Zhejiang University; main research interest: cyberspace security.
    Xinjie ZHAO (1986- ), male, from Kaifeng, Henan; senior engineer at Zhejiang University; main research interest: network and information security.
    Xiaojuan WANG (1985- ), female, from Baoding, Hebei; associate professor at Beijing University of Posts and Telecommunications; main research interest: computer network security.
    Xiangyang LUO (1978- ), male, from Zhongxiang, Hubei; professor and doctoral supervisor at Information Engineering University; main research interest: network and information security.
  • Funding:
    National Key R&D Program of China (2020AAA0107700); National Natural Science Foundation of China (62072398); National Natural Science Foundation of China (U1804263); National Natural Science Foundation of China (62172435); Foundation of the National Key Laboratory of Science and Technology on Information System Security; Zhejiang Key R&D Program (2021C01116); Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (2018R01005); International Cyberspace Governance Research Base; Zhongyuan Science and Technology Innovation Leading Talent Project (214200510019)

Detection of SSL/TLS protocol attacks based on flow spectrum theory

Shize GUO1,2,3, Fan ZHANG1,2,3,4, Zhuoxue SONG1,2,3,4, Ziming ZHAO1,2,3, Xinjie ZHAO1,2,3, Xiaojuan WANG6, Xiangyang LUO7   

  1 College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China
  2 School of Cyber Science and Technology, Zhejiang University, Hangzhou 310027, China
  3 College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China
  4 Zhejiang Key Laboratory of Blockchain and Cyberspace Governance, Hangzhou 310027, China
  5 Engineering Laboratory of Mobile Security of Zhejiang Province, Hangzhou 310027, China
  6 School of Electronic Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China
  7 Key Laboratory of Cyberspace Situation Awareness of Henan Province, Information Engineering University, Zhengzhou 450001, China
  • Revised: 2022-02-08; Online: 2022-02-15; Published: 2022-02-01
  • Supported by:
    The National Key R&D Program of China (2020AAA0107700); The National Natural Science Foundation of China (62072398); The National Natural Science Foundation of China (U1804263); The National Natural Science Foundation of China (62172435); National Key Laboratory of Science and Technology on Information System Security; Zhejiang Key R&D Program (2021C01116); Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang (2018R01005); Research Institute of Cyberspace Governance in Zhejiang University; Zhongyuan Science and Technology Innovation Leading Talent Project (214200510019)

Abstract (translated from the Chinese):

Network attack detection plays an important role in network security. Its targets have mainly been attack behaviours such as botnets and SQL injection. With the widespread use of the Secure Sockets Layer / Transport Layer Security (SSL/TLS) encryption protocols, attacks launched against the SSL/TLS protocol itself are increasing; a network flow collection environment was therefore built and a dataset containing the network flows of four SSL/TLS attacks together with benign flows was constructed. To address the limited observability of current attack-flow detection and the limited separability of network flows in their original spatiotemporal domain, flow spectrum theory is proposed: threat behaviours in cyberspace are mapped from the original spatiotemporal domain into a transform domain through a "potential change" process and materialised as a "potential variation spectrum", forming a separable and observable set of feature representations that enables efficient analysis of network flows. The key to applying flow spectrum theory to real cyberspace threat detection is, for a given transformation operator, to find the potential basis matrix for a specific threat flow. Because the SSL/TLS handshake has strong temporal ordering and a state-transition process, and some SSL/TLS attacks resemble one another, detecting SSL/TLS attacks requires both temporal context information and a highly separable representation of SSL/TLS flows. Based on flow spectrum theory, the threat-template idea is used to extract the potential basis matrix, and a potential-basis mapping built on long short-term memory (LSTM) units maps SSL/TLS attack flows into the flow-spectrum domain. On the self-built SSL/TLS attack flow dataset, the effectiveness of flow spectrum theory is verified through classification-performance comparison, dimensionality-reduction visualisation of the potential variation spectrum, threat-behaviour feature-weight evaluation, threat-behaviour spectrum-family partition evaluation, and heat-map visualisation of the potential basis matrix.

Keywords: SSL/TLS attacks, network flow detection, flow spectrum theory, long short-term memory

Abstract:

Network attack detection plays a vital role in network security. Existing detection approaches focus on typical attack behaviors, such as botnets and SQL injection. The widespread use of the SSL/TLS encryption protocol has given rise to emerging attacks against the SSL/TLS protocol itself. Using a network traffic collection environment built around implementations of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks as well as benign flows was constructed. Considering the limited observability of existing detection and the limited separability of flows in the original spatiotemporal domain, a flow spectrum theory was proposed to map threat behavior in cyberspace from the original spatiotemporal domain to a transformed domain through the process of "potential change", obtaining a "potential variation spectrum". The flow spectrum theory is based on a set of separable and observable feature representations that enable efficient analysis of network flows. The key to applying flow spectrum theory to actual cyberspace threat detection is to find the potential basis matrix for a specific threat network flow under a given transformation operator. Since the SSL/TLS handshake has a strong timing relationship and state-transition process, and some SSL/TLS attacks resemble one another, the detection of SSL/TLS attacks must consider not only timing context information but also a high-separation representation of TLS network flows. Based on the flow spectrum theory, the threat-template idea was used to extract the potential basis matrix, and a potential basis mapping based on long short-term memory units was used to map SSL/TLS attack network flows into the flow spectrum domain. On the self-built SSL/TLS attack network flow dataset, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality-reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation basis matrix heatmap visualization.

Key words: SSL/TLS attacks, network traffic detection, flow spectrum theory, long short-term memory
