面向密码协议在线安全性的监测方法

doi:10.11959/j.issn.1000-436x.2016293

摘要/Abstract

摘要：

为解决现有方法无法在线监测协议逻辑进行的低交互型攻击的问题，提出一种密码协议在线监测方法CPOMA。首先构建面向密码协议的特征项本体框架，以统一描述不同类型的特征项，并基于该框架首次利用模糊子空间聚类方法进行特征加权，建立个体化的密码协议特征库；在此基础上给出自学习的密码协议识别与会话实例重构方法，进而在线监测协议异常会话。实验结果表明，CPOMA不仅能够较好地识别已知协议、学习未知协议、重构会话，而且能够有效在线监测协议异常会话，提高密码协议在线运行的安全性。

关键词: 密码协议识别, 会话重构, 在线安全性, 本体, 子空间聚类

Abstract:

Previous methods can not detect the low-interaction attacks of protocol logic.A cryptographic protocol online monitoring approach named CPOMA was presented.An ontology framework of cryptographic protocol features was constructed for the unified description of cryptographic protocol features with different types.Based on the framework,a feature weighting method was proposed by fuzzy subspace clustering first,and the individualized feature database of cryptographic protocols was built.On this basis,a self-learning method was presented for protocol identification and session rebuilding,and then abnormal protocol sessions were detected online.Experimental results show that CPOMA can identify protocols,rebuild sessions,detect abnormal sessions efficiently,and can improve the online security of cryptographic protocols.

Key words: cryptographic protocol identification, session rebuilding, online security, ontology, subspace clustering

朱玉娜,韩继红,袁霖,范钰丹,陈韩托,谷文. 面向密码协议在线安全性的监测方法[J]. 通信学报, 2016, 37(6): 75-85.

Yu-na ZHU,Ji-hong HAN,Lin YUAN,Yu-dan FAN,Han-tuo CHEN,Wen GU. Monitoring approach for online security of cryptographic protocol[J]. Journal on Communications, 2016, 37(6): 75-85.

图/表 10

图1

图2

图3

图4

表1

图5

图6

图7

表2

图8

参考文献 24

[1]	BERNAILLE L , TEIXEIRA R . Early recognition of encrypted applications[C]// The 8th International Conference on Passive and Active Network Measurement. Belgium, 2007: 165-175.
[2]	HAFFNER P , SEN S , SPATSCHECKO ,et al. ACAS:automated construction of application signatures[C]// ACM SIGCOMM Workshop on Mining Network Data. Philadelphia,PA,USA, 2005: 197-202.
[3]	MOORE A , ZUEV D , CROGAN M . Discriminators for use in flow-based classification:technical report,RR-05-13[R]. UK:Quecn Mayr University of London, 2005.
[4]	BERNAILLE L , TEIXEIRA R , SALAMATIAN K . Early application identification[C]// ACM CoNEXT,Lisboa,Portugal, 2006.
[5]	ZHANG J , XIANG Y , WANG Y ,et al. Network traffic classification using correlation information[J]. IEEE Transactions on Parallel ＆Distributed Systems, 2013,24(1): 104-117.
[6]	BARALIS E M , MELLIA M , GRIMAUDO L . Self-learning classifier for internet traffic[J]. IEEE INFOCOM,Turin,Italy, 2013,11(2): 423-428.
[7]	DIVAKARAN D M , SU L , LIAU Y S ,et al. SLIC:self-learning intelligent classifier for network traffic[J]. Computer Networks, 2015,91: 283-297.
[8]	XIE G W , ILIOFOTOU M , KERALAPURA R ,et al. SubFlow:Towards practical flow-level traffic classification[C]// IEEE INFOCOM. Orlando,Florida,USA, 2012: 2541-2545.
[9]	ACETO G , DAINOTTI A , DONATO W ,et al. PortLoad:taking the best of two worlds in traffic classification[C]// IEEE INFOCOM. San Diego, 2010: 1-5.
[10]	DONATO WD , PESCAPè A , DAINOTTI A . TIE:a community-oriented traffic classification platform[C]// International Workshop on Traffic Monitoring and Analysis(TMA),Springer Berlin Heidelberg. 2009.
[11]	LEE S , KIM H-C , BARMAN D ,et al. NeTraMark:a network traffic classification benchmark[C]// ACM SIGCOMM. Toronto,ON,Canada, 2011.
[12]	张众, 杨建华, 谢高岗 . 高效可扩展的应用层流量识别架构[J]. 通信学报, 2008,29(12): 22-31. ZHANG Z , YANG J H , XIE G G . Efficient and extensible architecture of traffic identification at application layer[J]. Journal on Communications, 2008,29(12): 22-31.
[13]	BEDDOE M . The Protocol information project[EB/OL]. .
[14]	CUI W D , KANNAN J , WANG H J . Discoverer:automatic protocol reverse engineering from network traces[C]// The 16th USENIX Security Symposium on USENIX Security Symposium. Berkeley:USENIX, 2007: 199-212.
[15]	朱玉娜, 韩继红, 袁霖 ,等. SPFPA:一种面向未知密码协议的格式解析方法[J]. 计算机研究与发展, 2015,52(10): 2200-2211. ZHU Y N , HAN J H , YUAN L ,et al. SPFPA:a format parsing approach for unknown security protocols[J]. Journal of Computer Research and Development, 2015,52(10): 2200-2211.
[16]	JOGLEKAR S P , TATE S R . Protomon:embedded monitors for cryptographic protocol intrusion detection and prevention[C]// International Conference on Information Technology:Coding and Computing,2004.ITCC 2004. IEEE, 2004,1: 81-88.
[17]	LECKIE T , YASINSAC A . Metadata for anomaly-based security protocol attack deduction[J]. IEEE Transactions on Knowledge and Data Engineering, 2004,16(9): 1157-1168.
[18]	FADLULLAH Z M , TALEB T , ANSARI N ,et al. Combating against attacks on encrypted protocols[C]// In Communications,IEEE International Conference on ICC'07. 2007: 1211-1216.
[19]	FADLULLAH Z M , TALE B T , VASIAKOS A V ,et al. DTRAB:combating against attacks on encrypted protocols through traffic-feature analysis[J]. IEEE/ACM Transactions on Networking (TON), 2010,18(4): 1234-1247.
[20]	YASINSAC A . An environment for security protocol intrusion detection[J]. Journal of Computer Security, 2002,10(1/2): 177-188.
[21]	MAEDCHE A . Ontology learning for the semantic Web[M]. Boston: Kluwer Academic PublishersPress, 2002.
[22]	GAN G , WU J . A convergence theorem for the fuzzy subspace clustering (FSC)algorithm[J]. Pattern Recognition, 2008,41(6): 1939-1947.
[23]	朱玉娜, 韩继红, 袁霖 ,等. 基于主体行为的多方密码协议会话识别方法[J]. 通信学报, 2015,11(36): 190-200. ZHU Y N , HAN J H , YUAN L ,et al. Towards session identification using principal behavior for multi-party secure protocol[J]. Journal on Communications, 2015,11(36): 190-200.
[24]	KHAKPOUR A R , LIU A X . High-speed flow nature identification[C]// International Conference on Distributed Computing Systems. Montreal,Canada, 2009: 510-517.

协议	流数量	数据来源
SSL	2 950	WAN
SSH	270 548	InfoVisContest
NS	2 000	LAN
Skype	2 000	Tstat
http	2 000	WAN
FTP	2 000	WAN

测试集	流量	识别比例	自学习结果
1	SSL、SSH、NS	95.43%	较好识别SSL、SSH、NS协议
2	SSL、SSH、NS、Http、FTP	57.2%	Http、FTP判定为非密码协议
3	SSL、SSH、NS、Skype、加密数据传输	56.4%	Skype判定为未知密码协议，加密数据传输判定为非密码协议
4	SSL、SSH、NS、Http、FTP、Skype	63.9%	Skype协议识别率为97.2%