基于流谱理论的SSL/TLS协议攻击检测方法

doi:10.11959/j.issn.2096-109x.2022004

Chinese Journal of Network and Information Security ›› 2022, Vol. 8 ›› Issue (1): 30-40.doi: 10.11959/j.issn.2096-109x.2022004

• Topic: Security Awareness and Detection Method • Previous Articles Next Articles

Detection of SSL/TLS protocol attacks based on flow spectrum theory

Shize GUO¹^,²^,³, Fan ZHANG¹^,²^,³^,⁴, Zhuoxue SONG¹^,²^,³^,⁴, Ziming ZHAO¹^,²^,³, Xinjie ZHAO¹^,²^,³, Xiaojuan WANG⁶, Xiangyang LUO⁷

¹ College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China
² School of Cyber Science and Technology, Zhejiang University, Hangzhou 310027, China
³ College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China
⁴ Zhejiang Key Laboratory of Blockchain and Cyberspace Governance, Hangzhou 310027, China
⁵ Engineering Laboratory of Mobile Security of Zhejiang Province, Hangzhou 310027, Chine
⁶ School of Electronic Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China
⁷ Information Engineering University, Key Laboratory of Cyberspace Situation Awareness of Henan Province, Zhengzhou 450001, China

Revised:2022-02-08 Online:2022-02-15 Published:2022-02-01
Supported by:
The National Key R＆D Program of China(2020AAA0107700);TheNational Natural Science Foundation of China(62072398);TheNational Natural Science Foundation of China(U1804263);TheNational Natural Science Foundation of China(62172435);National Key Laboratory of Science and Technology on Information System Securitya;Zhejiang Key R＆D Program(2021C01116);Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang(2018R01005);Research Institute of Cyberspace Governance in Zhejiang University;Zhongyuan Science and Technology Innovation Leading Talent Project(214200510019)

Abstract

Abstract:

Network attack detection plays a vital role in network security.Existing detection approaches focus on typical attack behaviors, such as Botnets and SQL injection.The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol.With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks, as well as benign flows was controlled.Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains, a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of “potential change” and obtain the “potential variation spectrum”.The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows.The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator.Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase, and there are similarities between some SSL/TLS attacks, the detection of SSL/TLS attacks not only needs to consider timing context information, but also needs to consider the high-separation representation of TLS network flows.Based on the flow spectrum theory, the threat template idea was used to extract the potential basis matrix, and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space.On the self-built SSL/TLS attack network flow data set, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation base matrix heatmap visualization.

Key words: SSL/TLS attacks, network traffic detection, flow spectrum theory, long short-term memory

CLC Number:

TP393

Shize GUO, Fan ZHANG, Zhuoxue SONG, Ziming ZHAO, Xinjie ZHAO, Xiaojuan WANG, Xiangyang LUO. Detection of SSL/TLS protocol attacks based on flow spectrum theory[J]. Chinese Journal of Network and Information Security, 2022, 8(1): 30-40.

Figures/Tables 12

References 23

[1]	GURUBARAN S . Cisco encrypted traffic analytics white paper[EB].
[2]	SHEFFER Y , HOLZ R , SAINT-ANDRE P , . Summarizing known attacks on transport layer security (TLS) and datagram TLS (DTLS)[J]. Internet Engineering Task Force Request for Comments,2015, 7457.
[3]	MCPHERSON J , MA K L , KRYSTOSK P ,et al. Portvis:a tool for port-based detection of security events[C]// Proceedings of the 2004 ACM workshop on Visualization and Data Mining for Computer Security. 2004: 73-81.
[4]	FINSTERBUSCH M , RICHTER C , ROCHA E ,et al. A survey of payload-based traffic classification approaches[J]. IEEE Communications Surveys ＆ Tutorials, 2013,16(2): 1135-1156.
[5]	CAO Z , XIONG G , ZHAO Y ,et al. A survey on encrypted traffic classification[C]// International Conference on Applications and Techniques in Information Security. 2014: 73-81.
[6]	FREIER A , KARLTON P , KOCHER P . The secure sockets layer (SSL) protocol version 3.0[R]. RFC 6101, 2011.
[7]	RESCORLA E , DIERKS T . The transport layer security (TLS) protocol version 1.3[J]. 2018.
[8]	M?LLER B , DUONG T , KOTOWICZ K . This POODLE bites:exploiting the SSL 3.0 fallback[J]. Security Advisory, 2014,21: 34-58.
[9]	GLUCK Y , HARRIS N , PRADO A . BREACH:reviving the CRIME attack[J]. Unpublished manuscript, 2013.
[10]	VANHOEF M , PIESSENS F . All your biases belong to us:Breaking RC4 in WPA-TKIP and TLS[C]// 24th USENIX Security Symposium {USENIX} Security. 2015: 97-112.
[11]	KORCZY?SKI M , DUDA A . Markov chain fingerprinting to classify encrypted traffic[C]// IEEE INFOCOM 2014-IEEE Conference on Computer Communications. 2014: 781-789.
[12]	SHEN M , WEI M , ZHU L ,et al. Classification of encrypted traffic with second-order markov chains and application attribute bigrams[J]. IEEE Transactions on Information Forensics and Security, 2017,12(8): 1830-1843.
[13]	LIU C , HE L , XIONG G ,et al. Fs-net:a flow sequence network for encrypted traffic classification[C]// IEEE INFOCOM 2019-IEEE Conference on Computer Communications. 2019: 1171-1179.
[14]	RADFORD B J , APOLONIO L M , Trias A J ,et al. Network traffic anomaly detection using recurrent neural networks[J]. arXiv pre print arXiv:1803.10769, 2018.
[15]	MIRSKY Y , DOITSHMAN T , ELOVICI Y ,et al. Kitsune:an ensemble of autoencoders for online network intrusion detection[J]. arXiv preprint arXiv:1802.09089, 2018.
[16]	FU C , LI Q , SHEN M ,et al. Realtime robust malicious traffic detection via frequency domain analysis[C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 2021: 3431-3446.
[17]	HOCHREITER S , SCHMIDHUBER J . Long short-term memory[J]. Neural Computation, 1997,9(8): 1735-1780.
[18]	SNELL J , SWERSKY K , ZEMEL R . Prototypical networks for few-shot learning[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017: 4080-4090.
[19]	VAN DER MAATEN L , HINTON G . Visualizing data using t-SNE[J]. Journal of Machine Learning Research, 2008,9(11).
[20]	HOLMES A , KELLOGG M . Automating functional tests using selenium[C]// AGILE 2006 (AGILE'06). 2006.
[21]	MERINO B . Instant traffic analysis with Tshark how-to[M]. Packt Publishing Ltd, 2013.
[22]	PASZKE A , GROSS S , MASSA F ,et al. Pytorch:an imperative style,high-performance deep learning library[J]. Advances in neural Information Processing Systems, 2019,32: 8026-8037.
[23]	PEDREGOSA F , VAROQUAUX G , GRAMFORT A ,et al. Scikit-learn:machine learning in Python[J]. The Journal of Machine Learning Research, 2011,12: 2825-2830.

Metrics

Recommended 0

No Suggested Reading articles found!

网络流类型	采集样本数
POODLE攻击	10 738
BREACH攻击	10 726
RC4NOMORE攻击	11 083
THC-SSL-DoS攻击	10 049
正常网络流	25 797

SSL/TLS协议报文	协议字段
ClientHello
ServerHello	内容类型
Certificate
ServerHelloDone	长度
ClientKeyExchange
HandshakeMessage	版本
ApplicationData
ClientHello
ServerHello
Certificate	握手类型
ServerHelloDone
ClientKeyExchange
ClientHello	密码套件长度
ServerHello	压缩类型
Certificate	证书长度
	证书个数

指标参数	参数含义
TP（true positive）	被正确预测为正例的样本数
TN（true negative）	被正确预测为负例的样本数
FP（false positive）	被错误预测为正例的样本数
FN（false negative）	被错误预测为负例的样本数

网络流类型	原始LSTM				本文方法
网络流类型	准确率	精确率	召回率	F1值	准确率	精确率	召回率	F1值
POODLE	87.45%	85.22%	87.45%	86.32%	97.65%	97.32%	97.65%	97.48%
BREACH	89.98%	85.68%	89.98%	87.78%	97.11%	96.72%	97.11%	96.91%
RC4NOMORE	86.44%	90.84%	86.44%	88.59%	92.74%	98.58%	92.74%	95.57%
THC-SSL-DoS	92.23%	88.35%	92.23%	90.25%	98.74%	97.56%	98.54%	98.15%
正常网络流	92.24%	96.78%	92.24%	94.46%	99.25%	99.30%	99.25%	99.27%
总体	90.19%	91.02%	90.19%	90.56%	97.72%	98.37%	97.72%	98.03%

Detection of SSL/TLS protocol attacks based on flow spectrum theory

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 23

Related Articles 3

Metrics

Recommended 0

[1]	Yang SUN,Chunjie CAO,Junxiao LAI,Tianjiao YU. AntiGPS spoofing method for UAV based on LSTM-KF model [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 80-88.
[2]	Wei HUANG,Cuncai LIU,Sibo QI. LSTM network traffic prediction and link congestion warning scheme for single port and single link [J]. Chinese Journal of Network and Information Security, 2019, 5(6): 50-57.
[3]	Xiaobin ZHANG, Fucai CHEN, Ruiyang HUANG. Relation extraction based on CNN and Bi-LSTM [J]. Chinese Journal of Network and Information Security, 2018, 4(9): 44-51.