基于流感知的复杂网络应用识别模型

doi:10.11959/j.issn.1000-436x.2015070

摘要/Abstract

摘要：

传统协议识别技术多以单网络流为识别手段，不能应对复杂网络应用多服务、多协议等特性，因此在面对复杂网络应用识别时严重失效。针对复杂网络应用的识别难题，提出了一种流感知模型，从空间、时间和流量3个维度来刻画复杂网络应用的通信特性，深度分析并挖掘了复杂网络应用的行为和状态特征；基于此模型，提出了一套快速识别复杂网络应用的方法和架构。实验结果表明，流感知模型能有效识别复杂网络应用，具有良好的识别效果。

关键词: 协议识别, 行为分析, 流感知, 复杂网络应用

Abstract:

Traditional methods of protocol identification, which is mainly based on individual flow, lose their effective-ness as dealing with sophisticated network applications. A novel model of identifying sophisticated network applications, called flow-aware model, is addressed. This proposed model abstracts the characteristics of sophisticated network appli-cations from spatial dimension, time dimension and flow dimension, and provides the detailed analysis and deeply mining in characteristics of behaviors and states. Based on this model, a framework and method of sophisticated network appli-cations identification is proposed. The experimental results demonstrate that the proposed method can achieve the pur-pose of identifying sophisticated network applications effectively.

Key words: protocol identification, behavior analysis, flow aware, sophisticated network application

张洛什,王大伟,薛一波. 基于流感知的复杂网络应用识别模型[J]. 通信学报, 2015, 36(3): 161-169.

Luo-shi ZHANG,Da-wei WANG,Yi-bo XUE. Flow-awared identification model of sophisticated network application[J]. Journal on Communications, 2015, 36(3): 161-169.

图/表 13

图1

图2

图3

图4

图5

图6

表1

图7

图8

图9

表2

表3

表4

参考文献 21

[1]	IANA[EB/OL]. .
[2]	SEN S , SPATSCHECK O , WANG D . Accurate, scalable in network identification of P2P traffic using application signatures[A]. Proceedings of the 13th international conference on World Wide Web[C]. New York, USA, 2004.512-521.
[3]	KARAGIANNIS T , BROIDO A , BROWNLEE N , et al. Is P2P dying or just hiding?[A]. Proceedings of the 47th annual IEEE Global Tele-communications Conference[C]. Dallas, USA, 2004.1532-1538.
[4]	HU C C , YI T , CHEN X F . et al. Per-flow queueing by dynamic queue sharing[A]. Proceedings of the 26th IEEE International Conference on Computer Communications[C]. Anchorage, Alaska, 2007.1613-1621.
[5]	SOMMER R , PAXSON V . Enhancing byte-levelnetwork intrusion detection signatures with context[A]. Proceedings of the 10th ACM Conference on Computer and Communications Decurity (CCS 2003)[C]. Chicago, USA, 2003.262-271.
[6]	SMTICH R , ESTAN C , JHA S . XFA: faster signaturematching with extended automata[A]. Proceedings of the 2008 IEEE Symposium on Security and Privacy (sp 2008)[C]. Oakland, USA, 2008.187-201.
[7]	JAMES E , CARLA B , CATHERINE Behavioral authentication of server flows[A]. Proceedings of the 19th Annual Computer Security Applications Conference[C]. Oakland, USA, 2003.46-55.
[8]	王一鹏，云晓春，张永铮，李书豪．基于主动学习和 SVM 方法的网络协议识别技术[J]．通信学报， 2013,34(10):135-142. WANG Y P , YUN X C , ZHANG Y Z , LI S H . Network protocol iden-tification based on activelearning and SVM algorithm[J]. Journal of Communications, 2013,34(10):135-142.
[9]	AULD T , MOORE ANDREW W , STEPHEN F . Bayesian neural net-works for Internet traffic classification[J]. IEEE Trans Neural Networks, 2007,18(1):223-239.
[10]	YANG B H , HOU G D , RUAN L Y , et al. SMILER:towards proacti-cal online traffic classification[A]. Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems[C]. DC, USA, 2011.178-188.
[11]	THOMAS K , KONSTANTINA P , MICHALIS F . BLINC: Multilevel traffic classification in the dark[A]. Proceedings of the 2005 Confer-ence on Applications, Technologies, Architectures, and Protocols for Computer Communications[C]. New York, USA, 2005.229-240.
[12]	ANDREW M , KONSTANTINA P . Towards the accurate identification of network applications[A]. Proceedings of 6th International Work-shop, PAM 2005[C]. New York, USA, 2005.50-60.
[13]	LI C L , XUE Y B , et al. HMC: A novel mechanism for identifying encrypted P2P thunder traffic[A]. Proceedings of Global Telecommu-nications Conference (GLOBECOM 2010)[C]. Miami, USA, 2010.1-5.
[14]	XU K , ZHANG Z L , BHATTACHARYYA S . Profiling Internet back-bone traffic: behavior models and applications[A]. Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM'05)[C]. New York, USA, 2005.169-180.
[15]	JIN Y , SHARAFUDDIN E , ZHANG Z L . Unveiling core net-work-wide communication patterns through application traffic activity graph decomposition[A]. Proceedings of the Eleventh International Joint Conference on Measurement and Modeling of Computer Sys-tems (SIGMETRICS '09)[C]. New York, NY, USA, 2009.49-60.
[16]	JIN Y , DUFFIELD N , et al. Can't see forest through the trees?under-standing mixed network traffic graphs from application class distribution[A]. Proceedings of the 9th Workshop on Mining and Learning with Graphs (MLG 2011)[C]. San Diego, California, USA, 2011.20-21.
[17]	SHI X G , CHAU C K , CHIU D M . Space-efficient tracking of net-work-wide flow correlations[A]. Proceedings of INFO-COM'2011[C]. Shanghai, China, 2011.11-15.
[18]	RABINER L R . A tutorial on hidden Markov models and selected applications in speech recognition[J]. Proceedings of the IEEE, 1889,77(2):257-286.
[19]	谢柏林，余顺争．基于应用层协议分析的应用层实时主动防御系统[J]．计算机学报， 2011,34(3):452-463. XIE B L , YU S Z . Application layer real-time proactive defense sys-tem based on application layer protocol analysis[J]. Chinese Journal of Computers, 2011,34(3):452-463.
[20]	KOTISANTISS. B . Supervised machine learning: a review of classifi-cation techniques[J]. Informatica, 2007,31(3):249-268.
[21]	nDPI[EB/OL]. .

编号	特征名称	特征描述
1	Ip_num	同一个内网IP所连接的外网IP数
2	Flow_num	同一个内网IP收发的网络流数
3	Packets_num	同一个内网IP收发的数据分组数
4	Bytes_num	同一个内网IP收发的字节数

	数据集	网络流数量	网络分组数量
	Skype	207 532	1 287 402
训练集	Thunder	721 232	16 933 250
	PPS	530 695	48 341 227
	Skype	875 502	5 544 857
测试集	Thunder	1 624 724	38 145 643
	PPS	1 890 933	1 392 988 874

复杂网络应用	准确率	识别协议	分组百分比	流百分比
		Skype	64.75%	79.66%
Skype	79.66%	SSL	32.23%	16.93%
		DNS	2.18%	1.69%
		BitTorrent	1.91%	16.47%
		DNS	0.62%	4.13%
Thunder	16.47%	HTTP	4.33%	8.78%
		Unknown	92.35%	69.08%
		Other	0.79%	1.54%
		H232	0.11%	0.99%
PPS	23.32%	HTTP	7.53%	22.22%
PPS	23.32%	DNS	0.50%	20.15%
		Unknown	91.86%	56.64%

复杂网络应用	召回率	准确率
Skype	93.69%	96.01%
Thunder	95.73%	90.96%
PPS	92.82%	93.66%