Journal on Communications (通信学报) ›› 2015, Vol. 36 ›› Issue (9): 65-75. doi: 10.11959/j.issn.1000-436x.2015171

• Academic Paper •

Application identification of encrypted traffic based on the packet length distribution of sampled sequences (原题: 基于抽样分组长度分布的加密流量应用识别)

Chang-xi GAO (高长喜) 1,2, Ya-biao WU (吴亚飚) 2, Cong WANG (王枞) 1

  1. Postdoctoral Research Station, Beijing University of Posts and Telecommunications, Beijing 100876
  2. Enterprise Postdoctoral Workstation, Beijing TopSec Co., Beijing 100085
  • Online: 2015-09-25 Published: 2017-09-15
  • Supported by:
    Zhongguancun Haidian Science Park Enterprise Postdoctoral Research Special Fund; Beijing Municipal Postdoctoral Research Activity Fund

Encrypted traffic classification based on packet length distribution of sampling sequence

Chang-xi GAO1,2,Ya-biao WU2,Cong WANG1   

  1. 1 Postdoctoral Research Station,Beijing University of Posts and Telecommunications,Beijing 100876,China
    2 Enterprise Postdoctoral Working Station,Beijing TopSec Co.,Beijing 100085,China
  • Online:2015-09-25 Published:2017-09-15
  • Supported by:
    Enterprise Postdoctoral Research Support Program of Zhongguancun Haidian Science Park;Beijing Municipal Postdoctoral Research Support Program

Abstract (translated from the Chinese):

Starting from flow-level statistical features of deterministically sampled packet sequences (packet position, direction, packet length, arrival continuity and arrival order) and from typical packet length statistical signatures, and combining them with a boosted DPI that carries packet position and direction constraints and half-flow correlation actions, a hypothesis-testing-based statistical decision model for application identification of encrypted traffic is proposed. The model consists of a packet length statistical signature decision model and a DFI decision model; the corresponding packet length statistical signature matching algorithm and an encrypted traffic application identification algorithm based on the hybrid DPI/DFI method are also given. Experimental results show that the method successfully captures the distinctive statistical traffic behaviour of encrypted applications in the flow coordinate space, while achieving very high precision, recall and overall accuracy for encrypted traffic identification together with a very low false positive rate for encrypted traffic identification and a very low overall false positive rate.

Key words: encrypted traffic classification, application identification, deep packet inspection, dynamic flow inspection, hybrid method

Abstract:

A hypothesis testing-based statistical decision model (HTSDM) for application identification of encrypted traffic was presented. HTSDM was based on the packet length distribution of a deterministic sampling sequence at flow level, which was characterized by packet positions, packet directions, packet sizes, packet arrival continuity and packet arrival order. HTSDM boosted deep packet inspection (DPI) by introducing constraints of packet position and direction as well as an inter-flow correlation action. A hybrid method of encrypted traffic classification combining DPI and dynamic flow inspection (DFI) was proposed based on HTSDM. Experiment results show that this method can effectively identify the unique statistical traffic behavior of encrypted applications in flow coordinate space, and achieve high precision, recall and overall accuracy while keeping a low false positive rate (FPR) and overall FPR.

Key words: encrypted traffic classification, application identification, deep packet inspection, dynamic flow inspection, hybrid method
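As an added example (not code from the paper), the hybrid decision the abstract describes, a position- and direction-constrained DPI check followed by a per-position packet length band test over deterministically sampled packets, written in Python; the signature layout, the direction labels, the mean +/- k*std acceptance band and the sample flows are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

C2S, S2C = "c2s", "s2c"  # assumed direction labels: client->server, server->client

@dataclass
class PositionStat:
    """Per-position entry of a hypothetical packet length statistical signature."""
    position: int    # 0-based index into the flow's packet sequence (sample position)
    direction: str   # expected packet direction at that position
    mean: float      # mean payload length observed for the application
    std: float       # standard deviation of that length

@dataclass
class AppSignature:
    app: str
    stats: List[PositionStat]                     # deterministic sample positions
    k: float = 2.0                                # accept if |len - mean| <= k*std
    dpi: Optional[Tuple[int, str, bytes]] = None  # (position, direction, prefix)

def dpi_match(flow, sig):
    """Position- and direction-constrained DPI: the payload at the required
    position must travel in the required direction and start with the pattern."""
    if sig.dpi is None:
        return True
    pos, direction, prefix = sig.dpi
    if pos >= len(flow):
        return False
    d, _, payload = flow[pos]
    return d == direction and payload.startswith(prefix)

def dfi_match(flow, sig):
    """Statistical test over the sampled positions: each sampled packet must exist
    (continuity), have the expected direction (order) and a length within k*std."""
    for st in sig.stats:
        if st.position >= len(flow):
            return False  # flow ended before the sampled position: reject
        d, length, _ = flow[st.position]
        if d != st.direction or abs(length - st.mean) > sig.k * st.std:
            return False
    return True

def classify(flow, sigs):
    """Hybrid decision: the first application whose DPI constraint and DFI
    statistical test both hold labels the flow; otherwise 'unknown'."""
    return next((s.app for s in sigs if dpi_match(flow, s) and dfi_match(flow, s)), "unknown")

# Constructed sample signature and flows; each packet is (direction, length, payload prefix).
SIGS = [AppSignature("app-A", [PositionStat(0, C2S, 200, 15), PositionStat(1, S2C, 1400, 60),
                               PositionStat(2, C2S, 90, 10)], dpi=(0, C2S, b"\x16\x03"))]
FLOW_A = [(C2S, 205, b"\x16\x03\x01"), (S2C, 1380, b"\x16\x03\x03"), (C2S, 95, b"\x17\x03")]
FLOW_B = [(C2S, 205, b"\x16\x03\x01"), (S2C, 700, b"\x16\x03\x03"), (C2S, 95, b"\x17\x03")]
```

FLOW_B passes the DPI constraint but fails the DFI band test at position 1, so only the hybrid decision rejects it.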
