支持数据隐私保护的恶意加密流量检测确认方法

doi:10.11959/j.issn.1000-436x.2022034

通信学报 ›› 2022, Vol. 43 ›› Issue (2): 156-170.doi: 10.11959/j.issn.1000-436x.2022034

支持数据隐私保护的恶意加密流量检测确认方法

何高峰¹, 魏千峰¹, 肖咸财¹, 朱海婷¹, 徐丙凤²

¹ 南京邮电大学物联网学院，江苏南京 210003
² 南京林业大学信息科学技术学院，江苏南京 210042

修回日期:2022-01-19 出版日期:2022-02-25 发布日期:2022-02-01
作者简介:何高峰（1984-），男，安徽安庆人，博士，南京邮电大学讲师、硕士生导师，主要研究方向为网络异常检测、可证明安全的网络安全防御等
魏千峰（1997-），男，江苏徐州人，南京邮电大学硕士生，主要研究方向为网络流量异常检测
肖咸财（1998-），男，江西赣州人，南京邮电大学硕士生，主要研究方向为加密网络流量分析
朱海婷（1983-），女，江苏如皋人，博士，南京邮电大学讲师、硕士生导师，主要研究方向为网络管理和网络性能优化
徐丙凤（1986-），女，安徽安庆人，博士，南京林业大学讲师、硕士生导师，主要研究方向为网络安全威胁建模与评估
基金资助:
国家自然科学基金资助项目(61802192);国家自然科学基金资助项目(61702282);南京邮电大学校级自然科学基金项目(NY221096);南京航空航天大学基本科研业务费科研基地创新基金资助项目(NJ2020022)

Confirmation method for the detection of malicious encrypted traffic with data privacy protection

Gaofeng HE¹, Qianfeng WEI¹, Xiancai XIAO¹, Haiting ZHU¹, Bingfeng XU²

¹ School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
² College of Information Science and Technology, Nanjing Forestry University, Nanjing 210042, China

Revised:2022-01-19 Online:2022-02-25 Published:2022-02-01
Supported by:
The National Natural Science Foundation of China(61802192);The National Natural Science Foundation of China(61702282);The Natural Science Foundation of Nanjing University of Posts and Telecommunications(NY221096);The Fundamental Research Funds for the Central Universities, NUAA(NJ2020022)

摘要/Abstract

摘要：

为解决基于机器学习的恶意加密流量检测易产生大量误报的问题，利用安全两方计算，在不泄露具体数据内容的前提下实现网络流量内容和入侵检测特征间的字符段比对。基于字符段比对结果，设计入侵检测特征匹配方法，完成关键词的精准匹配。为保证所提方法的有效执行，提出用户终端输入随机验证策略，使恶意用户终端难以使用任意数据参与安全两方计算进而躲避检测确认。对所提方法的安全性和性能进行了理论分析，并采用真实部署和仿真实验相结合的方式进行验证。实验结果表明，所提方法能显著提升检测效果，且资源消耗低。

关键词: 恶意加密流量, 机器学习, 安全两方计算, 自动确认

Abstract:

In order to solve the problem that excessive false positives in the detection of encrypted malicious traffic based on machine learning, secure two-party computation was used to compare character segments between network traffic and intrusion detection rulers without revealing the data content.Based on the comparison results, an intrusion detection feature matching algorithm was designed to accurately match keywords.A random verification strategy for users’ input was also proposed to facilitate the method.As a result, malicious users couldn’t use arbitrary data to participate in secure two-party calculations and avoid confirmation.The security and resource consumption of the method were theoretically analyzed and verified by a combination of real deployment and simulation experiments.The experimental results show that the proposed method can significantly improve the detection performance with low system resources.

Key words: malicious encrypt traffic, machine learning, secure two-party computation, automatic confirmation

中图分类号:

TP39

何高峰, 魏千峰, 肖咸财, 朱海婷, 徐丙凤. 支持数据隐私保护的恶意加密流量检测确认方法[J]. 通信学报, 2022, 43(2): 156-170.

Gaofeng HE, Qianfeng WEI, Xiancai XIAO, Haiting ZHU, Bingfeng XU. Confirmation method for the detection of malicious encrypted traffic with data privacy protection[J]. Journal on Communications, 2022, 43(2): 156-170.

图/表 13

图1

图2

表1

参数符号"

参数	含义
U	用户终端集合，其集合元素用u表示
C	用户终端处的数据集合，其集合元素用c表示
S	检测节点处的数据集合，其集合元素用s表示
$\| \cdot \|$	集合大小
$a \overset{R}{\leftarrow} A G$	从集合A中随机选择元素a
p, q	p和q为素数，且q\|p–1
Z_q	小于q的正整数集合
$G, g$	G为循环群，g为 $G$ 的一个生成元
H₁()	随机预言 $H_{1} () : {0 ， 1}^{*} \to G$
H₂()	随机预言 $H_{2} () : G \times G \times {0 ， 1}^{*} \to {0 ， 1}^{k}$
ZK{}	离散对数零知识证明
R	随机数，并以上下标区分不同随机数
f	加密网络流量
k_f	流f对应的加密密钥
L	数据总长度，并以下标区分不同数据类型
l	数据分割长度
r	攻击者修改的字符数量
e	验证时选择的字符段数量
h	入侵检测特征关键词总数量
λ	资源消耗，并以下标区分不同资源消耗

表1

表2

表3

图3

图4

图5

图6

图7

图8

图9

表4

参考文献 36

[1]	罗军舟, 何源, 张兰 ,等. 云端融合的工业互联网体系结构及关键技术[J]. 中国科学:信息科学, 2020,50(2): 195-220.
	LUO J Z , HE Y , ZHANG L ,et al. The architecture and key technologies for an industrial Internet with synergy between the cloud and clients[J]. Scientia Sinica (Informationis), 2020,50(2): 195-220.
[2]	DING D R , HAN Q L , XIANG Y ,et al. A survey on security control and attack detection for industrial cyber-physical systems[J]. Neurocomputing, 2018,275: 1674-1683.
[3]	张蕾, 崔勇, 刘静 ,等. 机器学习在网络空间安全研究中的应用[J]. 计算机学报, 2018,41(9): 1943-1975.
	ZHANG L , CUI Y , LIU J ,et al. Application of machine learning in cyberspace security research[J]. Chinese Journal of Computers, 2018,41(9): 1943-1975.
[4]	ANDERSON B , PAUL S , MCGREW D . Deciphering malware’s use of TLS (without decryption)[J]. Journal of Computer Virology and Hacking Techniques, 2018,14(3): 195-211.
[5]	WANG W , ZHU M , ZENG X W ,et al. Malware traffic classification using convolutional neural network for representation learning[C]// Proceedings of 2017 International Conference on Information Networking (ICOIN). Piscataway:IEEE Press, 2017: 712-717.
[6]	HAN D Q , WANG Z L , CHEN W Q ,et al. DeepAID:interpreting and improving deep learning-based anomaly detection in security applications[C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2021: 3197-3217.
[7]	FROLOV S , WUSTROW E . The use of TLS in censorship circumvention[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Reston:Internet Society, 2019: 1-15.
[8]	HO C Y , LAI Y C , CHEN I W ,et al. Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems[J]. IEEE Communications Magazine, 2012,50(3): 146-154.
[9]	DE CRISTOFARO E , KIM J , TSUDIK G . Linear-complexity private set intersection protocols secure in malicious model[C]// 2010 International Conference on the Theory and Application of Cryptology and Information Security. Berlin:Springer, 2010: 213-231.
[10]	ZHAO C , ZHAO S N , ZHAO M H ,et al. Secure multi-party computation:theory,practice and applications[J]. Information Sciences, 2019,476: 357-372.
[11]	CARNAVALET X D , MANNAN M . Killed by proxy:analyzing client-end TLS interception software[C]// Proceedings of 2016 Network and Distributed System Security Symposium. Reston:Internet Society, 2016: 1-17.
[12]	O’NEILL M , RUOTI S , SEAMONS K ,et al. TLS proxies:friend or foe?[C]// Proceedings of the 2016 Internet Measurement Conference. New York:ACM Press, 2016: 551-557.
[13]	NAYLOR D , SCHOMP K , VARVELLO M ,et al. Multi-context TLS (mcTLS)[J]. ACM SIGCOMM Computer Communication Review, 2015,45(4): 199-212.
[14]	LIU C , CUI Y , TAN K ,et al. Building generic scalable middlebox services over encrypted protocols[C]// Proceedings of 2018 IEEE Conference on Computer Communications. Piscataway:IEEE Press, 2018: 2195-2203.
[15]	SHERRY J , LAN C , POPA R A ,et al. BlindBox:deep packet inspection over encrypted traffic[C]// Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication. New York:ACM Press, 2015: 213-226.
[16]	NING J T , POH G S , LOH J C ,et al. PrivDPI:privacy-preserving encrypted traffic inspection with reusable obfuscated rules[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 1657-1670.
[17]	LAI S Q , YUAN X L , SUN S F ,et al. Practical encrypted network traffic pattern matching for secure middleboxes[J]. IEEE Transactions on Dependable and Secure Computing, 2021,PP(99): 1.
[18]	IOVINO V , PERSIANO G . Hidden-vector encryption with groups of prime order[C]// 2008 International Conference on Pairing-Based Cryptography. Berlin:Springer, 2008: 75-88.
[19]	ANDERSON B , CHI A , DUNLOP S ,et al. Limitless HTTP in an HTTPS world:inferring the semantics of the HTTPS protocol without decryption[C]// Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy. New York:ACM Press, 2019: 267-278.
[20]	HELLEMONS L , HENDRIKS L , HOFSTEDE R ,et al. SSHCure:a flow-based SSH intrusion detection system[C]// 2012 IFIP International Conference on Autonomous Infrastructure,Management and Security. Berlin:Springer, 2012: 86-97.
[21]	HE G F , ZHANG T , MA Y Y ,et al. A novel method to detect encrypted data exfiltration[C]// Proceedings of 2014 Second International Conference on Advanced Cloud and Big Data. Piscataway:IEEE Press, 2014: 240-246.
[22]	HE G F , XU B F , ZHANG L ,et al. On-device detection of repackaged android malware via traffic clustering[J]. Security and Communication Networks,2020, 2020:8630748.
[23]	CHEN Y C , LI Y J , TSENG A ,et al. Deep learning for malicious flow detection[C]// Proceedings of 2017 IEEE 28th Annual International Symposium on Personal,Indoor,and Mobile Radio Communications. Piscataway:IEEE Press, 2017: 1-7.
[24]	翟明芳, 张兴明, 赵博 . 基于深度学习的加密恶意流量检测研究[J]. 网络与信息安全学报, 2020,6(3): 66-77.
	ZHAI M F , ZHANG X M , ZHAO B . Survey of encrypted malicious traffic detection based on deep learning[J]. Chinese Journal of Network and Information Security, 2020,6(3): 66-77.
[25]	何高峰, 司勇瑞, 徐丙凤 . 针对 Android 移动应用的恶意加密流量标注方法研究[J]. 计算机工程, 2020,46(7): 116-121,128.
	HE G F , SI Y R , XU B F . Research on malicious encrypted traffic annotation method for android mobile application[J]. Computer Engineering, 2020,46(7): 116-121,128.
[26]	JAN S T K , HAO Q Y , HU T R ,et al. Throwing darts in the dark? detecting bots with limited data using neural data augmentation[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2020: 1190-1206.
[27]	LAN C , SHERRY J , POPA R A ,et al. Embark:securely outsourcing middleboxes to the cloud[C]// 2016 USENIX Symposium on Net worked Systems Design and Implementation. Berkeley:USENIX Association, 2016: 255-273.
[28]	GUO Y , WANG M Y , WANG C ,et al. Privacy-preserving packet header checking over in-the-cloud middleboxes[J]. IEEE Internet of Things Journal, 2020,7(6): 5359-5370.
[29]	CASTELLUCCIA C , CRISTOFARO E D , PERITO D . Private information disclosure from web searches[C]// 2010 International Symposium on Privacy Enhancing Technologies Symposium. Berlin:Springer, 2010: 38-55.
[30]	SEOK J , CHOI M , KIM J ,et al. A comparative study on performance of open source IDS/IPS snort and suricata[J]. Journal of the Korea Society of Digital Industry and Information Management, 2016,12(1): 89-95.
[31]	CHAUM D , . Zero-knowledge undeniable signatures[C]// 1990 Workshop on the Theory and Application of Cryptographic Techniques. Berlin:Springer, 1990: 458-464.
[32]	COHEN H , PORAT E . Fast set intersection and two-patterns matching[J]. Theoretical Computer Science, 2010,411(40/41/42): 3795-3800.
[33]	LI N , . Research on Diffie-Hellman key exchange protocol[C]// Proceedings of 2010 2nd International Conference on Computer Engineering and Technology. Piscataway:IEEE Press, 2010: 634-637.
[34]	DIEM C . On the discrete logarithm problem in elliptic curves[J]. Compositio Mathematica, 2011,147(1): 75-104.
[35]	潘吴斌, 程光, 郭晓军 ,等. 网络加密流量识别研究综述及展望[J]. 通信学报, 2016,37(9): 154-167.
	PAN W B , CHENG G , GUO X J ,et al. Review and perspective on encrypted traffic identification research[J]. Journal on Communications, 2016,37(9): 154-167.
[36]	ZENG F , CHANG S , WU X C . Classification for DGA-based malicious domain names with deep learning architectures[J]. International Journal of Intelligent Information Systems, 2017,6(6): 67-71.

指标	数值
捕获的TLS总数量/条	15 887
判断为恶意的TLS流量数量/条	13
确认为误报的TLS流量数量/条	12

指标	数值
捕获的TLS总数量/条	278
判断为恶意的TLS流量数量/条	269
确认为恶意的TLS流量数量/条	267
确认所产生的漏报数量/条	2

指标（均值）	数值
CPU执行时间/s	58.3
CPU占用率	24.9%
网络带宽消耗/MB	11.6
内存占用量/MB	52.1

支持数据隐私保护的恶意加密流量检测确认方法

Confirmation method for the detection of malicious encrypted traffic with data privacy protection

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 36

相关文章 15

Metrics

推荐阅读 0

[1]	戴千一, 张斌, 郭松, 徐开勇. 基于多分类器集成的区块链网络层异常流量检测方法[J]. 通信学报, 2023, 44(3): 66-80.
[2]	冯智斌, 徐煜华, 杜智勇, 刘鑫, 李文, 韩昊, 张晓博. 对抗智能干扰的主动防御技术[J]. 通信学报, 2022, 43(10): 42-54.
[3]	陆彦辉, 柳寒, 李航, 朱光旭. 基于多鉴别器生成对抗网络的时间序列生成模型[J]. 通信学报, 2022, 43(10): 167-176.
[4]	梅锴, 赵海涛, 刘潇然, 刘军, 熊俊, 任保全, 魏急波. 高效的基于数据与模型的信道估计算法[J]. 通信学报, 2022, 43(1): 59-70.
[5]	彭长根, 高婷, 刘惠篮, 丁红发. 面向机器学习模型的基于PCA的成员推理攻击[J]. 通信学报, 2022, 43(1): 149-160.
[6]	邹福泰, 谭越, 王林, 蒋永康. 基于生成对抗网络的僵尸网络检测[J]. 通信学报, 2021, 42(7): 95-106.
[7]	刘留, 张建华, 樊圆圆, 于力, 张嘉驰. 机器学习在信道建模中的应用综述[J]. 通信学报, 2021, 42(2): 134-153.
[8]	伏玉笋,杨根科. 人工智能在移动通信中的应用：挑战与实践[J]. 通信学报, 2020, 41(9): 190-201.
[9]	陈铁明,金成强,吕明琪,朱添田. 基于样本增强的网络恶意流量智能检测方法[J]. 通信学报, 2020, 41(6): 128-138.
[10]	韩春雨,张永铮,张玉. Fast-flucos：基于DNS流量的Fast-flux恶意域名检测方法[J]. 通信学报, 2020, 41(5): 37-47.
[11]	周鑫,何晓新,郑昌文. 基于图像深度学习的无线电信号识别[J]. 通信学报, 2019, 40(7): 114-125.
[12]	杜学绘,林杨东,孙奕. 基于混合特征的恶意PDF文档检测[J]. 通信学报, 2019, 40(2): 118-128.
[13]	孙鸿宇,何远,王基策,董颖,朱立鹏,王鹤,张玉清. 人工智能技术在安全漏洞领域的应用[J]. 通信学报, 2018, 39(8): 1-17.
[14]	黄杨琛,贾焰,甘亮,徐菁,黄九鸣,赫中翮. 基于远程监督的多因子人物关系抽取模型[J]. 通信学报, 2018, 39(7): 103-112.
[15]	俞艺涵,付钰,吴晓平. MapReduce框架下支持差分隐私保护的随机梯度下降算法[J]. 通信学报, 2018, 39(1): 70-77.