通信学报 ›› 2022, Vol. 43 ›› Issue (2): 156-170.doi: 10.11959/j.issn.1000-436x.2022034
何高峰1, 魏千峰1, 肖咸财1, 朱海婷1, 徐丙凤2 (Gaofeng HE1, Qianfeng WEI1, Xiancai XIAO1, Haiting ZHU1, Bingfeng XU2)
Revised: 2022-01-19
Online: 2022-02-25
Published: 2022-02-01
About the author:
HE Gaofeng (1984-), male, born in Anqing, Anhui; Ph.D.; lecturer and master's supervisor at Nanjing University of Posts and Telecommunications. His main research interests are network anomaly detection and provably secure network defense.
Abstract:
To address the large number of false positives produced by machine-learning-based detection of malicious encrypted traffic, secure two-party computation is used to compare character segments of the network traffic content against intrusion detection signatures without revealing the actual data content. Based on the segment comparison results, an intrusion detection signature matching method is designed that achieves exact keyword matching. To ensure that the proposed method is executed faithfully, a random verification strategy for user terminal inputs is proposed, which makes it difficult for a malicious user terminal to take part in the secure two-party computation with arbitrary data and thereby evade detection confirmation. The security and performance of the proposed method are analyzed theoretically and validated by a combination of real deployment and simulation experiments. Experimental results show that the proposed method significantly improves detection effectiveness with low resource consumption.
Gaofeng HE, Qianfeng WEI, Xiancai XIAO, Haiting ZHU, Bingfeng XU. Confirmation method for the detection of malicious encrypted traffic with data privacy protection[J]. Journal on Communications, 2022, 43(2): 156-170.
Table 1 Parameter symbols

| Parameter | Meaning |
| --- | --- |
| U | Set of user terminals; an element of the set is denoted u |
| C | Data set at the user terminal; an element of the set is denoted c |
| S | Data set at the detection node; an element of the set is denoted s |
| | Size of a set |
| | Random selection of an element a from the set A |
| p, q | p and q are primes, and q divides p−1 |
| Zq | Set of positive integers less than q |
| G, g | G is a cyclic group, g is |
| H1() | Random oracle |
| H2() | Random oracle |
| ZK{} | Zero-knowledge proof of a discrete logarithm |
| R | Random number; subscripts and superscripts distinguish different random numbers |
| f | Encrypted network flow |
| kf | Encryption key of flow f |
| L | Total data length; subscripts distinguish different data types |
| l | Data segment length |
| r | Number of characters modified by the attacker |
| e | Number of character segments selected for verification |
| h | Total number of intrusion detection signature keywords |
| λ | Resource consumption; subscripts distinguish different kinds of resource consumption |
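The abstract describes comparing length-l character segments of flow content against signature keywords under secure two-party computation so that neither side reveals its data. The following is an added example, not code from the paper: it instantiates the well-known Diffie-Hellman-based private set intersection construction in the setting of Table 1 (primes p, q with q | p−1, the order-q group G, random oracles H1 into G and H2 onto tags, random exponents R drawn from Zq, segment length l), with the user terminal holding content c and the detection node holding keywords s. The group (the 1024-bit MODP group of RFC 2409), the hash-to-group construction, the sliding-window segmentation and the sample request and keywords are all this example's assumptions; the paper's own protocol, its zero-knowledge proofs and its random input verification strategy are not reproduced here.

```python
import hashlib
import secrets

# RFC 2409 group 2 (1024-bit MODP): p is a safe prime, so q = (p - 1) / 2 is prime and
# q | p - 1 as Table 1 requires.  The group is this example's choice, not the paper's.
P_HEX = ("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22"
         "514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6"
         "F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
         "FFFFFFFFFFFFFFFF")
p = int(P_HEX, 16)
q = (p - 1) // 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; used to sanity-check that p and q really are prime before use."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def H1(segment: bytes) -> int:
    """Random-oracle-style hash into G (order q): squaring mod a safe prime lands in G."""
    counter = 0
    while True:
        h = int.from_bytes(hashlib.sha256(counter.to_bytes(4, "big") + segment).digest(), "big")
        elem = pow(h % p, 2, p)
        if elem > 1:            # skip the degenerate values 0 and 1
            return elem
        counter += 1


def H2(elem: int) -> bytes:
    """Random-oracle-style hash from G to a fixed-length comparison tag."""
    return hashlib.sha256(elem.to_bytes(128, "big")).digest()


def segments(data: bytes, l: int) -> list:
    """All length-l character segments of data (sliding window); short data is one segment."""
    if len(data) <= l:
        return [data]
    return [data[i:i + l] for i in range(len(data) - l + 1)]


class UserTerminal:
    """Holds the flow content c; reveals only blinded segments to the detection node."""
    def __init__(self, content: bytes, l: int):
        self.R_c = secrets.randbelow(q - 1) + 1         # R_c drawn from Zq
        self.windows = segments(content, l)

    def blind_content(self) -> list:
        """Step 1: send {H1(c_i)^R_c}, shuffled so segment positions are not leaked."""
        blinded = [pow(H1(w), self.R_c, p) for w in self.windows]
        secrets.SystemRandom().shuffle(blinded)
        return blinded

    def blind_keywords(self, node_blinded: list) -> list:
        """Step 3: raise the node's blinded keyword segments to R_c and tag them (order kept)."""
        return [H2(pow(x, self.R_c, p)) for x in node_blinded]


class DetectionNode:
    """Holds the signature keywords s; learns only which keywords occur in the content."""
    def __init__(self, keywords: list, l: int):
        self.R_s = secrets.randbelow(q - 1) + 1         # R_s drawn from Zq
        self.keyword_windows = {kw: segments(kw, l) for kw in keywords}
        self.flat = [w for ws in self.keyword_windows.values() for w in ws]

    def blind_keywords(self) -> list:
        """Step 2a: send {H1(s_j)^R_s} to the user terminal."""
        return [pow(H1(w), self.R_s, p) for w in self.flat]

    def double_blind_content(self, client_blinded: list) -> set:
        """Step 2b (local): tags H2(H1(c_i)^(R_c R_s)) for the terminal's segments."""
        return {H2(pow(x, self.R_s, p)) for x in client_blinded}

    def match(self, content_tags: set, keyword_tags: list) -> dict:
        """Step 4: a keyword is confirmed only if every one of its segments has a tag in the content."""
        it, verdict = iter(keyword_tags), {}
        for kw, ws in self.keyword_windows.items():
            verdict[kw] = all(next(it) in content_tags for _ in ws)
        return verdict


def private_keyword_match(content: bytes, keywords: list, l: int) -> dict:
    """Run the whole exchange and return the detection node's verdict per keyword."""
    terminal, node = UserTerminal(content, l), DetectionNode(keywords, l)
    a = terminal.blind_content()                        # terminal -> node
    b = node.blind_keywords()                           # node -> terminal
    content_tags = node.double_blind_content(a)         # node, locally
    keyword_tags = terminal.blind_keywords(b)           # terminal -> node
    return node.match(content_tags, keyword_tags)


# Constructed sample (made up for this example): request content at the terminal and
# three signature keywords at the detection node.
SAMPLE_CONTENT = b"GET /items?id=1 union select name from users HTTP/1.1"
SAMPLE_KEYWORDS = [b"union select", b"/etc/passwd", b"cmd.exe"]

if __name__ == "__main__":
    assert is_probable_prime(p) and is_probable_prime(q), "group parameter check failed"
    for kw, hit in private_keyword_match(SAMPLE_CONTENT, SAMPLE_KEYWORDS, l=4).items():
        print(kw.decode(), "->", "confirmed" if hit else "not present")
```

Because (H1(x)^R_c)^R_s = (H1(x)^R_s)^R_c, equal segments produce equal tags while the node never sees H1(c_i) itself and the terminal never sees H1(s_j). When l is at least the keyword length the check is exact equality; for longer keywords, requiring all of a keyword's sliding windows to be present is a necessary condition, and a content that happens to contain every window in scattered positions would still be reported, which is why the paper's method adds a dedicated matching step on top of segment comparison.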