支持数据隐私保护的恶意加密流量检测确认方法

doi:10.11959/j.issn.1000-436x.2022034

Abstract

Abstract:

In order to solve the problem that excessive false positives in the detection of encrypted malicious traffic based on machine learning, secure two-party computation was used to compare character segments between network traffic and intrusion detection rulers without revealing the data content.Based on the comparison results, an intrusion detection feature matching algorithm was designed to accurately match keywords.A random verification strategy for users’ input was also proposed to facilitate the method.As a result, malicious users couldn’t use arbitrary data to participate in secure two-party calculations and avoid confirmation.The security and resource consumption of the method were theoretically analyzed and verified by a combination of real deployment and simulation experiments.The experimental results show that the proposed method can significantly improve the detection performance with low system resources.

Key words: malicious encrypt traffic, machine learning, secure two-party computation, automatic confirmation

CLC Number:

TP39

Gaofeng HE, Qianfeng WEI, Xiancai XIAO, Haiting ZHU, Bingfeng XU. Confirmation method for the detection of malicious encrypted traffic with data privacy protection[J]. Journal on Communications, 2022, 43(2): 156-170.

Figures/Tables 13

参数	含义
U	用户终端集合，其集合元素用u表示
C	用户终端处的数据集合，其集合元素用c表示
S	检测节点处的数据集合，其集合元素用s表示
$\| \cdot \|$	集合大小
$a \overset{R}{\leftarrow} A G$	从集合A中随机选择元素a
p, q	p和q为素数，且q\|p–1
Z_q	小于q的正整数集合
$G, g$	G为循环群，g为 $G$ 的一个生成元
H₁()	随机预言 $H_{1} () : {0 ， 1}^{*} \to G$
H₂()	随机预言 $H_{2} () : G \times G \times {0 ， 1}^{*} \to {0 ， 1}^{k}$
ZK{}	离散对数零知识证明
R	随机数，并以上下标区分不同随机数
f	加密网络流量
k_f	流f对应的加密密钥
L	数据总长度，并以下标区分不同数据类型
l	数据分割长度
r	攻击者修改的字符数量
e	验证时选择的字符段数量
h	入侵检测特征关键词总数量
λ	资源消耗，并以下标区分不同资源消耗

References 36

[1]	罗军舟, 何源, 张兰 ,等. 云端融合的工业互联网体系结构及关键技术[J]. 中国科学:信息科学, 2020,50(2): 195-220.
	LUO J Z , HE Y , ZHANG L ,et al. The architecture and key technologies for an industrial Internet with synergy between the cloud and clients[J]. Scientia Sinica (Informationis), 2020,50(2): 195-220.
[2]	DING D R , HAN Q L , XIANG Y ,et al. A survey on security control and attack detection for industrial cyber-physical systems[J]. Neurocomputing, 2018,275: 1674-1683.
[3]	张蕾, 崔勇, 刘静 ,等. 机器学习在网络空间安全研究中的应用[J]. 计算机学报, 2018,41(9): 1943-1975.
	ZHANG L , CUI Y , LIU J ,et al. Application of machine learning in cyberspace security research[J]. Chinese Journal of Computers, 2018,41(9): 1943-1975.
[4]	ANDERSON B , PAUL S , MCGREW D . Deciphering malware’s use of TLS (without decryption)[J]. Journal of Computer Virology and Hacking Techniques, 2018,14(3): 195-211.
[5]	WANG W , ZHU M , ZENG X W ,et al. Malware traffic classification using convolutional neural network for representation learning[C]// Proceedings of 2017 International Conference on Information Networking (ICOIN). Piscataway:IEEE Press, 2017: 712-717.
[6]	HAN D Q , WANG Z L , CHEN W Q ,et al. DeepAID:interpreting and improving deep learning-based anomaly detection in security applications[C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2021: 3197-3217.
[7]	FROLOV S , WUSTROW E . The use of TLS in censorship circumvention[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Reston:Internet Society, 2019: 1-15.
[8]	HO C Y , LAI Y C , CHEN I W ,et al. Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems[J]. IEEE Communications Magazine, 2012,50(3): 146-154.
[9]	DE CRISTOFARO E , KIM J , TSUDIK G . Linear-complexity private set intersection protocols secure in malicious model[C]// 2010 International Conference on the Theory and Application of Cryptology and Information Security. Berlin:Springer, 2010: 213-231.
[10]	ZHAO C , ZHAO S N , ZHAO M H ,et al. Secure multi-party computation:theory,practice and applications[J]. Information Sciences, 2019,476: 357-372.
[11]	CARNAVALET X D , MANNAN M . Killed by proxy:analyzing client-end TLS interception software[C]// Proceedings of 2016 Network and Distributed System Security Symposium. Reston:Internet Society, 2016: 1-17.
[12]	O’NEILL M , RUOTI S , SEAMONS K ,et al. TLS proxies:friend or foe?[C]// Proceedings of the 2016 Internet Measurement Conference. New York:ACM Press, 2016: 551-557.
[13]	NAYLOR D , SCHOMP K , VARVELLO M ,et al. Multi-context TLS (mcTLS)[J]. ACM SIGCOMM Computer Communication Review, 2015,45(4): 199-212.
[14]	LIU C , CUI Y , TAN K ,et al. Building generic scalable middlebox services over encrypted protocols[C]// Proceedings of 2018 IEEE Conference on Computer Communications. Piscataway:IEEE Press, 2018: 2195-2203.
[15]	SHERRY J , LAN C , POPA R A ,et al. BlindBox:deep packet inspection over encrypted traffic[C]// Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication. New York:ACM Press, 2015: 213-226.
[16]	NING J T , POH G S , LOH J C ,et al. PrivDPI:privacy-preserving encrypted traffic inspection with reusable obfuscated rules[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 1657-1670.
[17]	LAI S Q , YUAN X L , SUN S F ,et al. Practical encrypted network traffic pattern matching for secure middleboxes[J]. IEEE Transactions on Dependable and Secure Computing, 2021,PP(99): 1.
[18]	IOVINO V , PERSIANO G . Hidden-vector encryption with groups of prime order[C]// 2008 International Conference on Pairing-Based Cryptography. Berlin:Springer, 2008: 75-88.
[19]	ANDERSON B , CHI A , DUNLOP S ,et al. Limitless HTTP in an HTTPS world:inferring the semantics of the HTTPS protocol without decryption[C]// Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy. New York:ACM Press, 2019: 267-278.
[20]	HELLEMONS L , HENDRIKS L , HOFSTEDE R ,et al. SSHCure:a flow-based SSH intrusion detection system[C]// 2012 IFIP International Conference on Autonomous Infrastructure,Management and Security. Berlin:Springer, 2012: 86-97.
[21]	HE G F , ZHANG T , MA Y Y ,et al. A novel method to detect encrypted data exfiltration[C]// Proceedings of 2014 Second International Conference on Advanced Cloud and Big Data. Piscataway:IEEE Press, 2014: 240-246.
[22]	HE G F , XU B F , ZHANG L ,et al. On-device detection of repackaged android malware via traffic clustering[J]. Security and Communication Networks,2020, 2020:8630748.
[23]	CHEN Y C , LI Y J , TSENG A ,et al. Deep learning for malicious flow detection[C]// Proceedings of 2017 IEEE 28th Annual International Symposium on Personal,Indoor,and Mobile Radio Communications. Piscataway:IEEE Press, 2017: 1-7.
[24]	翟明芳, 张兴明, 赵博 . 基于深度学习的加密恶意流量检测研究[J]. 网络与信息安全学报, 2020,6(3): 66-77.
	ZHAI M F , ZHANG X M , ZHAO B . Survey of encrypted malicious traffic detection based on deep learning[J]. Chinese Journal of Network and Information Security, 2020,6(3): 66-77.
[25]	何高峰, 司勇瑞, 徐丙凤 . 针对 Android 移动应用的恶意加密流量标注方法研究[J]. 计算机工程, 2020,46(7): 116-121,128.
	HE G F , SI Y R , XU B F . Research on malicious encrypted traffic annotation method for android mobile application[J]. Computer Engineering, 2020,46(7): 116-121,128.
[26]	JAN S T K , HAO Q Y , HU T R ,et al. Throwing darts in the dark? detecting bots with limited data using neural data augmentation[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2020: 1190-1206.
[27]	LAN C , SHERRY J , POPA R A ,et al. Embark:securely outsourcing middleboxes to the cloud[C]// 2016 USENIX Symposium on Net worked Systems Design and Implementation. Berkeley:USENIX Association, 2016: 255-273.
[28]	GUO Y , WANG M Y , WANG C ,et al. Privacy-preserving packet header checking over in-the-cloud middleboxes[J]. IEEE Internet of Things Journal, 2020,7(6): 5359-5370.
[29]	CASTELLUCCIA C , CRISTOFARO E D , PERITO D . Private information disclosure from web searches[C]// 2010 International Symposium on Privacy Enhancing Technologies Symposium. Berlin:Springer, 2010: 38-55.
[30]	SEOK J , CHOI M , KIM J ,et al. A comparative study on performance of open source IDS/IPS snort and suricata[J]. Journal of the Korea Society of Digital Industry and Information Management, 2016,12(1): 89-95.
[31]	CHAUM D , . Zero-knowledge undeniable signatures[C]// 1990 Workshop on the Theory and Application of Cryptographic Techniques. Berlin:Springer, 1990: 458-464.
[32]	COHEN H , PORAT E . Fast set intersection and two-patterns matching[J]. Theoretical Computer Science, 2010,411(40/41/42): 3795-3800.
[33]	LI N , . Research on Diffie-Hellman key exchange protocol[C]// Proceedings of 2010 2nd International Conference on Computer Engineering and Technology. Piscataway:IEEE Press, 2010: 634-637.
[34]	DIEM C . On the discrete logarithm problem in elliptic curves[J]. Compositio Mathematica, 2011,147(1): 75-104.
[35]	潘吴斌, 程光, 郭晓军 ,等. 网络加密流量识别研究综述及展望[J]. 通信学报, 2016,37(9): 154-167.
	PAN W B , CHENG G , GUO X J ,et al. Review and perspective on encrypted traffic identification research[J]. Journal on Communications, 2016,37(9): 154-167.
[36]	ZENG F , CHANG S , WU X C . Classification for DGA-based malicious domain names with deep learning architectures[J]. International Journal of Intelligent Information Systems, 2017,6(6): 67-71.

Metrics

Recommended 0

No Suggested Reading articles found!

指标	数值
捕获的TLS总数量/条	15 887
判断为恶意的TLS流量数量/条	13
确认为误报的TLS流量数量/条	12

指标	数值
捕获的TLS总数量/条	278
判断为恶意的TLS流量数量/条	269
确认为恶意的TLS流量数量/条	267
确认所产生的漏报数量/条	2

指标（均值）	数值
CPU执行时间/s	58.3
CPU占用率	24.9%
网络带宽消耗/MB	11.6
内存占用量/MB	52.1

Confirmation method for the detection of malicious encrypted traffic with data privacy protection

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 36

Related Articles 15

Metrics

Recommended 0

[1]	Qianyi DAI, Bin ZHANG, Song GUO, Kaiyong XU. Blockchain network layer anomaly traffic detection method based on multiple classifier integration [J]. Journal on Communications, 2023, 44(3): 66-80.
[2]	Zhibin FENG, Yuhua XU, Zhiyong DU, Xin LIU, Wen LI, Hao HAN, Xiaobo ZHANG. Active defense technology against intelligent jammer [J]. Journal on Communications, 2022, 43(10): 42-54.
[3]	Yanhui LU, Han LIU, Hang LI, Guangxu ZHU. Time series generation model based on multi-discriminator generative adversarial network [J]. Journal on Communications, 2022, 43(10): 167-176.
[4]	Kai MEI, Haitao ZHAO, Xiaoran LIU, Jun LIU, Jun XIONG, Baoquan REN, Jibo WEI. Efficient model-and-data based channel estimation algorithm [J]. Journal on Communications, 2022, 43(1): 59-70.
[5]	Changgen PENG, Ting GAO, Huilan LIU, Hongfa DING. PCA-based membership inference attack for machine learning models [J]. Journal on Communications, 2022, 43(1): 149-160.
[6]	Futai ZOU, Yue TAN, Lin WANG, Yongkang JIANG. Botnet detection based on generative adversarial network [J]. Journal on Communications, 2021, 42(7): 95-106.
[7]	Liu LIU, Jianhua ZHANG, Yuanyuan FAN, Li YU, Jiachi ZHANG. Survey of application of machine learning in wireless channel modeling [J]. Journal on Communications, 2021, 42(2): 134-153.
[8]	Yusun FU,Genke YANG. Application of artificial intelligence in mobile communication:challenge and practice [J]. Journal on Communications, 2020, 41(9): 190-201.
[9]	Tieming CHEN,Chengqiang JIN,Mingqi LYU,Tiantian ZHU. Intelligent detection method on network malicious traffic based on sample enhancement [J]. Journal on Communications, 2020, 41(6): 128-138.
[10]	Chunyu HAN,Yongzheng ZHANG,Yu ZHANG. Fast-flucos:malicious domain name detection method for Fast-flux based on DNS traffic [J]. Journal on Communications, 2020, 41(5): 37-47.
[11]	Xin ZHOU,Xiaoxin HE,Changwen ZHENG. Radio signal recognition based on image deep learning [J]. Journal on Communications, 2019, 40(7): 114-125.
[12]	Xuehui DU,Yangdong LIN,Yi SUN. Malicious PDF document detection based on mixed feature [J]. Journal on Communications, 2019, 40(2): 118-128.
[13]	Hongyu SUN,Yuan HE,Jice WANG,Ying DONG,Lipeng ZHU,He WANG,Yuqing ZHANG. Application of artificial intelligence technology in the field of security vulnerability [J]. Journal on Communications, 2018, 39(8): 1-17.
[14]	Yangchen HUANG,Yan JIA,Liang GAN,Jing XU,Jiuming HUANG,Zhonghe HE. Multi-factor person entity relation extraction model based on distant supervision [J]. Journal on Communications, 2018, 39(7): 103-112.
[15]	Yihan YU,Yu FU,Xiaoping WU. Stochastic gradient descent algorithm preserving differential privacy in MapReduce framework [J]. Journal on Communications, 2018, 39(1): 70-77.