Journal on Communications ›› 2016, Vol. 37 ›› Issue (9): 154-167. doi: 10.11959/j.issn.1000-436x.2016187
• Comprehensive Reviews •
Wu-bin PAN1,2, Guang CHENG1,2, Xiao-jun GUO1,2, Shun-xiang HUANG1,2
Online: 2016-09-25
Published: 2016-09-28
Wu-bin PAN, Guang CHENG, Xiao-jun GUO, Shun-xiang HUANG. Review and perspective on encrypted traffic identification research[J]. Journal on Communications, 2016, 37(9): 154-167.

Method | Inspected content | Cost | Identification speed | Real-time capability | Identification granularity | Accuracy | Unidentified rate | Compatibility | Robustness |
Payload randomness | Partial payload | ★★★★★ | ★★☆☆☆ | ★☆☆☆☆ | ★★★☆☆ | ★★☆☆☆ | ★★☆☆☆ | ★★★★☆ | ★★☆☆☆ |
Payload | Payload | ★★★★★ | ★★☆☆☆ | ★☆☆☆☆ | ★★★☆☆ | ★★★★★ | ★★☆☆☆ | ★★★★☆ | ★★★☆☆ |
Machine learning | Flow statistical features | ★★☆☆☆ | ★★★★★ | ★★★★☆ | ★★★★★ | ★★★★☆ | ★★★★☆ | ★★☆☆☆ | ★★☆☆☆ |
Behavior | Host behavior | ★★★☆☆ | ★★★★☆ | ★★★☆☆ | ★★★★☆ | ★★★☆☆ | ★★★☆☆ | ★★☆☆☆ | ★★★☆☆ |
Packet size | Packet size | ★★☆☆☆ | ★★★★★ | ★★★★☆ | ★★★★☆ | ★★★★☆ | ★★★☆☆ | ★★★☆☆ | ★★★☆☆ |
Hybrid method | Multiple features | ★★★☆☆ | ★★★☆☆ | ★★★☆☆ | ★★★★★ | ★★★★★ | ★★★★☆ | ★★★★☆ | ★★★★☆ |

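Instance | Identification target | Features | Identification method | Algorithm | Dataset | Labeling |
Ref. [ | SSL & non-SSL, applications over SSL | Packet size | Machine learning | GMM-based clustering | P6-2004, 2006, UMass | Known |
Ref. [ | Encrypted vs. unencrypted, different encryption algorithms | Character randomness | Payload randomness | Entropy matrix estimation | Campus | Signature |
Ref. [ | Skype and applications over the Skype protocol | Signature | Payload | Signature, machine learning | Campus, ISP | Known |
Ref. [ | Applications over SSL | Fingerprint | Hybrid method | Fingerprint, HMM | Private | Signature |
Ref. [ | SSH & non-SSH, Skype & non-Skype | Packet header features, flow features | Machine learning | C4.5, AdaBoost, GP | MAWI, DARPA99 | Port, Packet Shaper |
Ref. [ | Edonkey, MSN, SSH, etc. | Behavioral features | Host behavior | Heuristic algorithm | GN, UN1,2 | Signature |
Ref. [ | HTTPS, Tor, Oscar, etc. | Signature, flow features | Hybrid method | Matching algorithm, NB | DARPA, private | Known |
Ref. [ | P2P, VoIP | Packet size | Packet size distribution | Rényi cross entropy | CERNET | Manual labeling |
Ref. [ | SSH, SSL and unencrypted applications | Flow features | Machine learning | Improved k-means | Campus, public | L7-filter, port |
Ref. [ | Applications over SSH | Packet size, direction | Machine learning | GMM, SVM | Private | SSHgate |
Ref. [ | BitTorrent and unencrypted applications | Flow features | Machine learning | Hybrid of k-means and KNN | Private | Cisco SCE 2020 box |
Ref. [ | SSH, HTTPS and unencrypted applications | Packet size, inter-arrival time, direction | Machine learning | Profile HMM | GMU | Port |
Ref. [ | SSH and unencrypted applications | Behavioral features | Host behavior | Graph theory | LBL, GMU | Port |
Ref. [ | Skype | Fingerprint, flow features | Hybrid method | Chi-Square, NB | Campus, ISP | Known |
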
[1] | ROUGHAN M , SEN S , SPATSCHECK O ,et al. Class-of-service mapping for QoS:a statistical signature-based approach to IP traffic classification[C]// The 4th ACM SIGCOMM Conference on Internet measurement. ACM, 2004: 135-148. |
[2] | DINGLEDINE R , MATHEWSON N , SYVERSON P . Tor:the second-generation onion router[R]. Naval Research Lab Washington DC, 2004. |
[3] | GOMES J V , INÁCIO P R M , PEREIRA M ,et al. Detection and classification of peer-to-peer traffic:a survey[J]. ACM Computing Surveys (CSUR), 2013,45(3):30. |
[4] | GILL P , ARLITT M , LI Z ,et al. Youtube traffic characterization:a view from the edge[C]// The 7th ACM SIGCOMM Conference on Internet Measurement. ACM, 2007: 15-28. |
[5] | ZHANG X B , LAM S S , LEE D Y ,et al. Protocol design for scalable and reliable group rekeying[J]. IEEE/ACM Transactions on Networking, 2003,11(6): 908-922. |
[6] | BARRY S . Google starts giving a ranking boost to secure HTTPS/SSL sites[EB/OL]. . 2015. |
[7] | NGUYEN T T T , ARMITAGE G . A survey of techniques for internet traffic classification using machine learning[J]. Communications Surveys & Tutorials,IEEE, 2008,10(4): 56-76. |
[8] | NAMDEV N , AGRAWAL S , SILKARI S . Recent advancement in machine learning based internet traffic classification[J]. Procedia Computer Science, 2015,60: 784-791. |
[9] | DAINOTTI A , PESCAPE A , CLAFFY K C . Issues and future directions in traffic classification[J]. Network,IEEE, 2012,26(1): 35-40. |
[10] | BUJLOW T , CARELA-ESPAÑOL V , BARLET-ROS P . Independent comparison of popular DPI tools for traffic classification[J]. Computer Networks, 2015,76: 75-89. |
[11] | WRIGHT C V , COULL S E , MONROSE F . Traffic morphing:an efficient defense against statistical traffic analysis[C]// NDSS. 2009: 237-250. |
[12] | VELAN P , ČERMÁK M , ČELEDA P ,et al. A survey of methods for encrypted traffic classification and analysis[J]. International Journal of Network Management, 2015,25(5): 355-374. |
[13] | PARK B , HONG J W K , WON Y J . Toward fine-grained traffic classification[J]. Communications Magazine,IEEE, 2011,49(7): 104-111. |
[14] | BERNAILLE L , TEIXEIRA R , AKODKENOU I ,et al. Traffic classification on the fly[J]. ACM SIGCOMM Computer Communication Review, 2006,36(2): 23-26. |
[15] | FADLULLAH Z M , TALEB T , VASILAKOS A V ,et al. DTRAB:combating against attacks on encrypted protocols through traffic-feature analysis[J]. IEEE/ACM Transactions on Networking (TON), 2010,18(4): 1234-1247. |
[16] | GU G , ZHANG J , LEE W . BotSniffer:detecting botnet command and control channels in network traffic[C]// Network and Distributed System Security Symposium. 2008. |
[17] | TANKARD C . Advanced persistent threats and how to monitor and deter them[J]. Network Security, 2011,2011(8): 16-19. |
[18] | CAO Z , XIONG G , ZHAO Y ,et al. A survey on encrypted traffic classification[M]// Applications and Techniques in Information Security. Springer Berlin Heidelberg, 2014: 73-81. |
[19] | GRIMAUDO L , MELLIA M , BARALIS E . Hierarchical learning for fine grained internet traffic classification[C]// Wireless Communications and Mobile Computing Conference (IWCMC). IEEE, 2012: 463-468. |
[20] | ROSSI D , VALENTI S . Fine-grained traffic classification with netflow data[C]// The 6th International Wireless Communications and Mobile Computing Conference. ACM, 2010: 479-483. |
[21] | DORFINGER P , PANHOLZER G , JOHN W . Entropy estimation for real-time encrypted traffic identification (short paper)[M]. Springer Berlin Heidelberg, 2011. |
[22] | BELLOVIN S M , MERRITT M . Cryptographic protocol for secure communications:U.S.Patent 5,241,599[P]. 1993-831. |
[23] | FAHAD A , TARI Z , KHALIL I ,et al. Toward an efficient and scalable feature selection approach for internet traffic classification[J]. Computer Networks, 2013,57(9): 2040-2057. |
[24] | Kent security architecture for the internet protocol, . 2015. |
[25] | YILDIRIM T , RADCLIFFE P J . VoIP traffic classification in IPSec tunnels[C]// Electronics and Information Engineering (ICEIE). IEEE, 2010,1:V1-151-V1-157. |
[26] | DIERKS T . The transport layer security (TLS) protocol version 1.2[EB/OL]. , 2015. |
[27] | BERNAILLE L , TEIXEIRA R . Early recognition of encrypted applications[M]// Passive and Active Network Measurement. Springer Berlin Heidelberg, 2007: 165-175. |
[28] | YLONEN T . The secure shell (SSH) transport layer protocol[EB/OL]. , 2015. |
[29] | MAIOLINI G , BAIOCCHI A , IACOVAZZI A ,et al. Real time identification of SSH encrypted application flows by using cluster analysis techniques[C]// NETWORKING 2009. Springer Berlin Heidelberg, 2009: 182-194. |
[30] | MADHUKAR A , WILLIAMSON C . A longitudinal study of P2P traffic classification[C]// Modeling,Analysis,and Simulation of Computer and Telecommunication Systems,MASCOTS 2006. IEEE, 2006: 179-188. |
[31] | LE T M , BUT J . Bittorrent traffic classification[R]. Centre for Advanced Internet Architectures.Technical Report A,91022. |
[32] | ADAMI D , CALLEGARI C , GIORDANO S ,et al. Skype‐hunter:a real‐time system for the detection and classification of Skype traffic[J]. International Journal of Communication Systems, 2012,25(3): 386-403. |
[33] | VALENTI S , ROSSI D , MEO M ,et al. Accurate,fine-grained classification of P2P-TV applications by simply counting packets[M]// Traffic Monitoring and Analysis. Springer Berlin Heidelberg, 2009: 84-92. |
[34] | BERMOLEN P , MELLIA M , MEO M ,et al. Abacus:accurate behavioral classification of P2P-TV traffic[J]. Computer Networks, 2011,55(6): 1394-1411. |
[35] | NYCHIS G , SEKAR V , ANDERSEN D G ,et al. An empirical evaluation of entropy-based traffic anomaly detection[C]// The 8th ACM SIGCOMM Conference on Internet Measurement. ACM, 2008: 151-156. |
[36] | LAKHINA A , CROVELLA M , DIOT C . Mining anomalies using traffic feature distributions[J]. ACM SIGCOMM Computer Communication Review, 2005,35(4): 217-228. |
[37] | SOULE A , SALAMATIAN K , TAFT N . Combining filtering and statistical methods for anomaly detection[C]// The 5th ACM SIGCOMM Conference on Internet Measurement. USENIX Association, 2005:31. |
[38] | KHAKPOUR A R , LIU A X . An information-theoretical approach to high-speed flow nature identification[J]. IEEE/ACM Transactions on Networking (TON), 2013,21(4): 1076-1089. |
[39] | CALLADO A , KAMIENSKI C , SZABÓ G ,et al. A survey on internet traffic identification[J]. Communications Surveys & Tutorials,IEEE, 2009,11(3): 37-52. |
[40] | KIM H , CLAFFY K C , FOMENKOV M ,et al. Internet traffic classification demystified:myths,caveats,and the best practices[C]// Proceedings of the 2008 ACM CoNEXT Conference. ACM, 2008:11. |
[41] | FINSTERBUSCH M , RICHTER C , ROCHA E ,et al. A survey of payload-based traffic classification approaches[J]. Communications Surveys & Tutorials,IEEE, 2014,16(2): 1135-1156. |
[42] | BONFIGLIO D , MELLIA M , MEO M ,et al. Revealing skype traffic:when randomness plays with you[J]. ACM SIGCOMM Computer Communication Review, 2007,37(4): 37-48. |
[43] | KORCZYNSKI M , DUDA A . Markov chain fingerprinting to classify encrypted traffic[C]// INFOCOM,2014 Proceedings IEEE. IEEE, 2014: 781-789. |
[44] | ZHAO B , GUO H , LIU Q R ,et al. Protocol independent identification of encrypted traffic based on weighted cumulative sum test[J]. Journal of Software, 2013,24(6): 1334-1345. |
[45] | MOORE A W , ZUEV D . Internet traffic classification using bayesian analysis techniques[J]. ACM SIGMETRICS Performance Evaluation Review, 2005,33(1): 50-60. |
[46] | OKADA Y , ATA S , NAKAMURA N ,et al. Comparisons of machine learning algorithms for application identification of encrypted traffic[C]// Machine Learning and Applications and Workshops (ICMLA). IEEE, 2011: 358-361. |
[47] | ALSHAMMARI R , ZINCIR-HEYWOOD A N . Can encrypted traffic be identified without port numbers,IP addresses and payload inspection?[J]. Computer Networks, 2011,55(6): 1326-1350. |
[48] | KORCZYŃSKI M , DUDA A . Classifying service flows in the encrypted Skype traffic[C]// Communications (ICC),2012 IEEE International. IEEE, 2012: 1064-1068. |
[49] | ERMAN J , MAHANTI A , ARLITT M ,et al. Semi-supervised network traffic classification[J]. ACM SIGMETRICS Performance Evaluation Review, 2007,35(1): 369-370. |
[50] | XIE G , ILIOFOTOU M , KERALAPURA R ,et al. SubFlow:towards practical flow-level traffic classification[C]// INFOCOM,2012 Proceedings IEEE. IEEE, 2012: 2541-2545. |
[51] | HE G , YANG M , LUO J ,et al. A novel application classification attack against Tor[J].Concurrency and Computation:Practice and Experience, 2015:27. |
[52] | KARAGIANNIS T , PAPAGIANNAKI K , FALOUTSOS M . BLINC:multilevel traffic classification in the dark[J]. ACM SIGCOMM Computer Communication Review, 2005,35(4): 229-240. |
[53] | LI B , MA M , JIN Z . A VoIP traffic identification scheme based on host and flow behavior analysis[J]. Journal of Network and Systems Management, 2011,19(1): 111-129. |
[54] | HURLEY J , GARCIA-PALACIOS E , SEZER S . Host-based P2P flow identification and use in real-time[J]. ACM Transactions on the Web (TWEB), 2011,5(2):7. |
[55] | SCHATZMANN D , MÜHLBAUER W , SPYROPOULOS T ,et al. Digging into HTTPS:flow-based classification of webmail traffic[C]// The 10th ACM SIGCOMM Conference on Internet Measurement. ACM, 2010: 322-327. |
[56] | BERMOLEN P , MELLIA M , MEO M ,et al. Abacus:accurate behavioral classification of P2P-TV traffic[J]. Computer Networks, 2011,55(6): 1394-1411. |
[57] | XIONG G , HUANG W , ZHAO Y ,et al. Real-time detection of encrypted thunder traffic based on trustworthy behavior association[M]// Trustworthy Computing and Services. Springer Berlin Heidelberg, 2013: 132-139. |
[58] | QIN T , WANG L , LIU Z ,et al. Robust application identification methods for P2P and VoIP traffic classification in backbone networks[J]. Knowledge-Based Systems, 2015,82: 152-162. |
[59] | SUN G L , XUE Y , DONG Y ,et al. An novel hybrid method for effectively classifying encrypted traffic[C]// Global Telecommunications Conference (GLOBECOM 2010),2010 IEEE. IEEE, 2010: 1-5. |
[60] | HE J , YANG Y , QIAO Y ,et al. Fine-grained P2P traffic classification by simply counting flows[J]. Frontiers of Information Technology &Electronic Engineering, 2015,16: 391-403. |
[61] | CALLADO A , KELNER J , SADOK D ,et al. Better network traffic identification through the independent combination of techniques[J]. Journal of Network and Computer Applications, 2010,33(4): 433-446. |
[62] | ALSHAMMARI R , ZINCIR-HEYWOOD A N . A preliminary performance comparison of two feature sets for encrypted traffic classification[C]// The International Workshop on Computational Intelligence in Security for Information Systems CISIS’08. Springer Berlin Heidelberg, 2009: 203-210. |
[63] | PAN W B , CHENG G , GUO X J ,et al. An embedded feature selection using selective ensemble for network traffic[J]. Chinese Journal of Computers, 2014,37(10): 2128-2138. |
[64] | ZHANG M , ZHANG H , ZHANG B ,et al. Encrypted traffic classification based on an improved clustering algorithm[M]// Trustworthy Computing and Services. Springer Berlin Heidelberg, 2013: 124-131. |
[65] | DUSI M , ESTE A , GRINGOLI F ,et al. Using GMM and SVM-based techniques for the classification of SSH-encrypted traffic[C]// Communications,2009.ICC'09,IEEE International Conference. IEEE, 2009: 1-6. |
[66] | BAR-YANAI R , LANGBERG M , PELEG D ,et al. Realtime classification for encrypted traffic[M]// Experimental Algorithms. Springer Berlin Heidelberg, 2010: 373-385. |
[67] | WRIGHT C V , MONROSE F , MASSON G M . On inferring application protocol behaviors in encrypted network traffic[J]. The Journal of Machine Learning Research, 2006,7: 2745-2769. |
[68] | WRIGHT C V , MONROSE F , MASSON G M . Using visual motifs to classify encrypted traffic[C]// The 3rd International Workshop on Visualization for Computer Security. ACM, 2006: 41-50. |
[69] | BONFIGLIO D , MELLIA M , MEO M ,et al. Revealing skype traffic:when randomness plays with you[J]. ACM SIGCOMM Computer Communication Review, 2007,37(4): 37-48. |
[70] | WRIGHT C V , COULL S E , MONROSE F . Traffic morphing:an efficient defense against statistical traffic analysis[C]// NDSS. 2009. |
[71] | HE G F , YANG M , LUO J Z ,et al. Online identification of Tor anonymous communication traffic[J]. Journal of Software, 2013,24(3): 540-556. |
[72] | SHEN Y , LIU Y , QIAO N ,et al. QoE-based evaluation model on video streaming service quality[C]// Globecom Workshops,2012 IEEE. IEEE, 2012: 1314-1318. |
[73] | DERI L , MARTINELLI M , BUJLOW T ,et al. nDPI:open-source high-speed deep packet inspection[C]// Wireless Communications and Mobile Computing Conference (IWCMC). IEEE, 2014: 617-622. |
[74] | ALCOCK S , NELSON R . Libprotoident:traffic classification using lightweight packet inspection[R]. WAND Network Research Group,Tech Rep, 2012. |
[75] | CARELA-ESPAÑOL V , BUJLOW T , BARLET-ROS P . Is our ground-truth for traffic classification reliable[C]// Passive and Active Measurement.Springer International Publishing. 2014: 98-108. |
[76] | GRINGOLI F , SALGARELLI L , DUSI M ,et al. Gt:picking up the truth from the ground for internet traffic[J]. ACM SIGCOMM Computer Communication Review, 2009,39(5): 12-18. |
[77] | QU B , ZHANG Z , ZHU X ,et al. An empirical study of morphing on behavior‐based network traffic classification[J]. Security and Communication Networks, 2015,8(1): 68-79. |
[78] | RAAHEMI B , ZHONG W , LIU J . Peer-to-peer traffic identification by mining IP layer data streams using concept-adapting very fast decision tree[C]// Tools with Artificial Intelligence,2008.ICTAI'08.20th IEEE International. IEEE, 2008,1: 525-532. |
[79] | ZHANG H , LU G , QASSRAWI M T ,et al. Feature selection for optimizing traffic classification[J]. Computer Communications, 2012,35(12): 1457-1471. |