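1. School of Computer Science and Engineering, Southeast University, Nanjing, Jiangsu 210096
2. Key Laboratory of Computer Network and Information Integration (Ministry of Education), Southeast University, Nanjing, Jiangsu 210096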
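PAN Wu-bin (1987-), male, born in Suzhou, Jiangsu, is a Ph.D. student at Southeast University. His main research interests are network security, network measurement and traffic classification.
CHENG Guang (1973-), male, born in Huangshan, Anhui, is a professor and doctoral supervisor at Southeast University. His main research interests are network security, network measurement and behavior, and future network security.
GUO Xiao-jun (1983-), male, born in Changzhi, Shanxi, is a Ph.D. student at Southeast University. His main research interests are network security, network measurement and network management.
HUANG Shun-xiang (1991-), male, born in Changsha, Hunan, is a master's student at Southeast University. His main research interests are network security, network measurement and traffic classification.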
Online publication date: 2016-09
Print publication date: 2016-09-25
Wu-bin PAN, Guang CHENG, Xiao-jun GUO, et al. Review and perspective on encrypted traffic identification research[J]. Journal on communications, 2016, 37(9): 154-167. DOI: 10.11959/j.issn.1000-436x.2016187.
Given the importance of encrypted traffic identification and the existing body of research, this survey first introduces the types of encrypted traffic identification according to the level of traffic-analysis demand, such as protocols, applications and services. Second, existing encrypted traffic identification techniques are summarized and compared from multiple perspectives. Third, the deficiencies of existing research and the factors that affect current encrypted traffic identification are summarized, such as tunneling, traffic camouflage techniques, and the new protocols HTTP/2.0 and QUIC. Finally, trends and future research directions in encrypted traffic identification are discussed.