1. School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, Jiangsu, China
2. College of Information Science and Technology, Nanjing Forestry University, Nanjing 210042, Jiangsu, China
Gaofeng He (born 1984), male, from Anqing, Anhui; Ph.D.; lecturer and master's supervisor at Nanjing University of Posts and Telecommunications. Main research interests: network anomaly detection and provably secure network defense.
Qianfeng Wei (born 1997), male, from Xuzhou, Jiangsu; master's student at Nanjing University of Posts and Telecommunications. Main research interest: network traffic anomaly detection.
Xiancai Xiao (born 1998), male, from Ganzhou, Jiangxi; master's student at Nanjing University of Posts and Telecommunications. Main research interest: encrypted network traffic analysis.
Haiting Zhu (born 1983), female, from Rugao, Jiangsu; Ph.D.; lecturer and master's supervisor at Nanjing University of Posts and Telecommunications. Main research interests: network management and network performance optimization.
Bingfeng Xu (born 1986), female, from Anqing, Anhui; Ph.D.; lecturer and master's supervisor at Nanjing Forestry University. Main research interest: network security threat modeling and assessment.
Online publication date: 2022-02
Print publication date: 2022-02-25
Gaofeng HE, Qianfeng WEI, Xiancai XIAO, et al. Confirmation method for the detection of malicious encrypted traffic with data privacy protection[J]. Journal on Communications, 2022, 43(2): 156-170. DOI: 10.11959/j.issn.1000-436x.2022034.
To address the problem that machine-learning-based detection of malicious encrypted traffic produces a large number of false positives, secure two-party computation was used to compare character segments between network traffic content and intrusion detection rules without revealing the data content. Based on the comparison results, an intrusion detection feature matching method was designed to match keywords precisely. To ensure that the proposed method executes as intended, a random verification strategy for user-terminal input was proposed, so that a malicious user terminal cannot easily participate in the secure two-party computation with arbitrary data in order to evade detection confirmation. The security and performance of the method were analyzed theoretically and verified by a combination of real deployment and simulation experiments. The experimental results show that the proposed method significantly improves detection performance with low resource consumption.
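As an added illustration, not code from the paper (whose protocol, segmentation and input-verification strategy are not reproduced on this page), the following Python sketch shows one standard way to realize the private character-segment comparison the abstract describes: a Diffie-Hellman-style private set intersection over overlapping 4-byte segments, after which the detector learns only which rule segments occur in the terminal's plaintext, and a keyword is confirmed when all of its segments are present; the terminal learns nothing about the rules. The segment length, the rule keywords, the sample payload and the Mersenne-prime modulus are constructed assumptions for the example.

```python
import hashlib
import secrets
from typing import Dict, List, Set

# Illustrative modulus only: the Mersenne prime 2^521 - 1. Its multiplicative
# group has many small subgroups, so a deployment should use a standard
# safe-prime group (e.g., an RFC 3526 MODP group) or an elliptic curve instead.
P = (1 << 521) - 1
N = 4  # segment length; an assumption, the paper's segmentation is not on this page


def segments(data: bytes, n: int = N) -> Set[bytes]:
    """Overlapping n-byte segments; a keyword matches only if all of them occur."""
    if len(data) < n:
        return {data}
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def hash_to_group(seg: bytes) -> int:
    """Map a segment to a group element (SHA-256 output is already < P)."""
    return int.from_bytes(hashlib.sha256(seg).digest(), "big") % P


def random_secret() -> int:
    return 2 + secrets.randbelow(P - 3)


class UserTerminal:
    """Holds the decrypted flow content; never sees the detector's rules."""

    def __init__(self, payload: bytes):
        self.a = random_secret()
        self.payload = payload

    def blinded_segments(self) -> List[int]:
        elems = [pow(hash_to_group(s), self.a, P) for s in segments(self.payload)]
        secrets.SystemRandom().shuffle(elems)  # hide segment positions from the detector
        return elems

    def blind_for_detector(self, elems: List[int]) -> List[int]:
        # Order is preserved so the detector can map results back to its own segments.
        return [pow(e, self.a, P) for e in elems]


class Detector:
    """Holds intrusion detection keywords; learns only which rule segments matched."""

    def __init__(self, rules: Dict[str, bytes]):
        self.b = random_secret()
        self.rule_segs = {name: segments(kw) for name, kw in rules.items()}
        self.ordered = sorted({s for segs in self.rule_segs.values() for s in segs})

    def blinded_rule_segments(self) -> List[int]:
        return [pow(hash_to_group(s), self.b, P) for s in self.ordered]

    def confirm(self, terminal_elems: List[int], doubly_blinded_rules: List[int]) -> Dict[str, bool]:
        # (H(s)^a)^b == (H(r)^b)^a exactly when s == r, so intersect the two sets.
        traffic = {pow(e, self.b, P) for e in terminal_elems}
        matched = {seg for seg, db in zip(self.ordered, doubly_blinded_rules) if db in traffic}
        return {name: segs <= matched for name, segs in self.rule_segs.items()}


def run_confirmation(payload: bytes, rules: Dict[str, bytes]) -> Dict[str, bool]:
    """The two-message exchange, with both parties simulated in-process."""
    term = UserTerminal(payload)
    det = Detector(rules)
    m1 = det.blinded_rule_segments()            # detector -> terminal
    m2_rules = term.blind_for_detector(m1)      # terminal -> detector
    m2_traffic = term.blinded_segments()        # terminal -> detector
    return det.confirm(m2_traffic, m2_rules)


if __name__ == "__main__":
    # Constructed sample rules and payload, not from the paper's data set.
    sample_rules = {"cmd_exec": b"cmd.exe /c", "ps_encoded": b"-EncodedCommand"}
    sample_payload = b"GET /x HTTP/1.1\r\n\r\ncmd.exe /c whoami"
    print(run_confirmation(sample_payload, sample_rules))
```

Because the detector only ever sees the terminal's segments under the terminal's secret exponent, and the terminal only sees rule segments under the detector's exponent, neither side can read the other's input from the exchanged messages; a terminal that substitutes arbitrary data, the case the abstract's random verification strategy addresses, is not prevented by this sketch alone.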