Similar literature
Found 20 similar documents; search took 31 ms
1.
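As the Internet security situation grows increasingly severe, a growing share of services is carried over encrypted traffic, and supervising encrypted traffic has become a challenge. To address the difficulty of supervising encrypted traffic, an encrypted traffic behavior analysis system is proposed. Based on the traffic characteristics of encrypted services and using machine learning algorithms, the system analyzes traffic behavior without decrypting network traffic, achieves identification and classification of encrypted traffic, and was evaluated in experimental tests. The test results show that the system can discover attack behavior, malicious behavior and illegal encryption behavior hidden in encrypted traffic, which is of great significance for security personnel in understanding the network security posture and discovering network anomalies.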

2.
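Network traffic detection is the main means of achieving overall network security situational awareness. By collecting data such as network traffic, vulnerabilities, security events and threat intelligence, and using big data and machine learning techniques, it analyzes the current state and trends of the whole network as shaped by factors such as network behavior and user behavior, and predicts how the network security state will develop. With the wide application of cryptographic techniques, there is more and more encrypted traffic in networks, such as HTTPS and VPN traffic. Because encryption destroys the statistical characteristics and data formats of plaintext data, general traffic detection methods can hardly detect encrypted traffic effectively. Based on the randomness of encryption, network context and so on, and combining artificial intelligence techniques and machine learning methods, a framework, methods and key technologies for detecting encrypted network traffic are studied and designed, which provides strong guidance for the detection of encrypted traffic.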

3.
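Research progress on active network flow watermarking techniques   Total citations: 1, self-citations: 0, citations by others: 1
For tasks such as confirming the relationship between communicating parties in anonymous networks, tracing botnet controllers, and discovering intermediate stepping-stone hosts, traditional intrusion detection and flow correlation techniques centered on passive traffic analysis have obvious drawbacks: high space overhead, poor real-time performance, low identification rates, limited flexibility, and difficulty coping with encrypted traffic. Active network flow watermark (ANFW) techniques, which combine active network traffic analysis with the idea of digital watermarking, can effectively overcome the shortcomings of traditional passive traffic analysis and have attracted wide attention from researchers in China and abroad. The paper first describes the general model of the ANFW mechanism and summarizes the classification of ANFW techniques and the role relationships involved; it then reviews in detail a variety of typical ANFW techniques proposed in recent years, based on different network flow features, and gives a comparative summary; finally, it outlines the current state of security threats to ANFW techniques themselves and the corresponding countermeasures, and looks ahead to future research directions.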

4.
罗丞  叶猛 《电视技术》2012,36(3):62-65
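Traditional application-layer protocol identification methods all try to raise the identification rate by improving the matching algorithm. As P2P protocols evolve, however, their features are becoming multidimensional, and algorithm complexity rises accordingly. In view of this, after analyzing and extracting the multidimensional features of P2P traffic, the principal component analysis (PCA) algorithm is used to reduce the dimensionality of the extracted features, and experiments demonstrate the feasibility and effectiveness of the method for network traffic identification.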

5.
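Based on flow statistical features of deterministically sampled packet sequences, such as position, direction, packet length, continuity and ordering, and on typical packet-length statistical signatures, combined with an enhanced DPI with packet position and direction constraints and half-flow association actions, a hypothesis-testing-based statistical decision model for identifying encrypted traffic applications is proposed, comprising a packet-length statistical signature decision model and a DFI decision model. The corresponding packet-length statistical signature matching algorithm and an encrypted traffic application identification algorithm based on a hybrid DPI and DFI method are also given. Experimental results show that the method successfully captures the distinctive statistical traffic behavior of encrypted applications in the flow coordinate space, while achieving very high precision, recall and overall accuracy for encrypted identification and very low false positive rates for encrypted identification and overall.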

6.
As an essential function of encrypted Internet traffic analysis, encrypted traffic service classification can support both coarse-grained network service traffic management and security supervision. However, the traditional plaintext-based Deep Packet Inspection (DPI) method cannot be applied to such a classification. Moreover, existing machine learning-based methods encounter two problems during feature selection: complex feature overcost processing and Transport Layer Security (TLS) version discrepancy. In this paper, we consider differences between encryption network protocol stacks and propose a composite deep learning-based method in multiprotocol environments using a sliding multiple Protocol Data Unit (multiPDU) length sequence as features by fully utilizing the Markov property in a multiPDU length sequence and maintaining suitability with a TLS-1.3 environment. Control experiments show that both the Length-Sensitive (LS) composite deep learning model using a capsule neural network and LS-long short-term memory achieve satisfactory effectiveness in F1-score and performance. Owing to faster feature extraction, our method is suitable for actual network environments and superior to state-of-the-art methods.

7.
To alleviate the traffic pressure on roads, reduce the appearance of road congestion, and avoid the occurrence of traffic accidents, a privacy-preserving intelligent monitoring (PPIM) scheme based on intelligent traffic was proposed in combination with the safe and k-nearest neighbor (KNN) algorithm. To ensure the security of traffic data, the data content was randomly divided into independent parts via the secure multi-party computing strategy, and the data components were stored and encrypted separately by non-colluding multi-servers. To improve the accuracy of road condition monitoring, an improved KNN traffic monitoring algorithm was proposed. By virtue of the similarity calculation of data, the correlation value to measure the degree of traffic condition relationship between roads was obtained, and it was integrated with the KNN as the weight coefficient. To speed up the processing of dense data, a series of data security computing protocols were designed, and the data security processing was realized. In addition, real traffic data were used to verify the algorithm. The results show that the improved KNN algorithm helps to improve the accuracy of traffic monitoring. The analysis shows that the algorithm can not only guarantee the safety of data but also improve the accuracy of traffic monitoring.

8.
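To address the problem that existing methods for extracting application-layer payload features in network traffic identification are sensitive to changes in byte values in the training data, a new application-layer payload feature for network traffic is first defined, with the bit as the smallest feature unit, and a corresponding automatic extraction method is then designed. Experiments on three commonly used standard protocols show that the automatic extraction method obtains payload features quickly and that identification with these features is highly accurate. Experiments on the proprietary QQ application protocol show that network traffic identification using the extracted payload features meets the requirements for identifying QQ traffic in real networks.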

9.
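Current protocol identification techniques are mainly based on port mapping or static packet signature matching. As network protocols evolve, some new protocols communicate over dynamic ports or have no obvious static packet signatures, and some protocols use encryption. This causes the accuracy of traditional identification techniques to drop sharply. To address the limitations of traditional protocol identification techniques, a protocol identification technique based on the Hidden Markov Model (HMM) is proposed. It is an identification method based on statistical properties, and it uses features that are insensitive to encryption, such as packet size and arrival time, to identify protocols. Experimental results show that, compared with traditional identification techniques, it effectively improves the accuracy of protocol identification and can be used for protocol identification under encryption.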

10.
顾玥  李丹  高凯辉 《电信科学》2021,37(3):105-113
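With the continuous development of Internet technology and the continuous growth of network scale, application categories are numerous and complex, and new applications keep emerging. To guarantee users' quality of service (QoS) and ensure network security, accurate and fast traffic classification is a problem that operators and network administrators urgently need to solve. The paper first gives the problem definition and performance metrics of network traffic classification; it then introduces traffic classification methods based on machine learning and on deep learning, analyzes their advantages and disadvantages, and describes the open problems; next, it reviews and analyzes related work around three problems encountered when deploying traffic classification online (the dataset problem, the new-application identification problem, and the deployment overhead problem) and further discusses the challenges that network traffic classification research currently faces; finally, it looks ahead to future research directions in network traffic classification.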

11.
李锐  张治中 《电信科学》2014,30(9):72-79
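In order to identify user traffic and analyze user behavior in TD-SCDMA networks, the signaling-plane and service-plane protocols of the Iu-PS interface are studied, and a scheme for correlating signaling-plane and service-plane protocols is designed. To address the insufficient data processing efficiency of traditional signaling monitoring systems and service monitoring systems, and their inability to correlate signaling-plane data with service-plane data, an enhanced hash algorithm and timeout handling are used to design a protocol correlation scheme, based on key-field correlation, that merges signaling-plane call detail records (CDR) with service-plane call detail records. The scheme improves data processing efficiency and achieves effective correlation of signaling-plane and service-plane data, laying a foundation for later traffic identification and user behavior analysis. Tests on live network data verify the correctness and feasibility of the protocol correlation scheme, which is worth promoting in the field of mobile Internet traffic analysis.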

12.
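Research on network traffic identification methods   Total citations: 5, self-citations: 0, citations by others: 5
With the development of P2P and multimedia traffic, existing traffic identification methods increasingly show their shortcomings. Identifying this traffic requires methods with higher identification efficiency. The paper proposes a hybrid traffic identification method that combines signature identification with session behavior mapping to identify traffic precisely. It then gives a flowchart of the identification process and explains the process. Packets are identified by priority-based signature identification in order to improve efficiency. In experiments, traffic from four applications, Monkey3, eDonkey2000, MSN messenger and BitTorrent, was selected, and the identification results for the individual traffic types and for mixed traffic were compared. The experimental results show that the method achieves a higher identification rate on mixed traffic than on individual traffic.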

13.
陈伟  于乐  杨庚 《中国通信》2012,9(10):49-59
In this paper, we propose a novel method to detect encrypted botnet traffic. During the traffic preprocessing stage, the proposed payload extraction method can identify a large amount of encrypted application traffic. It can filter out a large amount of non-malicious traffic, greatly improving the detection efficiency. A Sequential Probability Ratio Test (SPRT)-based method can find spatial-temporal correlations in suspicious botnet traffic and make an accurate judgment. Experimental results show that the false positive and false negative rates can be controlled within a certain range.

14.
In mobile distributed applications, such as traffic alert dissemination, dynamic route planning, file sharing, and so on, vehicular ad hoc network (VANET) has emerged as a feasible solution in recent years. However, the performance of the VANET depends on the routing protocol in accord with the delay and throughput requirements. Many of the routing protocols have been extensively studied in the literature. Although there are exemptions, they escalate research challenges in traffic aware routing (TAR) protocol of VANET. This paper introduces the fractional glowworm swarm optimization (FGWSO) for the TAR protocol of VANET in an urban scenario that can identify the optimal path for the vehicle with less traffic density and delay time. The proposed FGWSO searches the optimal routing path based on the fitness function formulated in this paper. Fractional glowworm swarm optimization is the combination of the GWSO and fractional theory. Moreover, exponential weighted moving average is utilized to predict the traffic density and the speed of the vehicle, which is utilized as the major constraints in the fitness function of the optimization algorithm to find the optimal traffic aware path. Simulation of FGWSO shows the significant improvement with a minimal end-to-end delay of 6.6395 seconds and distance of 17.3962 m, respectively, in comparison with the other existing routing approaches. The simulation also validates the optimality of the proposed TAR protocol.

15.
陈雪娇  王攀  刘世栋 《电信科学》2015,31(12):83-89
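Through an in-depth study of the causes of class imbalance in network traffic, the SMOTE (synthetic minority over-sampling technique) over-sampling method is chosen to preprocess the dataset, and the high accuracy of signature matching is fully exploited to identify and sort out SSL encrypted flows. A clustering method based on mutual information maximization and an SVM classification method are then used to further identify SSL encrypted applications. This hybrid method effectively combines the advantages of static signature matching and machine learning methods, striking a balance between accuracy and identification speed for the classification method.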

16.
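In operating their networks, cable broadband operators can see their services severely affected, or even suffer losses, because of irregular use of application traffic. The paper discusses introducing application traffic management technology into cable broadband networks, using it to intelligently identify, classify and control application traffic in order to manage network traffic and further improve the utilization of bandwidth resources.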

17.
To resolve the difficulty in accurately measuring the length of the video initial buffering queue, two video platforms, non-encrypted Youku and encrypted YouTube, were selected for research, and a video initial buffer queue length measurement method was proposed. By identifying and analyzing the characteristics of video traffic, correlating the traffic behavior with the playing state, and constructing a video fingerprint database, accurate measurement of queue length was realized. The experimental results show that the measurement results of the two types could be accurate to the frame, fully meeting the need to accurately evaluate the quality of the video experience.

18.
Aiming at the problem that a large number of unknown protocols exist in the Internet, which makes it very difficult to manage and maintain network security, a classification and identification method for unknown protocols was proposed. Combining autoencoder technology with improved K-means clustering technology, unknown protocols in network traffic were classified and identified. The autoencoder was used to reduce dimensionality and select features of network traffic, clustering technology was used to classify the dimensionality-reduced data in an unsupervised manner, and finally unsupervised recognition and classification of network traffic were realized. Experimental results show that the classification effect is better than the traditional K-means, DBSCAN, and GMM algorithms, and has higher efficiency.

19.
杜敏  陈兴蜀  谭骏 《中国通信》2013,10(2):89-97
Internet traffic classification plays an important role in network management. Many approaches have been proposed to classify different categories of Internet traffic. However, these approaches have specific usage contexts that restrict their ability when they are applied in the current network environment. For example, the port based approach cannot identify network applications with dynamic ports; the deep packet inspection approach is invalid for encrypted network applications; and the statistical based approach is time-consuming. In this paper, a novel technique is proposed to classify different categories of network applications. The port based, deep packet inspection based and statistical based approaches are integrated as a multistage classifier. The experimental results demonstrate that this approach achieves a high recognition rate of up to 98% and good real-time performance for traffic identification.

20.
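The detection and control of P2P traffic have evolved continuously as the applications of P2P technology have changed. The limitations of traditional P2P traffic detection techniques are increasingly apparent, making a variety of new P2P traffic detection techniques a current research focus. The paper first introduces traditional P2P traffic detection techniques and their shortcomings, and then focuses on a proposed multi-scale analysis model for inspecting network-layer packets. By extracting suspected P2P traffic, the multi-scale analysis model narrows the scope of P2P traffic detection and improves its efficiency, and it is combined with a decision tree that performs protocol analysis on the suspected P2P traffic to achieve effective identification and classification. Finally, future research directions for P2P network traffic supervision are proposed.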
