| 基于信息熵的加密会话检测方法 |
| |
| 引用本文: | 陈利,张利,班晓芳,梁杰. 基于信息熵的加密会话检测方法[J]. 计算机科学, 2015, 42(1): 142-143,174 |
| |
| 作者姓名: | 陈利 张利 班晓芳 梁杰 |
| |
| 作者单位: | 中国信息安全测评中心 北京100085 |
| |
| 摘 要: | 传统协议分析方法在检测网络加密会话时大都通过端口识别,在加密应用使用非常规端口或者在周知明文端口出现加密流量时无法进行有效的检测.为此,提出基于信息熵的加密会话检测方法.该方法先对数据流按端口进行会话重组,再计算会话数据包字符熵,进而统计出整个会话字符熵,判断熵值是否属于训练模型正态分布置信区间,通过信息分布均匀度来检测加密会话.实验表明,该方法无需特征指纹库,且检测准确率高,并能实现实时检测和处理.
|
| 关 键 词: | 信息熵 加密会话 协议识别 正态分布 入侵检测 |
Encrypted Session Detection Approach Based on Information Entropy |
| |
| CHEN Li,ZHANG Li,BAN Xiao-fang and LIANG Jie. Encrypted Session Detection Approach Based on Information Entropy[J]. Computer Science, 2015, 42(1): 142-143,174 |
| |
| Authors: | CHEN Li ZHANG Li BAN Xiao-fang LIANG Jie |
| |
| Affiliation: | China Information Technology Security Evaluation Center,Beijing 100085,China,China Information Technology Security Evaluation Center,Beijing 100085,China,China Information Technology Security Evaluation Center,Beijing 100085,China and China Information Technology Security Evaluation Center,Beijing 100085,China |
| |
| Abstract: | Traditional protocol analysis algorithms detect the network encrypted session through the port.It cannot work when encrypted session uses unknown port or encrypted traffic appeares at known plaintext port.To this end,we put forward a detection approach of encrypted session based on information entropy.Firstly it reorganizes net flow according to the port,then calculates the entropy of each packet and statistical entropy value of the entire session,at last determines whether the value belongs to the normal distribution confidence interval,and identifies the encrypted session through character distribution uniformity.Experiments show that the approach does not need fingerprint database,and can achieve higher correct detection rate,real-time detection and processing. |
| |
| Keywords: | Information entropy Encrypted session Protocol identification Normal distribution Intrusion detection |
| 本文献已被 万方数据 等数据库收录! |
|
点击此处可从《计算机科学》下载全文 |
|
