Network application encrypted traffic recognition method and device based on protocol attributes

A network application and traffic identification technology, applied in electrical components, transmission systems, etc. It addresses the reduced classification and identification accuracy of encrypted network traffic that results when application fingerprints do not differ enough, so that high accuracy cannot be reached. Its stated effects are improved accuracy and recognition precision, a reduced likelihood of fingerprint overlap, and low false positive and false negative rates.

Inactive Publication Date: 2016-08-17
BEIJING INSTITUTE OF TECHNOLOGY

AI Technical Summary

Problems solved by technology

Since the states used for modeling correspond to the limited set of message types in the handshake phase of the SSL/TLS protocol, the generated application fingerprints do not differ enough, and the fingerprints of different network services or applications overlap or resemble each other from time to time. In this case, the accuracy of encrypted network flow classification and id


Examples


Embodiment 1

[0060] The principle and structure of the data set acquisition in the "method for identifying network application encrypted traffic based on protocol attributes" of this embodiment are shown in figure 1. The communication between the client and the application server is accomplished through continuous addressing, topology and delivery within the Internet, carried by network flows. A data set acquisition platform based on a network packet capture tool such as Wireshark or Tshark is deployed on a network link node such as a gateway; it monitors and stores the encrypted network flows passing through that node and constructs the offline training data set. Because SSL/TLS clients are configured differently, the encrypted network flows from client to server that correspond to the same behavior of the same network service or application differ somewhat, which is inconvenient for modeling; only the one-way flow is required for modeling, and does no...

Embodiment 2

[0067] The process of establishing a message type fingerprint based on a second-order Markov chain in the "A Method for Identifying Network Application Encrypted Traffic Based on Protocol Attributes" in this embodiment is described as follows:

[0068] We assume that there exists a discrete random variable $X_t$, where $t = t_0, t_1, \ldots, t_n \in T$, $T$ being the time set that represents the temporal ordering. The value of $X_t$ is $i_t \in \{1, \ldots, s\}$, where $i_t$ represents a single message type in an SSL/TLS protocol session or a message type sequence in a TCP segment, and there are assumed to be $s$ message types or sequences in total.

[0069] We assume that $X_t$ is a second-order Markov chain, that is, to predict the current state we must consider the influence of the two preceding states. The formal description is as follows:

[0070] P ( ...

Embodiment 3

[0084] The process of establishing a message type fingerprint based on certificate length clustering combined with a second-order Markov chain in the "method for identifying network application encrypted traffic based on protocol attributes" of this embodiment is described as follows. The message type fingerprint modeling based on the second-order Markov chain was introduced in Embodiment 2; this embodiment mainly introduces how certificate length clustering is combined with that modeling.

[0085] In effect, we extend the "certificate" message type of the SSL/TLS protocol session: one "certificate" may correspond to several "sub-certificates", and which path the Markov chain takes from "certificate" to a "sub-certificate" depends on the clustering result for the "certificate" length.

[0086] We cluster the certificate message types of all network services or applications extracted from the offline training set according to their length. Assuming that c ...


Abstract

The invention relates to a network application encrypted traffic recognition method and device based on protocol attributes, and belongs to the technical field of computer network service security. The device comprises an offline training module and an online identification module. The offline training module consists of a data set acquisition module, a message type fingerprint establishment module based on a second-order Markov chain, and a certificate length clustering module. A training set is obtained by the data set acquisition module; application fingerprints are derived from the training set and stored by the message type fingerprint establishment module; clustering results and the per-application certificate cluster distribution probabilities are derived from the training set and stored by the certificate length clustering module. The online identification module consists of a network traffic capturing module and a recognition module. The recognition module matches the network traffic obtained by the capturing module against each application fingerprint in the stored fingerprint library in turn and, taking the certificate clustering results into account, obtains a recognition probability for each; the recognition result is the application with the highest probability. Compared with the prior art, the method and device improve recognition accuracy and efficiency.
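A compact worked example of the pipeline described in Embodiments 2 and 3 and summarised in the abstract: second-order Markov fingerprints over handshake message types, certificate length clustering, and recognition by the highest combined probability. This is added illustration code, not the patent's own implementation; the training data, the gap-based clustering rule and the Laplace smoothing are assumptions.

```python
from collections import Counter
from math import log
START = "<s>"  # two START pads give the first real messages a second-order context
# Constructed training data (not from the patent). Message types abbreviated:
# CH=ClientHello SH=ServerHello CERT=Certificate SKE=ServerKeyExchange
# SHD=ServerHelloDone CKE=ClientKeyExchange; cert_lens are Certificate message lengths.
TRAIN = {
    "app_A": {"seqs": [["CH", "SH", "CERT", "SHD", "CKE"]] * 2, "cert_lens": [1500, 1520]},
    "app_B": {"seqs": [["CH", "SH", "CERT", "SKE", "SHD", "CKE"]] * 2, "cert_lens": [3000, 3100]},
}
def fit_markov2(seqs):
    # Fingerprint: counts of (prev2, prev1) -> cur plus counts of each (prev2, prev1) context.
    trans, ctx = Counter(), Counter()
    for seq in seqs:
        p = [START, START] + list(seq)
        for i in range(2, len(p)):
            trans[(p[i - 2], p[i - 1], p[i])] += 1
            ctx[(p[i - 2], p[i - 1])] += 1
    return trans, ctx

def score_markov2(fp, seq, n_states):
    # Log-likelihood under one fingerprint; Laplace smoothing so an unseen transition penalises, not zeroes.
    trans, ctx = fp
    p = [START, START] + list(seq)
    return sum(log((trans[(p[i - 2], p[i - 1], p[i])] + 1) / (ctx[(p[i - 2], p[i - 1])] + n_states))
               for i in range(2, len(p)))

def cluster_cert_lengths(lengths, gap=200):
    # Assumed 1-D rule (the page cuts off before giving its own): a jump wider than `gap`
    # between sorted lengths starts a new cluster; returns the cut points.
    s = sorted(set(lengths))
    return [(a + b) / 2 for a, b in zip(s, s[1:]) if b - a > gap]

def cert_cluster(cuts, length):
    return sum(length > c for c in cuts)

def train(data):
    cuts = cluster_cert_lengths([l for d in data.values() for l in d["cert_lens"]])
    states = {m for d in data.values() for s in d["seqs"] for m in s} | {START}
    apps = {app: (fit_markov2(d["seqs"]), Counter(cert_cluster(cuts, l) for l in d["cert_lens"]),
                  len(d["cert_lens"])) for app, d in data.items()}
    return {"cuts": cuts, "n_states": len(states), "apps": apps}

def recognize(model, seq, cert_len):
    # Sequence likelihood plus smoothed P(certificate cluster | app); highest total wins.
    c, k = cert_cluster(model["cuts"], cert_len), len(model["cuts"]) + 1
    scores = {app: score_markov2(fp, seq, model["n_states"]) + log((cd[c] + 1) / (n + k))
              for app, (fp, cd, n) in model["apps"].items()}
    return max(scores, key=scores.get)
```

In a real deployment the message-type sequence and Certificate length would be parsed from the captured server-to-client handshake records of each flow; here `recognize(train(TRAIN), seq, cert_len)` runs the whole path on the constructed data.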

Description

Technical field

[0001] The invention relates to a method for identifying network application encrypted traffic based on protocol attributes, which aims at identifying the source of network traffic, discovering and shielding malicious traffic, and improving network security, and belongs to the technical fields of machine learning and network service security.

Background technique

[0002] Traffic is the carrier of network communication, network services, and even network attacks. Malicious programs hidden in traffic can easily cause network failures. Traffic identification technology identifies the network service or application to which each part of the massive traffic in the network belongs. Detecting malicious traffic in time through traffic identification, and intercepting and shielding it effectively, is key to keeping the network running normally. In practical applications, systems equipped with traffic classification and identification fun...


Application Information

IPC(8): H04L29/06
CPC: H04L63/1408, H04L63/1466
Inventors: 沈蒙, 魏明伟, 祝烈煌
Owner: BEIJING INSTITUTE OF TECHNOLOGY