Similar documents
 20 similar documents found (search time: 171 ms)
1.
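Traffic obfuscation is one of the techniques commonly used by censorship circumvention systems. To improve the accuracy of network traffic identification and the capability of supervision, techniques for identifying and tracing obfuscated traffic have also attracted much attention. Through an in-depth analysis of the three mainstream classes of traffic obfuscation techniques (randomization, mimicry, and tunneling), their technical frameworks, stealthiness, ease of use, and application scenarios are compared; two classes of identification techniques, deep packet inspection and machine learning, are analyzed and their identification accuracy compared; and two classes of traffic tracing techniques, passive correlation and active correlation, are analyzed and compared. Finally, development trends of traffic obfuscation, identification, and tracing techniques are given.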

2.
The ability to accurately classify and identify the network traffic associated with different applications is a central issue for many network operation and research topics including Quality of Service enforcement, traffic engineering, security, monitoring and intrusion-detection. However, traditional classification approaches for traffic to higher-level application mapping, such as those based on port or payload analysis, are highly inaccurate for many emerging applications and hence useless in actual networks. This paper presents a recurrence plot-based traffic classification approach based on the analysis of non-stationary “hidden” transition patterns of IP traffic flows. Such nonlinear properties cannot be affected by payload encryption or dynamic port change and hence cannot be easily masqueraded. In performing a quantitative assessment of the above transition patterns, we used recurrence quantification analysis, a nonlinear technique widely used in many fields of science to discover the time correlations and the hidden dynamics of statistical time series. Our model proved to be effective for providing a deterministic interpretation of recurrence patterns derived by complex protocol dynamics in end-to-end traffic flows, and hence for developing qualitative and quantitative observations that can be reliably used in traffic classification.

3.
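Webshell is the most commonly used malicious backdoor program for persistent control of Web application systems, and poses a great threat to the secure operation of Web servers. Most Webshell detection methods train on the data of the entire request packet; this approach performs poorly at identifying web-page-type Webshells, and model training efficiency is low. To address these problems, a Webshell malicious traffic detection method based on multi-feature fusion is proposed. The method takes three dimensions of information as features: packet meta-information, packet payload content, and traffic access behavior. Combining domain knowledge, it extracts features from the request and response packets in the data stream along these three dimensions, and fuses the extracted features to form a discriminative model that can detect across different attack types. Experimental results show that, compared with previous methods, the precision of the proposed method on binary classification of normal and malicious traffic is greatly improved, reaching 99.25%; training and detection efficiency are also significantly improved, with training time and detection time reduced by 95.73% and 86.14%, respectively.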

4.
With the advent of multimedia communication services, transport of real-time traffic over metropolitan area networks (MANs) is becoming an important problem. We present a novel reservation arbitrated (RA) access protocol for multiplexing variable bit rate isochronous (VBRI) traffic such as packet voice and video over dual bus MANs in general and IEEE 802.6 MANs in particular. In combination with a cyclic release mechanism, RA access allows variable bit rate traffic sources (VBRSs) to capture and reserve some isochronous channels on a bandwidth on demand basis in a round robin fashion. For a reasonable bus length suitable for metropolitan coverage, it is possible to select operation parameters which enable contention free access in the reservation process. Bandwidth utilization can be further improved by employing a movable boundary option to efficiently integrate VBRI traffic with other traffic. System performances including packet loss ratio, packet delay, delay jitter, probability distribution of consecutive packet loss and channel utilization are analyzed by both theoretical computations and computer simulations for voice, video conference and motion video traffic. Results indicate that the protocol is fair and provides a nearly isochronous transport service while ensuring efficient bandwidth utilization, yielding substantial capacity improvements over pre-arbitrated (PA) access. Compared to queue-arbitrated (QA) access, RA access not only provides variable bit rate isochronous channels but also allows VBRSs to adapt to the reserved bandwidth during network congestion so that performance degradation can be minimized. RA access complements existing PA and QA access methods in 802.6 MANs to provide a complete traffic transport solution for all types of BISDN services.

5.
陈伟  胡磊  杨龙 《计算机工程》2012,38(12):22-25
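To address the difficulty of identifying encrypted traffic, a fast network traffic identification method is proposed. Without deep analysis of the packet payload, the method uses a 256-dimensional vector to describe the frequency of occurrence of the 256 ASCII bytes in the packet payload, extracts data features from the mean and variance of the quantized payload features, and uses a decision tree algorithm to classify and identify encrypted traffic. Experimental results show that the method can accurately identify common encrypted network traffic and can detect traffic generated by some malicious attacks.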

6.
The paper explores delay-based congestion and flow control and the offloading of real-time traffic from wireless local area networks (WLANs) to mobile cellular networks (MCNs) in multihomed devices. The control system developed is based on an embedded hierarchical expert system. It adjusts transceivers’ traffic flow(s) for prevailing network conditions to achieve application-dependent delay and throughput limits. In wireless networks, delay and throughput depend on the packet size, packet transmission interval, and node connection density. Therefore, the controller on the destination node monitors average one-way delay and the change of one-way delay of the incoming traffic. On this basis, it adjusts the packet size and transmission interval of the source node by transmitting a control command to the source. If the prevailing level of traffic in the network exceeds its capacity despite the control actions taken, devices prepare for developed asynchronous offloading of traffic to another access network. The control model was validated via simulation of Voice over Internet Protocol (VoIP) traffic in the OMNeT++ network simulator. The results demonstrate that the expert system developed is able to regulate packet sizes to match the prevailing application-dependent optimum and transfer traffic to another network if the network exceeds its capacity no matter the control actions taken. Although this work is motivated mainly by issues of congestion and flow control of WLAN systems and the simulations and results were prepared for the IEEE 802.11b system, the approach and techniques are not limited to these systems, but they are applicable for other packet switched access networks (PSANs), too.

7.
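To address the low detection accuracy and poor blocking effect in attack traffic blocking for wireless sensor networks, an attack traffic blocking model for wireless sensor networks based on the random forest algorithm is constructed. Based on a character (word) term-frequency matrix, the TF-IDF algorithm is used to automatically extract payload features; according to the feature results, the random forest algorithm classifies network traffic via the term-frequency matrix, and based on the classification results traffic attacks in the network are traced to their source, completing detection of anomalous wireless sensor networks; packet filtering with flow tables is used to block wireless sensor attack traffic. Experimental results show that, when detecting attack traffic, the model's accuracy reaches up to 100%, its harmonic mean reaches up to 99.18%, its error rate is at most 7.3%, and its false positive rate is at most 5.5%; it can also effectively block network attack traffic and restore the network to normal in a short time, giving good attack traffic detection and blocking performance.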

8.
In general, content distribution and multicasting can be implemented from proxies and gateways in the network on a static host in wired/wireless network environments. However, if an end point host moves to different wireless access networks, it will have a problem in many situations. For example, consideration of contents like the level of required service quality for network search, handoff, connection and call time, and caching and load balancing is necessary. Unlike previous studies, this article analyzes additional costs related to Fast Handover and compares the performance of group of pictures and data transmission delay time. For this, first, the total additional cost was divided into signaling cost and packet transmission cost, and results of the comparison calculated for video data transmission delay time and traffic overhead are presented. This article proposes service quality improvement methods by acquiring multiuser channel state information for multicast video-streaming transmission with a method implemented between network layers. Channel state information of each user in the multicast group is used as information for the transmission of multicast packets. Thus, through simulation like real-time traffic, the optimum traffic transmission state is maintained. As a result of the simulation, we found that video-streaming service performance for multicast users improved by applying the approach method between layers. This article proposes optimization methods of a cross-layered approach for wireless network multimedia communication systems and video-streaming application services.

9.
高平  广晖  陈熹  李光松 《计算机工程》2021,47(8):140-148,156
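Secure proxies are used by more and more Internet users to circumvent network censorship and access restricted resources, so classification of secure proxy traffic is important for network security and network management. To make up for the shortcomings of deep packet inspection in filtering and identifying harmful information and to improve firewall traffic detection capability, a secure proxy traffic classification method is proposed. Side-channel features for secure proxy traffic classification are extracted, including payload length sequences, signal sequences, and others, and machine learning and deep learning algorithms are used to identify traffic from four widely used secure proxies: Shadowsocks, V2Ray, Freegate, and Ultrasurf. Experimental results show that, by classifying on side-channel features that are independent of payload content, the method improves on algorithms such as MLP and LSMP in accuracy, F1 score, and other performance measures.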

10.
Recent advances in digital video compression and networks have made video more accessible than ever. However, the existing content-based video retrieval systems still suffer from the following problems. 1) Semantics-sensitive video classification problem because of the semantic gap between low-level visual features and high-level semantic visual concepts; 2) Integrated video access problem because of the lack of efficient video database indexing, automatic video annotation, and concept-oriented summary organization techniques. In this paper, we have proposed a novel framework, called ClassView, to make some advances toward more efficient video database indexing and access. 1) A hierarchical semantics-sensitive video classifier is proposed to shorten the semantic gap. The hierarchical tree structure of the semantics-sensitive video classifier is derived from the domain-dependent concept hierarchy of video contents in a database. Relevance analysis is used for selecting the discriminating visual features with suitable importances. The Expectation-Maximization (EM) algorithm is also used to determine the classification rule for each visual concept node in the classifier. 2) A hierarchical video database indexing and summary presentation technique is proposed to support more effective video access over a large-scale database. The hierarchical tree structure of our video database indexing scheme is determined by the domain-dependent concept hierarchy which is also used for video classification. The presentation of visual summary is also integrated with the inherent hierarchical video database indexing tree structure. Integrating video access with efficient database indexing tree structure has provided great opportunity for supporting more powerful video search engines.

11.
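Skype Traffic Identification Using Flow Features   Total citations: 2, self-citations: 0, citations by others: 2
Research on Skype flow identification has mostly been limited to static payload features and communication mechanisms, without considering the role of network flow features in Skype traffic identification. A Skype traffic identification model based on naive Bayes classification is proposed. Connection features and real-time features of flows are selected as the classification feature set; network flows are organized according to their connection features, and Skype traffic is then identified according to real-time flow features such as packet length, average sending interval, and burst bandwidth consumption. Experiments on the Beijing Unicom backbone network show that the model can effectively identify Skype flows and is an effective Skype flow identification algorithm.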

12.
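Under the current best-effort network model, the video quality received by end users is poor. This paper proposes an optimized packetization scheme for MPEG-4 video over IP networks. The algorithm takes the size of SL packets into account and multiplexes one or more SL streams, with the resulting FlexMux stream carried whole as the RTP packet payload. Simulation results show that the algorithm produces relatively few packets and reduces the interdependence between packets, reflecting the requirements that the network places on video transmission.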

13.
Bayesian Neural Networks for Internet Traffic Classification   Total citations: 9, self-citations: 0, citations by others: 9
Internet traffic identification is an important tool for network management. It allows operators to better predict future traffic matrices and demands, security personnel to detect anomalous behavior, and researchers to develop more realistic traffic models. We present here a traffic classifier that can achieve a high accuracy across a range of application types without any source or destination host-address or port information. We use supervised machine learning based on a Bayesian trained neural network. Though our technique uses training data with categories derived from packet content, training and testing were done using features derived from packet streams consisting of one or more packet headers. By providing classification without access to the contents of packets, our technique offers wider application than methods that require full packet/payloads for classification. This is a powerful advantage, using samples of classified traffic to permit the categorization of traffic based only upon commonly available information.

14.
Internet traffic classification is a critical and essential functionality for network management and security systems. Due to the limitations of traditional port-based and payload-based classification approaches, the past several years have seen extensive research on utilizing machine learning techniques to classify Internet traffic based on packet and flow level characteristics. For the purpose of learning from unlabeled traffic data, some classic clustering methods have been applied in previous studies but the reported accuracy results are unsatisfactory. In this paper, we propose a semi-supervised approach for accurate Internet traffic clustering, which is motivated by the observation of widely existing partial equivalence relationships among Internet traffic flows. In particular, we formulate the problem using a Gaussian Mixture Model (GMM) with set-based equivalence constraint and propose a constrained Expectation Maximization (EM) algorithm for clustering. Experiments with real-world packet traces show that the proposed approach can significantly improve the quality of resultant traffic clusters.

15.
Multimedia services and especially digital video are expected to be the major traffic component transmitted over communication networks [such as internet protocol (IP)-based networks]. For this reason, traffic characterization and modeling of such services are required for an efficient network operation. The generated models can be used as traffic rate predictors, during the network operation phase (online traffic modeling), or as video generators for estimating the network resources, during the network design phase (offline traffic modeling). In this paper, an adaptable neural-network architecture is proposed covering both cases. The scheme is based on an efficient recursive weight estimation algorithm, which adapts the network response to current conditions. In particular, the algorithm updates the network weights so that 1) the network output, after the adaptation, is approximately equal to current bit rates (current traffic statistics) and 2) a minimal degradation over the obtained network knowledge is provided. It can be shown that the proposed adaptable neural-network architecture simulates a recursive nonlinear autoregressive model (RNAR) similar to the notation used in the linear case. The algorithm presents low computational complexity and high efficiency in tracking traffic rates in contrast to conventional retraining schemes. Furthermore, for the problem of offline traffic modeling, a novel correlation mechanism is proposed for capturing the burstiness of the actual MPEG video traffic. The performance of the model is evaluated using several real-life MPEG coded video sources of long duration and compared with other linear/nonlinear techniques used for both cases. The results indicate that the proposed adaptable neural-network architecture presents better performance than other examined techniques.

16.
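A network attack is usually preceded by a reconnaissance phase, in which the attacker obtains key information about the target system through techniques such as traffic analysis and active scanning in order to craft a targeted attack. Deception defense based on network feature obfuscation is an effective counter-reconnaissance strategy: it interferes with the information the attacker obtains during reconnaissance, causing the attacker to launch ineffective attacks. The technical principles of existing obfuscation-based deception defense schemes are analyzed, a formal definition of network obfuscation deception is given, existing research results are discussed at three levels, and finally the development trends of obfuscation-based deception defense are analyzed.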

17.
The popularity of multimedia services has introduced important new challenges for broadband access network management. As these services are very prone to network anomalies such as packet loss and jitter, accurate admission control mechanisms are needed to avoid congestion. Traditionally, centralized admission control mechanisms often underperform in combination with multimedia services, as they fail to effectively characterize the amount of needed resources. Recently, measurement based admission control mechanisms have been proposed such as the IETF Pre-Congestion Notification (PCN) mechanism, where the network load is measured at each intermediate node and signaled to the edge, where the admittance decision takes place. In this article, we design a PCN based admission control mechanism, optimized for protecting bursty traffic such as video services, which is currently not studied in the PCN working group. We evaluated and identified the effect of PCN’s configuration in protecting bursty traffic. The proposed admission control mechanism features three main improvements to the original PCN mechanism: first, it uses a new measurement algorithm, which is easier to configure for bursty traffic. Second, it allows PCN’s configuration to be adapted automatically based on the traffic characteristics of the current sessions. Third, it introduces the differentiation between video quality levels to achieve an admission decision per video quality level of each request. The mechanism has been extensively evaluated in a packet switched simulation environment, which shows that the novel admission control mechanism is able to protect video traffic while maximizing the link utilization and avoiding packet loss.

18.
Classifying online network traffic is becoming critical in network management and security. Recently, new classification methods based on analysis of statistical features of transport layer traffic have been proposed. While these new methods address the limitations of the port based and payload based traffic classification, the current software-based solutions are not fast enough to deal with the traffic of today’s high-speed networks. In this paper, we propose an online statistical traffic classifier using the C4.5 machine learning algorithm running on the NetFPGA platform. Our NetFPGA classifier is constructed by adding three main modules to the NetFPGA reference switch design: a Netflow module, a feature extractor module, and a C4.5 search tree classifier. The proposed classifier is able to classify the input traffic at the maximum line speed of the NetFPGA platform, i.e. 8 Gbps, without any packet loss. Our method is based on the statistical features of the first few packets of a flow. The flow is classified just a few microseconds after receiving the desired number of packets.

19.
Traffic classification is an essential part in common network management applications such as intrusion detection and network monitoring. Identifying traffic by looking at port numbers is only suitable to well-known applications, while signature-based classification is not applicable to encrypted messages. Our preliminary observation shows that each application has distinct packet size distribution (PSD) of the connections. Therefore, it is feasible to classify traffic by analyzing the variances of packet sizes of the connections without analyzing packet payload. In this work, each connection is first transformed into a point in a multi-dimensional space according to its PSD. Then it is compared with the representative points of pre-defined applications and recognized as the application having a minimum distance. Once a connection is identified as a specific application, port association is used to accelerate the classification by combining it with the other connections of the same session because applications usually use consecutive ports during a session. Using the proposed techniques, packet size distribution and port association, a high accuracy rate, 96% on average, and low false positive and false negative rates, 4–5%, are achieved. Our proposed method not only works well for encrypted traffic but also can be easily incorporated with a signature-based method to provide better accuracy.

20.
胡婷  王勇  陶晓玲 《计算机工程》2011,37(6):104-106
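To address the low accuracy and limited applicability of current traffic classification methods based on port number matching and signature identification, a network traffic classification method based on the supervised self-organizing map (SSOM) is proposed. Using a training set of network traffic with labeled classes, the method changes the weight adjustment rule in the self-organizing map (SOM) training process so that selecting the winning neuron in the output layer is easier and the division between classes is clearer, thereby improving classification performance. Experimental results show that SSOM is better than SOM in both resolution and topological continuity, and achieves higher accuracy for network traffic classification.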
