Detection and Countermeasure of Encrypted Malicious Traffic: A Survey
Cite this article: HOU Jian, LU Hui, LIU Fang-Ai, WANG Xing-Wei, TIAN Zhi-Hong. Detection and Countermeasure of Encrypted Malicious Traffic: A Survey[J]. Journal of Software, 2024, 35(1): 333-355
Authors: HOU Jian, LU Hui, LIU Fang-Ai, WANG Xing-Wei, TIAN Zhi-Hong
Affiliations: Informatization Office, Shandong Normal University, Jinan 250014, Shandong, China; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510799, Guangdong, China; School of Computer Science and Engineering, Northeastern University, Shenyang 110169, Liaoning, China
Funding: National Natural Science Foundation of China (U20B2046); Guangdong Province Universities Innovation Team Project (2020KCXTD007); Guangzhou Universities Innovation Team Project (202032854); Shandong Natural Science Foundation (ZR2020KF021)
Abstract: Network traffic encryption protects corporate data and user privacy, but it also poses new challenges for malicious traffic detection. Depending on how the encrypted traffic is handled, encrypted malicious traffic detection can be divided into active detection and passive detection. Active detection covers detection after decrypting the traffic and detection based on searchable encryption; its research focuses on guaranteeing privacy and improving detection efficiency, and this survey mainly analyzes the application of safeguards such as trusted execution environments and controllable transmission protocols. Passive detection identifies encrypted malicious traffic without the user being aware of it and without performing any encryption or decryption operation; its research focuses on feature selection and construction, and this survey analyzes the relevant detection methods from three classes of features, namely side-channel features, plaintext features, and raw traffic, and reports the experimental evaluation conclusions for the corresponding models. Finally, the feasibility of countermeasures against encrypted malicious traffic detection is analyzed from the perspectives of obfuscating traffic features, interfering with learning algorithms, and hiding relevant information.

Keywords: encrypted traffic; malicious traffic detection; middlebox; searchable encryption; machine learning
Received: 2021-09-27
Revised: 2022-02-20

Detection and Countermeasure of Encrypted Malicious Traffic: A Survey
HOU Jian, LU Hui, LIU Fang-Ai, WANG Xing-Wei, TIAN Zhi-Hong. Detection and Countermeasure of Encrypted Malicious Traffic: A Survey[J]. Journal of Software, 2024, 35(1): 333-355
Authors: HOU Jian, LU Hui, LIU Fang-Ai, WANG Xing-Wei, TIAN Zhi-Hong
Affiliation:Informatization Office, Shandong Normal University, Jinan 250014, China;Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510799, China;School of Computer Science and Engineering, Northeastern University, Shenyang 110169, China
Abstract: Network traffic encryption not only protects corporate data and user privacy but also brings new challenges to malicious traffic detection. According to the way encrypted traffic is processed, encrypted malicious traffic detection can be divided into active and passive detection. Active detection includes detection after traffic decryption and detection based on searchable encryption. Its research focuses on privacy protection and improving detection efficiency, and this survey mainly analyzes the application of trusted execution environments and controllable transmission protocols. Passive detection identifies encrypted malicious traffic without the user being aware of it and without performing any encryption or decryption operation. Its research focuses on the selection and construction of features. This survey analyzes the relevant detection methods from three classes of features, namely side-channel features, plaintext features, and raw traffic, and then reports the experimental evaluation conclusions for the corresponding models. Finally, the feasibility of countermeasures against encrypted malicious traffic detection is analyzed from the perspectives of obfuscating traffic characteristics, interfering with learning algorithms, and hiding relevant information.
Keywords: encrypted traffic; malicious traffic detection; middlebox; searchable encryption; machine learning