Research On Identification Of Encrypted Network Application Traffic

Posted on: 2015-08-05
Degree: Master
Type: Thesis
Country: China
Candidate: W Wang
GTID: 2308330482979206
Subject: Communication and Information System

Abstract/Summary:
The proportion of encrypted network traffic is increasing, and botnets and social apps transmit their data as encrypted traffic, posing serious challenges to network security and management. The identification of encrypted network application traffic is therefore an important issue. Existing methods for identifying encrypted network application traffic have three main problems: (1) Encrypted traffic makes up a smaller share of network traffic than plaintext traffic, and most statistics-based identification methods are susceptible to interference from plaintext traffic. (2) Identification based on automatic extraction of application-layer features has a high time complexity. (3) The classic protocol fingerprint identification method, based on transport-layer flow-level statistical characteristics, has low accuracy.

In response to these problems, this thesis carries out the following research, supported by the National 863 project "Common Security and Control Framework in Tri-Network Convergence". First, it performs coarse-grained identification of encrypted network traffic, irrespective of the specific application, excluding the interference of plaintext traffic. An encrypted traffic identification algorithm based on the serial test (ETI-ST) is proposed, built on an assessment of the randomness of encrypted network traffic. Then it performs fine-grained identification of the encrypted traffic of specific network applications. An automatic feature extraction algorithm based on the ECLAT tree structure (FEA-ET) and a Skype protocol identification algorithm based on a trend-aware protocol fingerprint (ISP-FT) are proposed. The main contents of this dissertation are as follows:

1. An encrypted traffic identification algorithm based on the serial test is proposed.
Most statistics-based methods for identifying application-layer encrypted traffic are vulnerable to interference from plaintext traffic. An encrypted traffic identification algorithm based on the serial test (ETI-ST) is proposed, using the randomness characteristics of network traffic. ETI-ST takes into account the effect that correlation between network data has on the randomness assessment, and uses the serial test to quantify the randomness of the sequences. Simulation results show that the accuracy of ETI-ST can reach 82.3%, about 15% higher than the entropy-based approach.

2. An automatic extraction algorithm for application-layer features based on the ECLAT tree structure is proposed.
Automatic extraction of application-layer features has a high time complexity. An automatic extraction algorithm for application-layer features based on the ECLAT tree structure (FEA-ET) is proposed, applying DPI to identify application-layer encrypted traffic. FEA-ET scans the sample set only once to obtain the support of each position. An ECLAT tree structure is then built to automatically mine the frequent byte sets of packets. Simulation results show that this algorithm has a lower I/O load than the classical APRIORI algorithm, and that the time complexity is reduced by 20 on average under a certain parameter set.

3. A Skype protocol identification algorithm based on a trend-aware protocol fingerprint is proposed.
The classic protocol fingerprint identification method, based on transport-layer flow-level statistical characteristics, has low accuracy. A Skype protocol identification algorithm based on a trend-aware protocol fingerprint (ISP-FT) is proposed. ISP-FT defines a trend-aware weighting function that reflects the changing trend of the flow-level statistical characteristics in the early phase of Skype communication. Simulation results show that, compared with the classical protocol fingerprint algorithm and the C4.5 algorithm, the accuracy and precision of ISP-FT improve by at least 4% and 3.3%, and that ISP-FT is able to identify Skype in real time from the first 6 packets.
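The following added example is not code from the thesis and is not its ETI-ST algorithm. It applies the classical two-bit serial test to payload bits to show why a test that counts adjacent-bit pairs catches structure that bit balance alone misses. The sample payloads, function names and the 0.001 significance level are assumptions chosen for illustration.

```python
import hashlib
import math

def bits_of(payload: bytes) -> list[int]:
    """Expand a payload into its bit sequence, most significant bit first."""
    return [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]

def serial_statistic(payload: bytes) -> float:
    """Two-bit serial test statistic (approx. chi-square, 2 degrees of freedom)."""
    bits = bits_of(payload)
    n = len(bits)
    if n < 21:  # the chi-square approximation is only valid for n >= 21
        raise ValueError("payload too short for the serial test")
    ones = sum(bits)
    singles = [n - ones, ones]
    pairs = [0, 0, 0, 0]  # counts of overlapping pairs 00, 01, 10, 11
    for a, b in zip(bits, bits[1:]):
        pairs[2 * a + b] += 1
    return ((4 / (n - 1)) * sum(c * c for c in pairs)
            - (2 / n) * sum(c * c for c in singles) + 1)

def looks_random(payload: bytes, alpha: float = 0.001) -> bool:
    """True when the serial test does not reject randomness at level alpha."""
    critical = -2 * math.log(alpha)  # chi-square quantile for 2 degrees of freedom
    return serial_statistic(payload) <= critical

# Constructed samples (assumptions for this example, not thesis data).
PLAINTEXT = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
             b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n") * 8
# SHA-256 in counter mode stands in for ciphertext so the sample is reproducible.
CIPHERLIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
# 0x55 = 01010101: ones and zeros are perfectly balanced, yet fully predictable.
ALTERNATING = b"\x55" * 512

if __name__ == "__main__":
    for name, sample in [("plaintext", PLAINTEXT), ("cipher-like", CIPHERLIKE),
                         ("alternating", ALTERNATING)]:
        print(f"{name:12s} X={serial_statistic(sample):10.2f} "
              f"random={looks_random(sample)}")
```

The alternating payload has exactly as many ones as zeros, so a pure bit-frequency check accepts it, while the pair counts in the serial statistic reject it.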
Keywords/Search Tags: Network application, Encrypted traffic, Identification, Randomness, Feature extraction, Trend-aware