The Identification Of Anonymous Traffic For Shadowsocks Based On Website Fingerprinting

With increasing need of communication privacy protection,a number of anonymous communication techniques are in fast development.However,though these techniques protect personal information from both parties in communication,they make the network monitoring via easy packet checking even harder.Shadowsocks is an emerging anonymous communication software.Because of its fast speed,easy deployment etc.,it has been widely used in our country.Most of the existing researches on anonymous traffic identification are highly targeted,they also have strong dependency in the aspects of software detection methods,like traffic features extraction,method modeling,etc.Due to unique protocol of shadowsocks,the existing methods are difficult to identify its flow.At the same time,most of the current academic analysis results remain in the experimental stage.Moreover,there is no suitable solution proposed on data collection and construction of anonymous traffic in high-speed network environment,as well as the division of website fingerprints under a large amount of mixed streams.Therefore,how to model shadowsocks traffic and how to solve the anonymous traffic identification in high-speed network environment are the current issues to be solved in domestic network security domain.In this thesis,based on the analysis of previous related research,we target on above questions and present an in-depth analysis of running mechanism of the shadowsocks anonymous software.By combining its running processes with HTTP protocol,this thesis proposes two algorithms,which are multi-granularity heuristic traffic detection algorithm and mixed streams division based website fingerprints detection algorithm.Multi-granularity heuristic traffic detection algorithm is used to detect shadowsocks' traffic from many aspects like host,data stream,hidden information,and it serves as a traffic filter.This method solves the low accuracy problem when anonymous traffic is rare or unbalanced in the whole data traffic.Based on multi-granularity heuristic traffic detection result,the mixed streams division based website fingerprints detection algorithm then chooses a distinctive fingerprint features for websites to separate suspicious flows into different clusters,which solves the problem of single-site and multi-sites detection among mixed flows to decrease the false alarm rate.Then,this thesis analyzes the difficulties of anonymous traffic identification in high-speed network environment,and determines the goal of the new system should achieve.Based on the multi-granularity heuristic traffic identification algorithm and the mixed streams division based website fingerprints detection algorithm,a high-speed shadowsocks anonymous traffic identification system is realized,and the overall module designs are elaborated in this thesis.Finally,this paper uses multiple sets of different real data sets to evaluate the multi-granularity heuristic traffic identification algorithm and the mixed streams division based website fingerprints detection algorithm respectively.By comparing with current methods and analyzing the system's adaptability,the high accuracy of the algorithm is verified.Also,specific module designs for high speed network environment are tested,which proves that the system has high recognition accuracy.