Research On Fine-grained Identification Technology Of Encrypted Traffic For SSL Application

In recent years,network security incidents have occurred frequently.The existing network attacks mainly are in form of the advanced persistent threats.They often apply some related hiding technologies to bypass the security equipment,invade the system and result in serious dangers to the system security.The SSL(Secure Sockets Layer)protocol has good security and compatibility,which makes it account for an increasing proportion of network traffic,and it is frequently used as a pseudo-loader for advanced persistent threats.Fine-Grained identification of SSL applications is of great significance to network security protection,and it is also an important support for improving network management and improving service quality.This paper focuses on the fine-grained identification technology of encrypted traffic for SSL application,The detailed work is shown as follows:(1)Aiming at the problems of the misjudgment of compression and multimedia traffic and the poor identification effect of private protocols by the existing method of identifying encrypted and unencrypted traffic based on information entropy.an encrypted traffic identification mechanism based on DPI(Deep Packet Inspection)and load randomness is proposed.The mechanism mainly contains the following steps.Firstly,the DPI technology is used to quickly and accurately identify the network traffic.Secondly,as for the unrecognized traffic,load information entropy and Monte Carlo estimation the error of ? value are computed for the further identification process.The mechanism not only overcomes the limitation of the DPI,but also makes up for the lack of misjudgment by only using the information entropy.Experiments show that the proposed method is superior to the traditional encrypted and unencrypted traffic identification model in the some indicators.The average precision rate,recall rate and F1-Measure of the method reach 94.98%,90.05% and 92.45%respectively.(2)Aiming at the difficulty of feature extraction in encryption protocol identification,an encryption traffic protocol identification model based on multi-dimensional feature fusion is proposed.The method combines the idea of VAE(Variational Auto-Encoder)algorithm to automatically extract features and commonly used features in the field of network traffic identification,and then the mutual information algorithm is introduced to obtain the feature set with the largest contribution for identification.This mode efficiently avoid the low identification efficiency problem result from the featureredundancy.Experiments show that the proposed mode not only has a quicker convergence rate,but also is better than the existing encryption protocol identification models in various performance indicators.The average precision rate,recall rate and F1-Measure of this method can reach more than 97%.(3)With the increasing demand for fine-grained identification of network traffic,the Fine-Grained identification of SSL applications has become an urgent need for network security and manageable network traffic.To fill such an gap,a parallel identification algorithm of multi-input maximizing single-output HMM(Hidden Markov Model)based on SSL protocol interaction fields is proposed.This algorithm uses the characteristics of the data flow of different SSL applications in the protocol interaction phase from the server/client direction to finely identify the application.The algorithm can effectively avoid the identification of unreliable factors such as modifying the packet size and time flow characteristics.Experiments show that the proposed algorithm can improve the identification effect of several typical encryption applications compared with the existing identification algorithms.The average accuracy and false alarm rate of this method are 95.78% and 5.16%,respectively,which have good experimental results.Finally,the full text is summarized and the research direction is pointed out.