
Research Of Key Technologies In Specific Encrypted Application Identification

Posted on: 2020-05-12
Degree: Master
Type: Thesis
Country: China
Candidate: X X Huang
Full Text: PDF
GTID: 2428330611998715
Subject: Computer Science and Technology
Abstract/Summary:

With the rapid development of the Internet, network traffic has become more complex. In addition to the traffic generated by a large number of standardized open protocols, there is plenty of private protocol traffic in the network. A proprietary protocol is one whose developers keep the network communication technical specifications of their software closed for reasons such as commercial protection. Therefore, it is difficult to identify these special applications. The specific encryption application studied in this paper refers to an application that uses a proprietary protocol and obfuscated communication. It uses encryption technology to ensure data transmission security, and uses traffic obfuscation technology to disguise the form of its traffic and evade network supervision. In consideration of the above problems, this paper proposes two schemes, called passive detection and active probing, to deeply identify this type of application.

Firstly, this paper analyzes the current results of passive detection and active probing of proprietary protocols, and introduces the experimental environment for protocol analysis. It also explains the principles of traffic detection and active probing.

Secondly, from the perspective of passive detection, this paper analyzes the traffic generated by the encryption application using obfuscation camouflage communication technology. First, the three obfuscated communication principles of the encryption application, over TCP, HTTP, and HTTPS, are described. The typical message sequences are then tagged and an obfuscated traffic classification algorithm is designed. At the same time, this paper combines the idea of the TF-IDF algorithm with traffic identification: each feature weight is calculated and the effective features are integrated into a protocol feature library. Finally, an obfuscated traffic identification algorithm based on feature matching is designed. The test results show that the passive traffic detection method proposed in this paper can effectively identify the obfuscated traffic of specific encryption applications.

Thirdly, from the perspective of active probing, this paper constructs specially formatted data packets to actively discover the encryption application on a host computer. First, a protocol format extraction algorithm based on a BWT suffix tree fast index is proposed. Subsequently, the application protocol state machine is inferred from two aspects: network traffic and instruction trajectory. Finally, the active probing algorithm is designed according to the protocol state transitions, and the experiment is carried out following the idea of a layered detection model. The test results show that the proposed method can successfully discover the unique features of the specific encryption application, which offers a new idea for the protocol identification field.

Finally, for the specific encryption application identification problem, this paper designs and implements a prototype system for recognizing specific applications in complex networks, including a passive detection subsystem and an active probing subsystem. According to existing research results, there is little research work on the passive detection of obfuscated traffic or on active probing technology based on protocol state migration. Therefore, the work of this paper has a certain significance in supplementing the deficiencies of these two fields. The test results show that combining passive traffic detection with active protocol probing is a feasible way to accurately identify specific encryption applications based on obfuscated communication.
Keywords/Search Tags: encrypted traffic, obfuscation camouflage, passive detection, active probing, protocol state migration