Research On HTTP Obfuscated Traffic Detection And Bearer Application Identification Technology

Posted on: 2020-08-14
Degree: Master
Type: Thesis
Country: China
Candidate: T Y Zheng
Full Text: PDF
GTID: 2438330626453431
Subject: Systems Engineering
Abstract/Summary:
Enterprise network administrators usually use firewalls to restrict network traffic that is unrelated to corporate business, for reasons of both network security and network management. On the one hand, this ensures reasonable use of network bandwidth; on the other hand, it helps prevent possible network attacks. In such an environment, insiders or spyware usually use HTTP tunnel technology, or HTTP obfuscation technology based on data masquerading, to communicate with external servers or to transfer stolen data. Detecting and analyzing suspicious HTTP traffic at the enterprise network gateway is therefore one of the important research topics in the current network security field. This thesis studies the detection of HTTP obfuscated traffic and the identification of applications carried in the HTTP obfuscation channel. The main work of the thesis is as follows:

(1) To address the poor adaptability of current mainstream detection schemes to different network environments, we propose a suspicion-based HTTP obfuscated traffic detection scheme. The scheme combines protocol header analysis with a payload type matching mechanism to detect traffic. It does not rely on fingerprints of network traffic and therefore adapts better.

(2) Because traffic behavior information helps network administrators understand the network security situation, we propose a decision-tree-based application identification method for the HTTP obfuscation channel. The method uses traffic characteristics to effectively identify typical traffic carried by obfuscated traffic.

(3) We developed and implemented a test system for HTTP obfuscated traffic detection and application identification, verified the proposed methods, and tested the system's performance on a small-scale network. The experimental results show that the system has high accuracy and good generalization ability.

The thesis concludes with a summary of the whole work and a look ahead to issues that are worth studying in the future.
Keywords/Search Tags: HTTP obfuscated traffic, HTTP abnormal traffic detection, application classification, network security