The power industry is of great importance to the national economy and to everyday life. As State Grid Corporation of China accelerates the implementation of its "Hub, Platform and Sharing Enterprise" and "Strong Smart Grid" strategy and fully deploys the Ubiquitous Internet of Things in Power Systems (UIOTIPS), informatization of the power industry has reached a peak. Remote operation is becoming more common in power companies, and the remote desktop technology it relies on lets staff remotely access and operate internal devices, use shared system resources and telecommute. Remote Desktop Protocol (RDP) is the main communication protocol of current remote desktop technology. Although it brings convenience and efficiency, a malicious user or a mishandled session poses a serious risk to system stability, because remote desktop technology grants the user full control of the host. Refined detection of RDP traffic, together with identification of the specific applications and behaviors it carries, is therefore of great significance to the information security of the power grid.

This dissertation studies RDP traffic detection and the identification of the applications carried over RDP. It analyzes the characteristics of RDP traffic, uses machine learning methods to identify applications and behaviors, and finally realizes a refined RDP recognition system based on a multilevel classifier. The main contents are as follows.

1. The structure of the RDP protocol and its connection mechanism are summarized, an overview of RDP over Transport Layer Security (TLS) encryption is given, and the main current applications of RDP are summarized.

2. An identification method for encrypted RDP traffic is proposed. It analyzes the packet length sequence of the handshake to construct fingerprints, and identifies RDP traffic by fingerprint matching.

3. An identification scheme for the applications carried over RDP is proposed. Feature sets are constructed from statistics of the arriving packets and from the differences between adjacent payloads; an information-gain based method selects the effective features; the carried applications are then identified with machine learning methods.

4. A recognition scheme for typical behaviors of RDP applications is proposed. Application behaviors are defined, and feature sets reflecting behavior are constructed, including a packet sequence-number feature set and a feature set of reorganized random measures of payload length. A recognition model that detects RDP application behaviors is built from the streamlined feature set and machine learning methods, and the factors that may affect recognition results are analyzed.

5. A refined RDP traffic recognition system based on a multilevel classifier is designed. It processes and identifies traffic hierarchically and builds a dedicated classification model for the traffic at each level. The classification results are verified experimentally, showing that the system can recognize RDP applications and behaviors and can be deployed as a traffic audit on the monitoring link of a power company's gateway, thereby improving awareness of remote operation behavior in the power grid.

Finally, the research is summarized, and its shortcomings and open problems are discussed.
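To make contributions 2 and 3 concrete, the following is an added example (not code from the dissertation) of the two building blocks they describe: a handshake fingerprint built from the signed length sequence of a flow's first packets with tolerance matching against a fingerprint database, and per-flow statistical features (including adjacent-payload-length differences) scored by information gain. All packet lengths, the number of handshake packets, the tolerance and the labels are constructed assumptions for illustration; they are not real RDP or TLS handshake sizes and not the dissertation's parameters.

```python
"""Handshake-length fingerprinting and flow feature extraction.

Added example, not the dissertation's code. Every packet length below is
CONSTRUCTED and does not reproduce real RDP/TLS handshake sizes.
"""
import math
from collections import Counter
from statistics import mean, median, pstdev
from typing import Dict, List, Tuple

# A flow is the ordered list of (direction, length) pairs of one TCP connection.
# direction: +1 = client -> server, -1 = server -> client.
Packet = Tuple[int, int]
Flow = List[Packet]
Fingerprint = Tuple[int, ...]

HANDSHAKE_PACKETS = 8   # assumed: leading packets that form the fingerprint
LENGTH_TOLERANCE = 32   # assumed: per-packet slack in bytes when matching

# Constructed labelled training flows (not captures).
TRAINING_FLOWS: Dict[str, List[Flow]] = {
    "rdp": [
        [(1, 51), (-1, 19), (1, 190), (-1, 1460), (-1, 1460), (-1, 320),
         (1, 126), (-1, 51), (1, 450), (-1, 140)],
        [(1, 51), (-1, 19), (1, 190), (-1, 1460), (-1, 1460), (-1, 320),
         (1, 126), (-1, 51), (1, 460), (-1, 138)],
    ],
    "https": [
        [(1, 517), (-1, 1460), (-1, 1460), (-1, 900), (1, 126), (-1, 51),
         (1, 200), (-1, 1460), (1, 80), (-1, 300)],
    ],
}


def fingerprint(flow: Flow, n: int = HANDSHAKE_PACKETS) -> Fingerprint:
    """Signed length sequence of the first n packets; the sign encodes direction."""
    return tuple(d * length for d, length in flow[:n])


def build_fingerprint_db(flows: Dict[str, List[Flow]]) -> Dict[str, List[Fingerprint]]:
    """One deduplicated fingerprint list per label."""
    return {label: sorted({fingerprint(f) for f in fl}) for label, fl in flows.items()}


def match_fingerprint(flow: Flow, db: Dict[str, List[Fingerprint]],
                      tol: int = LENGTH_TOLERANCE):
    """Return the label of the closest fingerprint, or None if nothing matches.

    A reference matches when every packet has the same direction and a length
    within tol bytes; among matches the smallest total length distance wins.
    """
    fp = fingerprint(flow)
    best, best_dist = None, None
    for label, refs in db.items():
        for ref in refs:
            if len(ref) != len(fp):
                continue
            dist = 0
            for a, b in zip(ref, fp):
                if (a > 0) != (b > 0) or abs(abs(a) - abs(b)) > tol:
                    dist = None          # direction or size mismatch: reject
                    break
                dist += abs(abs(a) - abs(b))
            if dist is not None and (best_dist is None or dist < best_dist):
                best, best_dist = label, dist
    return best


def flow_features(flow: Flow) -> Dict[str, float]:
    """Per-flow statistics of arriving packets and of adjacent payload differences."""
    lengths = [length for _, length in flow]
    up = [length for d, length in flow if d > 0]
    down = [length for d, length in flow if d < 0]
    diffs = [b - a for a, b in zip(lengths, lengths[1:])]   # adjacent-length deltas
    return {
        "n_pkts": len(flow),
        "up_ratio": len(up) / len(flow),
        "len_mean": mean(lengths),
        "len_std": pstdev(lengths),
        "up_len_mean": mean(up) if up else 0.0,
        "down_len_mean": mean(down) if down else 0.0,
        "diff_mean": mean(diffs) if diffs else 0.0,
        "diff_abs_mean": mean(abs(x) for x in diffs) if diffs else 0.0,
        # how often the length trend flips: bursty vs. steady traffic
        "diff_sign_changes": sum(1 for a, b in zip(diffs, diffs[1:]) if (a > 0) != (b > 0)),
    }


def entropy(labels: List[str]) -> float:
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(values: List[float], labels: List[str]) -> float:
    """Information gain of a numeric feature when split at its median."""
    thr = median(values)
    left = [y for v, y in zip(values, labels) if v <= thr]
    right = [y for v, y in zip(values, labels) if v > thr]
    n = len(labels)
    conditional = sum(len(part) / n * entropy(part) for part in (left, right) if part)
    return entropy(labels) - conditional


if __name__ == "__main__":
    db = build_fingerprint_db(TRAINING_FLOWS)
    probe = [(1, 60), (-1, 19), (1, 200), (-1, 1460), (-1, 1460), (-1, 300),
             (1, 126), (-1, 51), (1, 400), (-1, 100)]
    print("probe classified as:", match_fingerprint(probe, db))
    feats = [flow_features(f) for fl in TRAINING_FLOWS.values() for f in fl]
    labels = [lbl for lbl, fl in TRAINING_FLOWS.items() for _ in fl]
    for name in feats[0]:
        print(f"{name:18s} IG={information_gain([f[name] for f in feats], labels):.3f}")
```

The fingerprint step only needs packet sizes and directions, so it works on TLS-encrypted RDP without decryption; the tolerance absorbs small variations such as certificate or extension length changes, while a direction mismatch rejects immediately. The feature and information-gain functions are the pieces a later per-application classifier would consume; ranking features by gain on labelled flows is how a streamlined feature set is chosen before training.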