
Research On Malicious Encrypted Traffic Detecting Methods With Fingerprint In Software Defined Network

Posted on: 2021-11-16
Degree: Master
Type: Thesis
Country: China
Candidate: D C Chao
GTID: 2518306470969659
Subject: Computer Science and Technology

Abstract/Summary:
With the proposal of the network power strategy, a new generation of high-speed, mobile, secure and ubiquitous information infrastructure has come to play an important role in infrastructure construction, and cyberspace security has received unprecedented attention. As a new network architecture, Software Defined Network (SDN) has been adopted in enterprise networks, cloud computing, operator networks, campus networks and many other settings, and it faces more security risks as a result. In particular, malicious encrypted traffic poses a typical threat to SDN. Malicious encrypted traffic is generated by malware that uses encryption technology. Compared with unencrypted traffic, it can hide malicious activity and easily bypass existing malicious traffic detection schemes. Detecting malicious encrypted traffic in SDN is therefore of great significance to cyberspace security.

SDN has a certain visibility into traffic, but it is still difficult to infer the type and purpose of that traffic. Existing malicious traffic detection schemes in SDN pay little attention to encrypted traffic, so their ability to detect it is insufficient. To design a detection scheme suited to SDN, three pieces of research work were carried out.

First, a detection scheme is proposed that is based on the data-flow fingerprint and combines host-side detection with controller-side detection. A data-flow level detection model on the host side detects malicious encrypted traffic quickly and efficiently, and a connection-quadruple level detection model on the controller side reliably resolves the host's misdetections. The scheme uses the data-flow fingerprint as input data, and a fingerprint enhancement method based on the whole data-flow process is proposed to address the low-information problem of the SSL fingerprint.

Then, an efficient detection model based on the enhanced fingerprint and a high-order Markov chain is constructed at the host end to perform data-flow level detection. Compared with a first-order Markov chain, a high-order Markov chain learns the dependency between the current state and the states that have already occurred, which makes it suited to the malicious encrypted traffic detection task.

Finally, an efficient detection model based on the enhanced fingerprint and a convolutional neural network is constructed on the controller to perform connection-quadruple level detection. With its ability to extract local features and multi-level features, the convolutional neural network can mine the time-related information in the data-flow fingerprint well. In addition, a feature mapping method is proposed so that data-flow fingerprint information can be used effectively for connection-quadruple level detection.

The thesis implements the host-side detection algorithm and the controller-side detection algorithm, and experiments are carried out on a complex encrypted traffic dataset. The effectiveness of the data-flow level detection method is verified first, then that of the data-flow connection-quadruple level detection method, and finally that of the detection scheme as a whole.
Keywords/Search Tags:Software Defined Network, Malicious encrypted traffic, Data-flow fingerprint, High-order Markov chain, Convolution neural network
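The host-side idea in the abstract, a high-order Markov chain scoring a flow's fingerprint sequence, is sketched below as an added example; it is not code from the thesis. The token alphabet, the add-one smoothing, the log-likelihood-ratio decision rule and the sample flows are all assumptions made for illustration.

```python
import math
from collections import defaultdict

class MarkovModel:
    """Order-k Markov chain over fingerprint tokens, add-one smoothed."""

    def __init__(self, order, alphabet):
        self.order = order
        self.vocab = len(alphabet)
        self.counts = defaultdict(lambda: defaultdict(int))

    def _pad(self, seq):
        # Start markers give the first tokens a full k-token history.
        return ["<s>"] * self.order + list(seq)

    def fit(self, flows):
        for flow in flows:
            s = self._pad(flow)
            for i in range(self.order, len(s)):
                self.counts[tuple(s[i - self.order:i])][s[i]] += 1
        return self

    def log_likelihood(self, flow):
        s, total = self._pad(flow), 0.0
        for i in range(self.order, len(s)):
            nxt = self.counts.get(tuple(s[i - self.order:i]), {})
            total += math.log((nxt.get(s[i], 0) + 1) / (sum(nxt.values()) + self.vocab))
        return total

def classify(flow, benign, malicious):
    """Log-likelihood ratio; positive means the malicious model fits better."""
    score = malicious.log_likelihood(flow) - benign.log_likelihood(flow)
    return ("malicious" if score > 0 else "benign"), score

# Constructed sample flows (not from the thesis dataset). Tokens are assumed:
# HS = handshake record, CCS = ChangeCipherSpec, C/S = client/server app-data record.
ALPHABET = {"HS", "CCS", "C", "S"}
BENIGN = [["HS", "HS", "CCS", "C", "S", "S", "C", "S", "S"],
          ["HS", "HS", "CCS", "C", "S", "S", "S", "C", "S"]]
MALICIOUS = [["HS", "HS", "CCS", "C", "S", "C", "S", "C", "S"],
             ["HS", "HS", "CCS", "C", "C", "S", "C", "S", "C"]]

def demo(order=2):
    ben = MarkovModel(order, ALPHABET).fit(BENIGN)
    mal = MarkovModel(order, ALPHABET).fit(MALICIOUS)
    return (classify(["HS", "HS", "CCS", "C", "S", "C", "S"], ben, mal),
            classify(["HS", "HS", "CCS", "C", "S", "S", "C", "S"], ben, mal))

if __name__ == "__main__":
    print(demo())
```

Calling `demo(order=1)` fits first-order models on the same flows, which lets the two orders be compared on identical input.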