Mapping Method Between IP And Service Based On Compound Fingerprint Model

Posted on: 2022-04-03 | Degree: Master | Type: Thesis
Country: China | Candidate: S Guo
GTID: 2518306740994249 | Subject: Cyberspace security
Abstract/Summary:
With growing awareness of information security and privacy protection, more and more network services use TLS and other encryption protocols to communicate, which defeats traditional traffic and service identification methods based on DPI and plaintext features. However, all parties involved in network operation still need to measure and analyze network services for important purposes such as network resource optimization and malicious application identification. How to measure and analyze encrypted services on the Internet is therefore an urgent problem with high research value.

Machine learning and deep learning methods based on flow features have achieved certain results on this problem, but they have limitations such as high training cost, heavy dependence on sample and feature selection, and weak scalability. Meanwhile, TLS fingerprinting methods that do not rely on machine learning mostly focus on the client side, and research on server-side identification is lacking. To solve these problems, this thesis proposes an IP-service mapping method based on a compound fingerprint model. The method is based on active measurement and identifies the service carried by an IP over TLS. Specifically, this thesis includes the following work:

1. A compound fingerprint model and its service mapping strategy: Most existing work on TLS fingerprinting generates the fingerprint from data in the Client Hello message, so it only supports characterizing client-side targets. The compound fingerprint model proposed in this thesis uses a variety of TLS and HTTPS messages at the same time, so it can describe server-side targets. Based on active measurement, this thesis also puts forward a service mapping strategy for compound fingerprints, which generates an IP's fingerprint through multi-stage detection and compares it with a fingerprint database to identify the network service carried by the IP. The strategy also accounts for certificate anomalies caused by the absence of SNI and for discrimination between applications of the same family, which improves recognition speed and accuracy. Finally, based on the compound fingerprint model and its mapping strategy, this thesis designs and implements an automatic fingerprint collection method and uses it to collect and analyze fingerprints of 90 mobile applications.

2. A dual-structure fingerprint database based on file and memory, and a fast fingerprint retrieval method, FP-Match: In view of the high time complexity and instability of fingerprint retrieval algorithms in existing work, this thesis proposes the FP-Match fast fingerprint retrieval method based on the MinHash and LSH algorithms, and accelerates retrieval with a memory-based runtime fingerprint database. This thesis also studies the error of the LSH algorithm and puts forward a weight-based, error-minimizing parameter selection method, which effectively reduces the influence of LSH error on fingerprint retrieval. The experimental results show that this method has an obvious advantage in fingerprint retrieval speed over existing work.

3. A prototype system for IP and service mapping based on a distributed detection architecture: The prototype system implements fingerprint collection, the fingerprint database and the service mapping strategy, and uses distributed detection nodes for parallel detection acceleration. The IP and service mapping method based on the compound fingerprint model is tested with the prototype system, and the experimental results prove the effectiveness of the method.
Keywords/Search Tags: network measurement, encrypted communication, application recognition, TLS fingerprint, locality-sensitive hashing
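
The retrieval idea named in item 2 (MinHash signatures bucketed by LSH banding, then an exact check on the candidates only) can be illustrated as follows. This is an added example, not the thesis's FP-Match code: the token format for a compound fingerprint, the service names, the 8x4 banding parameters and the 0.6 threshold are all assumptions made for illustration. `candidate_probability` gives the standard banding formula whose complement is the LSH miss rate that the abstract's parameter selection is concerned with.

```python
import hashlib
from collections import defaultdict

BANDS, ROWS = 8, 4  # assumed LSH parameters (signature length 32)
def _hash(seed, token):
    digest = hashlib.sha256(f"{seed}:{token}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def minhash(tokens):
    """MinHash signature: for each seeded hash, the minimum over the token set."""
    return tuple(min(_hash(i, t) for t in tokens) for i in range(BANDS * ROWS))

def candidate_probability(s, rows=ROWS, bands=BANDS):
    """Chance that two sets with Jaccard similarity s share at least one band."""
    return 1 - (1 - s ** rows) ** bands

class FingerprintIndex:
    def __init__(self):
        # db: service -> token set; buckets: (band, band signature) -> services
        self.db, self.buckets = {}, defaultdict(set)

    def _bands(self, tokens):
        sig = minhash(tokens)
        return [(b, sig[b * ROWS:(b + 1) * ROWS]) for b in range(BANDS)]

    def add(self, service, tokens):
        self.db[service] = frozenset(tokens)
        for key in self._bands(self.db[service]):
            self.buckets[key].add(service)

    def query(self, tokens, threshold=0.6):
        """Fetch LSH candidates only, then confirm each with exact Jaccard."""
        tokens = frozenset(tokens)
        candidates = set()
        for key in self._bands(tokens):
            candidates |= self.buckets.get(key, set())
        scored = ((len(tokens & self.db[c]) / len(tokens | self.db[c]), c) for c in candidates)
        return sorted((hit for hit in scored if hit[0] >= threshold), reverse=True)

# Constructed sample fingerprints (hypothetical services and token format).
SERVICE_A = {"tls:version=1.3", "tls:cipher=TLS_AES_128_GCM_SHA256", "tls:alpn=h2",
             "cert:issuer=Constructed CA 1", "http:server=nginx"}
SERVICE_B = {"tls:version=1.2", "tls:cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "tls:alpn=http/1.1", "cert:issuer=Constructed CA 2", "http:server=envoy"}

def build_sample_index():
    index = FingerprintIndex()
    for name, tokens in (("service-a", SERVICE_A), ("service-b", SERVICE_B)):
        index.add(name, tokens)
    return index
```

With these parameters a probe whose Jaccard similarity to a stored fingerprint is 0.8 is missed about 1.5% of the time (`1 - candidate_probability(0.8)`), which is the kind of error that the choice of bands and rows trades against retrieval speed.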