VPN technology, as a remote network access technology that can effectively protect users' privacy and provide encryption services, has greatly increased its share of network traffic in recent years. However, while it provides users with convenient and confidential remote access, it also makes network traffic management harder for ISPs. Traffic encrypted by a VPN loses the packet header information of the original traffic as well as its side-channel characteristics, which makes VPN traffic more difficult to detect and identify. Most existing VPN tools rely on anonymous proxy protocols such as SOCKS5, Shadowsocks or Vmess to conceal real network addresses and encrypt user behaviour data. These protocols pose great challenges to network supervision and management. How to effectively detect and identify VPN encrypted traffic and classify VPN tools is therefore an urgent problem in the field of Internet security supervision. Based on an analysis of the characteristics of VPN encrypted traffic and the working principles of proxy protocols, this thesis proposes a method to identify VPN traffic and classify VPN tools. The research contents are as follows:

(1) To address the missing information and entropy randomization of VPN encrypted traffic, a detection and identification method for VPN encrypted traffic based on the distribution of piecewise entropy is proposed. A sliding-window method is used to discriminate and divide the high-entropy and low-entropy regions of VPN encrypted traffic sequences, and the piecewise entropy feature of the traffic is extracted. A capsule neural network model then performs the detection and identification of the VPN encrypted traffic. The experimental results show that the method identifies VPN encrypted traffic using the Vmess protocol with an accuracy of 97.34%, which means it can be used to detect and identify VPN encrypted traffic.

(2) To address the differences in proxy methods and the confusable traffic characteristics of VPN tools, a two-stage VPN tool classification method based on the proxy protocol is proposed. In the first stage, the packet length and timing correlation features of a single flow during proxy protocol key negotiation are extracted, and a GBDT-LR ensemble learning model is established to perform a preliminary classification of VPN tools at the proxy protocol level. In the second stage, based on the handshake traffic characteristics of VPN tools, a 1D-CNN deep learning model classifies the VPN tools. The experimental results show that this method meets classification requirements at different granularities and achieves fine-grained classification of five mainstream VPN tools.

(3) Based on the above methods, a prototype system for VPN traffic identification and tool classification is designed and implemented. The thesis introduces the overall architecture of the system and designs and implements each functional module in detail: the VPN encrypted traffic detection and identification model, the VPN tool proxy protocol classification model, the VPN tool fine-grained classification model and the front-end interface display module. Finally, the designed system is tested and verified on real traffic.
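Added example, not code from the thesis: a sketch of the sliding-window, piecewise-entropy feature extraction described in contribution (1). The 64-byte window, the 5.5 bit/byte threshold and the sample payload (a cleartext-style request line followed by distinct byte values standing in for ciphertext) are all constructed assumptions; a real pipeline would tune window size and threshold on labelled flows.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def window_entropies(payload: bytes, window: int, step: int) -> List[float]:
    """Entropy of each full window slid over the payload; a trailing partial window is dropped."""
    return [shannon_entropy(payload[s:s + window])
            for s in range(0, len(payload) - window + 1, step)]


def piecewise_segments(entropies: List[float], threshold: float) -> List[Tuple[str, int, float]]:
    """Merge runs of consecutive same-class windows into (label, window_count, mean_entropy)."""
    runs: List[list] = []
    for h in entropies:
        label = "high" if h >= threshold else "low"
        if runs and runs[-1][0] == label:
            runs[-1][1] += 1
            runs[-1][2] += h
        else:
            runs.append([label, 1, h])
    return [(label, n, total / n) for label, n, total in runs]


def piecewise_entropy_features(payload: bytes, window: int = 64, step: int = 64,
                               threshold: float = 5.5) -> Dict[str, object]:
    """Piecewise-entropy feature vector for one payload (window/threshold are assumed defaults)."""
    ents = window_entropies(payload, window, step)
    segs = piecewise_segments(ents, threshold)
    n = len(ents)
    high = sum(count for label, count, _ in segs if label == "high")
    return {
        "segments": segs,
        "n_segments": len(segs),
        "high_fraction": high / n if n else 0.0,
        "mean_entropy": sum(ents) / n if n else 0.0,
        # index of the first high-entropy window, i.e. where cleartext negotiation ends
        "first_high_window": next((i for i, h in enumerate(ents) if h >= threshold), -1),
    }


# Constructed sample: a cleartext-style request padded/truncated to exactly 64 bytes,
# followed by 128 distinct byte values that stand in for near-maximal-entropy ciphertext.
HEADER = b"CONNECT proxy.example.net:443 HTTP/1.1\r\nUser-Agent: curl/8.0\r\n\r\n".ljust(64, b" ")[:64]
SAMPLE = HEADER + bytes(range(128, 256))
```

Running `piecewise_entropy_features(SAMPLE)` yields one low-entropy segment (the header window) followed by one high-entropy segment of two windows at 6.0 bits/byte, with `first_high_window` equal to 1.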