| An anonymous network system is essentially a communication system that protects the anonymity of both parties. An anonymous bridge is a relay in an anonymous network system, and its bridge information must be obtained through out-of-band distribution. Anonymous networks access the network through bridges. Most of the bridges used in anonymous networks have strong anti-detection ability. This thesis focuses on detection methods for anonymous network bridges, which is an important research direction in the field of anonymous network security. Anti-detection protocols usually require the client to prove that it knows a key before the server responds. The key is usually distributed out of band together with the server address. If a valid key cannot be obtained, the server will not respond to the active probe, which makes it more difficult to confirm the server protocol. In this thesis, a detection payload analysis method for anti-detection bridges in anonymous networks is proposed, and the effectiveness of this method is verified by experiments. The main research results are as follows: (1) In view of the strong anti-detection ability of anonymous bridges, a detection payload mining method based on dynamic and static fusion analysis is proposed. This method comprehensively analyzes the bridge protocol through the function call graph and flow chart generated by a greybox fuzzing tool and a static analysis tool, and generates dynamic adaptive attack payloads based on different versions. Then, based on the detection payloads obtained from fuzzing and static analysis, a method of constructing a multi-level decision model is proposed to distinguish different protocols. The coarse-grained decision model is used to screen out ordinary protocols, and the fine-grained hierarchical decision model is used to further distinguish anti-detection protocols. (2) For the obfs4 anti-detection bridge, this thesis analyzes it with the dynamic and static fusion analysis method and puts forward the detection payload characteristics of different versions of obfs4. Since an anti-probe bridge will not respond to any probe, the first decision-making layer probes with a TLS probe and an HTTP probe and marks an endpoint responding to any probe as not being an anti-probe bridge. For the obfs4 anti-detection bridge, analysis shows that the detection behavior of obfs4 after 0.0.10 differs from that of obfs4 before 0.0.10, both when a single packet is sent and when packets are sent in a loop. For the obfs4 of 0.0.10 and earlier versions, the server behaves differently in three sections when a single packet is sent, while the obfs4 of 0.0.10 and earlier versions shows only one behavior when a single packet is sent, which is also reflected when packets are sent in a loop. (3) According to the above analysis of the detection payload of obfs4, the multi-level decision models of different versions of obfs4 are constructed and automated, and then the recall rate, effectiveness and accuracy of the multi-level decision model of the obfs4 bridge are experimentally evaluated on three types of data sets: zmap, anti and obfs4. The experiments show that the recall rate of the obfs4 single-packet decision model is 99.2%, its specificity and accuracy rate are about 99.9%, and the recall rate, specificity and accuracy rate of the multi-level decision model are 100%. Experiments show that the false alarm rate of the multi-level decision-making model is negligible, and the timeliness of obfs4 in the network is low. |