基于時空主成分分析的惡意加密流量檢測技術*
網絡安全與數據治理 10期
孟 楠,周成勝,趙 勛,王 斌,姜喬木
(1.中國信息通信研究院安全研究所,北京100191;2.廣州匯智通信技術有限公司,廣東廣州510639)
摘要: 惡意加密流量檢測對關鍵信息基礎設施的可靠運行至關重要,也是應對DDoS攻擊等網絡威脅的有效手段。利用時空主成分分析技術,構建了時間維度和空間維度的網絡流量變化模型,實現惡意加密流量的實時檢測和追蹤溯源。在時間維度,利用歷史積累的網絡流量監測信息進行主成分分析,構建瞬時流量預測模型與實際監測流量之間的平方預測誤差,判定網絡中出現惡意加密流量的時刻。在空間維度,利用歷史積累的各國家和地區的網絡流量監測數據,構建區域流量預測模型與實際監測流量之間的平方預測誤差,對惡意加密流量的來源地進行追蹤溯源。最后,設計了一種可用于現網部署的算法實現流程,并分析了相比其他已有算法帶來的能力提升。
中圖分類號:TP393.08
文獻標識碼:A
DOI:10.19358/j.issn.2097-1788.2023.10.006
引用格式:孟楠,周成勝,趙勛,等.基于時空主成分分析的惡意加密流量檢測技術[J].網絡安全與數據治理,2023,42(10):33-39.
文獻標識碼:A
DOI:10.19358/j.issn.2097-1788.2023.10.006
引用格式:孟楠,周成勝,趙勛,等.基于時空主成分分析的惡意加密流量檢測技術[J].網絡安全與數據治理,2023,42(10):33-39.
Detection of malicious encrypted network traffic based on temporal and spatial principal component analysis
Meng Nan1,Zhou Chengsheng1,Zhao Xun 1,Wang Bin 2,Jiang Qiaomu 2
(1.Institute of Security, The China Academy of Information and Communications Technology, Beijing 100191, China; 2.Guangzhou Intelligence Communication Technology Co., Ltd., Guangzhou 510639, China)
Abstract: Monitoring and warning of malicious encrypted network traffic is essential for the reliability of critical information infrastructure, which is also an effective method against cyberattacks, such as Distributed Denial of Service (DDoS) attacks. In this paper, malicious encrypted network traffic is monitored and traced by constructing the temporal and spatial network traffic variation model with the Principal Component Analysis (PCA) technique. From a temporal perspective, the PCA technique is operated on historical network traffic monitoring information to construct the Squared Prediction Error (SPE) between temporal model prediction and the measurement of network traffic. The moment that malicious encrypted network traffic behavior occurs can be declared as instantaneous SPE exceeds the predefined threshold. From a spatial perspective, the PCA technique is operated on historical network traffic monitoring information of various countries and regions. The source region of malicious encrypted network traffic can be traced by evaluating the SPE between the spatial model prediction and the measurement of network traffic of each country or region. Finally, a practical algorithm for malicious encrypted network traffic behavior detection is designed. The capacity improvement of the proposed algorithm comparing with existing algorithms is analyzed.
Key words : temporal and spatial principal component analysis; monitoring of malicious encrypted network traffic; trace; squared prediction error
0 引言
隨著互聯網、大數據、云計算等新興信息技術的快速發展,網絡規模呈現指數級、爆發式增長趨勢,社會各行各業開始廣泛地應用互聯網技術開展工作,網絡的穩定可靠運行對社會平穩運行和快速發展具有重要意義。
為保障網絡穩定可靠運行,需要通過部署網絡流量監測設備(如流量探針)對特定網絡出入口的流量進行多維度實時監測,將關鍵網絡節點的流量數據通過鏡像或分光的方式進行采集,并發送至網絡安全分析監測系統,然后對網絡流量行為、傳輸協議和數據內容進行深度包解析,通過與內置的安全威脅情報庫進行匹配,從而對惡意加密流量行為實現實時檢測和預警[1]。
本文詳細內容請下載:http://m.xxav2194.com/resource/share/2000005736
作者信息:
孟楠1,周成勝1,趙勛1,王斌2,姜喬木2
(1.中國信息通信研究院安全研究所,北京100191;2.廣州匯智通信技術有限公司,廣東廣州510639)
此內容為AET網站原創,未經授權禁止轉載。