Computer Science (计算机科学) ›› 2023, Vol. 50 ›› Issue (10): 308-314. doi: 10.11896/jsjkx.230500141

• Information Security •

IPSec VPN Closure Detection Method Based on Side-channel Features

SUN Yunxiao1, LI Jun1, WANG Bailing1,2

  1 School of Computer Science and Technology, Harbin Institute of Technology (Weihai), Weihai, Shandong 264209, China
  2 Harbin Institute of Technology Research Institute of Cyberspace Security, Harbin 150001, China
  • Received: 2023-05-21 Revised: 2023-07-25 Online: 2023-10-10 Published: 2023-10-10
  • Corresponding author: WANG Bailing (wbl@hit.edu.cn)
  • About author: (syx@hitwh.edu.cn)
  • Supported by:
    National Key R&D Program of China (2021YFB2012400); National Natural Science Foundation of China (62272129); Fundamental Research Funds for the Central Universities (HIT.NSRIF.2020098)

IPSec VPN Closure Detection Method Based on Side-channel Features

SUN Yunxiao1, LI Jun1, WANG Bailing1,2   

  1 School of Computer Science and Technology, Harbin Institute of Technology (Weihai), Weihai, Shandong 264209, China
  2 Harbin Institute of Technology Research Institute of Cyberspace Security, Harbin 150001, China
  • Received: 2023-05-21 Revised: 2023-07-25 Online: 2023-10-10 Published: 2023-10-10
  • About author: SUN Yunxiao, born in 1989, Ph.D. His main research interests include network security and communication protocols, among others. WANG Bailing, born in 1978, Ph.D., professor, Ph.D. supervisor, is a member of the China Computer Federation. His main research interests include industrial Internet security, information security and financial security.
  • Supported by:
    National Key R&D Program of China (2021YFB2012400), National Natural Science Foundation of China (62272129) and Fundamental Research Funds for the Central Universities of the Ministry of Education of China (HIT.NSRIF.2020098).

Abstract: IPSec VPNs can be divided by application scenario into closed networks and open networks. Closed networks are commonly used to build customized virtual private networks, while open network proxies are a common means of evading network auditing; identifying and classifying the network type of an IPSec VPN is therefore important for network supervision. Based on the difference in service complexity between the two network types, a method is proposed that uses side-channel features of the encrypted traffic to detect IPSec VPN closure: the frame length sequence of the IPSec encrypted traffic and the distribution of the TCP maximum segment size (MSS) inside the tunnel are extracted, information entropy is introduced to measure the distribution of MSS values, the information entropy of the MSS values and the standard deviation of the frame length sequence are taken as the feature vector, and machine learning algorithms such as support vector machine and random forest are used for training and prediction. Experimental results show that closure detection with this classification method achieves an accuracy above 96% and can effectively identify VPN tunnels used for open proxies.

Key words: IPSec VPN, closure detection, side channel, TCP maximum segment size, machine learning

Abstract: IPSec VPNs can be divided into closed networks and open networks according to their application scenario. Closed networks are generally used to build customized virtual private networks, whereas open network proxies are commonly used to evade network auditing; identifying and classifying the network type of an IPSec VPN is therefore of great significance for network supervision. Based on the difference in traffic complexity between the two network types, a method for IPSec VPN closure detection using side-channel features of the encrypted traffic is proposed. The frame length sequence of the IPSec encrypted traffic and the distribution of the TCP maximum segment size (MSS) inside the tunnel are extracted, and information entropy is introduced to measure the distribution of MSS values. The information entropy of the MSS values and the standard deviation of the frame length sequence are used as the feature vector, and machine learning algorithms such as support vector machine and random forest are used for training and prediction. Experimental results indicate that the accuracy of closure detection with this classification method exceeds 96%, and that it can effectively identify VPN tunnels used as open proxies.

Key words: IPSec VPN, Closure detection, Side-channel, TCP MSS, Machine learning
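As an added example (not the paper's code), the feature extraction the abstract describes in Python: Shannon entropy of the inner TCP MSS distribution and standard deviation of the encrypted frame-length sequence, combined into the two-dimensional feature vector. It assumes the monitor has already recovered one MSS value per inner connection (how that is done is not shown here); the sample tunnels are constructed, and the SVM/random-forest training step is omitted.

```python
import math
import statistics
from collections import Counter
from typing import Sequence


def mss_entropy(mss_values: Sequence[int]) -> float:
    """Shannon entropy (bits) of the empirical distribution of inner TCP MSS values.

    Per the abstract, the two network types differ in traffic complexity: a tunnel
    carrying many heterogeneous client connections spreads over several MSS values
    and scores higher, while a homogeneous closed network tends toward one value.
    """
    if not mss_values:
        raise ValueError("empty MSS list")
    n = len(mss_values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(mss_values).values())


def frame_length_stddev(frame_lengths: Sequence[int]) -> float:
    """Population standard deviation of the encrypted frame-length sequence."""
    if len(frame_lengths) < 2:
        raise ValueError("need at least two frames")
    return statistics.pstdev(frame_lengths)


def feature_vector(frame_lengths: Sequence[int], mss_values: Sequence[int]) -> tuple:
    """The paper's two-dimensional feature vector: (H(MSS), std(frame length)),
    ready to be fed to an SVM or random-forest classifier (training not shown)."""
    return (mss_entropy(mss_values), frame_length_stddev(frame_lengths))


# Constructed sample tunnels (not captured data), chosen only to illustrate the features.
# Frame lengths are outer (encrypted) frame sizes; MSS values are one per inner
# connection and are assumed to have been recovered already by the monitor.
CLOSED_TUNNEL = {
    "frame_lengths": [1514, 1514, 1514, 1514, 1514, 1514, 1514, 1514, 1466, 1466],
    "mss_values": [1360, 1360, 1360, 1360],
}
OPEN_PROXY_TUNNEL = {
    "frame_lengths": [1514, 610, 98, 1322, 74, 1514, 250, 898, 1514, 132],
    "mss_values": [1360, 1412, 1460, 1360, 1380, 1412, 1240, 1460],
}

if __name__ == "__main__":
    for name, flow in (("closed", CLOSED_TUNNEL), ("open proxy", OPEN_PROXY_TUNNEL)):
        h, sd = feature_vector(flow["frame_lengths"], flow["mss_values"])
        print(f"{name:10s} H(MSS)={h:.3f} bits  std(frame len)={sd:.1f}")
```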

CLC number: TP309