Computer Science, 2023, 50(3): 371-379. doi: 10.11896/jsjkx.211200280

• Information Security •

Network Equipment Anomaly Detection Based on Time Delay Feature

CUI Jingsong1, ZHANG Tongtong1, GUO Chi2, GUO Wenfei2

  1 Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education (School of Cyber Science and Engineering, Wuhan University), Wuhan 430079, China
  2 GNSS Research Center, Wuhan University, Wuhan 430079, China
  • Received: 2021-12-27  Revised: 2022-04-03  Online: 2023-03-15  Published: 2023-03-15
  • Corresponding author: GUO Chi (guochi@whu.edu.cn)
  • About author: CUI Jingsong (jscui@whu.deu.cn), born in 1975, Ph.D, associate professor, master supervisor, is a member of China Computer Federation. His main research interests include information security, cloud security and chip security.
    GUO Chi, born in 1983, Ph.D, professor, Ph.D supervisor, is a senior member of China Computer Federation. His main research interests include Beidou application, unmanned system navigation and location-based service.
  • Supported by: National Key R&D Project of China During the 13th Five-Year Plan Period (2016YFB0501801).

Abstract: With the rapid development of the Internet, the security of network equipment has received extensive attention. Existing anomaly detection techniques for network equipment are destructive and hard to apply, so this paper takes the delay a network device spends transmitting and processing packets as the detection basis and proposes an anomaly detection scheme based on delay features. The scheme adopts side-channel analysis: it requires no upgrade or modification of the device's software or hardware, and it is non-intrusive, easy to deploy and applicable over a wide area. First, a high-precision timestamping instrument records the variation in delay as a home router forwards packets, and a genetic algorithm extracts the peak-position features of the delay distribution. Second, to address the imbalance of the data set, a one-class support vector machine is used to build the anomaly detector. Finally, an experimental platform is built to verify the scheme and the results are evaluated. Experimental results show that the proposed method is feasible and effective.

Key words: Anomaly detection, Delay, Network equipment, One-class support vector machine, Peak position
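The pipeline the abstract describes (timestamped per-packet delays, peak positions of the delay distribution as features, a one-class detector trained on normal windows only) can be illustrated end to end. The following is an added example, not code from the paper or its authors. It assumes constructed delay data: a baseline router with two delay modes (a fast path and a slow path) and a modified device whose extra processing stage adds a roughly constant delay. Two simplifications are assumed and labelled in the code: histogram local maxima with a centroid refinement stand in for the paper's genetic-algorithm peak extraction, and a standardised-deviation threshold stands in for the one-class SVM; the structure of the detector (fit on normal-only windows, score new windows) is the same.

```python
"""Timing side-channel anomaly detection on packet-delay distributions.

Constructed example. Baseline delays are a mixture of two Gaussian modes;
an anomalous device is simulated by shifting both modes. Features are the
peak positions of the delay histogram; the detector thresholds the largest
standardised deviation from the normal-only training windows. Both are
simplified stand-ins for the paper's GA peak fitting and one-class SVM.
"""
import random
import statistics


def simulate_delays(rng, n, modes, jitter_us):
    """Draw n per-packet delays (us) from Gaussian modes given as (mean_us, weight).
    Constructed data, not measurements from a time-stamp instrument."""
    means = [m for m, _ in modes]
    weights = [w for _, w in modes]
    return [max(0.0, rng.gauss(rng.choices(means, weights=weights)[0], jitter_us))
            for _ in range(n)]


def histogram(delays, bin_width_us):
    """Map bin index -> count for fixed-width bins."""
    counts = {}
    for d in delays:
        b = int(d // bin_width_us)
        counts[b] = counts.get(b, 0) + 1
    return counts


def peak_positions(delays, bin_width_us, n_peaks, window_bins=3):
    """Positions (us) of the n_peaks tallest local maxima of the delay histogram,
    sorted ascending. Each position is the count-weighted centroid of the bins
    within +/-window_bins of the peak bin (sub-bin resolution). Substitute for
    the paper's genetic-algorithm extraction."""
    counts = histogram(delays, bin_width_us)
    if not counts:
        return []
    candidates = []
    for b in range(min(counts), max(counts) + 1):
        c = counts.get(b, 0)
        if c == 0:
            continue
        left = max(counts.get(b - k, 0) for k in range(1, window_bins + 1))
        right = max(counts.get(b + k, 0) for k in range(1, window_bins + 1))
        if c >= left and c > right:  # local maximum; equal neighbours resolve to the higher bin
            candidates.append((c, b))
    candidates.sort(reverse=True)  # tallest first
    chosen = []
    for _, b in candidates:
        if all(abs(b - cb) > window_bins for cb in chosen):
            chosen.append(b)
        if len(chosen) == n_peaks:
            break
    positions = []
    for b in sorted(chosen):
        mass = weighted = 0.0
        for k in range(-window_bins, window_bins + 1):
            c = counts.get(b + k, 0)
            mass += c
            weighted += c * (b + k + 0.5) * bin_width_us
        positions.append(weighted / mass)
    return positions


class PeakPositionDetector:
    """One-class detector over peak-position feature vectors. fit() learns
    per-feature mean/std from normal-only windows and sets the alarm threshold
    at `margin` times the largest standardised deviation seen in training.
    A window missing an expected peak scores infinity."""

    def __init__(self, bin_width_us, n_peaks, margin=2.0):
        self.bin_width_us, self.n_peaks, self.margin = bin_width_us, n_peaks, margin
        self.mean = self.std = self.threshold = None

    def _features(self, delays):
        return peak_positions(delays, self.bin_width_us, self.n_peaks)

    def _score_vector(self, vec):
        return max(abs(x - m) / s for x, m, s in zip(vec, self.mean, self.std))

    def fit(self, windows):
        vecs = [v for v in map(self._features, windows) if len(v) == self.n_peaks]
        cols = list(zip(*vecs))
        self.mean = [statistics.fmean(c) for c in cols]
        self.std = [max(statistics.pstdev(c), 1e-9) for c in cols]  # avoid divide-by-zero
        self.threshold = self.margin * max(self._score_vector(v) for v in vecs)
        return self

    def score(self, delays):
        vec = self._features(delays)
        return self._score_vector(vec) if len(vec) == self.n_peaks else float("inf")

    def is_anomalous(self, delays):
        return self.score(delays) > self.threshold


# Constructed scenario: 120 us fast path and 260 us slow path on the baseline
# router; the modified device adds about 45 us of processing to every packet.
BASELINE_MODES = [(120.0, 0.7), (260.0, 0.3)]
ANOMALOUS_MODES = [(165.0, 0.7), (305.0, 0.3)]
JITTER_US = 6.0
WINDOW_PACKETS = 2000


def train_baseline(seed=7, n_windows=20):
    """Fit the detector on n_windows capture windows from the baseline router."""
    rng = random.Random(seed)
    train = [simulate_delays(rng, WINDOW_PACKETS, BASELINE_MODES, JITTER_US) for _ in range(n_windows)]
    return PeakPositionDetector(bin_width_us=5.0, n_peaks=2).fit(train)


def run_demo(seed=7):
    """Return (baseline_window_flagged, modified_device_window_flagged)."""
    det = train_baseline(seed)
    rng = random.Random(seed + 1)  # fresh stream for the two test windows
    baseline = simulate_delays(rng, WINDOW_PACKETS, BASELINE_MODES, JITTER_US)
    modified = simulate_delays(rng, WINDOW_PACKETS, ANOMALOUS_MODES, JITTER_US)
    return det.is_anomalous(baseline), det.is_anomalous(modified)


print("baseline flagged, modified flagged:", run_demo())
```

The detector never sees anomalous windows during training, which is the point of the one-class formulation on an imbalanced data set: normal captures are plentiful, tampered devices are rare. A practitioner replacing the constructed data with real timestamp captures should keep the capture conditions (packet size, load, path) fixed between training and scoring, since a change in any of them also moves the delay peaks.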

CLC number: TP181