Detection of malicious encrypted network traffic based on temporal and spatial principal component analysis
Meng Nan¹, Zhou Chengsheng¹, Zhao Xun¹, Wang Bin², Jiang Qiaomu²
(1. Institute of Security, The China Academy of Information and Communications Technology, Beijing 100191, China; 2. Guangzhou Intelligence Communication Technology Co., Ltd., Guangzhou 510639, China)
Abstract: Monitoring and early warning of malicious encrypted network traffic is essential to the reliability of critical information infrastructure and is an effective countermeasure against cyberattacks such as Distributed Denial of Service (DDoS) attacks. In this paper, malicious encrypted network traffic is detected and traced by constructing temporal and spatial models of network traffic variation with Principal Component Analysis (PCA). From the temporal perspective, PCA is applied to historical traffic monitoring data, and the Squared Prediction Error (SPE) between the temporal model's prediction and the measured traffic is computed; the onset of malicious encrypted traffic is declared when the instantaneous SPE exceeds a predefined threshold. From the spatial perspective, PCA is applied to historical traffic monitoring data from different countries and regions, and the source region of the malicious encrypted traffic is traced by evaluating the SPE between the spatial model's prediction and the measured traffic of each country or region. Finally, a practical algorithm for detecting malicious encrypted traffic behavior is designed, and its improvement in detection capability over existing algorithms is analyzed.
Key words: temporal and spatial principal component analysis; monitoring of malicious encrypted network traffic; trace; squared prediction error
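The two mechanisms the abstract describes, a temporal PCA model whose SPE flags the moment a flood starts and a spatial PCA model whose per-region residual points at the source, are shown below in an added example that is not the paper's code. The feature set (bytes, packets, new flows, distinct destination ports per window), the region labels A to F, the empirical 99th-percentile SPE threshold and all traffic data are constructed assumptions; the abstract does not state which features or threshold rule the authors use.

```python
"""PCA / Squared Prediction Error (SPE) detection of anomalous traffic windows,
plus a spatial variant that ranks regions by residual contribution.
Added illustration; feature set, threshold rule and data are assumptions."""
import numpy as np

REGIONS = ["A", "B", "C", "D", "E", "F"]   # hypothetical region labels


def fit_pca_model(X_train, n_components=None, var_ratio=0.95):
    """Fit PCA on a window of normal traffic. Returns (mean, std, P), where
    the columns of P are the retained principal directions."""
    mean = X_train.mean(axis=0)
    std = np.where(X_train.std(axis=0) == 0, 1.0, X_train.std(axis=0))
    Z = (X_train - mean) / std
    # Right singular vectors of the standardised data are the PCA loadings.
    _, s, Vt = np.linalg.svd(Z, full_matrices=False)
    explained = (s ** 2) / np.sum(s ** 2)
    if n_components is None:   # smallest k reaching var_ratio of the variance
        n_components = int(np.searchsorted(np.cumsum(explained), var_ratio)) + 1
    P = Vt[:min(n_components, len(s))].T            # (n_features, k)
    return mean, std, P


def spe(model, X):
    """SPE per row: squared norm of (I - P P^T) z, the part of each
    standardised observation that the model cannot explain."""
    mean, std, P = model
    Z = (np.atleast_2d(X) - mean) / std
    residual = Z - Z @ P @ P.T
    return np.sum(residual ** 2, axis=1)


def spe_threshold(model, X_train, quantile=0.99):
    """Empirical control limit: a high quantile of SPE on the training window."""
    return float(np.quantile(spe(model, X_train), quantile))


def detect(model, threshold, X):
    """Boolean mask of windows whose SPE exceeds the control limit."""
    return spe(model, X) > threshold


def residual_contributions(model, x):
    """Per-column share of one observation's SPE. On the spatial model the
    columns are regions, so the largest share points at the likely source."""
    mean, std, P = model
    z = (np.asarray(x) - mean) / std
    r = z - P @ (P.T @ z)
    return r ** 2


def temporal_demo(seed=0):
    """Constructed traffic: four correlated counters per window. The last 5
    test windows carry a synthetic flood (packets and new flows jump, bytes
    grow less, port diversity flat), which breaks the normal correlation."""
    rng = np.random.default_rng(seed)

    def normal_windows(n):
        load = rng.normal(size=n)                     # shared latent load
        return np.column_stack([
            1000 + 200 * load + rng.normal(0, 20, n),  # bytes (KB)
            800 + 150 * load + rng.normal(0, 15, n),   # packets
            50 + 10 * load + rng.normal(0, 2, n),      # new flows
            20 + 3 * load + rng.normal(0, 1, n),       # distinct dst ports
        ])

    X_train = normal_windows(500)
    attack = normal_windows(5) * np.array([3.0, 10.0, 20.0, 1.0])
    X_test = np.vstack([normal_windows(200), attack])
    is_attack = np.concatenate([np.zeros(200, bool), np.ones(5, bool)])

    model = fit_pca_model(X_train)
    flagged = detect(model, spe_threshold(model, X_train), X_test)
    return {
        "attack_windows_flagged": int(np.sum(flagged & is_attack)),
        "false_positives": int(np.sum(flagged & ~is_attack)),
        "n_attack": int(is_attack.sum()),
        "n_normal": int((~is_attack).sum()),
    }


def spatial_demo(seed=0):
    """Constructed per-region volumes sharing one common factor; region 'D'
    is inflated 6x in the inspected window. Returns the top-ranked region."""
    rng = np.random.default_rng(seed)
    base = np.array([500.0, 800.0, 300.0, 400.0, 600.0, 350.0])  # per-region mean
    shared = rng.normal(size=500)
    V = base * (1 + 0.3 * shared[:, None]) + rng.normal(0, 0.05, (500, 6)) * base
    model = fit_pca_model(V)
    suspect = V[-1].copy()
    suspect[REGIONS.index("D")] *= 6.0
    return REGIONS[int(np.argmax(residual_contributions(model, suspect)))]


if __name__ == "__main__":
    print(temporal_demo())   # all 5 attack windows flagged, few false positives
    print(spatial_demo())    # 'D'
```

The point a practitioner should take from this: a flood that scales every counter in proportion stays inside the principal subspace and is invisible to SPE; the detector only fires when the attack breaks the correlation structure learned from normal traffic. Re-fitting the model on a window that already contains attack traffic would teach it that structure as normal, so the training window must be vetted.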