《電子技術應用》
您所在的位置:首頁 > 测试测量 > 设计应用 > 基于时空主成分分析的恶意加密流量检测技术*
基于时空主成分分析的恶意加密流量检测技术*
网络安全与数据治理 10期
孟 楠,周成胜,赵 勋,王 斌,姜乔木
(1.中国信息通信研究院安全研究所,北京100191;2.广州汇智通信技术有限公司,广东广州510639)
摘要: 恶意加密流量检测对关键信息基础设施的可靠运行至关重要,也是应对DDoS攻击等网络威胁的有效手段。利用时空主成分分析技术,构建了时间维度和空间维度的网络流量变化模型,实现恶意加密流量的实时检测和追踪溯源。在时间维度,利用历史积累的网络流量监测信息进行主成分分析,构建瞬时流量预测模型与实际监测流量之间的平方预测误差,判定网络中出现恶意加密流量的时刻。在空间维度,利用历史积累的各国家和地区的网络流量监测数据,构建区域流量预测模型与实际监测流量之间的平方预测误差,对恶意加密流量的来源地进行追踪溯源。最后,设计了一种可用于现网部署的算法实现流程,并分析了相比其他已有算法带来的能力提升。
中圖分類號:TP393.08
文獻標識碼:A
DOI:10.19358/j.issn.2097-1788.2023.10.006
引用格式:孟楠,周成勝,趙勛,等.基于時空主成分分析的惡意加密流量檢測技術[J].網(wǎng)絡安全與數(shù)據(jù)治理,2023,42(10):33-39.
Detection of malicious encrypted network traffic based on temporal and spatial principal component analysis
Meng Nan1,Zhou Chengsheng1,Zhao Xun 1,Wang Bin 2,Jiang Qiaomu 2
(1.Institute of Security, The China Academy of Information and Communications Technology, Beijing 100191, China; 2.Guangzhou Intelligence Communication Technology Co., Ltd., Guangzhou 510639, China)
Abstract: Monitoring and warning of malicious encrypted network traffic is essential for the reliability of critical information infrastructure, which is also an effective method against cyberattacks, such as Distributed Denial of Service (DDoS) attacks. In this paper, malicious encrypted network traffic is monitored and traced by constructing the temporal and spatial network traffic variation model with the Principal Component Analysis (PCA) technique. From a temporal perspective, the PCA technique is operated on historical network traffic monitoring information to construct the Squared Prediction Error (SPE) between temporal model prediction and the measurement of network traffic. The moment that malicious encrypted network traffic behavior occurs can be declared as instantaneous SPE exceeds the predefined threshold. From a spatial perspective, the PCA technique is operated on historical network traffic monitoring information of various countries and regions. The source region of malicious encrypted network traffic can be traced by evaluating the SPE between the spatial model prediction and the measurement of network traffic of each country or region. Finally, a practical algorithm for malicious encrypted network traffic behavior detection is designed. The capacity improvement of the proposed algorithm comparing with existing algorithms is analyzed.
Key words : temporal and spatial principal component analysis; monitoring of malicious encrypted network traffic; trace; squared prediction error

0    引言

隨著互聯(lián)網(wǎng)、大數(shù)據(jù)、云計算等新興信息技術的快速發(fā)展,網(wǎng)絡規(guī)模呈現(xiàn)指數(shù)級、爆發(fā)式增長趨勢,社會各行各業(yè)開始廣泛地應用互聯(lián)網(wǎng)技術開展工作,網(wǎng)絡的穩(wěn)定可靠運行對社會平穩(wěn)運行和快速發(fā)展具有重要意義。

為保障網(wǎng)絡穩(wěn)定可靠運行,需要通過部署網(wǎng)絡流量監(jiān)測設備(如流量探針)對特定網(wǎng)絡出入口的流量進行多維度實時監(jiān)測,將關鍵網(wǎng)絡節(jié)點的流量數(shù)據(jù)通過鏡像或分光的方式進行采集,并發(fā)送至網(wǎng)絡安全分析監(jiān)測系統(tǒng),然后對網(wǎng)絡流量行為、傳輸協(xié)議和數(shù)據(jù)內(nèi)容進行深度包解析,通過與內(nèi)置的安全威脅情報庫進行匹配,從而對惡意加密流量行為實現(xiàn)實時檢測和預警[1]。



本文詳細內(nèi)容請下載:http://m.ihrv.cn/resource/share/2000005736




作者信息:

孟楠1,周成勝1,趙勛1,王斌2,姜喬木2

(1.中國信息通信研究院安全研究所,北京100191;2.廣州匯智通信技術有限公司,廣東廣州510639)


微信圖片_20210517164139.jpg

此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權禁止轉載。

相關內(nèi)容