Traffic Classification Method Based on Side-Channel Features for Security Proxy

doi:10.19678/j.issn.1000-3428.0058954

Abstract

Abstract: In recent years, security proxy has been utilized by more and more users to circumvent Internet censorship and access restricted resources. The classification of security proxy traffic is of great significance for network security and network management. In order to make up for the insufficiency of the existing deep packet inspection technology and improve firewall traffic detection capability, a secure proxy traffic classification method is proposed. The side-channel features used for security proxy traffic classification are extracted, including the payload length sequences and the signal sequence. Then based on these features, machine learning and deep learning algorithms are used to identify the traffic of widely used security proxies, including Shadowsocks, V2Ray, Freegate, and Ultrasurf. Experimental results show that compared with algorithms such as MLP and LSMP, the proposed traffic classification method provides higher accuracy, F1 value and other performance indicators.

Key words: secure proxy, traffic classification, machine leaning, deep learning, deep packet inspection

摘要： 安全代理被越来越多的互联网用户用于规避网络审查和访问受限资源，因此安全代理流量的分类对于网络安全和网络管理具有重要意义。为弥补深度包检测技术在过滤和识别不良信息上的不足，提高防火墙流量探测能力，提出一种安全代理流量分类方法。提取用于安全代理流量分类的侧信道特征，包括有效载荷长度序列、信号序列等，使用机器学习和深度学习算法对Shadowsocks、V2Ray、Freegate、Ultrasurf 4种被广泛使用的安全代理流量进行识别。实验结果表明，通过提取与有效载荷内容无关的侧信道特征进行分类，与MLP、LSMP等算法相比，该方法在准确率、F1值等性能方面均有提升。

关键词: 安全代理, 流量分类, 机器学习, 深度学习, 深度包检测

CLC Number:

TP309

GAO Ping, GUANG Hui, CHEN Xi, LI Guangsong. Traffic Classification Method Based on Side-Channel Features for Security Proxy[J]. Computer Engineering, 2021, 47(8): 140-148,156.

高平, 广晖, 陈熹, 李光松. 基于侧信道特征的安全代理流量分类方法[J]. 计算机工程, 2021, 47(8): 140-148,156.

/ / Recommend / Download Citations

URL: http://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0058954

http://www.ecice06.com/EN/Y2021/V47/I8/140

Figures/Tables 30

References

[1] CALLANAN C, DRIES-ZIEKENHEINER H.Leaping over the firewall:a review of censorship circumvention tools[EB/OL]. [2020-06-10]. https://freedomhouse.org/sites/default/files/inline_images/Censorship.pdf.
[2] IANA.DNS root, IP addressing, and Internet protocol resources[EB/OL]. [2020-07-09]. http://www.iana.org/.
[3] Open and Extensible LGPLv3 Deep Packet Inspection Library[EB/OL]. [2020-07-09]. https://www.ntop.org/products/deep-packet-inspection/ndpi/.
[4] Libprotoident[EB/OL]. [2020-07-09]. https://research.wand.net.nz/software/libprotoident.php.
[5] L7 filter[EB/OL]. [2020-07-09]. http://l7-filter.sourceforge.net/.
[6] OpenDPI[EB/OL]. [2020-07-09]. https://github.com/thomasbhatia/OpenDPI.
[7] BUJLOW T, CARELA-ESPANOL V, BARLET-ROS P.Independent comparison of popular DPI tools for traffic classification[J]. Computer Networks, 2015, 76:75-89.
[8] 何杭松.基于Xgboost算法的Shadowsocks流量识别研究[J]. 软件导刊, 2018, 17(12): 200-203. HE H S.Research on Shadowsocks traffic identification based on Xgboost algorithm[J]. Software Guide, 2018, 17(12): 200-203.(in Chinese)
[9] DENG Z, LIU Z, CHEN Z, et al. The random forest based detection of Shadowsocks traffic[C]//Proceedings of the 9th IEEE International Conference on Intelligent Human-Machine Systems and Cybernetics.Washington D.C., USA:IEEE Press, 2017:75-78.
[10] ZENG X, CHEN X, SHAO G, et al. Flow context and host behavior based Shadowsocks traffic identification[J]. IEEE Access, 2019, 7:41017-41032.
[11] CHENG J X, LI Y, HUANG C, et al. ACER:detecting Shadowsocks server based on active probe technology[J]. Journal of Computer Virology and Hacking Techniques, 2020, 16(3): 217-227.
[12] HAN Z H, CHEN X S, ZENG X M, et al. Detecting proxy user based on communication behavior portrait[J]. The Computer Journal, 2019, 62(12): 1777-1792.
[13] ACETO G, CIUONZO D, MONTIERI A, et al. Multi-classification approaches for classifying mobile app traffic[J]. Journal of Network and Computer Applications, 2018, 103:131-145.
[14] ACETO G, CIUONZO D, MONTIERI A, et al. Mobile encrypted traffic classification using deep learning:experimental evaluation, lessons learned, and challenges[J]. IEEE Transactions on Network and Service Management, 2019, 16(2): 445-458.
[15] ZHANG Y, CHEN J, CHEN K, et al. Network traffic identification of several open source secure proxy protocols[J]. International Journal of Network Management, 2019, 31(2): 209-220.
[16] ZHUO Z, ZHANG X, LI R, et al. A multi-granularity heuristic-combining approach for censorship circumvention activity identification[J]. Security and Communication Networks, 2016, 9(16): 3178-3189.
[17] VELAN P, ČERMAK M, ČELEDA P, et al. A survey of methods for encrypted traffic classification and analysis[J]. International Journal of Network Management, 2015, 25(5): 355-374.
[18] Pkt_Analyser Github[EB/OL]. [2020-06-10]. https://github.com/gpsvncl/Pkt_Analyser.
[19] 陈雪娇, 王攀, 俞家辉.基于卷积神经网络的加密流量识别方法[J]. 南京邮电大学学报(自然科学版), 2018, 38(6): 36-41. CHEN X J, WANG P, YU J H.CNN based encrypted traffic identification method[J]. Journal of Nanjing University of Posts and Telecommunications (Natural Science), 2018, 38(6): 36-41.(in Chinese)
[20] RUKHIN A, SOTO J, NECHVATAL J, et al. A statistical test suite for random and pseudorandom number generators for cryptographic applications[EB/OL]. [2020-06-10]. https://www.onacademic.com/detail.
[21] NIST sp 800_22_tests[EB/OL]. [2020-06-10]. https://github.com/dj-on-github/sp800_22_tests.
[22] OORD A V D, DIELEMAN S, ZEN H, et al. WaveNet:a generative model for raw audio[EB/OL]. [2020-06-10]. https://arxiv.org/abs/1609.03499.
[23] AYTAR Y, VONDRICH C, TORRALBA A.SoundNet:learning sound representations from unlabeled video[C]//Proceedings of the 29th Conference on Neural Information Processing Systems.Washington D.C., USA:IEEE Press, 2016:892-900.
[24] Selenium[EB/OL]. [2020-06-10]. https://www.selenium.dev/.
[25] ChinaZ[EB/OL]. [2020-06-10]. https://www.chinaz.com/.
[26] Scikit-Learn[EB/OL]. [2020-06-10]. https://scikit-learn.org/stable/.
[27] Tensorflow[EB/OL]. [2020-06-10]. https://www.tensorflow.org/?hl=zh-cn.
[28] Shadowsocks[EB/OL]. [2020-06-10]. https://shadowsocks.org/en/spec/Protocol.html.
[29] Shadowsocks Github[EB/OL]. [2020-06-10]. https://github.com/shadowsocks.

Please choose a citation manager

Content to export