Abstract
An encrypted-traffic detection method targeting HTTPS covert tunnels is proposed. Trojan communication is divided into a metadata interaction stage and an encrypted application data interaction stage, a Trojan traffic detection method based on time-series patterns is proposed, and a detection system based on Trojan communication traffic is implemented. The method is tested on the DARPA98 traffic test set and on campus network experimental traffic. The results show that the method can effectively detect encrypted Trojans based on HTTPS covert tunnels, with low false alarm and missed alarm rates.
An encrypted-traffic detection method for HTTPS hidden tunnels is proposed to improve the accuracy of Trojan encrypted-traffic detection. We first divide the traffic flow into the metadata interaction stage and the encrypted application data interaction stage. Then, we put forward a Trojan flow detection method based on time sequence patterns. Finally, we build a detection system based on traffic flow. The validity of the detection method is verified with the DARPA98 traffic test set and campus network experimental traffic. The test results indicate that the method can effectively detect encrypted Trojans based on HTTPS hidden tunnels, and has a low false alarm rate as well as a low missed alarm rate.
Authors
贾放放
陈石
吴双
李伟光
刘胜利
JIA Fangfang; CHEN Shi; WU Shuang; LI Weiguang; LIU Shengli (Information Engineering University, Zhengzhou 450001, China; Unit 78006, Chengdu 610000, China; Unit 61081, Beijing 100081, China)
Source
《信息工程大学学报》
2019, No. 4, pp. 461-466, 479 (7 pages)
Journal of Information Engineering University
Funding
Supported by the National Key R&D Program of China (2016YFB0801505).
Keywords
traffic encryption
Trojan traffic analysis
time series analysis
Trojan detection
encrypted flow
Trojan flow analysis
time sequence analysis
Trojan detection