Two-Phased Method for Detecting Evasive Network Attack Channels  Cited by: 2


Authors: CAO Zigang, XIONG Gang, ZHAO Yong, GUO Li, FANG Binxing

Affiliations: [1] Beijing University of Posts and Telecommunications, Beijing 100876, P. R. China; [2] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, P. R. China

Source: China Communications (English edition), 2014, Issue 8, pp. 47-58, 12 pages in total

Funding: Supported by the National Science and Technology Support Program under Grant No. 2012BAH46B02 and 2012BAH45B01; the National High Technology Research and Development Program (863 Program) of China under Grant No. 2011AA010703; the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No. XDA06030200

Abstract: With the rapid development of information technology, various industries have become much more dependent on networks. Driven by economic interests and the game between countries reflected by growing cyberspace confrontations, evasive network attacks on information infrastructures with high-tech, high concealment and long-term sustainability have become severe threats to national security. In this paper, we propose a novel two-phased method for the detection of evasive network attacks which exploit or pretend to be common legal encryption services in order to escape security inspection. Malicious communications which camouflage themselves as legal encryption applications are first identified in the SSL session structure verification phase, and then suspicious attack behaviors are further distinguished effectively by server-side X.509 certificate based anomaly detection. Experiment results show that our method is very useful for detecting the network activities of certain unknown threats or new malware. Besides, the proposed method can be applied to other similar services easily.

Keywords: evasive; encryption; SSL; X.509; detection; network attacks; certificate; anomaly

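Classification: TP393.08 [Automation and Computer Technology: Computer Application Technology]; O221.1 [Automation and Computer Technology: Computer Science and Technology]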

 
