针对SSH匿名流量的网站指纹攻击方法  被引量：18

作　　者：顾晓丹[1] 杨明[1] 罗军舟[1] 蒋平[2] 

机构地区：[1]东南大学计算机科学与工程学院,南京211189 [2]南京市公安局,南京210005

出　　处：《计算机学报》2015年第4期833-845,共13页Chinese Journal of Computers

基　　金：国家"九七三"重点基础研究发展规划项目基金(2010CB328104);国家"八六三"高技术研究发展计划项目基金(2013AA013503);国家自然科学基金(61272054;61320106007);国家科技支撑计划(2010BAI88B03;2011BAK21B02);高等学校博士点专项科研基金(20110092130002);江苏省网络与信息安全重点实验室资助项目(BM2003201);教育部计算机网络与信息集成重点实验室(东南大学)资助项目(93K-9)资助~~

摘　　要：目前在Internet上广泛部署的SSH单代理匿名通信系统利用其动态端口转发功能,在用户和代理之间构建加密隧道,通过对数据进行加密封装和转发,隐藏用户所访问站点的真实地址.为了实现对匿名Web访问的监管,现有工作基于流量分析技术提出了多种针对网站主页的指纹攻击方法,但在如何对目标网站建模、如何选择区分度高的流量特征以提高攻击准确率等问题上仍需进一步的研究.针对这些问题,深入分析SSH匿名流量的特征,提出一种新型的网站指纹攻击方法.该方法基于上下行流量的不同特性,分别抽取不同的区分度高的特征形成上下行指纹,并采取相应的匹配算法进行指纹比对.在此基础上,根据用户访问关联Web页面的行为模式,对所监管的目标网站建立隐马尔科夫模型,将目前只针对网站主页的识别扩展到了多级页面.通过使用公开数据集和在Internet环境中部署实验进行验证,该攻击方法获得了96.8%的准确率,可以有效地识别被监管者所访问的网站.As a single-hop anonymous system, SSH proxy is currently widely deployed in the Internet. By establishing an encrypted tunnel between the proxy and its client with dynamic port forwarding, SSH encapsulates all traffic through the tunnel. Hence, the identities of users＇ destination wehsites can be hidden. To prevent the anonymity abuse caused by the SSH proxy, the existing work utilized traffic analysis techniques and proposed some website fingerprinting attacks on the target of the homepage. However, several issues should be further well addressed, mainly including how to model the interesting websites and select traffic features with high distinguishability to achieve better accuracy. In this paper, we extract different features of incoming and outgoing flows and present a novel website fingerprinting attack based on hyperlink relations. The main idea is extending the current homepage targeted website fingerprinting attack to subpages. In order to realize the attack, we construct a Hidden Markov Model for the interesting website by simulating users＇ navigation behaviors. We then evaluate the attack by public dataset and real-world deployment. Our experiments confirm that the website fingerprinting attack based on link relations is able to classify anonymous traces with nearly 96.8% accuracy, which can be used to uncover the real identities of the websites requested by users efficiently.

关 键 词：匿名通信 流量分析 网站指纹攻击 隐马尔科夫模型 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]