StealthyFlow: A Dynamic Traffic Camouflaging Framework for Malware under Adversarial Conditions  Cited by: 4

StealthyFlow:A Framework for Malware Dynamic Traffic Camouflaging in Adversarial Environment


Authors: HAN Yu (韩宇) [1]; FANG Bin-Xing (方滨兴) [1,2]; CUI Xiang (崔翔); WANG Zhong-Ru (王忠儒); JI Tian-Tian (冀甜甜) [1]; FENG Lin (冯林); YU Wei-Qiang (余伟强) (Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications, Beijing 100876; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006; Chinese Academy of Cyberspace Studies, Beijing 100010; Beijing DigApis Technology Co., Ltd, Beijing 100081)

Affiliations: [1] Key Laboratory of Trustworthy Distributed Computing and Service, Ministry of Education, Beijing University of Posts and Telecommunications, Beijing 100876; [2] Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006; [3] Chinese Academy of Cyberspace Studies, Beijing 100010; [4] Beijing DigApis Technology Co., Ltd, Beijing 100081

Source: Chinese Journal of Computers (《计算机学报》), 2021, No. 5, pp. 948-962 (15 pages)

Funding: Supported by the Guangdong Key Area Research and Development Program (2019B010137004, 2019B010136003) and the National Key Research and Development Program of China (2018YFB0803504, 2019YFA0706404).

Abstract: Malware poses a serious threat to national security. With the rapid adoption of the TLS protocol, malware traffic is increasingly encrypted, and encrypted communication content makes detection even harder. This paper proposes StealthyFlow, a malware traffic camouflaging framework that combines a GAN with public-resource malware using encrypted traffic for remote-control communication, disguising the malicious traffic without affecting the attack function. Its goal is to make the camouflaged adversarial traffic indistinguishable from benign traffic and thereby bypass classifiers based on machine learning algorithms. StealthyFlow has the following advantages: it adjusts the adversarial traffic dynamically according to changes in the target traffic, achieving dynamic traffic camouflage; the camouflage is performed at the malware level, so the attack function is not broken; and the bypass target does not take part in the training process, so the malware is not exposed in advance. Experimental results show that the attack traffic produced by StealthyFlow is highly similar to benign traffic and can bypass machine learning classifiers in an adversarial environment. Attention should therefore be paid to this kind of malware, and defensive countermeasures should be studied as soon as possible.

Malware emerges endlessly, which not only causes economic losses to enterprises and individuals, but also poses serious threats to national security. During the Gulf War in 1991, the United States publicly used malware attack technology to obtain major military benefits for the first time. Since then, malware attacks have become one of the most important intrusion methods for information and network warfare. In recent years, malware based on legitimate services has spread. The traffic of this kind of malware is mixed with the traffic of legitimate services and is not easy to detect. At the same time, the use of TLS poses new challenges to traffic detection because the content can no longer be analyzed due to encryption. The combination of public resources and encrypted traffic means "the traffic generated by malware flows to normal websites, and its communication content is based on encrypted protocols and cannot be checked", which further increases the difficulty of detection. In order to ensure the security of network communication, researchers have conducted in-depth explorations on the detection of encrypted traffic. Due to the advantage of discovering unknown attacks, machine learning algorithms have become the mainstream detection method, but there is a risk of failure when malicious traffic and benign traffic are indistinguishable in the features focused on by machine learning systems. In order to study the possibility of confronting machine-learning-based traffic detection systems, we propose a dynamic traffic camouflaging framework named StealthyFlow. StealthyFlow combines Generative Adversarial Networks with malware that uses legitimate services for backdoor command and control, to realize traffic camouflaging without affecting the attack function. It consists of two modules, a GAN module and a malicious code module, which are responsible for feature generation and traffic generation respectively. It aims at realizing the indistinguishability between traffic after disguise and benign traffic, and then bypassing classifiers based on

Keywords: malware; encrypted traffic; StealthyFlow; bypass; dynamic traffic camouflage

Classification code: TP309 [Automation and Computer Technology: Computer System Architecture]
