基于流谱理论的 SSL/TLS 协议攻击检测方法  被引量：3

作　　者：郭世泽 张帆 宋卓学[1,2,3,5] 赵子鸣 赵新杰 王小娟 罗向阳[7] GUO Shize;ZHANG Fan;SONG Zhuoxue;ZHAO Ziming;ZHAO Xinjie;WANG Xiaojuan;LUO Xiangyang(College of Computer Science and Technology,Zhejiang University,Hangzhou 310027,China;School of Cyber Science and Technology,Zhejiang University,Hangzhou 310027,China;College of Control Science and Engineering,Zhejiang University,Hangzhou 310027,China;Zhejiang Key Laboratory of Blockchain and Cyberspace Governance,Hangzhou 310027,China;Engineering Laboratory of Mobile Security of Zhejiang Province,Hangzhou 310027,Chine;School of Electronic Engineering,Beijing University of Posts and Telecommunications,Beijing 100876,China;Information Engineering University,Key Laboratory of Cyberspace Situation Awareness of Henan Province,Zhengzhou 450001,China)

机构地区：[1]浙江大学计算机科学与技术学院,浙江杭州310027 [2]浙江大学网络空间安全学院,浙江杭州310027 [3]浙江大学控制科学与工程学院,浙江杭州310027 [4]浙江省区块链与网络空间治理重点实验室,浙江杭州310027 [5]移动终端安全浙江省工程实验室,浙江杭州310027 [6]北京邮电大学电子工程学院,北京100876 [7]信息工程大学河南省网络空间态势感知重点实验室,河南郑州450001

出　　处：《网络与信息安全学报》2022年第1期30-40,共11页Chinese Journal of Network and Information Security

基　　金：国家重点研发计划(2020AAA0107700);国家自然科学基金(62072398,U1804263,62172435);信息系统安全技术重点实验室基金;浙江省重点研发计划(2021C01116);浙江省引进培育领军型创新创业团队(2018R01005);网络空间国际治理研究基地;中原科技创新领军人才计划(214200510019)。

摘　　要：网络攻击检测在网络安全中扮演着重要角色。网络攻击检测的对象主要为僵尸网络、SQL注入等攻击行为。随着安全套接层/安全传输层(SSL/TLS)加密协议的广泛使用,针对SSL/TLS协议本身发起的SSL/TLS攻击日益增多,因此通过搭建网络流采集环境,构建了包含4种SSL/TLS攻击网络流与正常网络流的网络流数据集。针对当前网络攻击流检测的可观测性有限、网络流原始时空域分离性有限等问题,提出流谱理论,将网络空间中的威胁行为通过“势变”过程从原始时空域空间映射到变换域空间,具象为“势变谱”,形成可分离、可观测的特征表示集合,实现对网络流的高效分析。流谱理论在实际网络空间威胁行为检测中的应用关键是在给定变换算子的情况下,针对特定威胁网络流找到势变基底矩阵。由于SSL/TLS协议在握手阶段存在着强时序关系与状态转移过程,同时部分SSL/TLS攻击间存在相似性,因此对于SSL/TLS攻击的检测不仅需要考虑时序上下文信息,还需要考虑对SSL/TLS网络流的高分离度的表示。基于流谱理论,采用威胁模板思想提取势变基底矩阵,使用基于长短时记忆单元的势变基底映射,将SSL/TLS攻击网络流映射到流谱域空间。在自建SSL/TLS攻击网络流数据集上,通过分类性能对比、势变谱降维可视化、威胁行为特征权重评估、威胁行为谱系划分评估、势变基底矩阵热力图可视化等手段,验证了流谱理论的有效性。Network attack detection plays a vital role in network security.Existing detection approaches focus on typical attack behaviors,such as Botnets and SQL injection.The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol.With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks,a network traffic dataset including four SSL/TLS attacks,as well as benign flows was controlled.Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains,a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of"potential change"and obtain the "potential variation spectrum".The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows.The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator.Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase,and there are similarities between some SSL/TLS attacks,the detection of SSL/TLS attacks not only needs to consider timing context information,but also needs to consider the high-separation representation of TLS network flows.Based on the flow spectrum theory,the threat template idea was used to extract the potential basis matrix,and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space.On the self-built SSL/TLS attack network flow data set,the validity of the flow spectrum theory is verified by means of classification performance comparison,potential variation spectrum dimensionality reduction visualiza

关 键 词：安全套接层/安全传输层攻击 网络流检测 流谱理论 长短时记忆 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]