Tethering behavior detection architecture based on RTT measurement of TCP flows


Authors: DAI Xianlong; CHENG Guang; LU Guangyin [1,2,3]; JIN Binlei (School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China; Jiangsu Province Engineering Research Center of Security for Ubiquitous Network, Southeast University, Nanjing 211189, China; Purple Mountain Laboratories, Nanjing 211111, China)

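Affiliations: [1] School of Cyber Science and Engineering, Southeast University, Nanjing 211189; [2] Jiangsu Province Engineering Research Center of Security for Ubiquitous Network, Southeast University, Nanjing 211189; [3] Purple Mountain Laboratories, Nanjing 211111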

Source: Journal of Beijing University of Aeronautics and Astronautics, 2023, No. 6, pp. 1414-1423 (10 pages)

Funding: National Key Research and Development Program of China (2018YFB1800602).

Abstract: Tethering is the behavior in which a mobile device shares its Internet connection service through its own transmission media. It not only puts operational pressure on the mobile Internet and affects its revenue, but also hides the internal network structure from the mobile Internet, creating network security risks. Because tethering can be obfuscated and detection evaded in many ways, existing tethering detection techniques have difficulty detecting it effectively. In view of this, we analyze how tethering terminals process and forward data traffic at mobile Internet communication base stations, together with the characteristics of the round-trip time (RTT) of Transmission Control Protocol (TCP) flows in mobile Internet user traffic. We propose a tethering detection architecture based on RTT measurement of TCP flows and build a test network environment for the proposed architecture. The experimental results show that the proposed architecture is effective at detecting tethering behavior: it detects tethering in the mobile Internet using unsupervised learning and passive monitoring of network traffic, with a detection accuracy of 97.50%.

Tethering behaviour is the sharing of an Internet connection service with other connected devices by using a mobile smart device as a NAT gateway. It shares the smartphone's data plan, especially an unlimited data plan, so it can put ISPs under additional pressure in operating the mobile Internet and have an impact on their revenue. Like Network Address Translation (NAT), it can hide the internal network structure from the public network. It also makes it possible for illegal devices to gain access anonymously. Because tethering detection faces many limitations and circumvention methods, existing NAT detection techniques have difficulty detecting tethering behavior. We examine how tethering terminal devices process and forward data traffic at mobile Internet communication base stations. We also analyze the relevant characteristics of RTT in TCP flows in mobile Internet traffic. We then propose a tethering detection method based on unsupervised analysis of RTT in TCP flows, and construct a test network environment for this method. The experimental results verify the effectiveness of this method in detecting tethering behavior, and show that tethering behavior in the mobile Internet can be detected effectively by passive network traffic monitoring, with an accuracy of 97.50%.

Keywords: tethering detection; round-trip time; network address translation detection; unsupervised learning; mobile Internet

Classification number: TP393 [Automation and Computer Technology - Computer Application Technology]

 
