Detection and Countermeasure of Encrypted Malicious Traffic: A Survey (加密恶意流量检测及对抗综述)

Cited by: 8

Authors: HOU Jian (侯剑), LU Hui (鲁辉), LIU Fang-Ai (刘方爱), WANG Xing-Wei (王兴伟), TIAN Zhi-Hong (田志宏)

Affiliations: [1] Informatization Office, Shandong Normal University, Jinan 250014, Shandong, China; [2] Cyberspace Institute of Advanced Technology (网络空间安全学院), Guangzhou University, Guangzhou 510799, Guangdong, China; [3] School of Computer Science and Engineering, Northeastern University, Shenyang 110169, Liaoning, China

Source: Journal of Software (软件学报), 2024, No. 1, pp. 333-355 (23 pages)

Funding: National Natural Science Foundation of China (U20B2046); Guangdong Provincial University Innovation Team Project (2020KCXTD007); Guangzhou Municipal University Innovation Team Project (202032854); Shandong Provincial Natural Science Foundation (ZR2020KF021).

Abstract: Network traffic encryption protects corporate data and user privacy, but it also creates new challenges for malicious traffic detection. Classified by how the encrypted traffic is handled, encrypted malicious traffic detection divides into active and passive detection. Active detection covers detection after the traffic has been decrypted and detection based on searchable encryption; its research focuses on preserving privacy and improving detection efficiency, and the survey mainly analyzes the safeguards applied there, such as trusted execution environments and controllable transmission protocols. Passive detection identifies encrypted malicious traffic transparently to the user and without performing any encryption or decryption operation; its research focuses on the selection and construction of features, and the survey analyzes the relevant detection methods by three feature types (side-channel features, plaintext features, and raw traffic) and reports the experimental evaluation conclusions for the models involved. Finally, the feasibility of countermeasures against encrypted malicious traffic detection is analyzed from the perspectives of obfuscating traffic features, interfering with the learning algorithms, and hiding the related information.

Keywords: encrypted traffic; malicious traffic detection; middlebox; searchable encryption; machine learning

Classification: TP309 (Automation and Computer Technology: Computer System Architecture)

 
