Authors: XU Kui (徐魁), HAI Yang (海洋), LI Xiao-hui (李晓辉), TAO Jun (陶军)
Affiliations: [1] Communication Office, Baoji Public Security Bureau, Baoji 721014, Shaanxi, China; [2] Baoji Chuangtian Qinghang Technology Development Co., Ltd., Baoji 721000, Shaanxi, China; [3] School of Cyber Science and Engineering, Southeast University, Nanjing 211189, Jiangsu, China
Source: Computer Technology and Development (计算机技术与发展), 2024, No. 4, pp. 132-138 (7 pages)
Funding: China University Industry-University-Research Innovation Fund, Alibaba Cloud University Digital Innovation Special Project (2021ALA03006)
Abstract: DNS over HTTPS (DoH) is a recent extension of the Domain Name System (DNS) that carries resolver queries inside HTTPS sessions. Because a user can point a client at a third-party DoH resolver and bypass the monitoring an intranet applied to plain DNS, existing anomaly-based traffic detection no longer identifies DoH traffic. To address this, an algorithm named DTESI is proposed. First, DoH traffic is screened out of all network traffic as anomalous traffic on the basis of information entropy. Second, exploiting the property that a DoH server answers TLS connection attempts from the same client in the same way every time, the TLS negotiation between the client and the DoH server is fingerprinted to determine the identity of the DoH server. Finally, a Top-K sampling algorithm selects the K most active hosts in the network over a given period and concentrates traffic inspection on them, so that the algorithm scales to the networks of medium and large organizations. Experimental results show that, for the anomalous traffic found, DTESI identifies the DoH service provider with an accuracy above 94%. On that basis, the algorithm's detection time and its coverage of all DoH traffic in the network are compared across different values of K; the results show that a well-chosen K improves the overall effectiveness of the algorithm.
Keywords: DNS over HTTPS; network traffic detection; information entropy; fingerprint identification; TLS protocol
Classification: TP393 [Automation and Computer Technology / Computer Application Technology]
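The abstract describes a three-stage pipeline (entropy screening, TLS-negotiation fingerprinting of the server, Top-K host sampling) without giving its details. The following is an added illustration of that shape, not the paper's code or data: it assumes a JA3S-style digest over the ServerHello (version, chosen cipher, extension list) as the fingerprint, a hypothetical fingerprint-to-provider table, and constructed sample flows with synthetic payloads in place of captured packets. The entropy threshold (7.0 bits per byte) and the flow tuple layout are also assumptions made for the example.

```python
import hashlib
import math
from collections import Counter

# Stage 1 helper: Shannon entropy in bits per byte. TLS application data is
# close to 8.0; plaintext HTTP or classic UDP DNS queries are well below that.
def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

# Stage 2 helper: a JA3S-style digest of the ServerHello (version, chosen
# cipher, extension list). The exact fields the paper fingerprints are not
# stated in the abstract; this scheme is an assumption for the example.
def server_hello_fingerprint(version: int, cipher: int, extensions: list[int]) -> str:
    text = f"{version},{cipher},{'-'.join(map(str, extensions))}"
    return hashlib.md5(text.encode()).hexdigest()

# Hypothetical reference table: fingerprint -> provider label. In practice it
# would be built by handshaking with each known DoH resolver from the same
# client stack and recording how the server answers.
KNOWN_DOH_SERVERS = {
    server_hello_fingerprint(0x0303, 0x1301, [43, 51]): "provider-A (hypothetical)",
    server_hello_fingerprint(0x0303, 0xC02B, [0, 11, 23, 35]): "provider-B (hypothetical)",
}

# Constructed sample flows: (client, server, dst_port, payload, server_hello).
# HIGH_ENTROPY stands in for captured TLS records (entropy exactly 8.0).
HIGH_ENTROPY = bytes(range(256)) * 2
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, HIGH_ENTROPY, (0x0303, 0x1301, [43, 51])),
    ("10.0.0.5", "203.0.113.10", 443, HIGH_ENTROPY, (0x0303, 0x1301, [43, 51])),
    ("10.0.0.7", "203.0.113.20", 443, HIGH_ENTROPY, (0x0303, 0xC02B, [0, 11, 23, 35])),
    ("10.0.0.9", "203.0.113.30", 443, HIGH_ENTROPY, (0x0303, 0x1301, [10, 11])),  # not in table
    ("10.0.0.7", "198.51.100.1", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n", None),
    ("10.0.0.9", "192.0.2.53", 53,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01", None),
]

def screen_by_entropy(flows, threshold=7.0):
    """Stage 1: keep only flows whose payload looks encrypted."""
    return [f for f in flows if shannon_entropy(f[3]) >= threshold]

def top_k_hosts(flows, k):
    """Stage 3: the k client hosts with the most screened flows (ties keep first-seen order)."""
    return [host for host, _ in Counter(f[0] for f in flows).most_common(k)]

def identify_doh_servers(flows):
    """Stage 2: label each server by its ServerHello fingerprint, 'unknown' if unseen."""
    labels = {}
    for _, server, _, _, hello in flows:
        if hello is not None:
            labels[server] = KNOWN_DOH_SERVERS.get(server_hello_fingerprint(*hello), "unknown")
    return labels

def detect(flows, k, threshold=7.0):
    """Run the three stages; returns (focused hosts, server labels)."""
    suspicious = screen_by_entropy(flows, threshold)
    hosts = top_k_hosts(suspicious, k)
    focused = [f for f in suspicious if f[0] in hosts]
    return hosts, identify_doh_servers(focused)

if __name__ == "__main__":
    for k in (2, 3):
        hosts, labels = detect(FLOWS, k)
        print(f"K={k}: hosts={hosts} servers={labels}")
```

Running the block with K=2 focuses on the two busiest clients and labels two servers; raising K to 3 also reaches the third client, whose server fingerprint is not in the table and so comes back as "unknown". That trade-off, more hosts covered against more handshakes to fingerprint, is the detection-time versus coverage comparison the abstract reports for different K.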