一种基于测速行为的VPN服务器节点识别  被引量：1

作　　者：汪洋 梁丁 查志成 邱秀连 彭艳兵 WANG Yang;LIANG Ding;ZHA Zhicheng;QIU Xiulian;PENG Yanbing(Nanjing Fiberhome Software Technology Co.,Ltd.,Nanjing 210019,China)

机构地区：[1]南京烽火星空通信发展有限公司,南京210019

出　　处：《网络空间安全科学学报》2023年第3期59-67,共9页Journal of Cybersecurity

基　　金：国家重点研发计划项目(2023YFB3106900)。

摘　　要：随着互联网络的快速发展与应用普及,虚拟专用网络(VPN,virtual private network)技术被越来越多的企业和个人用于规避网络审查,这给网络空间监管与治理带来了巨大挑战,VPN加密流量的识别对于网络空间的治理愈发重要。因此,针对VPN流量识别问题,受VPN软件测速的启发,提出了一种多策略混合VPN节点识别方法,该方法融合了基于随机森林算法的测速单元发现、基于DBSCAN聚类算法的VPN节点推荐以及基于主动探测的VPN节点验证等多种策略,实现了从VPN发现到验证的闭环;在真实千亿级超大规模网络流量元数据集上,对提出的方法进行验证;实验结果表明,基于随机森林算法的分类模型,对测速行为识别的泛化准确率可在90%以上;基于主动探测验证机制对疑似VPN进行验证,准确比例达90.6%;多策略混合VPN识别方法可有效识别VPN节点,为VPN加密流量识别研究提供了新的视角。With the rapid development and wide popularization of the Internet,more and more enterprises and individuals adopt virtual private network(VPN)technology to avoid network censorship,which brings an enormous challenge to cyberspace management and governance.It is more and more important for cyberspace governance to identify the VPN encrypted traffic.Therefore,for the VPN traffic identification,a multi-strategy hybrid VPN node identification method is proposed.This method combines various strategies of speed test unit discovery based on the random forest(RF)algorithm,VPN node recommendation based on density-based spatial clustering of applications with noise(DBSCAN)clustering algorithm,and VPN node verification based on active probing,achieving a closed-loop process from the discovery to the verification of VPN.The proposed method is verified on a real large-scale network traffic metadata set of billions,the experimental results show that the generalization accuracy rate of the classification model based on the RF algorithm reaches over 90%for speed test behavior identification,and the accuracy rate of the active detection verification mechanism to the VPN is 90.6%for suspected VPNs.The multi-strategy hybrid method can effectively identify VPN nodes,providing a novel perspective research on VPN traffic identification.

关 键 词：VPN测速 加密流量识别 多策略混合方法 元数据 主动探测 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]