A fast low-dimensional method for detecting DNS-over-HTTPS tunnel traffic


Authors: WANG Tao [1,2]; ZHAI Jiangtao; WANG Zihao; ZHANG Kaijie; LIU Guangjie

Affiliations: [1] Key Laboratory of Intelligent Support Technology for Complex Environments, Ministry of Education, Nanjing 210044, China; [2] School of Electronic & Information Engineering, Nanjing University of Information Science & Technology, Nanjing 210044, China

Source: Journal of Cybersecurity (《网络空间安全科学学报》), 2024, No. 6, pp. 123-130 (8 pages)

Funding: National Key Research and Development Program of China (2021QY0700); National Natural Science Foundation of China (U21B2003, 62072250).

Abstract: The standardization and deployment of the secure DNS protocol DNS-over-HTTPS (DoH) have made DoH tunnels a new covert network threat that has drawn wide attention. Screening for potential tunnel traffic within large-scale DoH service traffic in cloud network environments requires both computational efficiency and accuracy. To address the low feature efficiency and high computational complexity of current machine-learning-based DoH tunnel detection algorithms, a set of packet block length features was designed, and a low-dimensional, fast DoH tunnel detection method was proposed based on the max-Relevance and Min-Redundancy (mRMR) feature selection algorithm and the random forest algorithm. The method uses feature selection to pick the features that contribute most to the DoH tunnel detection task and then uses a random forest classifier to perform the detection. Experimental results showed that, using only 10 feature dimensions, the method achieved accuracy comparable to that of other algorithms using 24 to 34 feature dimensions. This effectively reduces the computational complexity of deployment and better suits the application scenario of large-scale DoH service traffic analysis.

Keywords: DNS-over-HTTPS; tunnel traffic; mRMR algorithm; random forest

Classification number: TP393 [Automation and Computer Technology - Computer Application Technology]

 
