
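Research and Implementation of an SSH Flow Classification System Based on Behavioral Features

Published: 2018-05-29 19:09

  Topics: data privacy + SSH tunneling technology; Source: Shandong University, master's thesis, 2014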


[Abstract]: Network technology has developed rapidly in recent years, and information networks play an increasingly important role in supporting social development. At the same time, hacking incidents and privacy leaks occur from time to time, and network security is receiving more and more attention. Antivirus software and security suites alone can no longer guarantee the security of a running computer system, particularly the privacy of its communications, so more and more applications encrypt their communication data to protect users' privacy. Using application-layer tunnels (such as SSH) to encrypt communication data is becoming increasingly common. On the one hand, people want encrypted tunnels to protect the privacy of their communication data; on the other hand, they want to protect the privacy of their behavior, such as the types of applications they use; and some people use tunnels such as SSH to hide illegal activity. Identifying encrypted tunnel traffic is therefore becoming more and more important.

As the number of application protocols grows, network applications can hardly keep strictly to the rule of providing services on uniformly assigned ports, and the effectiveness of port-based traffic identification has dropped sharply. Because the data packets in SSH communication are encrypted, identification methods such as protocol model matching and payload inspection no longer apply.

Although the data packets in SSH communication are ciphertext, the packets sent to establish the secure connection before formal data transfer begins are plaintext, and the packet lengths, packet inter-arrival times, packet directions and arrival order during communication are observable. This thesis designs its algorithm around these main characteristics of SSH communication. First, port-based identification and payload-feature-based identification are combined to identify the SSH flows in the network. Then a behavior-feature-based application protocol identification method classifies the SSH flows. Seven features are selected: the TCP payload length and the packet inter-arrival time of the forward, reverse and bidirectional flows, plus the proportion of reverse packets. A training set is used to compute the expectation and variance of each feature for every application class to be identified. For a given flow, the expectation and variance of each of its features are computed, then the probability that the flow belongs to each given class is computed, and the flow is assigned to the class with the maximum probability.

An SSH flow classification system is built around the identification algorithm proposed in this thesis. The system has four parts: a data acquisition module, an SSH flow classification module, a database module and a display module. The data acquisition module captures the communication packets on the network and passes them to the SSH flow classification module, the core module of the system, for identification and classification. The classification module writes the packet preprocessing results and the identification results to the database module for the display module to use. By reading the preprocessing and identification results stored in the database, the display module presents the changes in network flows and the SSH flow identification results to the user in an intuitive form.
[Degree-granting institution]: Shandong University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
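
The two-stage method described in the abstract, as an added example that is not code from the thesis: SSH flows are first picked out by port and cleartext identification string, then classified from the seven behavior features. It assumes a Gaussian naive Bayes form for the probability and uses only the per-flow mean of each feature; the class names `interactive` and `bulk`, the helper `make_flow` and all sample flows are constructed for illustration.

```python
import math
from statistics import mean, pvariance

# Packet = (time_s, direction, tcp_payload_len); +1 forward (client->server), -1 reverse.
def is_ssh(server_port, first_payload=None):
    """Stage 1: prefer the cleartext "SSH-" identification string (RFC 4253 lets a
    server send other lines first); fall back to port 22 if no payload was seen."""
    if first_payload is not None:
        return any(l.startswith(b"SSH-") for l in first_payload.split(b"\r\n"))
    return server_port == 22

def features(pkts):
    """Seven features: mean payload length and mean inter-arrival time of the
    forward, reverse and bidirectional packets, plus the share of reverse packets."""
    out = []
    for keep in ((1,), (-1,), (1, -1)):
        sel = [p for p in pkts if p[1] in keep]
        gaps = [b[0] - a[0] for a, b in zip(sel, sel[1:])]
        out += [mean(p[2] for p in sel) if sel else 0.0, mean(gaps) if gaps else 0.0]
    return out + [sum(p[1] == -1 for p in pkts) / len(pkts)]

def train(labelled):
    """Per class: expectation and variance of each feature over the training flows."""
    model = {}
    for label in {l for l, _ in labelled}:
        cols = zip(*(features(f) for l, f in labelled if l == label))
        # Variance floor (an assumption) keeps near-constant features from dividing by ~0.
        model[label] = [(mean(c), max(pvariance(c), 1e-6)) for c in cols]
    return model

def classify(model, pkts):
    """Return the class with the largest Gaussian log-likelihood for this flow."""
    x = features(pkts)
    def loglik(params):
        return sum(-0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
                   for xi, (m, v) in zip(x, params))
    return max(model, key=lambda label: loglik(model[label]))

def make_flow(fwd_len, rev_len, gap, rev_every, n=40):
    """Constructed sample flow: every rev_every-th packet is a reverse packet."""
    return [(i * gap, -1, rev_len) if i % rev_every == 0 else (i * gap, 1, fwd_len)
            for i in range(n)]

# Constructed training set: keystroke-like flows versus file-transfer-like flows.
TRAIN = [("interactive", make_flow(48, 96, 0.30, 2)), ("interactive", make_flow(64, 128, 0.45, 2)),
         ("interactive", make_flow(40, 80, 0.20, 3)), ("bulk", make_flow(1400, 32, 0.002, 10)),
         ("bulk", make_flow(1448, 48, 0.004, 8)), ("bulk", make_flow(1200, 32, 0.003, 12))]
MODEL = train(TRAIN)
print(classify(MODEL, make_flow(56, 100, 0.35, 2)), classify(MODEL, make_flow(1300, 40, 0.003, 9)))
```

All seven features come from packet sizes, timing and direction, so the classifier never needs the encrypted payload.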
