Abstract
Detection of malicious encrypted traffic is essential to the reliable operation of critical information infrastructure and is also an effective means of countering network threats such as DDoS attacks. Using temporal-spatial principal component analysis, this paper builds models of network traffic variation along the time and space dimensions to detect malicious encrypted traffic in real time and trace it to its source. In the time dimension, principal component analysis is performed on historically accumulated network traffic monitoring data, and the squared prediction error between an instantaneous traffic prediction model and the actually monitored traffic is constructed to determine the moment at which malicious encrypted traffic appears in the network. In the space dimension, historically accumulated traffic monitoring data from individual countries and regions are used to construct the squared prediction error between a regional traffic prediction model and the actually monitored traffic, so that the origin of the malicious encrypted traffic can be traced. Finally, an algorithm implementation workflow suitable for deployment on live networks is designed, and the capability gains over other existing algorithms are analysed.
Monitoring and warning of malicious encrypted network traffic is essential for the reliability of critical information infrastructure, and is also an effective method against cyber-attacks such as Distributed Denial of Service (DDoS) attacks. In this paper, malicious encrypted network traffic is monitored and traced by constructing a temporal and spatial network traffic variation model with the Principal Component Analysis (PCA) technique. From a temporal perspective, PCA is applied to historical network traffic monitoring information to construct the Squared Prediction Error (SPE) between the temporal model prediction and the measured network traffic. The moment at which malicious encrypted network traffic behaviour occurs is declared when the instantaneous SPE exceeds a pre-defined threshold. From a spatial perspective, PCA is applied to historical network traffic monitoring information of various countries and regions. The source region of malicious encrypted network traffic is traced by evaluating the SPE between the spatial model prediction and the measured network traffic of each country or region. Finally, a practical algorithm for detecting malicious encrypted network traffic behaviour is designed, and the capacity improvement of the proposed algorithm compared with existing algorithms is analysed.
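The PCA/SPE detector the abstract describes, as an added illustration that is not code from the paper: historical per-region traffic vectors are reduced to a principal subspace, the squared prediction error of each new measurement outside that subspace is compared with a threshold learned from the history, and the region carrying the largest residual is reported as the traced source. The power-iteration PCA, the "margin times largest training SPE" threshold and the sample traffic (constructed here, not real measurements) are my assumptions, not the paper's published workflow.

```python
import math

def pca_fit(rows, k, iters=300):
    """Centre history, return (mean, top-k principal directions) by power iteration + deflation."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    xc = [[r[j] - mean[j] for j in range(d)] for r in rows]
    cov = [[sum(x[i] * x[j] for x in xc) / (n - 1) for j in range(d)] for i in range(d)]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d               # fixed start vector keeps the run deterministic
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(c * c for c in w)) or 1.0
            v = [c / norm for c in w]
        lam = sum(v[i] * cov[i][j] * v[j] for i in range(d) for j in range(d))
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]  # deflate
        comps.append(v)
    return mean, comps

def spe(x, mean, comps):
    """SPE of one traffic vector (energy outside the principal subspace) plus its residual."""
    resid = [x[j] - mean[j] for j in range(len(x))]
    for v in comps:                                  # comps are orthonormal, so subtract in turn
        s = sum(v[j] * resid[j] for j in range(len(x)))
        resid = [resid[j] - s * v[j] for j in range(len(x))]
    return sum(r * r for r in resid), resid

def traffic(t, scale=(1.0, 0.8, 1.2, 0.6)):
    """Constructed per-region traffic at minute t: shared diurnal curve, regional scale, small jitter."""
    base = 100 + 20 * math.sin(2 * math.pi * t / 24)
    return [base * s + 2 * math.sin(0.7 * t + j) for j, s in enumerate(scale)]

def detect(history, window, k=1, margin=2.0):
    """Fit PCA on history; alert when a step's SPE exceeds margin x max training SPE; trace the region of largest residual."""
    mean, comps = pca_fit(history, k)
    threshold = margin * max(spe(x, mean, comps)[0] for x in history)
    alerts = []
    for t, x in enumerate(window):
        value, resid = spe(x, mean, comps)
        if value > threshold:
            alerts.append((t, value, max(range(len(x)), key=lambda j: abs(resid[j]))))
    return alerts

def demo():
    history = [traffic(t) for t in range(60)]        # 60 minutes of normal traffic (assumed history)
    window = [traffic(t) for t in range(60, 72)]     # the next 12 minutes under monitoring
    window[5][2] += 200                              # constructed surge hitting region 2 at step 5
    return detect(history, window)
```

`demo()` returns a single alert for step 5 traced to region 2; the same loop with one-minute time windows as the feature vector gives the temporal variant the abstract describes.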
Authors
孟楠
周成胜
赵勋
王斌
姜乔木
Meng Nan; Zhou Chengsheng; Zhao Xun; Wang Bin; Jiang Qiaomu (Institute of Security, The China Academy of Information and Communications Technology, Beijing 100191, China; Guangzhou Intelligence Communication Technology Co., Ltd., Guangzhou 510639, China)
Source
《网络安全与数据治理》 (Cyber Security and Data Governance)
2023, No. 10, pp. 33-39 (7 pages)
Funding
2022 Ministry of Industry and Information Technology special project for the manufacturing industry (20230049).
Keywords
temporal-spatial principal component analysis
malicious encrypted traffic detection
tracing to source
squared prediction error
temporal and spatial principal component analysis
monitoring of malicious encrypted network traffic
trace
squared prediction error
About the authors
Meng Nan (born 1982), female, PhD, senior engineer; main research interests: network and data security, research and technical innovation in the security of new ICT technologies, policy and standards development. Corresponding author: Zhou Chengsheng (born 1982), male, master's degree, senior engineer; main research interests: network security, industrial internet security, internet-of-vehicles security, IoT security. E-mail: zhouchengsheng@caict.ac.cn. Zhao Xun (born 1991), male, master's degree, engineer; main research interests: network security, cryptographic technology, industrial internet security.