CN111526100B - Cross-network traffic identification method and device based on dynamic identification and path hiding - Google Patents


Info

Publication number: CN111526100B
Application number: CN202010298646.8A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN111526100A
Inventors: 何世文, 袁军, 熊绍文, 张健, 黄凤青
Current assignee: Central South University
Original assignee: Central South University
Prior art keywords: scrambler, network, address, data, identification

Events
Application filed by Central South University
Priority to CN202010298646.8A
Publication of CN111526100A
Application granted
Publication of CN111526100B

Classifications

    • H04L 47/2483: H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; congestion control > H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS > H04L 47/2483 involving identification of individual flows
    • H04L 63/20: H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/20 for managing network security; network security policies in general
    • H04L 69/22: H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass > H04L 69/22 Parsing or analysis of headers


Abstract

The invention discloses a cross-network traffic identification method and device based on dynamic identification and path hiding, for the scenario in which private networks serving different purposes communicate over a public network. The gateway of a private-network sub-network derives a traffic characteristic and a scrambler initial state from fixed fields of the header of a synthetic IP packet; the service data, the real destination IP address and the traffic characteristic are concatenated and scrambled by the scrambler, the scrambler output becomes the service data carried by the synthetic IP packet, and the IP address of a masquerading host in the public network is written in as the destination IP address. A traffic identification and forwarding device in the public network identifies whether a received IP packet is a synthetic IP packet; if so, it restores the carried service data and forwards it to the target sub-network, otherwise it forwards the packet to the masquerading host. Because both the service-data characteristic identification and the packet identification rest on the fixed IP header fields and the scrambler, the method offers high accuracy, high performance and genuine hiding of the real communication path.

Description

Cross-network traffic identification method and device based on dynamic identification and path hiding
Technical Field
The invention relates to the technical field of cross-network traffic identification, in particular to a cross-network traffic identification method and device based on dynamic identification and path hiding.
Background
Traffic identification plays an important role in network monitoring and management, traffic accounting, user behaviour analysis and similar tasks. For example, intrusion prevention systems and firewalls use it to identify malicious traffic and block malicious connections in time; network service providers use it to analyse traffic distribution in support of Quality of Service (QoS) management; enterprises use it to control application access; and related mechanisms infer user information and behaviour by identifying the traffic of users' mobile devices.
Conventional traffic identification technologies are mainly port-number-based identification, Deep Packet Inspection (DPI) and Deep Flow Inspection (DFI). The random, concurrent use of ports by P2P (peer-to-peer) applications and the wide use of dynamic port numbers have clearly degraded port-number-based identification. DPI, which inspects payload characteristics with very high accuracy, was proposed next. However, the growth of encrypted traffic hides payload characteristics, so DPI can no longer identify such traffic effectively; encapsulation technologies such as tunnelling further limit where DPI can be applied; and DPI also suffers from high computational complexity and raises user-privacy concerns. DFI identifies traffic from its behaviour, that is, from the fact that different application types show different states on a session connection or data flow: the distribution of flow duration, of packet inter-arrival times, of packet lengths, and so on. But DFI, which analyses only traffic behaviour, can classify application types only coarsely, for instance lumping every application that fits the P2P traffic model together as P2P traffic. To address these problems, machine-learning-based traffic identification has been proposed in recent years; it is payload-independent, accurate, fast and scalable.
However, machine-learning-based identification needs large data sets for model training, and the data sets must be updated and the models retrained continually, so it is weak at sustained real-time identification.
Furthermore, the techniques above are generally used to identify data traffic within a single network architecture. In practice there are not only public networks (such as the Internet) open to everyone, but also private networks (such as a power grid's network) belonging to particular industries. Because such networks are geographically distributed, the sub-networks of a private network may sit in different locations, and they normally communicate directly over a dedicated private line. When that private line is damaged or fails, the sub-networks can no longer communicate normally. One option for keeping the sub-networks connected during a private-line failure is to build the links between them over the public network. However, this exposes the traffic between the private-network sub-networks to the public network, and if it is handled carelessly, important data can be intercepted by attackers, with more serious losses to follow.
The existing network-layer cross-network secure communication technologies are GRE VPN, based on Generic Routing Encapsulation (GRE); MPLS/BGP VPN, based on Multiprotocol Label Switching (MPLS); and IPsec VPN, based on the IP Security protocol (IPsec). GRE VPN encapsulates packets of a network-layer protocol (such as IP or IPX) so that they can be carried over another network-layer protocol (such as IP), but GRE has no encryption mechanism and no standard control protocol for maintaining the tunnel, so secure transport of the encapsulated packets cannot be guaranteed. MPLS/BGP VPN is realised on the operator's network: IP packets are forwarded much as with conventional routing, over pre-established Label Switched Paths (LSPs) that carry them at high speed across the operator backbone. MPLS, however, defines no data-encryption procedure, so its security remains to be improved, and BGP is complex, which hinders network management, maintenance and the discovery and repair of routing failures. IPsec VPN protects the confidentiality and authenticity of IP packets in transit through standard encryption schemes and negotiation procedures, together with digital signatures, digital certificates, public-key management and authentication and authorisation. Its main mode of operation adds authentication and security headers to the original IP packet, encapsulates it in a new IP packet, and transmits that packet over the backbone.
However, the IPsec VPN mechanism only governs data security and does not address quality of service, network management, reliability and the like, and its encryption and other protective measures have high time complexity, which can seriously increase communication delay. Note also that, for each of the cross-network technologies above, the security and authenticity of the encapsulated packets while in the public network rest on the protocol the technology itself uses: if that protocol has a security flaw, the security of the cross-network communication cannot be guaranteed.
Disclosure of Invention
Purpose of the invention: in view of the drawbacks of the prior art above, the present invention provides a cross-network traffic identification method and device based on dynamic identification and path hiding. They apply where a communication link between private-network sub-networks has to be established over the public network because the dedicated private line has failed, and they ensure that the communication is secure and effective.
Technical solution: to achieve the above object, the present invention provides a cross-network traffic identification method based on dynamic identification and path hiding, comprising the following steps:
when the gateway of a private-network sub-network receives an IP packet addressed to another private-network sub-network, it treats the whole IP packet as service data and prepends an IP header to produce a synthetic IP packet; it generates a first traffic characteristic and a first scrambler initial state from fixed fields of that IP header, including the identification field; it concatenates the service data, the destination IP address in the IP header and the first traffic characteristic, and scrambles the concatenated sequence with a scrambler whose initial state is the first scrambler initial state; it replaces the service data carried by the synthetic IP packet with the scrambler output and changes the destination IP address to the IP address of a masquerading host in the public network;
the traffic identification and forwarding device in the public network generates a second traffic characteristic and a second scrambler initial state from the fixed fields, including the identification field, of the header of a received IP packet, and descrambles the service data carried by that packet with a scrambler whose initial state is the second scrambler initial state; from the scrambler output it extracts a first bit sequence at the position the first traffic characteristic occupies in the sequence the gateway concatenated before scrambling, and compares it with the second traffic characteristic; if they are equal, it further extracts a second bit sequence at the position the destination IP address occupies in that concatenated sequence, restores the service data, sets the packet's destination IP address to the second bit sequence and forwards the packet to the target private-network sub-network; otherwise it forwards the packet directly to the masquerading host in the public network.
Preferably, the traffic characteristic and the scrambler initial state are generated from the header length, version, protocol and identification fields of the IP header.
Preferably, the traffic characteristic and the scrambler initial state are generated as follows:
apply confusion processing to the bit sequence formed from the selected fields to obtain a new sequence;
select k bits of the new sequence according to an index vector as the scrambler initial state, and pad the remainder of the new sequence with 0s or 1s according to a set rule to form the traffic characteristic, where k is the order of the selected scrambler.
Preferably, the confusion processing of the bit sequence is as follows: split the bit sequence in order into a number of 4-bit sub-blocks; for the j-th sub-block, take the XOR sum of the j-th sub-block and all preceding sub-blocks as the new value of the j-th sub-block; concatenate the new sub-blocks in increasing order of the index j to form the new sequence. This completes the confusion processing of the bit sequence.
Preferably, the masquerading host in the public network has a public-network IP address and is connected only to the traffic identification and forwarding device.
The cross-network traffic identification device based on dynamic identification and path hiding according to the invention comprises a cross-network traffic characteristic generator and a cross-network traffic characteristic demodulator. The cross-network traffic characteristic generator comprises:
a first characteristic generation module, configured to process a synthetic IP packet that carries service data sent between private-network sub-networks and to generate a first traffic characteristic and a first scrambler initial state from fixed fields, including the identification field, of the IP header of the synthetic IP packet;
a data scrambling module, configured to concatenate the service data, the destination IP address in the IP header and the first traffic characteristic, and to scramble the concatenated sequence with a scrambler whose initial state is the first scrambler initial state;
a packet modification module, configured to replace the service data carried by the synthetic IP packet with the output of the data scrambling module's scrambler and to change the destination IP address to the IP address of the masquerading host in the public network;
The cross-network traffic characteristic demodulator comprises:
a second characteristic generation module, configured to generate a second traffic characteristic and a second scrambler initial state from fixed fields, including the identification field, of the header of a received IP packet;
a data descrambling module, configured to descramble the service data carried by the received IP packet with a scrambler whose initial state is the second scrambler initial state;
an identification and forwarding module, configured to extract from the output of the data descrambling module's scrambler a first bit sequence at the position the first traffic characteristic occupies in the sequence the gateway concatenated before scrambling, and to compare it with the second traffic characteristic; if they are equal, to further extract a second bit sequence at the position the destination IP address occupies in that concatenated sequence, restore the service data, set the destination IP address to the second bit sequence and forward the packet to the target private-network sub-network; otherwise, to forward the packet directly to the masquerading host in the public network.
Based on the same inventive concept, the cross-network traffic identification device based on dynamic identification and path hiding comprises a first computing device and a second computing device. The first computing device comprises a memory, a processor, and a computer program stored in the memory and executable on the processor; when loaded into the processor, the computer program implements the following:
when an IP packet sent between private-network sub-networks is received, the whole IP packet is treated as service data and an IP header is prepended to produce a synthetic IP packet; a first traffic characteristic and a first scrambler initial state are generated from fixed fields of that IP header, including the identification field; the service data, the destination IP address in the IP header and the first traffic characteristic are concatenated, and the concatenated sequence is scrambled with a scrambler whose initial state is the first scrambler initial state; the service data carried by the synthetic IP packet is replaced with the scrambler output, and the destination IP address is changed to the IP address of the masquerading host in the public network;
The second computing device comprises a memory, a processor, and a computer program stored in the memory and executable on the processor; when loaded into the processor, the computer program implements the following:
a second traffic characteristic and a second scrambler initial state are generated from the fixed fields, including the identification field, of the header of a received IP packet, and the service data carried by that packet is descrambled with a scrambler whose initial state is the second scrambler initial state; from the scrambler output, a first bit sequence is extracted at the position the first traffic characteristic occupies in the sequence the gateway concatenated before scrambling and compared with the second traffic characteristic; if they are equal, a second bit sequence is further extracted at the position the destination IP address occupies in that concatenated sequence, the service data is restored, the destination IP address is set to the second bit sequence and the packet is forwarded to the target private-network sub-network; otherwise the packet is forwarded directly to the masquerading host in the public network.
Advantages: compared with the prior art, the invention has the following advantages:
1. it hides the real communication path between the private-network sub-networks: to an outside observer each sub-network appears to be communicating with a host in the public network, which protects the communication between the sub-networks;
2. the dynamic identification and feature extraction involve little computation; the scrambler-based feature and packet identification consists mainly of XOR operations, so the added delay is kept within bounds;
3. the traffic characteristic and the scrambler initial state are highly dynamic: different IP packet headers carry different values in the identification field, so including that field makes the scrambler initial state and the traffic characteristic vary from packet to packet;
4. because the scrambler initial state and the traffic characteristic are both chosen from the fixed fields of the IP packet header, they are strongly bound to each other, which effectively guarantees high accuracy and high performance of the traffic identification.
Drawings
In order to illustrate the embodiments of the present invention or the prior-art solutions more clearly, the drawings needed for describing them are introduced briefly below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of an architecture for cross-network traffic identification based on dynamic identification and path hiding according to an embodiment of the present invention.
Fig. 2 is a flowchart of cross-network traffic identification based on dynamic identification and path hiding according to an embodiment of the present invention.
Fig. 3 is a flowchart of gateway a or gateway b generating a first traffic characteristic and a first scrambler initial state according to an embodiment of the present invention.
Fig. 4 shows a specific structure of a scrambler according to an embodiment of the present invention.
Fig. 5 is a composite IP packet constructed in an embodiment of the invention.
Fig. 6 is a flowchart of the traffic recognizing and forwarding device M generating the second traffic characteristic and the second scrambler initial state according to the specific embodiment of the present invention.
Fig. 7 is an IP data packet to be forwarded constructed after the traffic identification and forwarding device M successfully identifies in the embodiment of the present invention.
Fig. 8 is a schematic structural diagram of a cross-network traffic recognition apparatus based on dynamic identification and path hiding according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 is a schematic diagram of an architecture for cross-network traffic identification processing based on dynamic identification and path hiding according to an embodiment of the present invention.
As shown in fig. 1, the architecture may include: private network sub-network a, private network sub-network B, public network C, terminal 1, terminal 2, terminal 3, terminal 4, gateway a, gateway B, router 1, router 2, hub 1, hub 2, traffic identification and forwarding device M, masquerading host H.
It should be understood that the number of devices in fig. 1 is merely illustrative, and the system architecture can be flexibly adjusted according to implementation needs. The following embodiments may apply the system architecture for data interaction or processing.
In the embodiment, gateway a and gateway b, each connected to public network C, are deployed for private-network sub-network A and private-network sub-network B respectively, and the traffic identification and forwarding device M and the masquerading host H are deployed in public network C; device M is the hop immediately before gateway b, and masquerading host H has a public-network IP address and is connected only to device M. When an IP packet sent by sub-network A or sub-network B arrives at gateway a or gateway b, the whole IP packet is treated as service data and an IP header is prepended to produce a synthetic IP packet. Gateway a or gateway b adds the traffic characteristic to the synthetic IP packet and changes the destination IP address in its header to the IP address of masquerading host H. Device M identifies whether each packet passing through it is a synthetic IP packet; if so, it restores the service data carried in the packet and forwards it to the target private-network sub-network, and if not, it forwards the packet directly to masquerading host H.
A flowchart of cross-network traffic identification processing based on dynamic identification and path hiding according to an embodiment of the present invention is shown in fig. 2. Taking the communication process from the private network sub-network a to the private network sub-network B as an example, the cross-network traffic identification method of the embodiment of the present invention includes the following steps:
Step 100: gateway a of private-network sub-network A generates a first traffic characteristic $f_1$ and a first scrambler initial state $t_1$ from fixed fields in the header of the synthetic IP packet P_send that carries the service data $m_1$ destined for private-network sub-network B.
As shown in Fig. 3, gateway a generates $f_1$ and $t_1$ in step 100 as follows:
Step 110: take the fixed fields header length, version, protocol and identification from the header of the synthetic IP packet P_send and concatenate them in order into a 32-bit sequence N;
Step 120: apply confusion processing to the bit sequence N to obtain a new sequence N_fuzzy; specifically:
Step 121: split N in order into 8 sub-blocks of 4 bits each, $N^{(i)} = (N_{4i}, N_{4i+1}, N_{4i+2}, N_{4i+3})$, $i = 0, 1, \ldots, 7$, where $v = 32$, $N_n$ is the n-th bit of N counted from the left ($n = 0, 1, \ldots, v-1$) and $N^{(i)}$ is the i-th sub-block of N counted from the left;
Step 122: for the i-th sub-block, XOR-sum it with all preceding sub-blocks, $N^{(i)}_{\mathrm{fuzzy}} = \bigoplus_{l=0}^{i} N^{(l)}$, and take the result as the new value of that sub-block; after processing every sub-block, concatenate the $N^{(i)}_{\mathrm{fuzzy}}$ in increasing order of the index i to obtain N_fuzzy. This completes the confusion processing of N.
Step 130: select k bits of N_fuzzy according to the index vector $(1, 1+p, \ldots, 1+(k-1)p)$, where $p = \lfloor 32/k \rfloor$ and k is the order of the selected scrambler, as the first scrambler initial state $t_1$; append k zero bits (or apply another set padding rule) to the remaining $32-k$ bits of N_fuzzy to form the first traffic characteristic $f_1$. In this embodiment k = 7: the 7 bits of N_fuzzy at the index vector (1, 5, 9, 13, 17, 21, 25) form $t_1$, and the remaining 25 bits of N_fuzzy followed by 7 zero bits form $f_1$. The scrambler used in the embodiment is a 7-stage maximal-length linear feedback shift register, shown in Fig. 4 and described by the primitive polynomial $f(x) = 1 + x^3 + x^4 + x^5 + x^7$; it reaches the maximal period 127 and therefore produces a maximal-length shift-register sequence.
Step 200: to transmit service data m1Destination IP address IP _ dest and first traffic characteristics f in header of composite IP packet P _ send1Cascaded in sequence, then using an initial state of t1The scrambler scrambles the concatenated data sequence as shown in FIG. 4, and the output result of the scrambler is recorded as o1. As shown in fig. 5, the service data carried by the composite IP packet P _ send is replaced by the scrambler output result o1Modifying the destination IP address of the synthesized IP data packet P _ send into the IP address of the disguised host H in the public network C;
step 300: the traffic recognition and forwarding device M in the public network C generates a second traffic characteristic f using a fixed field in the header of the received IP data packet P _ rcv2And a second scrambler initial state t2And further using an initial state of t2The scrambler of the data packet P _ rcv carries the service data m2Descrambling is carried out, and the output result is recorded as o2Then outputs the result o at the scrambler2Extracting a 32-bit first bit sequence f from the tail of the sequence3
In step 300, the traffic identification and forwarding device M in the public network C generates a second traffic characteristic f using a fixed field in the header of the received IP data packet P _ rcv2And a second scrambler initial state t2As shown in fig. 6, the specific steps are as follows:
step 310: selecting data with fixed field header length, version number, protocol type and identification field from a data packet P _ rcv header to form a 32-bit sequence R in sequence;
step 320: carrying out confusion processing on the bit sequence R to generate a new sequence R _ fuzzy;
in step 320, the bit sequence R is subjected to aliasing processing to generate a new sequence R _ fuzzy, which specifically includes the following steps:
Step 321: the bit sequence R is divided in order into 8 sub-blocks of 4 bits each [formula image], where s = 32, R_n is the n-th bit from the left of the sequence R (n = 0, 1, …, s-1), and [formula image] denotes the j-th sub-block into which the sequence R is divided from left to right.
Step 322: by the formula [formula image], the j-th sub-block is XOR-summed with all the sub-blocks preceding it, and the result of the XOR summation is taken as the new sequence of the j-th sub-block [formula image]. After all sub-blocks have been processed in this way, their new sequences are combined in order of the index j from small to large to generate the new sequence R_fuzzy, which completes the obfuscation of the bit sequence R.
Step 330: in the new sequence R_fuzzy, k bits are selected according to the index vector (1, 1+p, …, 1+(k-1)p) as the initial state t2 of the second scrambler, where p is [formula image] (⌊ ⌋ denotes rounding down) and k is the order of the selected scrambler; k zero bits are appended at the tail of the remaining 32-k bits of the new sequence R_fuzzy to form the second traffic characteristic f2. In this example k = 7, that is, 7 bits are selected from the new sequence R_fuzzy according to the index vector (1,5,9,13,17,21,25) as the second scrambler initial state t2, and 7 zero bits are appended at the tail of the remaining 25 bits of the new sequence R_fuzzy as the second traffic characteristic f2. The scrambler employed in the embodiment of the present invention is a 7-stage maximal-length linear feedback shift register, which can be expressed by the primitive polynomial f(x) = 1 + x^3 + x^4 + x^5 + x^7 as shown in FIG. 4; it reaches the longest period 127 and thus generates a maximal-length linear shift register sequence.
Step 400: if the first bit sequence f3 and the second traffic characteristic f2 are the same, the traffic identification and forwarding device M extracts from the scrambler output o2 the 32-bit second bit sequence Ip_temp immediately to the left of the first bit sequence f3, modifies the destination IP address in the header of the data packet P_rcv to the second bit sequence Ip_temp, restores the service data m2 to the service data m1 and forwards it to the sub-network B; otherwise the data packet P_rcv is forwarded directly to the masquerading host H in the public network C.
In step 400, the traffic identification and forwarding device M restores the service data m2 to the service data m1 and forwards it as follows: the 32-bit second bit sequence Ip_temp and the 32-bit first bit sequence f3 extracted from the scrambler output o2 are removed, the remaining data is the service data m1, and the IP data packet to be forwarded is constructed as shown in FIG. 7.
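The marking and identification procedure above (step 200, the feature generation of steps 310 to 330, and steps 300 to 400), as an added worked example that is not code from the patent. It assumes an additive scrambler (XOR with the m-sequence of the 7-stage LFSR named in the text), MSB-first header fields in the order header length, version, protocol, identification, and 1-based index vector positions; the sample header and payload are constructed.

```python
# Added example, not the patent's own code: the gateway-side marking (step 200),
# the feature generation of steps 310-330 and the identification of steps
# 300-400. Assumed, since the text does not fix them: an additive scrambler that
# XORs the data with the m-sequence of the 7-stage LFSR with characteristic
# polynomial f(x) = 1 + x^3 + x^4 + x^5 + x^7; header fields taken MSB-first in
# the order header length, version, protocol, identification (4+4+8+16 bits);
# 1-based index vector positions.
K = 7                                     # order k of the scrambler
TAPS = (0, 3, 4, 5)                       # s[n+7] = s[n]^s[n+3]^s[n+4]^s[n+5]
INDEX_VECTOR = (1, 5, 9, 13, 17, 21, 25)  # (1, 1+p, ..., 1+(k-1)p), p = 4

def lfsr_step(state):
    """One clock of the Fibonacci LFSR: returns (output bit, next state)."""
    fb = 0
    for t in TAPS:
        fb ^= state[t]
    return state[0], state[1:] + [fb]

def lfsr_period(state):
    """Clocks until the register state recurs: 127 for every non-zero state
    of this primitive polynomial, 1 for the all-zero state."""
    start, s, steps = tuple(state), list(state), 0
    while True:
        _, s = lfsr_step(s)
        steps += 1
        if tuple(s) == start or steps > 2 ** K:
            return steps

def scramble(bits, state):
    """XOR the bits with the keystream; the same call descrambles."""
    out, s = [], list(state)
    for b in bits:
        k, s = lfsr_step(s)
        out.append(b ^ k)
    return out

def int_to_bits(value, width):
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]

def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value

def header_sequence_r(ihl, version, protocol, identification):
    """Step 310: the 32-bit sequence R from the fixed header fields."""
    return (int_to_bits(ihl, 4) + int_to_bits(version, 4)
            + int_to_bits(protocol, 8) + int_to_bits(identification, 16))

def obfuscate(r):
    """Step 320: eight 4-bit sub-blocks; sub-block j becomes the XOR sum of
    sub-blocks 0..j, and the results are joined in increasing order of j."""
    out, acc = [], [0, 0, 0, 0]
    for j in range(8):
        acc = [a ^ b for a, b in zip(acc, r[4 * j:4 * j + 4])]
        out += acc
    return out

def state_and_feature(r_fuzzy):
    """Step 330: the k bits at the index vector form the scrambler state t; the
    remaining 32-k bits followed by k zero bits form the 32-bit feature f.
    An all-zero t gives an all-zero keystream, i.e. the data is left as is."""
    picked = [i - 1 for i in INDEX_VECTOR]
    t = [r_fuzzy[i] for i in picked]
    f = [b for i, b in enumerate(r_fuzzy) if i not in picked] + [0] * K
    return t, f

def mark_packet(m1, ip_dest, header):
    """Gateway, step 200: o1 = scramble(m1 || IP_dest || f1, t1)."""
    t1, f1 = state_and_feature(obfuscate(header_sequence_r(*header)))
    return scramble(m1 + int_to_bits(ip_dest, 32) + f1, t1)

def identify_packet(payload, header):
    """Device M, steps 300-400: descramble with t2, compare the tail 32 bits
    (f3) with f2; on a match return (True, IP_dest, m1), else (False, ..)."""
    if len(payload) < 64:                 # cannot hold IP_dest and f1
        return False, None, None
    t2, f2 = state_and_feature(obfuscate(header_sequence_r(*header)))
    o2 = scramble(payload, t2)
    if o2[-32:] != f2:                    # f3 != f2: plain traffic, send to H
        return False, None, None
    return True, bits_to_int(o2[-64:-32]), o2[:-64]

# Constructed sample: IHL 5, version 4, protocol 6 (TCP), identification 0xABCD,
# a 48-bit stand-in for the inner packet m1 and destination 10.0.1.2.
SAMPLE_HEADER = (5, 4, 6, 0xABCD)
SAMPLE_M1 = int_to_bits(0x4500003C1C46, 48)
SAMPLE_IP_DEST = 0x0A000102
```

The state and feature are derived only from header fields any observer can read and from a fixed public polynomial, so the tag distinguishes synthetic packets from ordinary traffic but is neither an authentication code nor encryption.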
Fig. 8 is a block diagram of a cross-network traffic recognition apparatus based on dynamic identification and path hiding according to an embodiment of the present invention. The cross-network traffic recognition device based on the dynamic identification and the path hiding comprises a cross-network traffic feature generator and a cross-network traffic feature demodulator.
Cross-network traffic characteristic generator: processes a composite IP packet P_send carrying service data from private network sub-network A to private network sub-network B or from private network sub-network B to private network sub-network A, generates a traffic characteristic, determines a scrambler initial state, and modifies the destination IP address of the composite IP packet P_send. It comprises a first characteristic generation module, a data scrambling module and a data packet modification module. Specifically, taking the communication from private network sub-network A to private network sub-network B as an example, the first characteristic generation module is configured to process the composite IP packet carrying the service data m1 sent from private network sub-network A to private network sub-network B and to generate a first traffic characteristic f1 and a first scrambler initial state t1; the data scrambling module uses the scrambler with initial state t1 to scramble the data sequence formed by concatenating in sequence the service data m1, the destination IP address IP_dest in the header of the composite IP packet and the first traffic characteristic f1, and records the output as o1; the data packet modification module is configured to construct a composite IP packet whose service data is o1 and whose destination IP address points to the disguised host H in the public network C.
Cross-network traffic characteristic demodulator: configured to process the IP data packet P_rcv received by the traffic identification and forwarding device M in the public network C and to identify whether the received IP data packet P_rcv is a composite IP packet P_send. It comprises a second characteristic generation module, a data descrambling module, and an identification and forwarding module. Specifically, taking the communication from private network sub-network A to private network sub-network B as an example, the second characteristic generation module is configured to process the received IP data packet and to generate a second traffic characteristic f2 and a second scrambler initial state t2; the data descrambling module is configured to descramble the service data m2 carried by the received IP data packet with the scrambler whose initial state is t2, to record the output as o2, and to extract a 32-bit first bit sequence f3 from the tail of o2; the identification and forwarding module is configured to compare the second traffic characteristic f2 with the first bit sequence f3 in order to identify whether the received IP data packet is a composite IP packet, and if so, to extract from the scrambler output o2 the 32-bit second bit sequence Ip_temp to the left of the first bit sequence f3, to modify the destination IP address in the header of the received IP data packet to the second bit sequence Ip_temp, and to restore the service data m2 to the service data m1 and forward it to the target private network sub-network B; otherwise the packet is forwarded directly to the masquerading host H in the public network C.
For details of the implementation of each module in the above device embodiment, reference is made to the foregoing method embodiment, and details are not repeated here. Those skilled in the art will appreciate that the modules in the embodiments may be adaptively changed and disposed in one or more devices different from the embodiments. The modules in the embodiments may be combined into one module or divided into a plurality of sub-modules. The terms first, second, etc. are used for descriptive purposes and not necessarily to describe a sequential or chronological order.
Based on the same inventive concept, the specific embodiment of the invention also discloses a cross-network traffic identification device based on dynamic identification and path hiding, which comprises a first computing device and a second computing device; wherein the first computing device comprises a memory, a processor, and a computer program stored on the memory and executable on the processor, the computer program when loaded into the processor implementing:
when an IP data packet sent from private network sub-network A to private network sub-network B is received, processing the composite IP packet carrying the service data m1 sent from private network sub-network A to private network sub-network B and generating a first traffic characteristic f1 and a first scrambler initial state t1; scrambling, with the scrambler whose initial state is t1, the data sequence formed by concatenating in sequence the service data m1, the destination IP address IP_dest in the header of the composite IP packet and the first traffic characteristic f1, and recording the output as o1; constructing a composite IP packet whose service data is o1 and whose destination IP address points to the disguised host H in the public network C;
the second computing device comprises a memory, a processor, and a computer program stored on the memory and executable on the processor, the computer program when loaded into the processor implementing:
processing the received IP data packet to generate a second traffic characteristic f2 and a second scrambler initial state t2; descrambling the service data m2 carried by the received IP data packet with the scrambler whose initial state is t2, recording the output as o2, and extracting a 32-bit first bit sequence f3 from the tail of o2; comparing the second traffic characteristic f2 with the first bit sequence f3 to identify whether the received IP data packet is a composite IP packet, and if so, extracting from the scrambler output o2 the 32-bit second bit sequence Ip_temp to the left of the first bit sequence f3, modifying the destination IP address in the header of the received IP data packet to the second bit sequence Ip_temp, restoring the service data m2 to the service data m1 and forwarding it to the target private network sub-network B; otherwise forwarding the packet directly to the masquerading host H in the public network C.
The cross-network traffic identification device based on dynamic identification and path hiding selects the scrambler initial state and the traffic characteristic from fixed fields in the IP packet header, so that a strong association is created between the scrambler and the traffic characteristic, which effectively guarantees high accuracy and high performance of network traffic identification; at the same time, the technical scheme requires little computation, since the scrambler-based feature identification and feature extraction consist mainly of exclusive-or operations, so the increase in delay is limited; in addition, different IP packet headers carry different 'identification' fields, and the introduction of the 'identification' field enhances the dynamic nature of the scrambler initial state and the traffic characteristic; most importantly, the technical scheme hides the real communication path between private network sub-network A and private network sub-network B, which externally appears as communication between each of the private network sub-networks A and B and the public network C, thereby guaranteeing secure communication between the private network sub-networks.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A cross-network traffic identification method based on dynamic identification and path hiding is characterized by comprising the following steps:
when a gateway of a private network sub-network receives an IP data packet sent to another private network sub-network, the whole IP data packet is regarded as service data, an IP header is added to generate a synthesized IP data packet, and a first traffic characteristic and a first scrambler initial state are generated by using a fixed field comprising an identification field in the IP header; connecting the service data, a target IP address in an IP header and a first flow characteristic, and scrambling the connected data sequence by using a scrambler with an initial state being the initial state of the first scrambler; replacing the service data carried by the synthetic IP data packet with the output of the scrambler, and modifying the destination IP address into the IP address of the disguised host in the public network;
the flow identification and forwarding equipment in the public network generates a second flow characteristic and a second scrambler initial state by using a fixed field comprising an identification field in a header of a received IP data packet, and descrambles service data carried by the received IP data packet by using the scrambler of which the initial state is the second scrambler initial state; and extracting a first bit sequence corresponding to a first traffic characteristic position in the data sequence connected before scrambling by the gateway from the output result of the scrambler, comparing the first bit sequence with a second traffic characteristic, if the first bit sequence is the same as the second traffic characteristic, continuously extracting a second bit sequence corresponding to a target IP address position in the data sequence connected before scrambling by the gateway, restoring the service data, modifying the target IP address into the second bit sequence, and then forwarding the modified target IP address to a target subnetwork of the private network, otherwise, directly forwarding the modified target IP address to the disguised host in the public network.
2. The method of claim 1, wherein the traffic characteristics and the scrambler initial state are generated based on the header length, version number, protocol type and identification field in the IP header.
3. The method of claim 1, wherein the method for traffic feature and scrambler initial state generation comprises:
carrying out confusion processing on a bit sequence consisting of the selected fields to generate a new sequence;
and selecting k bits in the new sequence as the initial state of the scrambler according to the index vector, and complementing the rest part of the new sequence by 0 or 1 according to a set rule to be used as flow characteristics, wherein k is the order of the selected scrambler.
4. The method for cross-network traffic recognition based on dynamic identification and path hiding according to claim 3, wherein the method for performing obfuscation processing on the bit sequence comprises: dividing a bit sequence into a plurality of sub-blocks in sequence, wherein each sub-block is 4 bits; and for the jth sub-block, carrying out XOR summation on the jth sub-block and all the previous sub-blocks, taking the result of the XOR summation as a new sequence of the jth sub-block, combining the new sequences of the sub-blocks from small to large according to an index j to generate a new sequence, and completing the confusion processing of the bit sequence.
5. The method of claim 1, wherein the masquerading host in the public network has a public network IP address and is connected only to the traffic recognition and forwarding device.
6. A cross-network traffic identification device based on dynamic identification and path hiding is characterized by comprising a cross-network traffic characteristic generator and a cross-network traffic characteristic demodulator;
the cross-network traffic feature generator comprises:
a first characteristic generating module, configured to process a composite IP packet carrying service data sent between private network subnets, and generate a first traffic characteristic and a first scrambler initial state using a fixed field including an identification field in an IP header of the composite IP packet;
the data scrambling module is used for connecting the service data, the target IP address in the IP header and the first flow characteristic and scrambling the connected data sequence by using the scrambler of which the initial state is the initial state of the first scrambler;
the data packet modification module is used for replacing the service data carried by the synthetic IP data packet with the output of the scrambler of the data scrambling module, and the target IP address is modified into the IP address of the disguised host in the public network;
the cross-network traffic characteristic demodulator comprises:
the second characteristic generating module is used for generating a second traffic characteristic and a second scrambler initial state by utilizing a fixed field which comprises an identification field in a header of the received IP data packet;
the data descrambling module is used for descrambling the service data carried by the received IP data packet by using the scrambler of which the initial state is the initial state of the second scrambler;
and the identification and forwarding module is used for extracting a first bit sequence corresponding to a first traffic characteristic position in a data sequence connected before scrambling by the gateway from an output result of a scrambler of the data descrambling module, comparing the first bit sequence with a second traffic characteristic, if the first bit sequence and the second traffic characteristic are the same, continuously extracting a second bit sequence corresponding to a destination IP address position in the data sequence connected before scrambling by the gateway, restoring the service data, modifying the destination IP address into the second bit sequence and forwarding the modified destination IP address to a target sub-network of the private network, and otherwise, directly forwarding the modified destination IP address to the disguised host in the public network.
7. A cross-network traffic recognition device based on dynamic identification and path hiding, characterized by comprising a first computing device and a second computing device; the first computing device comprises a memory, a processor, and a computer program stored on the memory and executable on the processor, the computer program when loaded into the processor implementing:
when an IP data packet sent between private network sub-networks is received, the whole IP data packet is taken as service data, an IP header is added to generate a synthesized IP data packet, and a first traffic characteristic and a first scrambler initial state are generated by using a fixed field comprising an identification field in the IP header; connecting the service data, a target IP address in an IP header and a first flow characteristic, and scrambling the connected data sequence by using a scrambler with an initial state being the initial state of the first scrambler; replacing the service data carried by the synthetic IP data packet with the output of the scrambler, and modifying the destination IP address into the IP address of the disguised host in the public network;
the second computing device comprises a memory, a processor, and a computer program stored on the memory and executable on the processor, the computer program when loaded into the processor implementing:
generating a second traffic characteristic and a second scrambler initial state by using a fixed field comprising an identification field in a header of the received IP data packet, and descrambling the service data carried by the received IP data packet by using the scrambler of which the initial state is the second scrambler initial state; and extracting a first bit sequence corresponding to a first traffic characteristic position in the data sequence connected before scrambling by the gateway from the output result of the scrambler, comparing the first bit sequence with a second traffic characteristic, if the first bit sequence is the same as the second traffic characteristic, continuously extracting a second bit sequence corresponding to a target IP address position in the data sequence connected before scrambling by the gateway, restoring the service data, modifying the target IP address into the second bit sequence, and then forwarding the modified target IP address to a target subnetwork of the private network, otherwise, directly forwarding the modified target IP address to the disguised host in the public network.
8. The device for cross-network traffic identification based on dynamic identification and path hiding according to claim 6 or 7, wherein the traffic characteristics and scrambler initial state are generated according to header length, version number, protocol type and identification field in IP header.
9. The device for cross-network traffic identification based on dynamic identification and path hiding according to claim 6 or 7, wherein the method for generating traffic characteristics and initial states of scrambler comprises:
carrying out confusion processing on a bit sequence consisting of the selected fields to generate a new sequence;
and selecting k bits in the new sequence as the initial state of the scrambler according to the index vector, and complementing the rest part of the new sequence by 0 or 1 according to a set rule to be used as flow characteristics, wherein k is the order of the selected scrambler.
10. The device for cross-network traffic recognition based on dynamic identification and path hiding according to claim 6 or 7, wherein the method for performing obfuscation processing on the bit sequence comprises: dividing a bit sequence into a plurality of sub-blocks in sequence, wherein each sub-block is 4 bits; and for the jth sub-block, carrying out XOR summation on the jth sub-block and all the previous sub-blocks, taking the result of the XOR summation as a new sequence of the jth sub-block, combining the new sequences of the sub-blocks from small to large according to an index j to generate a new sequence, and completing the confusion processing of the bit sequence.
CN202010298646.8A 2020-04-16 2020-04-16 Cross-network traffic identification method and device based on dynamic identification and path hiding Active CN111526100B (en)

Publications (2)

Publication Number Publication Date
CN111526100A CN111526100A (en) 2020-08-11
CN111526100B true CN111526100B (en) 2021-08-24
