CN105406993A - Encrypted stream recognition method and device - Google Patents
Abstract
The invention provides an encrypted stream recognition method and device. The method comprises: (1) selecting a packet to be tested from a data stream on the basis of window transition; (2) calculating an assessed value from the packet to be tested; and (3) judging, on the basis of the assessed value, whether the data stream is encrypted. The device comprises a selection module, a calculation module and a judgment module. Various kinds of encrypted data streams can be recognised quickly and accurately, solving the universality problem of encrypted traffic recognition in the prior art.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to an encrypted stream recognition method and device.
Background art
Illegal online activity, circumvention of network controls and intrusion behaviour generally use encrypted communication. To strengthen network management and achieve orderly control of the network, encrypted traffic needs to be recognised online. Encrypted stream recognition faces three difficulties: 1) the content of encrypted traffic varies and has no unified content feature, so it is hard to match; 2) the packet length, arrival interval and transmission direction of encrypted traffic are entirely determined by the service it carries, so its traffic characteristics resemble those of cleartext traffic; 3) the diversity of encryption protocols makes recognition by analysing the protocol connection procedure poorly extensible.
Existing encrypted stream recognition techniques mostly start from the handshake features of encryption protocols, using the communication characteristics of the protocol handshake and key negotiation phases combined with machine-learning algorithms. These methods are effective only for particular versions of particular encryption protocols and lack universality.
Summary of the invention
The technical problem to be solved by the present invention is to provide an encrypted stream recognition method and device that solve the universality problem of recognising various kinds of encrypted traffic in the prior art.
The technical solution adopted by the present invention is an encrypted stream recognition method comprising:
Step 1, selecting a test packet from a data stream on the basis of window transition;
Step 2, calculating an assessed value from the test packet;
Step 3, judging whether the data stream is encrypted on the basis of the assessed value.
Further, step 1 specifically comprises:
setting a window for reading data packets, the length of the window being the number of data packets between two adjacent test packets;
for a received data stream, selecting the first data packet of the data stream as the first test packet, then using transitions of the window within the data stream to select the subsequent test packets in turn.
Further, the length of the window transited each time a test packet is selected follows a set functional relation.
Further, when the set functional relation is an arithmetic progression and the window length is d, the following condition holds: for the I-th test packet selected, the length of the window to be transited is d = D × (I − 1), where D is a set delay constant and I is an integer greater than 1.
Further, step 2 specifically comprises performing WARE (Weighting-based Adaptive Randomness Estimation, an adaptive randomness assessment algorithm based on a weighted cumulative sum) on each test packet, comprising the following process:
A1: replacing every 0 in the binary sequence of the test packet with −1, generating the deformation series η_i;
A2: for the deformation series η_i, computing the partial sums S_k of its first k terms, 1 ≤ k ≤ n, and the maximum deviation z = max[S_1, S_2, ..., S_n] of η_i, where n is the length of the binary sequence of the test packet; the assessed value is then computed from z and n by means of Φ(x), the standard normal distribution function.
Further, step 2 also comprises:
A3, weighting and combining the assessed value obtained in step A2 with the historical assessed value to obtain the final assessed value used to judge whether the data stream is encrypted;
the historical assessed value is obtained as follows: the assessed value obtained when step A3 is executed is saved as the historical assessed value, replacing the historical assessed value saved previously.
Further, step 3 specifically comprises:
judging whether the assessed value corresponding to the test packet is greater than a set assessment threshold; if so, judging the data stream to be an encrypted stream, otherwise judging it to be a cleartext stream.
Further, step 3 specifically comprises:
B1, judging whether the assessed value corresponding to the test packet is greater than the set assessment threshold; if so, judging the data stream to be an encrypted stream, otherwise performing step B2;
B2, judging whether the number of window transitions has reached a set count threshold; if so, judging the data stream to be a cleartext stream, otherwise reselecting a test packet according to step 1 and performing the method again.
The present invention also provides an encrypted stream recognition device, comprising:
a selection module, for selecting a test packet from a data stream on the basis of window transition;
a calculation module, for calculating an assessed value from the test packet;
a judgment module, for judging whether the data stream is encrypted on the basis of the assessed value.
With the above technical solution, the present invention has at least the following advantage:
the encrypted stream recognition method and device of the present invention can recognise various kinds of encrypted data streams quickly and accurately, solving the universality problem of recognising various kinds of encrypted traffic in the prior art.
Description of the drawings
Fig. 1 is a flow chart of the encrypted stream recognition method of the first embodiment of the invention;
Fig. 2 is a schematic diagram of the composition of the encrypted stream recognition device of the second embodiment of the invention;
Fig. 3 is a flow chart of the protocol-independent encrypted stream recognition method based on window transition of the third embodiment of the invention;
Fig. 4 is a detailed flow chart of applying the WARE algorithm to the data packet at an ideal identification point in the third embodiment of the invention;
Fig. 5 is a schematic structural diagram of the protocol-independent encrypted stream recognition device based on window transition of the third embodiment of the invention.
Embodiments
To further explain the technical means adopted by the present invention to achieve its intended objects and their effects, the present invention is described in detail below with reference to the accompanying drawings and preferred embodiments.
The first embodiment of the invention, an encrypted stream recognition method, as shown in Fig. 1, comprises the following specific steps:
Step S101, selecting a test packet from a data stream on the basis of window transition.
Specifically, step S101 comprises:
setting a window for reading data packets, the length of the window being the number of data packets between two adjacent test packets;
for a received data stream, selecting the first data packet of the data stream as the first test packet, then using transitions of the window within the data stream to select the subsequent test packets in turn.
Further, the length of the window transited each time a test packet is selected follows a set functional relation. For example, when the set functional relation is an arithmetic progression and the window length is d, the following condition holds: for the I-th test packet selected, the length of the window to be transited is d = D × (I − 1), where D is a set delay constant and I is an integer greater than 1.
Step S102, calculating an assessed value from the test packet.
Specifically, step S102 comprises performing the WARE algorithm on each test packet, comprising the following process:
A1: replacing every 0 in the binary sequence of the test packet with −1, generating the deformation series η_i;
A2: for the deformation series η_i, computing the partial sums S_k of its first k terms, 1 ≤ k ≤ n, and the maximum deviation z = max[S_1, S_2, ..., S_n] of η_i, where n is the length of the binary sequence of the test packet; the assessed value is then computed from z and n by means of Φ(x), the standard normal distribution function.
Preferably, in order to further improve the accuracy of the judgment on encrypted traffic, step S102 of this embodiment also comprises the following specific steps:
A3, weighting and combining the assessed value obtained in step A2 with the historical assessed value to obtain the final assessed value used to judge whether the data stream is encrypted;
the historical assessed value is obtained as follows: the assessed value obtained when step A3 is executed is saved as the historical assessed value, replacing the historical assessed value saved previously.
Step S103, judging whether the data stream is encrypted on the basis of the assessed value.
Specifically, step S103 comprises:
judging whether the assessed value corresponding to the test packet is greater than a set assessment threshold; if so, judging the data stream to be an encrypted stream, otherwise judging it to be a cleartext stream.
Preferably, in order to further improve the efficiency of the judgment on encrypted traffic, step S103 may also be implemented according to the following detailed process:
B1, judging whether the assessed value corresponding to the test packet is greater than the set assessment threshold; if so, judging the data stream to be an encrypted stream, otherwise performing step B2;
B2, judging whether the number of window transitions has reached a set count threshold; if so, judging the data stream to be a cleartext stream, otherwise reselecting a test packet according to step S101 and performing the method again.
The second embodiment of the invention provides an encrypted stream recognition device corresponding to the first embodiment, as shown in Fig. 2, comprising the following parts:
1) a selection module 10, for selecting a test packet from a data stream on the basis of window transition;
specifically, the selection module 10 is configured to set a window for reading data packets, the length of the window being the number of data packets between two adjacent test packets;
for a received data stream, it selects the first data packet of the data stream as the first test packet, then uses transitions of the window within the data stream to select the subsequent test packets in turn.
2) a calculation module 20, for calculating an assessed value from the test packet;
specifically, the calculation module 20 is configured to perform the WARE algorithm on each test packet; the specific implementation is described in detail in the first embodiment.
3) a judgment module 30, for judging whether the data stream is encrypted on the basis of the assessed value.
Specifically, the judgment module 30 is configured to judge whether the assessed value corresponding to the test packet is greater than the set assessment threshold; if so, it judges the data stream to be an encrypted stream, otherwise it judges it to be a cleartext stream.
Preferably, in order to further improve the efficiency of the judgment on encrypted traffic, the judgment module 30 may also be configured to:
first judge whether the assessed value corresponding to the test packet is greater than the set assessment threshold; if it is greater than the set assessment threshold, judge the data stream to be an encrypted stream; if it is less than or equal to the set assessment threshold, judge whether the number of window transitions has reached the set count threshold; if so, judge the data stream to be a cleartext stream, otherwise call the selection module 10 to reselect a test packet and process it.
The third embodiment of the invention provides an application example on the basis of the above embodiments, introducing a protocol-independent encrypted stream recognition method based on window transition. To enable those skilled in the art to better understand the technical solution of the present application, and to make the objects, features and advantages of this embodiment more apparent, the technical solution of the present application is described in further detail below with reference to Figs. 3 to 5.
Before describing this embodiment in detail, the symbols that may be involved are explained as follows:
WARE: the adaptive randomness assessment algorithm based on a weighted cumulative sum;
D: the set delay constant, i.e. the window size;
W: the preset assessment threshold for judging whether a stream is encrypted;
N: the threshold on the number of window transitions.
Referring to Fig. 3, the flow of the protocol-independent encrypted stream recognition method based on window transition of this embodiment is as follows:
Step 101: screening the received data packets for ideal identification points on the basis of window transition.
Specifically, the first data packet of the received data stream is chosen as the first ideal identification point, and subsequent screening proceeds by transitions of a window of size d.
The screening of ideal identification points here is similar to the selection of test packets in the above embodiments.
Step 102: carrying out the randomness assessment test based on a weighted cumulative sum on the data packet at the ideal identification point.
Specifically, the WARE algorithm is applied to the data packet at the ideal identification point, the assessment test result is obtained, and it is buffered in a data temporary storage block.
Step 103: comparing the assessment test result with the set threshold.
Specifically, if the assessment test result is greater than the preset assessment threshold W, the output is positive and recognition ends; if the assessment result is less than or equal to the preset assessment threshold W, it is further judged whether the number of transitions of the window d has reached the window transition count threshold N; if so, the output is negative and recognition ends, otherwise window transition continues, the next ideal identification point is screened and the above steps are performed.
Here, positive means the stream is judged to be an encrypted stream, and negative means it is judged to be a cleartext stream.
Step 104: ending the judgment and outputting the result.
Specifically, as soon as one test reveals encrypted data, the recognition of the data stream is complete and the recognition result is positive. If no encrypted data has been recognised after the window transition count threshold N is exceeded, the recognition result is negative. The setting of the window transition count threshold N is determined by the processing capacity of the system.
Referring to Fig. 4, in step 102 the detailed flow of applying the WARE algorithm to the data packet at the ideal identification point and obtaining the assessment test result is as follows:
Step 201: receiving the test packet.
Step 202: single-packet storage and counting.
Specifically, step 202 comprises:
C1: replacing every 0 in the binary sequence of this test packet with −1, generating a new deformation series.
C2: computing the partial sums S_k of the first k terms of the deformation series, 1 ≤ k ≤ n, and the maximum deviation z = max[S_1, S_2, ..., S_n] of the deformation series η_i, where n is the length of the binary sequence of the test packet; the entry evaluation value is then computed from z and n by means of Φ(x), the standard normal distribution function.
Step 203: reading the historical data.
Specifically, the history of randomness assessment results for the data stream is read from the data temporary storage block; for the first run, the historical assessed value is 0.
Step 204: weighted comprehensive evaluation.
Specifically, the entry evaluation value and the historical assessed value are weighted and combined to obtain the final assessed value used to judge whether the data stream is encrypted.
Step 205: updating the historical data.
Specifically, the assessed value obtained when step C3 is executed is saved in the data temporary storage block as the historical assessed value, replacing the historical assessed value saved previously.
Step 205: outputting the final assessed value used to judge whether the data stream is encrypted.
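A worked implementation of the window transition and B1/B2 decision of steps 101 to 104 together with the per-packet WARE flow of steps 201 to 205, written as an added example that is not part of the patent. Since the page does not reproduce its final formula, the assessed value is assumed here to be the cumulative-sums p-value of NIST SP 800-22, which is built from the same ingredients (z, n and Φ(x)); z is taken as max|S_k|, the weight alpha of the current packet against the history is assumed, and the names cusum_p_value, assess_packet and classify_stream, the defaults for D, W and N, and the sample packets are all constructed for this example.

```python
import hashlib
import math
from typing import List, Tuple


def phi(x: float) -> float:
    """Standard normal cumulative distribution function Φ(x)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def to_bits(payload: bytes) -> List[int]:
    """Binary sequence of a packet payload, most significant bit first."""
    return [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]


def max_deviation(bits: List[int]) -> int:
    """Steps A1/A2 (C1/C2): map 0 -> -1 to get the deformation series, form the
    partial sums S_1..S_n and return the maximum deviation z.
    Assumption: the page writes z = max[S_1, ..., S_n]; |S_k| is used here, as in
    the cumulative-sums test, so that drift in either direction counts."""
    partial_sum, z = 0, 0
    for bit in bits:
        partial_sum += 1 if bit else -1
        z = max(z, abs(partial_sum))
    return z


def cusum_p_value(z: int, n: int) -> float:
    """Assumed assessed value: the cumulative-sums test of NIST SP 800-22 (2.13),
    the probability that an ideal random walk of n +/-1 steps reaches an
    excursion of z or more. Near 1 for random-looking bits, near 0 for biased
    bits, so 'greater than the threshold W' reads as 'looks encrypted'."""
    if n <= 0 or z <= 0:
        return 0.0
    root_n, ratio = math.sqrt(n), n / z
    hi = math.floor((ratio - 1) / 4) + 1
    sum1 = sum(phi((4 * k + 1) * z / root_n) - phi((4 * k - 1) * z / root_n)
               for k in range(math.floor((-ratio + 1) / 4), hi))
    sum2 = sum(phi((4 * k + 3) * z / root_n) - phi((4 * k + 1) * z / root_n)
               for k in range(math.floor((-ratio - 3) / 4), hi))
    return 1.0 - sum1 + sum2


def assess_packet(payload: bytes) -> float:
    """Entry evaluation value of a single test packet (steps 201/202)."""
    bits = to_bits(payload)
    return cusum_p_value(max_deviation(bits), len(bits))


def classify_stream(packets: List[bytes], D: int = 2, W: float = 0.01,
                    N: int = 3, alpha: float = 0.6) -> Tuple[str, List[int]]:
    """Steps 101-104 with the history weighting of steps 203-205.
    D: delay constant (window size); W: assessment threshold; N: threshold on the
    number of window transitions; alpha: weight of the current packet against the
    historical value (assumed; the page gives no weights).
    Returns the verdict and the indices of the test packets that were examined."""
    history = 0.0                 # step 203: historical value is 0 on the first run
    examined: List[int] = []
    index, I = 0, 1               # the first packet is the first test packet
    while index < len(packets):
        examined.append(index)
        current = assess_packet(packets[index])
        final = alpha * current + (1.0 - alpha) * history   # step 204
        history = final                                      # step 205
        if final > W:                                        # B1: positive
            return "encrypted", examined
        if I - 1 >= N:                                       # B2: N transitions done
            return "clear", examined
        I += 1
        index += D * (I - 1) + 1    # transit a window of d = D x (I - 1) packets
    # Assumption: the page does not say what to do if the stream ends before
    # N transitions; report that case as undetermined rather than guessing.
    return "undetermined", examined


# Constructed sample traffic (not captured data).
HTTP_TEXT = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PLAINTEXT_STREAM = [HTTP_TEXT * 16] * 16      # ASCII payloads: heavily biased bits


def cipher_like_payload(tag: bytes, nbytes: int) -> bytes:
    """Deterministic SHA-256 chain standing in for a ciphertext payload."""
    out, block = b"", tag
    while len(out) < nbytes:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:nbytes]


CIPHER_LIKE_STREAM = [cipher_like_payload(b"pkt%d" % i, 816) for i in range(16)]

if __name__ == "__main__":
    for name, stream in (("plaintext", PLAINTEXT_STREAM), ("cipher-like", CIPHER_LIKE_STREAM)):
        verdict, examined = classify_stream(stream)
        print(f"{name}: {verdict}, test packets at indices {examined}")
```

With D = 2 the test packets fall at indices 0, 3, 8 and 15, so a stream shorter than 16 packets cannot reach N = 3 transitions; the same cusum statistic also passes any well-balanced but structured data, which is the false-positive class a deployment must tolerate or filter.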
Referring to Fig. 5, the protocol-independent encrypted stream recognition device based on window transition of this embodiment comprises a window transition module 301, a randomness assessment module 302 and an encrypted stream determination module 303.
The window transition module 301 reads link traffic and performs independent transitions over the link traffic with a window d = D × (I − 1), where D is the set delay constant and the number of transitions I is an integer greater than 1.
The randomness assessment module 302 performs randomness assessment on the link traffic using the adaptive randomness assessment algorithm based on a weighted cumulative sum.
The encrypted stream determination module 303 judges whether the traffic is an encrypted stream; specifically, if the assessment test result is greater than the preset assessment threshold W, the output is positive and recognition ends; if the assessment result is less than or equal to the preset assessment threshold W, it is further judged whether the number of transitions of the window d has reached the window transition count threshold N; if so, the output is negative and recognition ends, otherwise window transition and judgment continue.
From the above description of the embodiments, those skilled in the art can clearly understand that the present application may be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present application, or in other words the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, comprising instructions that cause a network device (which may be a server, router, routing master controller, etc.) to perform the method described in the embodiments of the present application or in parts of them.
Through the description of the embodiments, the technical means adopted by the present invention to achieve its intended objects and their effects should be understood more deeply and concretely; the accompanying drawings, however, are provided only for reference and explanation and are not intended to limit the present invention.
Claims (9)
1. An encrypted stream recognition method, characterised in that it comprises:
Step 1, selecting a test packet from a data stream on the basis of window transition;
Step 2, calculating an assessed value from the test packet;
Step 3, judging whether the data stream is encrypted on the basis of the assessed value.
2. The encrypted stream recognition method according to claim 1, characterised in that step 1 specifically comprises:
setting a window for reading data packets, the length of the window being the number of data packets between two adjacent test packets;
for a received data stream, selecting the first data packet of the data stream as the first test packet, then using transitions of the window within the data stream to select the subsequent test packets in turn.
3. The encrypted stream recognition method according to claim 2, characterised in that the length of the window transited each time a test packet is selected follows a set functional relation.
4. The encrypted stream recognition method according to claim 3, characterised in that when the set functional relation is an arithmetic progression and the window length is d, the following condition holds: for the I-th test packet selected, the length of the window to be transited is d = D × (I − 1), where D is a set delay constant and I is an integer greater than 1.
5. The encrypted stream recognition method according to claim 1, characterised in that step 2 specifically comprises performing the adaptive randomness assessment algorithm WARE based on a weighted cumulative sum on each test packet, comprising the following process:
A1: replacing every 0 in the binary sequence of the test packet with −1, generating the deformation series η_i;
A2: for the deformation series η_i, computing the partial sums S_k of its first k terms, 1 ≤ k ≤ n, and the maximum deviation z = max[S_1, S_2, ..., S_n] of η_i, where n is the length of the binary sequence of the test packet; the assessed value is then computed from z and n by means of Φ(x), the standard normal distribution function.
6. The encrypted stream recognition method according to claim 5, characterised in that step 2 also comprises:
A3, weighting and combining the assessed value obtained in step A2 with the historical assessed value to obtain the final assessed value used to judge whether the data stream is encrypted;
the historical assessed value is obtained as follows: the assessed value obtained when step A3 is executed is saved as the historical assessed value, replacing the historical assessed value saved previously.
7. The encrypted stream recognition method according to any one of claims 1 to 6, characterised in that step 3 specifically comprises:
judging whether the assessed value corresponding to the test packet is greater than a set assessment threshold; if so, judging the data stream to be an encrypted stream, otherwise judging it to be a cleartext stream.
8. The encrypted stream recognition method according to any one of claims 1 to 6, characterised in that step 3 specifically comprises:
B1, judging whether the assessed value corresponding to the test packet is greater than the set assessment threshold; if so, judging the data stream to be an encrypted stream, otherwise performing step B2;
B2, judging whether the number of window transitions has reached a set count threshold; if so, judging the data stream to be a cleartext stream, otherwise reselecting a test packet according to step 1 and performing the method again.
9. An encrypted stream recognition device, characterised in that it comprises:
a selection module, for selecting a test packet from a data stream on the basis of window transition;
a calculation module, for calculating an assessed value from the test packet;
a judgment module, for judging whether the data stream is encrypted on the basis of the assessed value.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510710376.6A CN105406993A (en) | 2015-10-28 | 2015-10-28 | Encrypted stream recognition method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105406993A true CN105406993A (en) | 2016-03-16 |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160316 |