CN105406993A - Encrypted stream recognition method and device - Google Patents

Abstract

The invention provides an encrypted stream recognition method and a device. The method comprises steps: 1, a to-be-detected data packet is selected in a data stream based on window transition; 2, an evaluation value is calculated according to the to-be-detected data packet; and 3, based on the evaluation value, whether the data stream is encrypted is judged. The device comprises a selection module, a calculation module and a judgment module. Various encrypted data streams can be quickly and accurately recognized, and the universality problem for encrypted flow recognition in the prior art can be solved.

Description

A kind of recognition methods of encryption stream and device

Technical field

The present invention relates to network communication technology field, particularly relate to a kind of recognition methods and device of encryption stream.

Background technology

Online unlawful activities and climb over the walls and penetrate behavior and generally adopt coded communication.In order to Strengthens network management, realize the target of the orderly management and control of network, need ONLINE RECOGNITION encipher flux.Encryption stream identification faces three difficult problems: 1) content of encipher flux varies, and does not possess unified content characteristic, is difficult to coupling; 2) business that the message length of encipher flux, arrival interval and transmission direction are carried by it completely determines there is similar traffic characteristic with clear stream measurer; 3) variation of cryptographic protocol makes the extensibility being completed identification by analysis agreement connection procedure poor.

Existing encryption stream recognition technology, mostly from the feature of shaking hands of cryptographic protocol, utilizing agreement shaking hands and the communication characteristic of key agreement phase, identifying in conjunction with machine learning algorithm.These methods are only effective to the particular version of specific encryption protocol, do not have universality.

Summary of the invention

The technical problem to be solved in the present invention is, provides a kind of recognition methods and device of encryption stream, to solve the Problem of Universality to various encipher flux identification in prior art.

The technical solution used in the present invention is, the recognition methods of described encryption stream, comprising:

Step 1, selects testing data message in a stream based on window transition;

Step 2, calculates assessed value according to testing data message;

Based on assessed value, step 3, judges whether described data flow encrypts.

Further, step 1 specifically comprises:

Arrange the window of a reading data message, the length of described window is the data message quantity at interval between adjacent two testing data messages;

For the data flow received, select the first data message of described data flow as first testing data message, then utilize the transition in a stream of described window to select follow-up testing data message successively.

Further, the length of window of corresponding during each selection testing data message transition all follows the functional relation of setting.

Further, when the functional relation of described setting is arithmetic progression, if the length of described window is d, meet following condition: the testing data message selected for the I time, length d=D × (I-1) of the window of required transition, D are the delay constant of setting, I be greater than 1 integer.

Further, step 2 specifically comprises: perform WARE (Weighting-basedAdaptiveRandomnessEstimation, the self-adapting random assessment algorithm based on weighted cumulative) for each testing data message, comprise following process:

A1: all 0 in the binary sequence of testing data message is replaced with-1, generates Deformation Series η _i;

A2: for Deformation Series η _ifront k item and 1≤k≤n, calculates Deformation Series η _imaximum deviation value z=max [S ₁, S ₂..., S _n], n is the length of the binary sequence of testing data message, then assessed value is $I\left(z\right)=1-\underset{j=\left(\frac{-n}{z}+1\right)/4}{\overset{\left(\frac{n}{z}-1\right)/4}{\Σ}}\[\mathrm{\Φ}\left(\frac{\left(4j+1\right)z}{\sqrt{n}}\right)-\mathrm{\Φ}\left(\frac{\left(4j-1\right)z}{\sqrt{n}}\right)\]+\underset{j=\left(\frac{-n}{z}-3\right)/4}{\overset{\left(\frac{n}{z}-1\right)/4}{\Σ}}\[\mathrm{\Φ}\left(\frac{\left(4j+3\right)z}{\sqrt{n}}\right)-\mathrm{\Φ}\left(\frac{\left(4j+1\right)z}{\sqrt{n}}\right)\],$ Wherein, Φ (x) is Standard Normal Distribution,

Further, step 2 also comprises:

A3, the assessed value obtain steps A 2 and historical evaluation value are weighted comprehensively, obtain final for judging the assessed value whether described data flow encrypts;

The acquisition process of described historical evaluation value comprises: the assessed value obtained during execution of step A3 preserved as historical evaluation value, the historical evaluation value of once preserving before replacement.

Further, step 3 specifically comprises:

Judge whether assessed value that described testing data message is corresponding is greater than the assessment threshold value of setting, if so, then judges that described data flow is as encryption stream, otherwise judges that described data traffic is as clear stream.

Further, step 3 specifically comprises:

B1, judges whether assessed value that described testing data message is corresponding is greater than the assessment threshold value of setting, if so, then judges that described data flow is as encryption stream, otherwise performs step B2;

B2, judges whether the number of times of window transition reaches the frequency threshold value of setting, if so, then judges that described data traffic is as clear stream, otherwise reselects a testing data message according to step 1 and perform described method.

The present invention also provides a kind of recognition device of encryption stream, comprising:

Select module, for selecting testing data message in a stream based on window transition;

Computing module, for calculating assessed value according to testing data message;

Judge module, for judging based on assessed value whether described data flow encrypts.

Adopt technique scheme, the present invention at least has following advantages:

The recognition methods of encryption stream of the present invention and device, can identify the data flow of various encryption fast and accurately, solves the Problem of Universality to various encipher flux identification in prior art.

Accompanying drawing explanation

Fig. 1 is the recognition methods flow chart of the encryption stream of first embodiment of the invention;

Fig. 2 is the recognition device composition schematic diagram of the encryption stream of second embodiment of the invention;

Fig. 3 is the uncorrelated encryption stream of the agreement based on the window transition recognition methods flow chart of third embodiment of the invention;

Fig. 4 is the particular flow sheet of the enforcement of the data message to the desirable identification point WARE algorithm of third embodiment of the invention;

Fig. 5 is the uncorrelated encryption stream of the agreement based on the window transition recognition device structural representation of third embodiment of the invention.

Embodiment

For further setting forth the present invention for the technological means reaching predetermined object and take and effect, below in conjunction with accompanying drawing and preferred embodiment, the present invention is described in detail as after.

First embodiment of the invention, a kind of recognition methods of encryption stream, as shown in Figure 1, comprises following concrete steps:

Step S101, selects testing data message in a stream based on window transition.

Concrete, step S101 comprises:

Arrange the window of a reading data message, the length of described window is the data message quantity at interval between adjacent two testing data messages;

For the data flow received, select the first data message of described data flow as first testing data message, then utilize the transition in a stream of described window to select follow-up testing data message successively.

Further, the length of window of corresponding during each selection testing data message transition all follows the functional relation of setting.Such as, when the functional relation of this setting is arithmetic progression, if the length of described window is d, meet following condition: the testing data message selected for the I time, length d=D × (I-1) of the window of required transition, D are the delay constant of setting, I be greater than 1 integer.

Step S102, calculates assessed value according to testing data message.

Concrete, step S102 comprises: perform WARE algorithm for each testing data message, comprise following process:

A1: all 0 in the binary sequence of testing data message is replaced with-1, generates Deformation Series η _i;

A2: for Deformation Series η _ifront k item and 1≤k≤n, calculates Deformation Series η _imaximum deviation value z=max [S ₁, S ₂..., S _n], n is the length of the binary sequence of testing data message, then assessed value is $I\left(z\right)=1-\underset{j=\left(\frac{-n}{z}+1\right)/4}{\overset{\left(\frac{n}{z}-1\right)/4}{\Σ}}\[\mathrm{\Φ}\left(\frac{\left(4j+1\right)z}{\sqrt{n}}\right)-\mathrm{\Φ}\left(\frac{\left(4j-1\right)z}{\sqrt{n}}\right)\]+\underset{j=\left(\frac{-n}{z}-3\right)/4}{\overset{\left(\frac{n}{z}-1\right)/4}{\Σ}}\[\mathrm{\Φ}\left(\frac{\left(4j+3\right)z}{\sqrt{n}}\right)-\mathrm{\Φ}\left(\frac{\left(4j+1\right)z}{\sqrt{n}}\right)\],$ Wherein, Φ (x) is Standard Normal Distribution,

Preferably, in order to improve the accuracy of judgement degree to encrypting traffic further, the step S102 of the present embodiment also comprises following concrete steps:

A3, the assessed value obtain steps A 2 and historical evaluation value are weighted comprehensively, obtain final for judging the assessed value whether described data flow encrypts;

The acquisition process of described historical evaluation value comprises: the assessed value obtained during execution of step A3 preserved as historical evaluation value, the historical evaluation value of once preserving before replacement.

Based on assessed value, step S103, judges whether described data flow encrypts.

Concrete, step S103 specifically comprises:

Judge whether assessed value that described testing data message is corresponding is greater than the assessment threshold value of setting, if so, then judges that described data flow is as encryption stream, otherwise judges that described data traffic is as clear stream.

Preferably, in order to improve the efficiency of the judgement to encrypting traffic further, step S103 can also implement according to following detailed process:

B1, judges whether assessed value that described testing data message is corresponding is greater than the assessment threshold value of setting, if so, then judges that described data flow is as encryption stream, otherwise performs step B2;

B2, judges whether the number of times of window transition reaches the frequency threshold value of setting, if so, then judges that described data traffic is as clear stream, otherwise reselects a testing data message according to step 1 and perform described method.

Second embodiment of the invention, the recognition device that provide a kind of encryption stream corresponding with the first embodiment, as shown in Figure 2, comprises following part:

1) module 10 is selected, for selecting testing data message in a stream based on window transition;

Concrete, select module 10 for the window arranging a reading data message, the length of described window is the data message quantity at interval between adjacent two testing data messages;

For the data flow received, select the first data message of described data flow as first testing data message, then utilize the transition in a stream of described window to select follow-up testing data message successively.

2) computing module 20, for calculating assessed value according to testing data message;

Concrete, computing module 20 for: perform WARE algorithm for each testing data message, concrete implementation is described in detail in a first embodiment.

3) judge module 30, for judging based on assessed value whether described data flow encrypts.

Concrete, judge module 30 for: judge whether assessed value that described testing data message is corresponding is greater than the assessment threshold value of setting, if so, then judges that described data flow is as encryption stream, otherwise judges that described data traffic is as clear stream.

Preferably, in order to improve the efficiency of the judgement to encrypting traffic further, judge module 30 for: can also be used for:

Whether the first-selected assessed value judging that described testing data message is corresponding is greater than the assessment threshold value of setting, if be greater than the assessment threshold value of setting, then judges that described data flow is as encryption stream; If be less than or equal to the assessment threshold value of setting, then judge whether the number of times of window transition reaches the frequency threshold value of setting, if so, then judge that described data traffic is as clear stream, otherwise call and select module 10 to reselect a testing data message and process.

Third embodiment of the invention, the present embodiment provides an application example on the basis of above-described embodiment, introduce the uncorrelated encryption stream recognition methods of a kind of agreement based on window transition, technical scheme in the embodiment of the present application is understood better in order to make those skilled in the art person, and enable the object of the present embodiment, feature and advantage become apparent more, be described in further detail below in conjunction with technical scheme in accompanying drawing 3 ~ 5 pairs of the embodiment of the present application.

Before detailed description the present embodiment, first the symbol that may relate in the present embodiment is illustrated as follows:

WARE: based on the self-adapting random assessment algorithm of weighted cumulative;

D: the delay constant of setting, i.e. window size

W: default for judging whether as the assessment threshold values of encryption stream

N: the number of times threshold values of window transition

See Fig. 3, for the flow process of the uncorrelated encryption stream of the agreement based on the window transition recognition methods of the present embodiment is as follows:

Step 101: the desirable identification point examination choosing based on window transition is carried out to the data message received.

Concrete, first data message of the data flow received is elected in first desirable identification point examination as, and follow-up examination choosing carries out transition sized by window d.

The examination choosing of desirable identification point is here similar to the selection of the testing data message in above-described embodiment,

Step 102: the randomness assessment test based on weighted cumulative is carried out to data message at desirable identification point.

Concrete, WARE algorithm is implemented to the data message of desirable identification point, draws assessment test result, and be buffered in data temporary storage block.

Step 103: comparative evaluation test result and setting threshold values.

Concrete, if assessment test result is greater than default assessment threshold values W, then export as positive, and terminate to identify; If assessment result is less than or equal to default assessment threshold values W, then judge whether whether the transition times of window d reaches the number of times threshold values N of window transition further, if arrived, then export as negative, and terminate to identify, otherwise proceed window transition, examination selects next desirable identification point to perform above-mentioned steps.

Here, the positive refers to and is judged to be encryption stream, and feminine gender refers to and is judged to be clear stream.

Step 104: terminate judge and export result of determination.

Concrete, as long as once test Identification display to go out enciphered data, then complete the identification of data flow, recognition result is positive.If identify enciphered data not yet after exceeding the number of times threshold values N of window transition, then recognition result is negative.The setting of the number of times threshold values N of window transition is determined by system processing power.

See Fig. 4, in a step 102, WARE algorithm is implemented to the data message of desirable identification point, draws the idiographic flow of assessment test result, as follows:

Step 201: receive testing data message.

Step 202: single packet stored counts.

Concrete, step 202 comprises:

C1: all 0 in the binary sequence of this testing data message is replaced with-1, generates new Deformation Series.

C2: calculate Deformation Series front k item and 1≤k≤n, calculates Deformation Series η _imaximum deviation value z=max [S ₁, S ₂..., S _n], n is the length of the binary sequence of testing data message, then entry evaluation value is $I\left(z\right)=1-\underset{j=\left(\frac{-n}{z}+1\right)/4}{\overset{\left(\frac{n}{z}-1\right)/4}{\Σ}}\[\mathrm{\Φ}\left(\frac{\left(4j+1\right)z}{\sqrt{n}}\right)-\mathrm{\Φ}\left(\frac{\left(4j-1\right)z}{\sqrt{n}}\right)\]+\underset{j=\left(\frac{-n}{z}-3\right)/4}{\overset{\left(\frac{n}{z}-1\right)/4}{\Σ}}\[\mathrm{\Φ}\left(\frac{\left(4j+3\right)z}{\sqrt{n}}\right)-\mathrm{\Φ}\left(\frac{\left(4j+1\right)z}{\sqrt{n}}\right)\],$ Wherein, Φ (x) is Standard Normal Distribution,

Step 203: read historical data.

Concrete, the randomness assessment result history of reading data flow from data temporary storage block, for first time operation, historical evaluation value is 0.

Step 204: weighted comprehensive evaluation operation.

Concrete, entry evaluation value and historical evaluation value being weighted comprehensively, obtaining final for judging the assessed value whether described data flow encrypts.

Step 205: upgrade historical data.

Concrete, the assessed value obtained during execution of step C3 is saved in data temporary storage block as historical evaluation value, the historical evaluation value of once preserving before replacement.

Step 205: export final for judging the assessed value whether described data flow encrypts.

See Fig. 5, the uncorrelated encryption stream of the agreement based on the window transition recognition device of the present embodiment, comprises: window transition module 301, randomness evaluation module 302 and encryption stream determination module 303.

Wherein, window transition module 301, for reading link flow, carries out transition independently with window d=D × (I-1) on link flow, D be setting delay constant, the number of times I of transition be greater than 1 integer.

Randomness evaluation module 302, for the self-adapting random assessment algorithm based on weighted cumulative, carries out randomness assessment to link flow.

Encryption stream determination module 303, for judging flow whether as encryption stream, concrete, if assessment test result is greater than default assessment threshold values W, then export as positive, and terminate to identify; If assessment result is less than or equal to default assessment threshold values W, then judge whether whether the transition times of window d reaches the number of times threshold values N of window transition further, if arrived, then export as negative, and terminate to identify, otherwise proceed window transition and judgement.

As seen through the above description of the embodiments, those skilled in the art can be well understood to the mode that the application can add required general hardware platform by software and realizes.Based on such understanding, the technical scheme of the application can embody with the form of software product the part that prior art contributes in essence in other words, this computer software product can be stored in storage medium, as ROM/RAM, magnetic disc, CD etc., comprising some instructions in order to make a network equipment (can be server, router, route master control etc.) perform the method described in some part of each embodiment of the application or embodiment.

By the explanation of embodiment, should to the present invention for the technological means reaching predetermined object and take and effect be able to more deeply and concrete understanding, but appended diagram be only to provide with reference to and the use of explanation, be not used for being limited the present invention.

Claims (9)

1. a recognition methods for encryption stream, is characterized in that, comprising:

Step 1, selects testing data message in a stream based on window transition;

Step 2, calculates assessed value according to testing data message;

Based on assessed value, step 3, judges whether described data flow encrypts.

2. the recognition methods of encryption stream according to claim 1, is characterized in that, step 1 specifically comprises:

Arrange the window of a reading data message, the length of described window is the data message quantity at interval between adjacent two testing data messages;

For the data flow received, select the first data message of described data flow as first testing data message, then utilize the transition in a stream of described window to select follow-up testing data message successively.

3. the recognition methods of encryption stream according to claim 2, is characterized in that, the length of window of transition corresponding during each selection testing data message all follows the functional relation of setting.

4. the recognition methods of encryption stream according to claim 3, it is characterized in that, when the functional relation of described setting is arithmetic progression, if the length of described window is d, meet following condition: the testing data message selected for the I time, length d=D × (I-1) of the window of required transition, D are the delay constant of setting, I be greater than 1 integer.

5. the recognition methods of encryption stream according to claim 1, is characterized in that, step 2 specifically comprises: perform the self-adapting random assessment algorithm WARE based on weighted cumulative for each testing data message, comprise following process:

A1: all 0 in the binary sequence of testing data message is replaced with-1, generates Deformation Series η _i;

A2: for Deformation Series η _ifront k item and 1≤k≤n, calculates Deformation Series η _imaximum deviation value z=max [S ₁, S ₂..., S _n], n is the length of the binary sequence of testing data message, then assessed value is wherein, Φ (x) is Standard Normal Distribution,

6. the recognition methods of encryption stream according to claim 5, is characterized in that, step 2 also comprises:

A3, the assessed value obtain steps A 2 and historical evaluation value are weighted comprehensively, obtain final for judging the assessed value whether described data flow encrypts;

The acquisition process of described historical evaluation value comprises: the assessed value obtained during execution of step A3 preserved as historical evaluation value, the historical evaluation value of once preserving before replacement.

7. the recognition methods of the encryption stream according to any one of claim 1 ~ 6, is characterized in that, step 3 specifically comprises:

Judge whether assessed value that described testing data message is corresponding is greater than the assessment threshold value of setting, if so, then judges that described data flow is as encryption stream, otherwise judges that described data traffic is as clear stream.

8. the recognition methods of the encryption stream according to any one of claim 1 ~ 6, is characterized in that, step 3 specifically comprises:

B1, judges whether assessed value that described testing data message is corresponding is greater than the assessment threshold value of setting, if so, then judges that described data flow is as encryption stream, otherwise performs step B2;

B2, judges whether the number of times of window transition reaches the frequency threshold value of setting, if so, then judges that described data traffic is as clear stream, otherwise reselects a testing data message according to step 1 and perform described method.

9. a recognition device for encryption stream, is characterized in that, comprising:

Select module, for selecting testing data message in a stream based on window transition;

Computing module, for calculating assessed value according to testing data message;

Judge module, for judging based on assessed value whether described data flow encrypts.