CN109981485A - V2ray traffic identification method based on long short-term memory network - Google Patents

V2ray traffic identification method based on long short-term memory network

Info

Publication number: CN109981485A
Authority: CN (China)
Prior art keywords: data, v2ray, data packet, short, long term
Legal status: Withdrawn
Application number: CN201910225762.4A
Other languages: Chinese (zh)
Inventors: 罗森林, 王帅鹏, 潘丽敏
Current Assignee: Beijing Institute of Technology BIT
Original Assignee: Beijing Institute of Technology BIT
Application filed by: Beijing Institute of Technology BIT

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00: Traffic control in data switching networks
    • H04L47/10: Flow control; Congestion control
    • H04L47/24: Traffic characterised by specific attributes, e.g. priority or QoS
    • H04L47/2483: Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; Name-to-address mapping
    • H04L61/4505: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22: Parsing or analysis of headers

Abstract

The present invention relates to a V2ray traffic identification method based on a long short-term memory (LSTM) network, and belongs to the field of computer network security. It mainly addresses two problems of methods based on convolutional neural networks, which convert the data into images before training: the resulting model is poorly interpretable, and the time-series features of encrypted traffic are not used. The invention first obtains data link layer packets of V2ray traffic and ordinary traffic from a switch and labels them; second, it removes packets that carry no useful information and redundant packets; it then zeroes the bytes that could adversely affect model training and adjusts the packet length; finally, it trains a long short-term memory network on the preprocessed data. The method learns the time-series relationships of V2ray traffic and achieves good identification performance without feature extraction and selection.

Description

V2ray traffic identification method based on long short-term memory network
Technical field
The present invention relates to a V2ray traffic identification method based on a long short-term memory network, and belongs to the field of computer network security.
Background
V2ray is a new kind of network communication encryption software. It supports multiple encryption protocols and offers functions such as dynamic port binding and port forwarding, which give it high flexibility and concealment. Current encrypted traffic identification methods fall mainly into rule-matching methods, machine-learning methods and deep-learning methods.
1. Methods based on rule matching
Rule-matching methods identify encrypted communication software by comparing traffic against encrypted-traffic features held in a database, such as port information and specific bytes. The steps are simple and the decision is very fast, but port forwarding, random port allocation, traffic camouflage and similar techniques have greatly reduced the accuracy of port-based identification.
2. Methods based on machine learning
Machine-learning methods identify encrypted traffic by learning its statistical features. They achieve high accuracy and do not depend on easily changed features such as port numbers. However, they require feature extraction and feature selection, a process with high time and labor costs, and some machine learning algorithms, such as the K-NN classifier, are slow at identification.
3. Methods based on deep neural networks
Deep-learning-based V2ray traffic identification methods can automatically learn and extract the feature information contained in encrypted traffic without manual feature extraction and selection, and are therefore favored by industry; among them, convolutional neural networks are the most widely applied.
In summary, with the continuous development of machine learning and deep learning in recent years, more and more deep learning techniques are being applied to computer security. Existing methods based on convolutional neural networks have the following problems: (1) they convert the data into images before training the convolutional neural network, so the model is poorly interpretable; (2) they do not use the time-series features of encrypted traffic.
Summary of the invention
To address the problems that existing V2ray traffic monitoring models using deep neural networks are poorly interpretable and do not exploit the time-series features of V2ray traffic, the invention proposes a V2ray traffic identification method based on a long short-term memory network.
The technical solution of the invention is achieved by the following steps:
Step 1: obtain data link layer packets from a switch device and label them.
Step 1.1: label these packets as V2ray traffic or other traffic.
Step 2: remove packets that carry no useful information and redundant packets from the data.
Step 2.1: remove TCP three-way handshake packets.
Step 2.2: remove DNS name resolution packets.
Step 2.3: retain the first 16 packets of each communication, and treat these 16 packets as one sample in the data set.
Step 3: process the data link layer packets.
Step 3.1: remove the data link layer header to obtain the network layer packet.
Step 3.2: pad the UDP header so that its length matches that of the TCP header.
Step 3.3: remove the information representing IP addresses and ports from the network layer packet header.
Step 3.4: adjust the packet lengths so that they are uniform.
Step 4: train a long short-term memory network on the preprocessed data.
Beneficial effects
Compared with rule-matching methods, the invention does not depend on port features or packet content features, and has lower false-positive and false-negative rates.
Compared with machine-learning methods, the invention requires no feature extraction or feature selection, which reduces the complexity and labor cost of V2ray traffic identification.
Compared with methods based on convolutional neural networks, the invention can record and learn the temporal relationships in a data flow, which improves the accuracy of V2ray traffic identification.
Brief description of the drawings
Fig. 1 is a schematic diagram of the V2ray traffic identification method based on a long short-term memory network.
Detailed description of the embodiment
To better illustrate the objects and advantages of the invention, an embodiment of the method is described in further detail below.
1) The required data is obtained from a switch mirror port. Packets captured this way have a uniform format that is independent of the communication equipment model, and the method needs no additional modification when it is deployed on a switch device. The captured data must be labeled as V2ray traffic or other traffic.
2) Remove packets that carry no useful information and redundant packets from the data. A TCP connection performs a three-way handshake to ensure reliability; the SYN, ACK and FIN type TCP packets generated during the three-way handshake contain no data and cannot provide useful information for V2ray traffic identification, so these packets can be safely discarded. DNS packets are responsible for domain name resolution and likewise do not help traffic monitoring, so they should be discarded.
3) The V2ray server and client need to exchange keys in advance for each communication, so the earliest packets of each communication have distinctive features, while the packets generated afterwards carry encrypted information whose content is more random. We therefore retain only the first 16 packets of each communication for traffic identification.
4) The header obtained at the data link layer is MAC address information, which differs from device to device and needs to be removed.
5) The UDP header is 8 bytes long and the TCP header is 20 bytes long; to unify the packet format, the UDP header is zero-padded to 20 bytes.
6) The TCP header and UDP header contain the destination address, destination port, source address and source port. During data collection we used a limited number of clients and servers, so this information is relatively fixed. To keep the neural network from learning these features during training, this information should be filled with 0.
7) A deep neural network requires fixed-length input. Since most packets on the Internet are no longer than 1500 bytes, we set the length of every packet to 1500 bytes by zero padding and truncation.
8) Train the long short-term memory network on the processed data to obtain the final model.
9) The model, whose schematic diagram is shown in Fig. 1, can then perform V2ray traffic identification.
The specific description above further details the purpose, technical solution and beneficial effects of the invention. It should be understood that the above is only a specific embodiment of the invention and is not intended to limit its scope of protection; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.
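The preprocessing of steps 2 and 3, as an added Python example that is not part of the patent text. It assumes untagged IPv4 Ethernet frames already grouped per communication, treats "handshake packets" as TCP segments without payload, and zero-pads communications shorter than 16 packets; `make_frame` and `SAMPLE` are constructed test input, and the LSTM training of step 4 is not shown.

```python
import struct

ETH_LEN, TCP_HDR, UDP_HDR = 14, 20, 8     # header sizes in bytes
PKT_LEN, FLOW_PKTS = 1500, 16             # values given in the description

def preprocess_frame(frame):
    """Steps 2.1-3.4 for one Ethernet frame; returns 1500 bytes or None if dropped."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None                       # assumption: untagged IPv4 frames only
    ip = bytearray(frame[ETH_LEN:])       # 3.1: strip the data link layer header
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]   # drop Ethernet trailer padding
    if proto == 6:                        # TCP
        if len(ip) < ihl + TCP_HDR:
            return None
        if len(ip) <= ihl + (ip[ihl + 12] >> 4) * 4:
            return None                   # 2.1: SYN/ACK/FIN segments carry no data
    elif proto == 17:                     # UDP
        if len(ip) < ihl + UDP_HDR:
            return None
        # 3.2: zero-pad the 8-byte UDP header to the 20-byte TCP header length
        ip[ihl + UDP_HDR:ihl + UDP_HDR] = bytes(TCP_HDR - UDP_HDR)
    else:
        return None                       # assumption: other protocols are skipped
    if 53 in struct.unpack("!HH", ip[ihl:ihl + 4]):
        return None                       # 2.2: DNS name resolution
    ip[12:20] = bytes(8)                  # 3.3: zero source/destination IP address
    ip[ihl:ihl + 4] = bytes(4)            # 3.3: zero source/destination port
    return bytes(ip[:PKT_LEN]).ljust(PKT_LEN, b"\x00")   # 3.4: truncate or zero-pad

def flow_sample(frames):
    """2.3: the first 16 surviving packets of one communication form one sample."""
    kept = [p for p in map(preprocess_frame, frames) if p is not None][:FLOW_PKTS]
    # assumption: a communication with fewer than 16 packets is padded with zero rows
    return kept + [bytes(PKT_LEN)] * (FLOW_PKTS - len(kept))

def make_frame(proto, sport, dport, payload, flags=0x18):
    """Constructed test input: Ethernet + IPv4 + TCP/UDP, checksums left at 0."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(12) + b"\x08\x00" + ip + l4 + payload

SAMPLE = [                                            # constructed, not captured
    make_frame(6, 40000, 443, b"", flags=0x02),       # SYN: dropped
    make_frame(17, 40001, 53, b"\x12\x34query"),      # DNS: dropped
    make_frame(6, 40000, 443, b"\x16\x03\x01hello"),  # TCP data: kept
    make_frame(17, 40002, 10086, b"udp-data"),        # UDP data: kept
]
```

`flow_sample(SAMPLE)` returns 16 rows of 1500 bytes for one communication. The checksum fields are left as captured, since the description does not say whether they are zeroed.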

Claims (5)

1. A V2ray traffic identification method based on a long short-term memory network, characterized in that the method comprises the following steps:
Step 1: obtain data link layer packets from a switch device and label them as V2ray traffic or other traffic;
Step 2: remove packets that carry no useful information and redundant packets from the data: remove TCP three-way handshake packets, remove DNS name resolution packets, retain the first 16 packets of each communication, and treat these 16 packets as one sample in the data set;
Step 3: process the data link layer packets: remove the data link layer header to obtain the network layer packet, pad the UDP header so that its length matches that of the TCP header, remove the information representing IP addresses and ports from the network layer packet header, and adjust the packet lengths so that they are uniform;
Step 4: train a long short-term memory network on the preprocessed data.
2. The V2ray traffic identification method based on a long short-term memory network according to claim 1, characterized in that: in step 2, TCP three-way handshake packets are removed, DNS name resolution packets are removed, and the first 16 packets of each communication are retained.
3. The V2ray traffic identification method based on a long short-term memory network according to claim 1, characterized in that: in step 3, the UDP header is zero-padded to 20 bytes.
4. The V2ray traffic identification method based on a long short-term memory network according to claim 1, characterized in that: in step 3, the bytes of the TCP header and UDP header that represent the destination address, destination port, source address and source port are set to 0.
5. The V2ray traffic identification method based on a long short-term memory network according to claim 1, characterized in that: in step 3, the length of each packet is set to 1500 bytes by zero padding and truncation.
Priority Applications (1)

Application Number: CN201910225762.4A (CN109981485A)
Priority Date: 2019-03-25
Filing Date: 2019-03-25
Title: V2ray traffic identification method based on long short-term memory network
Status: Withdrawn

Publications (1)

Publication Number: CN109981485A
Publication Date: 2019-07-05

Family

ID=67080376

Country Status (1)

Country: CN
Link: CN109981485A (en)

Legal Events

Code Title
PB01 Publication
WW01 Invention patent application withdrawn after publication

Application publication date: 20190705