CN110868409A - Passive operating system identification method and system based on TCP/IP protocol stack fingerprint - Google Patents


Info

Publication number: CN110868409A
Authority: CN (China)
Prior art keywords: operating system, tcp, data, session, passive
Legal status: Pending
Application number: CN201911086474.1A
Other languages: Chinese (zh)
Inventors: 石俊峥, 熊刚, 范鑫磊, 苟高鹏, 李镇, 宋嘉莹, 刘梦严
Current Assignee: Institute of Information Engineering of CAS
Original Assignee: Institute of Information Engineering of CAS
Priority date: 2019-11-08
Filing date: 2019-11-08
Publication date: 2020-03-06

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/142 Network analysis or design using statistical or mathematical methods
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]


Abstract

The invention provides a method and a system for passively identifying an operating system based on TCP/IP protocol stack fingerprints. Without decrypting the encrypted network traffic, it identifies the type and major version of a client's operating system from header fields of the IP, TCP and TLS protocols together with statistical information about the packet lengths and packet transmission timing of the network flow; this in turn allows the network security vulnerability risk of each host in a target network to be assessed and the number of NAT devices in the Internet to be inferred. The invention borrows from prior results in the field of traffic classification by adding statistical features of the network flow to the feature set, which sharpens the distinction between flows of different operating systems; and it uses the LightGBM model as the machine-learning model for this identification task for the first time, exploiting the model's native support for categorical feature input to avoid the feature-dimension explosion that one-hot encoding of multi-dimensional categorical features would cause.

Description

Passive operating system identification method and system based on TCP/IP protocol stack fingerprint
Technical Field
The invention relates to a passive identification method and system for operating systems based on TCP/IP protocol stack fingerprints, and belongs to the technical field of computer software.
Background
In recent years, network monitoring and management techniques have faced growing problems and challenges from the spread of smart devices and the development of network encryption techniques. It is well known that knowing the operating system of every host in a local network is an essential step in tasks such as securing the network and optimizing network management. On the one hand, most network vulnerabilities are tied to specific operating system types and versions, so an administrator who knows the operating system of each host in the local network can patch potential vulnerabilities in time and avert malicious attacks; on the other hand, Network Address Translation (NAT) devices are increasingly deployed in the Internet, seriously damaging the end-to-end property of the IP protocol and increasing the complexity of the network topology, and research on operating system identification methods can be used to measure the size of NATs in the network.
Methods for identifying client operating system information in a network fall into two categories: active and passive. An active identification method constructs specific network messages, sends them to the host under test, and infers the operating system of that host from its responses; it is therefore highly targeted and accurate. However, active identification is easily detected and blocked by security devices such as intrusion detection systems or network firewalls, in which case the probe packets never reach the target host, so active identification suits only a small number of scenarios. In contrast, a passive identification method needs no interaction with the target host: it only monitors the packets in the network and identifies the target host's operating system by extracting protocol header information, payload information and other information from those packets. Because passive identification is not affected by security equipment such as firewalls, it has a wider range of application, but its limitation is that its identification accuracy is comparatively poor.
The research objects of passive operating system identification can be divided into plaintext traffic and encrypted traffic according to whether the traffic is encrypted. For plaintext traffic, the mainstream passive method uses Deep Packet Inspection (DPI) to obtain characteristic application-layer strings from the network packets and, combined with regular-expression matching, looks up the client's operating system information in a pre-built dictionary or database. For example, the client's operating system can be obtained from the User-Agent field of the HTTP protocol, from operating-system-vendor domain names in the DNS protocol, from the server address used by the NTP protocol, and so on.
For encrypted traffic, passive operating system identification typically exploits slight differences between operating systems' implementations of the TCP/IP protocol stack and differences in device performance. For different operating system types, a great deal of operating system information is hidden in the TCP handshake message and the TLS Client Hello message that the client sends to the server. For example, the initial TTL value and message length of the IP layer, the initial window size (WIN), initial MSS and option sequence of the TCP layer, and the TLS version, cipher suite sequence and extension type sequence of the TLS layer, among other information, can together form a fingerprint for identifying operating system information.
However, the above methods are not suited to fine-grained identification of the operating systems of large numbers of hosts in an encrypted network. Using only the IP-layer and TCP-layer information of the TCP handshake message, the accuracy, recall and precision achieved when identifying the major version of the client operating system are very low and cannot meet the requirements. Therefore, introducing new fingerprint features from the network flow, such as TLS-layer parameter information and statistical information about the flow, and combining them with a better-performing machine-learning model, is the key to fine-grained identification of operating system information for large numbers of hosts in an encrypted network.
Disclosure of Invention
The invention aims to combine prior achievements with a new method of processing network flow features in order to overcome the poor precision and coarse granularity with which the prior art identifies the client operating system of encrypted traffic in a dynamic network. Without decrypting the encrypted network traffic, it identifies the type and major version of the client's operating system from header fields of the IP, TCP and TLS protocols together with statistical information about the packet lengths and packet transmission timing of the network flow, so that the network security vulnerability risk of each host in a target network can be assessed and the number of NAT devices in the Internet inferred.
The technical scheme of the invention is as follows:
A passive identification method for operating systems based on TCP/IP protocol stack fingerprints comprises the following steps:
(1) acquiring the encrypted traffic data to be tested, and labelling the attributes of all samples in the data set by active and passive methods;
(2) taking the tuple <IP source, IP destination, Port source, Port destination> as the unique identifier of one network session, and extracting, for each session, the IP-layer and TCP-layer header parameters of the TCP SYN message, the TLS-layer header parameters, and statistical information about the packet lengths and the differences between adjacent packet arrival times over the whole session, to obtain a feature set;
(3) inputting the extracted feature data into a trained passive operating system recognition model to obtain the operating system information of the client of the traffic under test; wherein
the passive operating system recognition model is obtained by the following training method:
(a) acquiring encrypted traffic data of different operating system types and versions as a sample data set, and labelling the attributes of all samples in the sample data set by active and passive methods;
(b) extracting flow features from the labelled traffic data: taking the tuple <IP source, IP destination, Port source, Port destination> as the unique identifier of one network session, extracting the IP-layer and TCP-layer header parameters of the TCP SYN message and the TLS-layer header parameters in each session to obtain the header-field feature set of the session, and constructing a Markov state transition probability matrix from the packet length and packet arrival time sequences of the whole session to obtain the statistical feature set of the session;
(c) training the LightGBM model with the feature set data as input.
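As an added illustration of the header extraction in step (2)/(b) (example code written for this page, not the patent's implementation), the following Python parses a constructed IPv4/TCP SYN packet into the IP- and TCP-layer fields the description names. The rounding of an observed TTL up to 32/64/128/255 to recover the "TTL initial value" is this example's assumption, as is the constructed packet itself.

```python
import struct
from typing import Optional


def build_sample_syn() -> bytes:
    """Constructed IPv4 + TCP SYN packet (not a capture): DF set, TTL 64,
    window 64240, options MSS / SACK-permitted / timestamps / NOP / window scale."""
    options = (b"\x02\x04\x05\xb4"          # kind 2: MSS 1460
               + b"\x04\x02"                # kind 4: SACK permitted
               + b"\x08\x0a" + bytes(8)     # kind 8: timestamps (values zeroed)
               + b"\x01"                    # kind 1: NOP
               + b"\x03\x03\x07")           # kind 3: window scale 7
    data_offset = 5 + len(options) // 4     # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, data_offset << 4,
                      0x02, 64240, 0, 0) + options   # flags 0x02 = SYN only
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def initial_ttl_guess(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (assumed set)."""
    for initial in (32, 64, 128, 255):
        if observed_ttl <= initial:
            return initial
    return 255


def parse_syn_features(pkt: bytes) -> Optional[dict]:
    """Return the IP/TCP header features of a client SYN, or None when the bytes
    are not an IPv4 TCP SYN (SYN/ACKs from the server side are rejected too)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_length = struct.unpack("!H", pkt[2:4])[0]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    ttl, proto = pkt[8], pkt[9]
    if proto != 6 or len(pkt) < ihl + 20:
        return None
    tcp = pkt[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02 or len(tcp) < data_offset:
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    options = tcp[20:data_offset]
    kinds, mss, wscale = [], None, None
    i = 0
    while i < len(options):
        kind = options[i]
        kinds.append(kind)
        if kind == 0:                  # EOL: nothing follows
            break
        if kind == 1:                  # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(options):      # truncated option
            break
        length = options[i + 1]
        if length < 2:                 # malformed length; stop instead of looping forever
            break
        value = options[i + 2:i + length]
        if kind == 2 and len(value) == 2:
            mss = struct.unpack("!H", value)[0]
        elif kind == 3 and len(value) == 1:
            wscale = value[0]
        i += length
    return {
        "ttl": ttl,
        "initial_ttl": initial_ttl_guess(ttl),
        "total_length": total_length,
        "df": (flags_frag >> 14) & 1,   # Don't Fragment bit of the IP flags field
        "window": window,
        "mss": mss,
        "wscale": wscale,
        "option_kinds": kinds,          # option type sequence, e.g. [2, 4, 8, 1, 3]
    }
```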
Further, the operating system types for which encrypted traffic data is collected in the method include Windows, MacOS, Linux, Android and iOS; the operating system versions comprise the mainstream versions of these five types, and 21 mainstream versions are collected in one embodiment of the invention.
Further, before being input to the model, the feature data extracted in the method is preprocessed: missing data is filled in, the data is normalized, and text features are converted into discrete numerical features.
Further, the model training of step (c) also includes continuously adjusting and optimizing the model through K-fold cross validation, and evaluating its performance using indexes such as accuracy, recall, precision, the P-R curve and the confusion matrix.
Further, the operating system information in step (3) includes the operating system type and version.
A passive operating system identification system based on TCP/IP protocol stack fingerprints, comprising:
a data acquisition module, which acquires the encrypted traffic data to be tested and labels the attributes of all samples in the data set by active and passive methods;
a feature data extraction module, which takes the tuple <IP source, IP destination, Port source, Port destination> as the unique identifier of one network session and extracts, for each session, the IP-layer and TCP-layer header parameters of the TCP SYN message, the TLS-layer header parameters, and statistical information about the packet lengths and the differences between adjacent packet arrival times over the whole session, to obtain a feature set;
an identification module, which inputs the extracted feature data into a trained passive operating system recognition model to obtain the operating system information of the client of the traffic under test;
a model training module, which acquires encrypted traffic data of different operating system types and versions as a sample data set, labels the attributes of all samples in the sample data set by active and passive methods, and extracts flow features from the labelled traffic data: taking the tuple <IP source, IP destination, Port source, Port destination> as the unique identifier of one network session, extracting the IP-layer and TCP-layer header parameters of the TCP SYN message and the TLS-layer header parameters in each session to obtain the header-field feature set of the session, constructing a Markov state transition probability matrix from the packet length and packet arrival time sequences of the whole session to obtain the statistical feature set of the session, and training the LightGBM model with the feature set data as input.
A server comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, characterized in that the computer program comprises instructions for performing the steps of the above method.
A computer-readable storage medium, characterized in that it stores a computer program comprising instructions for the steps of the above method.
The main innovations of the invention are:
on top of the header information of the IP and TCP protocols, information from the TLS protocol such as the version number, cipher suite sequence and extension type sequence is introduced, improving the effectiveness and performance of the machine-learning model at identifying operating system information;
drawing on existing results in the field of traffic classification, statistical features of the network flow are added to the feature set, sharpening the distinction between flows of different operating systems;
the LightGBM model is used as the machine-learning model for the identification task for the first time, and its native support for categorical feature input avoids the feature-dimension explosion that one-hot encoding of multi-dimensional categorical features would cause.
When the method provided by the invention is used to identify client operating system information in encrypted traffic, it has the following advantages:
(1) Information from the TLS protocol such as the version number, cipher suite sequence and extension type sequence is used, enriching the feature types available to the operating system fingerprinting task and at the same time improving the effectiveness and performance of the machine-learning model at identifying operating system information.
(2) In extracting the statistical features of the network flow, the transmission relationship between the messages of each flow is captured by constructing a Markov state transition probability matrix, which preserves the internal transition characteristics of the flow.
(3) By combining the field features of the network protocol headers with the statistical features of the network flow, operating system information is identified with higher precision, finer granularity and wider coverage without decrypting the ciphertext traffic.
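The statistical feature set of step (b) and advantage (2), as an added worked example (written for this page, not the patent's code): packet lengths are quantized into states, the row-normalised Markov transition probability matrix over the state sequence is flattened into a feature vector, and the seven per-flow statistics the embodiment lists are computed alongside. The length thresholds, the four-state binning and the sample session are this example's assumptions; a single-packet session, which has no transitions, yields an all-zero matrix rather than a division by zero.

```python
from typing import Dict, List, Sequence, Tuple

# Constructed sample session as (arrival time in seconds, packet length in bytes);
# not captured traffic, values chosen to resemble a short HTTPS exchange.
SAMPLE_SESSION: List[Tuple[float, int]] = [
    (0.000, 74), (0.020, 74), (0.021, 66), (0.022, 583), (0.045, 1514),
    (0.046, 1514), (0.047, 300), (0.050, 66), (0.060, 200), (0.080, 1514),
]

# Assumed length thresholds: a packet length maps to one of four states.
LENGTH_BINS = (128, 512, 1024)
N_STATES = len(LENGTH_BINS) + 1


def length_state(length: int) -> int:
    """State index = number of thresholds the length exceeds (0..N_STATES-1)."""
    return sum(length > t for t in LENGTH_BINS)


def transition_matrix(states: Sequence[int], n_states: int = N_STATES) -> List[List[float]]:
    """Row-normalised Markov transition probability matrix over a state sequence.
    A row with no outgoing transitions stays all zeros instead of dividing by zero."""
    counts = [[0] * n_states for _ in range(n_states)]
    for a, b in zip(states, states[1:]):
        counts[a][b] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        matrix.append([c / total if total else 0.0 for c in row])
    return matrix


def _mean_var(values: Sequence[float]) -> Tuple[float, float]:
    """Population mean and variance; (0, 0) for an empty sequence."""
    if not values:
        return 0.0, 0.0
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / len(values)
    return mean, var


def session_features(session: Sequence[Tuple[float, int]]) -> Dict[str, object]:
    """Statistical feature set of one session: packet count, byte count, length
    mean/variance, inter-arrival mean/variance, length-state distribution and the
    flattened transition matrix (LightGBM takes a flat numeric vector)."""
    lengths = [length for _, length in session]
    times = [t for t, _ in session]
    iats = [b - a for a, b in zip(times, times[1:])]   # adjacent arrival-time differences
    states = [length_state(length) for length in lengths]
    len_mean, len_var = _mean_var(lengths)
    iat_mean, iat_var = _mean_var(iats)
    matrix = transition_matrix(states)
    distribution = [states.count(s) / len(states) if states else 0.0
                    for s in range(N_STATES)]
    return {
        "packet_count": len(lengths),
        "byte_count": sum(lengths),
        "length_mean": len_mean,
        "length_var": len_var,
        "iat_mean": iat_mean,
        "iat_var": iat_var,
        "length_distribution": distribution,
        "transition_matrix": matrix,
        "transition_features": [p for row in matrix for p in row],
    }
```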
Drawings
FIG. 1 is a diagram of an operating system passive identification framework based on TCP/IP protocol stack fingerprinting.
Detailed Description
The technical solution of the present invention is further explained with reference to the accompanying drawings:
Referring to the method framework diagram shown in FIG. 1, one week of HTTPS traffic was collected on a campus in April 2019; the client operating systems are mainly of five types, namely Windows, MacOS, Linux, Android and iOS, and the major operating system versions are the 21 major versions of those five types.
The collected data set contains 21.57 million (2157 × 10,000) samples in total, each sample being the feature data of one network flow. The feature set comprises three IP-layer features (the time to live field, total length field and fragment flag field), four TCP-layer features (the window size field, window scale field, maximum segment size field and Option type sequence field), six TLS-layer features (the version field, extensions length field, cipher suite sequence, extension type sequence, supported groups sequence and application-layer protocol sequence) and seven network flow statistical features (packet count, byte count, packet length mean, packet length variance, packet length distribution, packet inter-arrival time mean and packet inter-arrival time variance).
The LightGBM model was fully trained and optimized with the first 5 days of the sample data set as the training set, day 6 as the validation set and day 7 as the test set. The parameters of the final model are shown in Table 1.
TABLE 1 LightGBM model parameters
[Table 1 is supplied only as images (BDA0002265568610000051, BDA0002265568610000061) in the source; its contents were not extracted.]
Testing the trained model on the test set gives a recognition accuracy of 96.35% for the operating system type and 84.72% for the operating system major version.
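The six TLS-layer features listed for the embodiment (version, extensions length, cipher suite sequence, extension type sequence, supported groups, ALPN) can be read from the Client Hello without touching any encrypted payload. The following is an added example written for this page, not the patent's code; the Client Hello bytes are constructed, and the GREASE filtering (RFC 8701 placeholder values that browsers randomize per connection) is this example's addition, included because leaving them in makes the same client produce a different sequence on every connection.

```python
import struct
from typing import Optional


def build_sample_client_hello() -> bytes:
    """Constructed TLS ClientHello record (not a capture): three cipher suites and the
    supported_groups, ALPN and supported_versions extensions."""
    ext_groups = struct.pack("!HH", 0x000A, 6) + struct.pack("!HHH", 4, 0x001D, 0x0017)
    alpn_list = b"\x02h2" + b"\x08http/1.1"
    ext_alpn = (struct.pack("!HH", 0x0010, len(alpn_list) + 2)
                + struct.pack("!H", len(alpn_list)) + alpn_list)
    ext_versions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = ext_groups + ext_alpn + ext_versions
    suites = struct.pack("!HHH", 0x1301, 0x1302, 0xC02B)
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) vary per connection and must be
    dropped, or the fingerprint of one client is never stable."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_client_hello(record: bytes) -> Optional[dict]:
    """Extract the six TLS-layer features from a ClientHello record; returns None for
    anything that is not a complete ClientHello (other record types, truncation)."""
    try:
        if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
            return None
        handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(handshake) < 4 or handshake[0] != 0x01:    # not a ClientHello
            return None
        hs_len = int.from_bytes(handshake[1:4], "big")
        body = handshake[4:4 + hs_len]
        if len(body) < hs_len:                            # truncated record
            return None
        version = struct.unpack("!H", body[0:2])[0]
        pos = 2 + 32                                      # skip the client random
        pos += 1 + body[pos]                              # skip the session id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                              # skip compression methods
        feats = {"version": version,
                 "cipher_suites": [s for s in suites if not is_grease(s)],
                 "extensions_length": 0, "extension_types": [],
                 "supported_groups": [], "alpn": []}
        if pos + 2 > len(body):                           # the extensions block is optional
            return feats
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        feats["extensions_length"] = ext_len
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if is_grease(etype):
                continue
            feats["extension_types"].append(etype)
            if etype == 0x000A and len(data) >= 2:        # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
                feats["supported_groups"] = [g for g in groups if not is_grease(g)]
            elif etype == 0x0010 and len(data) >= 2:      # ALPN protocol name list
                n = struct.unpack("!H", data[:2])[0]
                i = 2
                while i < 2 + n:
                    plen = data[i]
                    feats["alpn"].append(data[i + 1:i + 1 + plen].decode("ascii", "replace"))
                    i += 1 + plen
        return feats
    except (struct.error, IndexError):                    # malformed lengths inside the body
        return None
```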
Although specific details of the invention are disclosed for purposes of illustration and in order to facilitate an understanding of the contents of the invention and its implementation, those skilled in the art will appreciate that: various substitutions, changes and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. It is intended that the invention not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but that the invention will include all embodiments falling within the scope of the appended claims.

Claims (10)

1. A passive identification method for operating systems based on TCP/IP protocol stack fingerprints, comprising the following steps:
(1) acquiring the encrypted traffic data to be tested, and labelling the attributes of all samples in the data set by active and passive methods;
(2) taking the tuple <IP source, IP destination, Port source, Port destination> as the unique identifier of one network session, and extracting, for each session, the IP-layer and TCP-layer header parameters of the TCP SYN message, the TLS-layer header parameters, and statistical information about the packet lengths and the differences between adjacent packet arrival times over the whole session, to obtain a feature set;
(3) inputting the feature data of the feature set into a trained passive operating system recognition model to obtain the operating system information of the client of the traffic under test;
wherein
the passive operating system recognition model is obtained by the following training method:
(a) acquiring encrypted traffic data of different operating system types and versions as a sample data set, and labelling the attributes of all samples in the sample data set by active and passive methods;
(b) extracting flow features from the labelled traffic data: taking the tuple <IP source, IP destination, Port source, Port destination> as the unique identifier of one network session, extracting the IP-layer and TCP-layer header parameters of the TCP SYN message and the TLS-layer header parameters of the TLS Client Hello message in each session to obtain the header-field feature set of the session, and constructing a Markov state transition probability matrix from the packet length and packet arrival time sequences of the whole session to obtain the statistical feature set of the session;
(c) training the LightGBM model with the feature set data as input.
2. The passive operating system identification method based on TCP/IP protocol stack fingerprints according to claim 1, wherein the operating system types for which encrypted traffic data is collected include Windows, MacOS, Linux, Android and iOS.
3. The passive operating system identification method based on TCP/IP protocol stack fingerprints according to claim 2, wherein 21 operating system versions are collected.
4. The passive operating system identification method based on TCP/IP protocol stack fingerprints according to claim 1, wherein the feature set data of step (3) is preprocessed before being input to the recognition model: missing data is filled in, the data is normalized, and text features are converted into discrete numerical features.
5. The method according to claim 1, wherein step (c) further comprises optimizing the model parameters by K-fold cross validation during model training.
6. The passive operating system identification method based on TCP/IP protocol stack fingerprints according to claim 1, wherein the operating system information of step (3) includes the operating system type and version.
7. A passive operating system identification system based on TCP/IP protocol stack fingerprints, comprising:
a data acquisition module, which acquires the encrypted traffic data to be tested and labels the attributes of all samples in the data set by active and passive methods;
a feature data extraction module, which takes the tuple <IP source, IP destination, Port source, Port destination> as the unique identifier of one network session and extracts, for each session, the IP-layer and TCP-layer header parameters of the TCP SYN message, the TLS-layer header parameters, and statistical information about the packet lengths and the differences between adjacent packet arrival times over the whole session, to obtain a feature set;
an identification module, which inputs the extracted feature set data into the trained passive operating system recognition model to obtain the operating system information of the client of the traffic under test.
8. The passive operating system identification system based on TCP/IP protocol stack fingerprints according to claim 7, wherein the system further comprises a model training module, which acquires encrypted traffic data of different operating system types and versions as a sample data set, labels the attributes of all samples in the sample data set by active and passive methods, and extracts flow features from the labelled traffic data: taking the tuple <IP source, IP destination, Port source, Port destination> as the unique identifier of one network session, extracting the IP-layer and TCP-layer header parameters of the TCP SYN message and the TLS-layer header parameters of the TLS Client Hello message in each session to obtain the header-field feature set of the session, constructing a Markov state transition probability matrix from the packet length and packet arrival time sequences of the whole session to obtain the statistical feature set of the session, and training the LightGBM model with the feature set data as input.
9. A server comprising a memory and a processor, the memory storing a computer program configured to be executed by the processor, characterized in that the computer program comprises instructions for carrying out the steps of the method according to any of claims 1-7.
10. A computer-readable storage medium storing a computer program, wherein the computer program comprises instructions for the steps of the method according to any one of claims 1 to 7.
CN201911086474.1A 2019-11-08 2019-11-08 Passive operating system identification method and system based on TCP/IP protocol stack fingerprint Pending CN110868409A (en)


Publications (1)

Publication Number Publication Date
CN110868409A true CN110868409A (en) 2020-03-06

Family

ID=69653743


Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111464510A (en) * 2020-03-18 2020-07-28 华南理工大学 Network real-time intrusion detection method based on rapid gradient lifting tree model
CN111756598A (en) * 2020-06-23 2020-10-09 北京凌云信安科技有限公司 Asset discovery method based on combination of active detection and flow analysis
CN113194043A (en) * 2021-03-18 2021-07-30 成都深思科技有限公司 Network traffic classification method under NAT environment
CN113905364A (en) * 2021-10-25 2022-01-07 广州通则康威智能科技有限公司 Router uplink data tracing method and device, computer equipment and storage medium
CN114172980A (en) * 2021-12-08 2022-03-11 北京天融信网络安全技术有限公司 Method, system, device, equipment and medium for identifying type of operating system
CN114189350A (en) * 2021-10-20 2022-03-15 北京交通大学 LightGBM-based train communication network intrusion detection method
CN114449064A (en) * 2022-01-26 2022-05-06 普联技术有限公司 Application identification method and device for TLS encrypted traffic and application identification equipment
CN115051977A (en) * 2022-06-24 2022-09-13 绿盟科技集团股份有限公司 Web robot identification method, device, equipment and medium
WO2023173790A1 (en) * 2022-03-18 2023-09-21 广州大学 Data packet-based encrypted traffic classification system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050086522A1 (en) * 2003-10-15 2005-04-21 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems
US7519954B1 (en) * 2004-04-08 2009-04-14 Mcafee, Inc. System and method of operating system identification
CN102307123A (en) * 2011-09-06 2012-01-04 电子科技大学 NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic
CN105959321A (en) * 2016-07-13 2016-09-21 中国人民解放军理工大学 Passive identification method and apparatus for network remote host operation system
CN110213124A (en) * 2019-05-06 2019-09-06 清华大学 Passive operation system identification method and device based on the more sessions of TCP
CN110363439A (en) * 2019-07-19 2019-10-22 山东浪潮人工智能研究院有限公司 A kind of credit-graded approach based on consumer demographics' portrait

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050086522A1 (en) * 2003-10-15 2005-04-21 Cisco Technology, Inc. Method and system for reducing the false alarm rate of network intrusion detection systems
CN1864182A (en) * 2003-10-15 2006-11-15 思科技术公司 Method and system for reducing the false alarm rate of network intrusion detection systems
US7519954B1 (en) * 2004-04-08 2009-04-14 Mcafee, Inc. System and method of operating system identification
CN102307123A (en) * 2011-09-06 2012-01-04 电子科技大学 NAT (Network Address Translation) flow identification method based on transmission layer flow characteristic
CN105959321A (en) * 2016-07-13 2016-09-21 中国人民解放军理工大学 Passive identification method and apparatus for network remote host operation system
CN110213124A (en) * 2019-05-06 2019-09-06 清华大学 Passive operation system identification method and device based on the more sessions of TCP
CN110363439A (en) * 2019-07-19 2019-10-22 山东浪潮人工智能研究院有限公司 A kind of credit-graded approach based on consumer demographics' portrait

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
XINLEI FAN et al.: "Identify OS from encrypted traffic with TCP/IP stack", IEEE Xplore *
徐卜灵: "Key parameters for LightGBM tuning" (lightgbm调参的关键参数), HTTPS://WWW.JIANSHU.COM/P/3F114699C6ED *
王芳杰 et al.: "Bus travel time prediction based on the LightGBM algorithm" (基于LightGBM算法的公交行程时间预测), Journal of Transportation Systems Engineering and Information Technology (交通运输系统工程与信息) *

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111464510A (en) * 2020-03-18 2020-07-28 华南理工大学 Network real-time intrusion detection method based on rapid gradient lifting tree model
CN111464510B (en) * 2020-03-18 2021-06-08 华南理工大学 Network real-time intrusion detection method based on rapid gradient lifting tree classification model
CN111756598A (en) * 2020-06-23 2020-10-09 北京凌云信安科技有限公司 Asset discovery method based on combination of active detection and flow analysis
CN113194043A (en) * 2021-03-18 2021-07-30 成都深思科技有限公司 Network traffic classification method under NAT environment
CN113194043B (en) * 2021-03-18 2022-09-02 成都深思科技有限公司 Network traffic classification method under NAT environment
CN114189350A (en) * 2021-10-20 2022-03-15 北京交通大学 LightGBM-based train communication network intrusion detection method
CN113905364A (en) * 2021-10-25 2022-01-07 广州通则康威智能科技有限公司 Router uplink data tracing method and device, computer equipment and storage medium
CN113905364B (en) * 2021-10-25 2023-07-04 广州通则康威智能科技有限公司 Router uplink data tracing method, device, computer equipment and storage medium
CN114172980A (en) * 2021-12-08 2022-03-11 北京天融信网络安全技术有限公司 Method, system, device, equipment and medium for identifying type of operating system
CN114449064A (en) * 2022-01-26 2022-05-06 普联技术有限公司 Application identification method and device for TLS encrypted traffic and application identification equipment
CN114449064B (en) * 2022-01-26 2023-12-29 普联技术有限公司 Application identification method and device for TLS encrypted traffic and application identification equipment
WO2023173790A1 (en) * 2022-03-18 2023-09-21 广州大学 Data packet-based encrypted traffic classification system
CN115051977A (en) * 2022-06-24 2022-09-13 绿盟科技集团股份有限公司 Web robot identification method, device, equipment and medium
CN115051977B (en) * 2022-06-24 2023-09-19 绿盟科技集团股份有限公司 Web robot identification method, device, equipment and medium

Similar Documents

Publication Publication Date Title
CN110868409A (en) Passive operating system identification method and system based on TCP/IP protocol stack fingerprint
CN111277578B (en) Encrypted flow analysis feature extraction method, system, storage medium and security device
Feng et al. Characterizing industrial control system devices on the internet
Wang et al. Seeing through network-protocol obfuscation
US8065722B2 (en) Semantically-aware network intrusion signature generator
US9210181B1 (en) Detection of anomaly in network flow data
CN107733851A (en) DNS tunnels Trojan detecting method based on communication behavior analysis
Sija et al. A survey of automatic protocol reverse engineering approaches, methods, and tools on the inputs and outputs view
Shen et al. Certificate-aware encrypted traffic classification using second-order markov chain
CN104506484A (en) Proprietary protocol analysis and identification method
CN113259313A (en) Malicious HTTPS flow intelligent analysis method based on online training algorithm
Ye et al. NetPlier: Probabilistic Network Protocol Reverse Engineering from Message Traces.
CN111030941A (en) Decision tree-based HTTPS encrypted flow classification method
CN103155487A (en) Methods and systems for detecting suspected data leakage using traffic samples
CN111224946A (en) TLS encrypted malicious traffic detection method and device based on supervised learning
CN110611640A (en) DNS protocol hidden channel detection method based on random forest
US20240064107A1 (en) System for classifying encrypted traffic based on data packet
CN112217763A (en) Hidden TLS communication flow detection method based on machine learning
Li et al. Understanding the usage of industrial control system devices on the internet
CN113923026A (en) Encrypted malicious flow detection model based on TextCNN and construction method thereof
CN107209834A (en) Malicious communication pattern extraction apparatus, malicious communication schema extraction system, malicious communication schema extraction method and malicious communication schema extraction program
Kumar et al. Light weighted CNN model to detect DDoS attack over distributed scenario
Matoušek et al. On reliability of JA3 hashes for fingerprinting mobile applications
CN116192527A (en) Attack flow detection rule generation method, device, equipment and storage medium
Hejun et al. Online and automatic identification and mining of encryption network behavior in big data environment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200306