CN114531381B - Detection method for encryption traffic of confused KCP protocol - Google Patents

Detection method for encryption traffic of confused KCP protocol

Info

Publication number
CN114531381B
Authority
CN
China
Prior art keywords
load
information
kcp
protocol
flow
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011218367.2A
Other languages
Chinese (zh)
Other versions
CN114531381A (en)
Inventor
钱友文
刘光杰
刘伟伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Science and Technology
Original Assignee
Nanjing University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University of Science and Technology
Priority to CN202011218367.2A
Publication of CN114531381A
Application granted
Publication of CN114531381B
Legal status: Active (current)
Anticipated expiration

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/18 Protocol analysers
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/164 Adaptation or special uses of UDP protocol

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for detecting encrypted traffic of an obfuscated KCP protocol. The method comprises: splitting mixed UDP traffic into flows based on the five-tuple and time information; for each UDP flow, extracting packet payload information and, using DPI (deep packet inspection), identifying the disguised application type and the obfuscated-KCP protocol information fields; extracting the payload sequence of the first 20 uplink packets to check the communication mechanism of the obfuscated KCP protocol; and extracting the heartbeat packets in the data transmission of the flow and verifying the heartbeat behaviour characteristics from their payload information. The invention applies multi-feature detection to UDP data flows and can effectively detect obfuscated-KCP encrypted proxy channels.

Description

Detection method for encryption traffic of confused KCP protocol
Technical Field
The invention relates to information processing in the field of network security, and in particular to a method for detecting encrypted proxy channels based on the KCP protocol.
Background
KCP is a fast and reliable protocol built on top of UDP; compared with TCP it reduces the average latency by 30%-40% and the maximum latency by a factor of three, at the cost of 10%-20% more bandwidth.
The KCP protocol mainly provides acceleration, latency reduction, reliable transmission and congestion control, and is therefore widely used in network transmission.
The obfuscated KCP protocol is a stream protocol implemented on top of, and modified from, the KCP protocol: it allows any data stream to be transmitted in order, can serve as the bearer protocol for HTTP, and provides security services for the data stream. Existing techniques such as packet-flow analysis cannot identify obfuscated-KCP traffic and cannot meet the supervision requirements of network supervisors, so a new screening method is urgently needed.
Disclosure of Invention
The invention aims to provide a method for detecting encrypted proxy channels of the obfuscated KCP protocol, which effectively detects obfuscated-KCP encrypted proxy channels.
The technical solution that achieves this purpose is as follows. A detection method for the encrypted traffic of the obfuscated KCP protocol comprises the following steps:
Step 1: capture mixed UDP traffic, split it into flows based on the libpcap network library, and send the UDP data flow information to a buffer queue flow by flow;
Step 2: read the UDP flow information from the buffer queue one flow at a time and perform disguise and obfuscation protocol detection on the payload packet information using DPI, obtaining suspected obfuscated-KCP flow information;
Step 3: extract the uplink payload length information of suspicious flows and check the communication behaviour of suspected obfuscated-KCP traffic;
Step 4: extract the uplink payload data of suspicious flows and check the heartbeat behaviour of suspected obfuscated-KCP traffic, obtaining the flows finally judged to be obfuscated-KCP protocol traffic;
Step 5: collect the four-tuple, protocol and time information of the KCP protocol flows and record them as a hit record.
Compared with the prior art, the invention has the notable advantages that it is deployed as part of a border monitoring and inspection system platform, has the capacity to analyse large volumes of data, and achieves a detection rate and an accuracy rate of over 90 percent.
Drawings
Fig. 1 is a flow chart of the method for detecting encrypted traffic of the obfuscated KCP protocol according to the present invention.
Fig. 2 is a diagram of the relationship between the number of data packets used in the feature calculation and the classification accuracy in the embodiment.
Detailed Description
The invention discloses a method for detecting encrypted proxy channels of the obfuscated KCP protocol, which specifically comprises the following steps:
Step 1: based on the libpcap network library, the mixed UDP traffic is split according to the five-tuple (source address, destination address, source port, destination port, protocol) and time information, producing per-flow UDP data flow information, which is sent to the buffer queue flow by flow.
Step 2: read the UDP flow information from the buffer queue one flow at a time, extract the payload information of the payload packets and identify the disguised application type; then extract the packet payload, filter out the application-protocol (disguise) field, extract bytes 1-22 of the payload after the disguise layer and check whether they follow the standard KCP protocol format; if they do not, further identify whether the payload content follows the obfuscated-KCP padding rule, thereby screening suspected obfuscated-KCP flows; finally extract the data payload after the disguise layer and the obfuscation layer, calculate the information entropy of the payload to check its randomness, and screen the flows whose data layer is randomised by encryption.
Step 3: extract the payload lengths of the first several uplink payload packets of the UDP flow, preprocess the length information by filtering out retransmitted packets and adding back missing packets, obtain the final uplink payload length sequence, and verify that it follows the periodic request rule of the obfuscated KCP protocol. The detection method must allow a certain fault tolerance; the tolerated error conditions are: (1) one group of the payload length sequence may appear once in reverse order; (2) one length value may be missing from one group; (3) one group may contain one extra length value.
Step 4: filter out the periodic-request part of the uplink payload packets of the KCP flow, obtain the heartbeat packet payloads according to whether the 5th and 9th bytes of the obfuscated-KCP protocol information are consistent, inspect the heartbeat packet payloads, discard KCP flows whose heartbeat packets carry data, compare the payload contents of adjacent heartbeat packets, keep the KCP flows whose adjacent heartbeat packets have consistent payload content, and finally obtain the suspected obfuscated-KCP encrypted proxy flows.
Step 5: collect the information of the suspected obfuscated-KCP encrypted proxy flows, store their four-tuple and time information as a hit record, and write the hit record to a database.
In step 1, the mixed UDP traffic is split by five-tuple and timestamp, and classified by direction, number of uplink and downlink payload packets, and payload volume.
In step 2, application protocol association is performed over several packets of the disguised application type to verify the validity of the disguised application protocol; after bytes 1-22 of the protocol-layer payload are extracted, conformance to the standard KCP protocol is checked, it is further judged whether the KCP protocol padding information is obfuscated, and it is checked whether the byte groups (7, 11, 15, 19), (8, 12, 16, 20), (9, 13, 17, 21) and (10, 14, 18, 22) are each internally consistent.
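As an added example, not code from the patent, the following Python implements the byte-group consistency check of step 2 (claim 1, steps 2-2-1 to 2-2-4) and the payload-entropy randomness check of step 2-3. Byte numbers follow the page's 1-indexed numbering; the fourth group's "difference within 5" is read as a spread (max minus min) of at most 5, the entropy is assumed to be Shannon entropy in bits over the per-byte probabilities N(x)/M (the page does not reproduce its formula), and the 7.0-bit threshold is an assumed cut-off. Both sample payloads are constructed; the second is a standard 24-byte KCP header built from the layout of the public KCP implementation.

```python
import math
import struct
from collections import Counter


def byte_at(payload: bytes, n: int) -> int:
    """Return the n-th byte using the page's 1-indexed byte numbering."""
    return payload[n - 1]


def kcp_field_consistent(payload: bytes) -> bool:
    """Obfuscated-KCP padding rule (claim 1, steps 2-2-1 to 2-2-4).

    `payload` is the payload after the disguise layer has been stripped.
    """
    if len(payload) < 22:
        return False
    # Bytes 5 and 9 must differ by at most 1.
    if abs(byte_at(payload, 5) - byte_at(payload, 9)) > 1:
        return False
    # Groups (7,11,15,19), (8,12,16,20) and (9,13,17,21) must each be identical.
    for group in ((7, 11, 15, 19), (8, 12, 16, 20), (9, 13, 17, 21)):
        if len({byte_at(payload, n) for n in group}) != 1:
            return False
    # Group (10,14,18,22) only needs to be similar: spread of at most 5
    # (assumed reading of the page's "difference within 5").
    fourth = [byte_at(payload, n) for n in (10, 14, 18, 22)]
    return max(fourth) - min(fourth) <= 5


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte with p(x) = N(x)/M as in claim 1, step 2-3-2.

    The page does not reproduce its formula; Shannon entropy is assumed here.
    """
    m = len(data)
    if m == 0:
        return 0.0
    return -sum((n / m) * math.log2(n / m) for n in Counter(data).values())


ENTROPY_THRESHOLD = 7.0  # assumed cut-off, not a value from the page


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Randomness check of step 2-3: high entropy suggests an encrypted data layer."""
    return shannon_entropy(data) >= threshold


# Constructed sample: 22 bytes laid out to satisfy the padding rule.
OBFUSCATED_SAMPLE = bytes([
    0x01, 0x02, 0x03, 0x04,  # bytes 1-4
    0x10, 0x00,              # byte 5 = 0x10 (byte 9 below is also 0x10)
    0xAA, 0xBB, 0x10, 0x01,  # bytes 7-10
    0xAA, 0xBB, 0x10, 0x03,  # bytes 11-14
    0xAA, 0xBB, 0x10, 0x02,  # bytes 15-18
    0xAA, 0xBB, 0x10, 0x05,  # bytes 19-22 (fourth group spread = 4)
])

# Constructed standard KCP header: conv, cmd, frg, wnd, ts, sn, una, len,
# little-endian, 24 bytes; it does not follow the padding rule.
STANDARD_KCP_SAMPLE = struct.pack("<IBBHIIII", 0x11223344, 81, 0, 32, 1000, 0, 0, 10)


if __name__ == "__main__":
    print("obfuscated sample:", kcp_field_consistent(OBFUSCATED_SAMPLE))
    print("standard KCP header:", kcp_field_consistent(STANDARD_KCP_SAMPLE))
    print("entropy of 0..255:", shannon_entropy(bytes(range(256))))
```

The entropy check is only meaningful on the data part after both the disguise layer and the 22-byte obfuscation field have been removed (step 2-3-1), since the fixed padding bytes would otherwise pull the entropy down.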
In step 3, the uplink payload packets considered are those longer than 22 bytes, and at least 20 uplink payload packets are used; if verification fails, the number of packets is extended appropriately and verification is repeated. Each time a period is detected the period counter is incremented by 1 and the single-period error counter is cleared; when a missing packet or an extra packet is detected, the single-period error counter is incremented by 1.
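As an added example, not code from the patent, the following Python checks the periodic rule of step 3: a period of 1 to 7 repeated 3 to 5 times over the uplink payload length sequence, with the packets at positions p(k-1)+1 required to have the same length. It also applies the three tolerated errors listed in step 3 (one adjacent group reversed, one lost length value, one extra length value) by undoing at most one such error before re-checking. The retransmission filtering and the 20-packet minimum of the page are assumed to have been applied to the input already; the length sequences are constructed.

```python
PERIODS = range(1, 8)   # the page checks period 1 (embodiment) and periods 2-7 (step 7)
REPEATS = (5, 4, 3)     # 3 <= n <= 5 repetitions, longest evidence first


def _positions_consistent(lengths, period: int, repeats: int) -> bool:
    """True when packets p(k-1)+1, k = 1..n (0-indexed: period*(k-1)), all share one
    length. A None entry is a wildcard standing in for a lost length value."""
    idx = [period * k for k in range(repeats)]
    if idx[-1] >= len(lengths):
        return False
    values = {lengths[i] for i in idx if lengths[i] is not None}
    return len(values) == 1


def detect_period(lengths):
    """Return (period, repeats) for the first rule the sequence satisfies, else None."""
    for repeats in REPEATS:
        for period in PERIODS:
            if _positions_consistent(lengths, period, repeats):
                return period, repeats
    return None


def _one_error_variants(lengths):
    """Sequences obtained by undoing one tolerated error of step 3:
    (1) an adjacent pair in reverse order, (2) one lost value, (3) one extra value."""
    yield list(lengths)
    for i in range(len(lengths) - 1):                  # (1) swap the pair back
        v = list(lengths)
        v[i], v[i + 1] = v[i + 1], v[i]
        yield v
    for i in range(len(lengths)):                      # (3) drop an extra value
        yield list(lengths[:i]) + list(lengths[i + 1:])
    for i in range(len(lengths) + 1):                  # (2) re-insert a lost value as wildcard
        yield list(lengths[:i]) + [None] + list(lengths[i:])


def detect_period_tolerant(lengths):
    """detect_period allowing at most one of the three tolerated errors."""
    for variant in _one_error_variants(lengths):
        found = detect_period(variant)
        if found is not None:
            return found
    return None


# Constructed uplink payload length sequences (bytes), all > 22 as step 3 requires.
PERIODIC = [40, 200, 310, 40, 200, 310, 40, 200, 310, 40, 150, 300]   # period 3, 4 repeats
SWAPPED = [40, 200, 310, 200, 40, 310, 40, 200, 310, 40, 150, 300]    # packets 4 and 5 reversed
RANDOM_LIKE = [77, 301, 45, 122, 88, 260, 33, 199, 141, 65, 280, 52]  # no periodic rule


if __name__ == "__main__":
    for name, seq in (("periodic", PERIODIC), ("swapped", SWAPPED), ("random", RANDOM_LIKE)):
        print(name, detect_period(seq), detect_period_tolerant(seq))
```

The exact check rejects the reversed-pair sequence, while the tolerant check recovers the period-3 rule from it; the distinct-valued sequence matches no rule either way, which is the behaviour the page expects from normal application traffic.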
In step 4, at least 5 heartbeat packets are required; the payload confidence of complete heartbeat packets is verified, the heartbeat characteristics are checked while ensuring that they carry no data payload, and the payload information of adjacent heartbeat packets is correlated.
The invention is further described below with reference to the drawings.
Fig. 1 is a flow chart of the method for detecting encrypted traffic of the obfuscated KCP protocol according to the present invention. As shown in Fig. 1, the detection method includes the following steps:
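As an added example, not code from the patent, the following Python implements the heartbeat screening of step 4 as spelled out in claim 1 (steps 4-1-1, 4-1-2 and 4-2): a packet whose 5th and 9th bytes of the obfuscated-KCP part differ by exactly 1 is a heartbeat candidate, a candidate carrying anything beyond the 22-byte obfuscated-KCP field is discarded as a data packet, the first 5 heartbeats are recorded, and the flow passes when adjacent recorded heartbeats have identical payloads. The 22-byte field length, the 4-byte disguise layer and all packets are constructed for the example.

```python
KCP_FIELD_LEN = 22  # obfuscated-KCP protocol field: bytes 1-22 per the page


def is_suspected_heartbeat(kcp_part: bytes) -> bool:
    """Claim 1, step 4-1-1: bytes 5 and 9 of the obfuscated-KCP part differ by exactly 1."""
    return len(kcp_part) >= 9 and abs(kcp_part[4] - kcp_part[8]) == 1


def has_data_part(kcp_part: bytes) -> bool:
    """Claim 1, step 4-1-2: anything beyond the 22-byte field is treated as the encrypted
    data part (assumed reading of 'encrypted data part except the KCP obfuscation field')."""
    return len(kcp_part) > KCP_FIELD_LEN


def collect_heartbeats(payloads, disguise_len: int, limit: int = 5):
    """Walk the flow packet by packet, strip the disguise layer of `disguise_len` bytes
    and record the payloads of the first `limit` heartbeat packets (claim 1, step 4-1)."""
    heartbeats = []
    for payload in payloads:
        kcp_part = payload[disguise_len:]
        if not is_suspected_heartbeat(kcp_part):
            continue                      # not a heartbeat candidate
        if has_data_part(kcp_part):
            continue                      # candidate carrying data: discarded
        heartbeats.append(kcp_part)
        if len(heartbeats) == limit:
            break
    return heartbeats


def heartbeat_behaviour_matches(payloads, disguise_len: int, min_heartbeats: int = 5) -> bool:
    """Step 4: at least `min_heartbeats` heartbeats whose adjacent payloads are identical."""
    hb = collect_heartbeats(payloads, disguise_len, limit=min_heartbeats)
    if len(hb) < min_heartbeats:
        return False
    return all(a == b for a, b in zip(hb, hb[1:]))


# Constructed flow: utp-style 4-byte disguise layer, then a 22-byte obfuscated-KCP field.
DISGUISE = bytes([0x12, 0x34, 0x01, 0x00])
HEARTBEAT_FIELD = bytes([0, 0, 0, 0, 0x10, 0, 0xAA, 0xBB, 0x11, 0x01] + [0xAA, 0xBB, 0x11, 0x01] * 3)
DATA_FIELD = bytes([0, 0, 0, 0, 0x10, 0, 0xAA, 0xBB, 0x10, 0x01] + [0xAA, 0xBB, 0x10, 0x01] * 3)

HEARTBEAT = DISGUISE + HEARTBEAT_FIELD                    # bytes 5/9 differ by 1, no data
DATA_PACKET = DISGUISE + DATA_FIELD + bytes(range(30))    # bytes 5/9 equal, carries data
ODD_CANDIDATE = DISGUISE + HEARTBEAT_FIELD + b"\x99" * 8  # heartbeat-like header but carries data
GOOD_FLOW = [DATA_PACKET, HEARTBEAT, ODD_CANDIDATE, DATA_PACKET, HEARTBEAT,
             HEARTBEAT, DATA_PACKET, HEARTBEAT, HEARTBEAT, HEARTBEAT]
# Same kind of flow, but one heartbeat's padding differs, so adjacent heartbeats disagree.
ALTERED_HEARTBEAT = DISGUISE + HEARTBEAT_FIELD[:-1] + b"\x07"
BAD_FLOW = [HEARTBEAT, HEARTBEAT, ALTERED_HEARTBEAT, HEARTBEAT, HEARTBEAT, HEARTBEAT]


if __name__ == "__main__":
    print("good flow:", heartbeat_behaviour_matches(GOOD_FLOW, len(DISGUISE)))
    print("bad flow:", heartbeat_behaviour_matches(BAD_FLOW, len(DISGUISE)))
```

Note that the description (step 4) speaks of the 5th and 9th bytes being "consistent" while claim 1 requires a difference of exactly 1; the code follows the claim, and switching `== 1` to `<= 1` gives the looser reading.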
Step 1: obfuscated-KCP protocol traffic and non-obfuscated-KCP traffic are captured with the Wireshark traffic capture tool.
Step 2: based on the libpcap network library, the meta information {source IP + destination IP + source port + destination port + protocol + start time + end time} is formed from the five-tuple and time information; the mixed UDP traffic is split by this key into per-flow UDP data flow information, which is sent to a buffer queue flow by flow, and each data flow is classified by direction, total uplink and downlink data volume and number of transmitted packets.
Step 3: a producer-consumer model is built on pthreads; the UDP flow information is cached in a queue and read one flow at a time by a consumer thread. Each UDP flow is stored in a linked list whose head node holds the flow information such as the flow five-tuple.
Step 4: extract the disguised application field from the payload of the payload packets and identify the disguised application type: extract the payload sequence (f_i, p_i) = [(f_i, p_1), (f_i, p_2), (f_i, p_3), (f_i, p_4)] formed by bytes 1-4 of the KCP flow to identify whether the application type is utp, srtp or wireguard; extract the payload sequence (f_i, p_i) = [(f_i, p_1), (f_i, p_2), ..., (f_i, p_13)] formed by bytes 1-13 of the KCP flow to identify whether the application type is weixin-video or dtls; then perform application protocol association over several packets of the disguised application type and verify the validity of the disguised application protocol.
Step 5: extract the KCP protocol field from the payload and check its legality: extract bytes 1-22 of the payload after the disguise layer, take the bytes (7, 11, 15, 19), (8, 12, 16, 20), (9, 13, 17, 21) and (10, 14, 18, 22) as four groups of information (f_i, l_i) = [(f_i, l_1), (f_i, l_2), (f_i, l_3), (f_i, l_4)], check the degree of overlap of each group, and require field consistency within each of the first three groups and field similarity within the fourth group.
Step 6: check the randomness of the data: extract the data payload after the disguise layer and the obfuscation layer, calculate the entropy of the payload information and check its randomness.
Step 7: extract the payload lengths of the first several uplink payload packets of the KCP flow, preprocess them by screening out retransmitted packets and adding back missing packets, and obtain the final uplink payload length sequence (f_i, L_i) = [(f_i, L_1), (f_i, L_2), (f_i, L_3), ...]; then check whether the payload lengths change periodically with a period of 2-7 and 3-5 repetitions.
Step 8: filter out the length-cycle part of the uplink payload packets of the KCP flow, obtain the heartbeat packet payloads according to whether the 5th and 9th bytes of the obfuscated-KCP protocol information are consistent, inspect the heartbeat packet payloads, discard KCP flows whose heartbeat packets carry data, compare the payload contents of adjacent heartbeat packets and keep KCP flows whose adjacent heartbeat packets have consistent payloads; require at least 5 heartbeat packets, verify the payload confidence of complete heartbeat packets, check the heartbeat characteristics while ensuring there is no data payload, correlate the payload information of adjacent heartbeat packets, and finally obtain the suspected obfuscated-KCP encrypted proxy flows.
To verify the effectiveness of the method of the invention, the following simulation experiments were performed.
In this embodiment of the method for detecting encrypted traffic of the obfuscated KCP protocol, obfuscated-KCP traffic and non-obfuscated-KCP traffic are first captured, and detection is then performed on the payload information, payload lengths and heartbeat behaviour of the obfuscated-KCP traffic. The specific procedure is as follows:
Step 1: obfuscated-KCP protocol traffic and non-obfuscated-KCP traffic are captured, with normal utp, srtp, weixin-video, dtls, wireguard and other normal application protocol traffic selected as negative samples.
Step 2: based on the libpcap network library, the mixed UDP traffic is split by the five-tuple (source address, destination address, source port, destination port, protocol) and time information into per-flow UDP data flow information, which is sent to the buffer queue flow by flow, and each flow is classified by direction and by its uplink and downlink traffic data.
Step 3: the data flow information is read from the producer-consumer queue for traffic identification.
Step 4: identify the disguised application type: extract the payload sequence (f_i, p_i) = [(f_i, p_1), (f_i, p_2), (f_i, p_3), (f_i, p_4)] formed by bytes 1-4 of the KCP flow to identify whether the application type is utp, srtp or wireguard; extract bytes 1-13 of the KCP flow to form the payload sequence (f_i, p_i) = [(f_i, p_1), (f_i, p_2), ..., (f_i, p_13)] and identify whether the application type is weixin-video or dtls.
Step 5: identify the obfuscated-KCP padding field: extract bytes 1-22 of the payload after the disguise layer, take the bytes (7, 11, 15, 19), (8, 12, 16, 20), (9, 13, 17, 21) and (10, 14, 18, 22) as four groups of information (f_i, l_i) = [(f_i, l_1), (f_i, l_2), (f_i, l_3), (f_i, l_4)], and check the degree of overlap within each group.
Step 6: check the randomness of the data: extract the data payload after the disguise layer and the obfuscation layer, calculate the payload entropy and check its randomness.
Step 7: extract the payload lengths of the first several uplink payload packets of the KCP flow, preprocess them by screening out retransmitted packets and adding back missing packets, and obtain the final uplink payload length sequence (f_i, L_i) = [(f_i, L_1), (f_i, L_2), (f_i, L_3), ...]. If the payload length period is 1 and it repeats n times (3 ≤ n ≤ 5), extract the lengths of uplink payload packets 1, 2, 3, ..., n as the length sequence and judge whether the length values are consistent. If the payload length period is p, for p = 2, 3, 4, 5, 6 or 7, and it repeats n times (3 ≤ n ≤ 5), extract the lengths of the uplink payload packets numbered p(k-1)+1 (k = 1, 2, ..., n), i.e. packets 1, p+1, 2p+1, ..., as the length sequence and judge whether the length values are consistent.
Step 8: filter out the length-cycle part of the uplink payload packets of the KCP flow, obtain the heartbeat packet payloads according to whether the padding of the 5th and 9th bytes of the obfuscated-KCP protocol information is consistent, inspect the heartbeat packet payloads, discard KCP flows whose heartbeat packets carry data, compare the payload contents of adjacent heartbeat packets, keep the KCP flows whose adjacent heartbeat packets have consistent payload content, and finally obtain the suspected obfuscated-KCP encrypted proxy flows.
In the embodiment, the number of packets in the extracted uplink payload length sequence is set to n ≥ 20. The checking result is shown in Fig. 2, where the vertical axis is the classification accuracy; the accuracy obtained by checking the periodic regularity of the payload lengths as n goes from 15 to 30 shows that the invention detects obfuscated-KCP encrypted traffic well.

Claims (4)

1. A detection method for the encrypted traffic of the obfuscated KCP protocol, characterised by comprising the following steps:
Step 1: capture mixed UDP traffic, split it into flows based on the libpcap network library, and send the UDP data flow information to a buffer queue flow by flow;
Step 2: read the UDP data flow information from the buffer queue one flow at a time and perform disguise and obfuscation protocol detection on the payload packet information using DPI, obtaining suspected obfuscated-KCP flow information;
Step 2 specifically comprises:
Step 2-1: extract the application protocol field from the payload packet information and identify the disguised application type of the UDP data flow;
Step 2-2: extract the KCP protocol field from the payload packet information, check its conformance to the standard KCP protocol and judge whether the KCP protocol padding information is obfuscated;
Checking KCP protocol conformance specifically comprises: filtering out the disguised application field, extracting the first 22 bytes of the KCP protocol information, checking whether the difference between the contents of the 5th and 9th bytes is at most 1, and checking whether the contents of bytes 7 to 22 are highly overlapping with a cycle of 4; if so, the flow is obfuscated-KCP protocol traffic, otherwise it is normal KCP protocol traffic;
Step 2-2-1: extract the contents of the 7th, 11th, 15th and 19th bytes and check whether they are consistent; if so, continue the detection flow, otherwise judge that the flow is not obfuscated-KCP traffic;
Step 2-2-2: extract the contents of the 8th, 12th, 16th and 20th bytes and check whether they are consistent; if so, continue the detection flow, otherwise judge that the flow is not obfuscated-KCP protocol traffic;
Step 2-2-3: extract the contents of the 9th, 13th, 17th and 21st bytes and check whether they are consistent; if so, continue the detection flow, otherwise judge that the flow is not obfuscated-KCP traffic;
Step 2-2-4: extract the contents of the 10th, 14th, 18th and 22nd bytes and check whether their differences are within 5; if so, continue the detection flow, otherwise judge that the flow is not obfuscated-KCP traffic;
Step 2-3: extract the data content from the payload packet information, perform randomness detection on the payload values and judge whether the payload packet is encrypted and randomised;
Detecting the randomness of the payload values specifically comprises the following steps:
Step 2-3-1: filter out the KCP protocol part and the disguised application type part of the payload and extract the data-part payload information;
Step 2-3-2: calculate the payload information entropy, detect the randomness of the data and judge whether the data is encrypted; assuming the payload contains M characters in total, that the character x occurs N(x) times and that the probability of occurrence of each character is N(x)/M, the payload information entropy is calculated by the following formula:
Step 3: extract the uplink payload length information of suspicious flows and check the communication behaviour of suspected obfuscated-KCP traffic: detect whether the payload length sequence of the uplink packets changes periodically; for example, with a period of 4 and 3 groups, the lengths of packets 1, 5 and 9, or 2, 6 and 10, or 3, 7 and 11, or 4, 8 and 12 are consistent;
Step 4: extract the uplink payload data of suspicious flows and check the heartbeat behaviour of suspected obfuscated-KCP traffic, obtaining the flows finally judged to be obfuscated-KCP protocol traffic;
Detecting the heartbeat behaviour of suspected obfuscated-KCP traffic includes:
Step 4-1: during the packet-by-packet analysis of the flow, identify each payload packet, screen out the heartbeat packets and record the payload information of the first 5 heartbeat packets;
Screening out the heartbeat packets specifically comprises the following steps:
Step 4-1-1: after the disguised application field has been filtered out of the payload packet information, check whether the difference between the 5th and 9th bytes of the obfuscated-KCP protocol part is 1; if so, mark the packet as a suspected heartbeat packet, otherwise discard it;
Step 4-1-2: inspect the payload of the suspected heartbeat packet and judge whether it contains an encrypted data part beyond the obfuscated-KCP field; if not, mark it as a heartbeat packet and record its information, otherwise discard it;
Step 4-2: check the consistency of the payload information of adjacent heartbeat packets among the recorded first 5 heartbeat packets;
Step 5: collect the four-tuple, protocol and time information of the KCP protocol flows and record them as a hit record.
2. The method for detecting encrypted traffic of the obfuscated KCP protocol according to claim 1, wherein in step 1, based on the libpcap network library, the mixed UDP traffic is split according to the five-tuple (source address, destination address, source port, destination port, protocol) and time information to obtain per-flow UDP data flow information, which is sent to the buffer queue flow by flow.
3. The method for detecting encrypted traffic according to claim 1, wherein the disguised application types in step 2-1 comprise: the utp protocol used by UDP-based BitTorrent download, the srtp protocol used by video calls, the wechat-video protocol used by WeChat video, the dtls protocol of DTLS 1.2 packets and the wireguard protocol of WireGuard VPN packets.
4. A method for detecting encrypted traffic according to claim 1 or 3 that identifies the disguised application type, characterised in that identifying the disguised application type specifically comprises:
If the disguise is the utp application type, the disguise field is bytes 1-4 of the application-layer payload; bytes 1-4 of the uplink application-layer payload are, in hexadecimal, [x1, y1, 0x01, 0x00], where x1 and y1 are fixed fields for the uplink of the same flow; bytes 1-4 of the downlink application-layer payload are [x2, y2, 0x01, 0x00], where x2 and y2 are fixed fields for the downlink of the same flow;
If the disguise is the srtp application type, the disguise field is bytes 1-4 of the application-layer payload, which represent the packet sequence number; sequence numbers are kept separately for uplink and downlink and increase by 1 per packet;
If the disguise is wechat-video, i.e. the WeChat video application type, the disguise field is bytes 1-13 of the application-layer payload; bytes 1-13 of the uplink application-layer payload are, in hexadecimal, [0xa1, 0x08, 0x00, x1', y1', 0x00, 0x10, 0x11, 0x18, 0x30, 0x22, 0x30], where the field formed by the two bytes x1', y1' is an auto-incrementing sequence representing the order of the uplink packets, increasing by 1 each time; bytes 1-13 of the downlink application-layer payload are [0xa1, 0x08, 0x00, x2', y2', 0x00, 0x10, 0x11, 0x18, 0x30, 0x22, 0x30], where the field formed by the two bytes x2', y2' is an auto-incrementing sequence representing the order of the downlink packets, increasing by 1 each time;
If the disguise is dtls, i.e. the DTLS 1.2 packet application type, the disguise field is bytes 1-13 of the application-layer payload; bytes 1-13 of the uplink application-layer payload are, in hexadecimal, [0x17, 0xfe, 0xfd, x1, y1, 0x00, x1', y1', 0x00, z1], where x1 and y1 are fixed fields for the uplink of the same flow, the field formed by the two bytes x1', y1' represents the order of the uplink packets and increases by 1 each time, and the byte z1 is unknown; bytes 1-13 of the downlink application-layer payload are [0x17, 0xfe, 0xfd, x2, y2, 0x00, x2', y2', 0x00, z2], where x2 and y2 are fixed fields for the downlink of the same flow, the field formed by the two bytes x2', y2' represents the order of the downlink packets and increases by 1 each time, and the byte z2 is unknown;
If the disguise is wireguard, i.e. WireGuard packets, the disguise field is bytes 1-4 of the application-layer payload, which in hexadecimal are [0x04, 0x00].
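As an added example, not code from the patent, the following Python turns the byte patterns of claim 4 into a disguise-layer classifier and adds the stream-level validation of step 2-1 (fixed fields stay fixed within one direction, sequence counters increase by 1 per packet). Everything not stated on the page is an assumption and is marked as such in the comments: counters are read big-endian, the 13th byte of the wechat-video field (the page lists 12 values for it) is left unconstrained, and srtp, whose 4 bytes are only a counter, is recognised at stream level rather than from one packet. All payloads are constructed, one direction of a flow at a time.

```python
import struct


def identify_disguise(payload: bytes):
    """Classify the disguise layer from the leading bytes of one application-layer
    payload using the byte patterns of claim 4. Returns (application type,
    disguise length in bytes) or None."""
    if (len(payload) >= 13 and payload[0:3] == b"\xa1\x08\x00"
            and payload[5:12] == b"\x00\x10\x11\x18\x30\x22\x30"):
        # Page lists 12 values for the 13-byte field; byte 13 is unconstrained (assumption).
        return ("wechat-video", 13)
    if (len(payload) >= 13 and payload[0:3] == b"\x17\xfe\xfd"
            and payload[5] == 0 and payload[8] == 0):
        return ("dtls", 13)
    if len(payload) >= 4 and payload[0:2] == b"\x04\x00":
        return ("wireguard", 4)          # checked before utp: [0x04,0x00] is the stronger pattern
    if len(payload) >= 4 and payload[2:4] == b"\x01\x00":
        return ("utp", 4)
    return None


def _counter(b: bytes) -> int:
    """Big-endian is assumed; the page does not state the byte order of the counters."""
    return int.from_bytes(b, "big")


def validate_disguise_stream(payloads, app: str) -> bool:
    """Stream-level rules of claim 4 for one direction: fixed fields stay fixed and
    sequence counters increase by exactly 1 per packet."""
    if len(payloads) < 2:
        return False
    if app == "utp":
        return len({p[0:2] for p in payloads}) == 1       # x, y fixed per direction
    if app == "wireguard":
        return all(p[0:2] == b"\x04\x00" for p in payloads)
    if app == "srtp":
        seq = [_counter(p[0:4]) for p in payloads]
    elif app == "wechat-video":
        seq = [_counter(p[3:5]) for p in payloads]
    elif app == "dtls":
        if len({p[3:5] for p in payloads}) != 1:          # x, y fixed per direction
            return False
        seq = [_counter(p[6:8]) for p in payloads]
    else:
        return False
    return all(b - a == 1 for a, b in zip(seq, seq[1:]))


def classify_stream(payloads):
    """Identify the disguise from the first packet and confirm it over the stream; a
    stream with no byte pattern but a +1 counter in bytes 1-4 is taken as srtp."""
    if not payloads:
        return None
    found = identify_disguise(payloads[0])
    if found is not None and validate_disguise_stream(payloads, found[0]):
        return found
    if validate_disguise_stream(payloads, "srtp"):
        return ("srtp", 4)
    return None


BODY = bytes(20)  # constructed filler standing in for the obfuscated-KCP field
UTP_UP = [bytes([0x12, 0x34, 0x01, 0x00]) + BODY for _ in range(3)]
SRTP_UP = [struct.pack(">I", 1000 + i) + BODY for i in range(3)]
WECHAT_UP = [bytes([0xa1, 0x08, 0x00]) + struct.pack(">H", 7 + i)
             + bytes([0x00, 0x10, 0x11, 0x18, 0x30, 0x22, 0x30, 0x00]) + BODY for i in range(3)]
DTLS_UP = [bytes([0x17, 0xfe, 0xfd, 0x00, 0x01, 0x00]) + struct.pack(">H", 40 + i)
           + bytes([0x00, 0x2a, 0x00, 0x00, 0x00]) + BODY for i in range(3)]
WIREGUARD_UP = [bytes([0x04, 0x00, 0x00, 0x00]) + BODY for _ in range(3)]
BROKEN_COUNTER = [struct.pack(">I", 5) + BODY, struct.pack(">I", 7) + BODY]


if __name__ == "__main__":
    for name, stream in (("utp", UTP_UP), ("srtp", SRTP_UP), ("wechat", WECHAT_UP),
                         ("dtls", DTLS_UP), ("wireguard", WIREGUARD_UP), ("broken", BROKEN_COUNTER)):
        print(name, classify_stream(stream))
```

The returned disguise length is what the later stages need: it is the offset at which the 22-byte obfuscated-KCP field begins for the padding, heartbeat and entropy checks.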

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011218367.2A CN114531381B (en) 2020-11-04 2020-11-04 Detection method for encryption traffic of confused KCP protocol

Publications (2)

Publication Number Publication Date
CN114531381A CN114531381A (en) 2022-05-24
CN114531381B true CN114531381B (en) 2024-07-09

Family

ID=81618665

Country Status (1)

Country Link
CN (1) CN114531381B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106452978A (en) * 2016-11-25 2017-02-22 深圳怡化电脑股份有限公司 Method and device for detecting communication abnormity
CN109672687A (en) * 2018-12-31 2019-04-23 南京理工大学 HTTP obfuscated traffic detection method based on suspiciousness assessment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110855402A (en) * 2016-09-30 2020-02-28 瞬已网络科技(上海)有限公司 Network real-time video transmission method and device
CN109547489B (en) * 2018-12-31 2021-08-03 南京理工大学 Detection method for Obfuscated-Openssh protocol traffic
CN110489606B (en) * 2019-07-31 2023-06-06 云南师范大学 Packet Hilbert coding and decoding method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant