网络流量密态匿迹与体系对抗综述

doi:10.3969/j.issn.1671-1122.2024.10.002

信息网络安全 ›› 2024, Vol. 24 ›› Issue (10): 1484-1492.doi: 10.3969/j.issn.1671-1122.2024.10.002

网络流量密态匿迹与体系对抗综述

王强¹^,², 刘奕智³, 李涛³^,⁴, 贺小川⁵^,⁶()

1.中国科学院信息工程研究所，北京 100093
2.中国科学院大学网络空间安全学院，北京 100049
3.东南大学网络空间安全学院，南京 210000
4.网络通信与安全紫金山实验室，南京 210000
5.奇安信科技集团股份有限公司，北京 100044
6.中国电子网络空间安全研究院，北京 100088

收稿日期:2024-06-15 出版日期:2024-10-10 发布日期:2024-09-27
通讯作者: 贺小川, hexiaochuan@qianxin.com
作者简介:王强（1997—），男，江苏，博士研究生，主要研究方向为网络流量分析|刘奕智（2000—），男，江苏，硕士研究生，主要研究方向为网络流量对抗|李涛（1984—），男，江苏，副教授，博士，主要研究方向为信息系统安全、内生安全、可信计算|贺小川（1977—），男，安徽，正高级工程师，博士，主要研究方向为网络攻防体系对抗
基金资助:
国家重点研发计划(2021YFB3101400)

Review of Encrypted Network Traffic Anonymity and Systemic Defense Tactics

WANG Qiang¹^,², LIU Yizhi³, LI Tao³^,⁴, HE Xiaochuan⁵^,⁶()

1. Institute of Information Enginering, Chinese Academy of Sciences, Beijing 100093, China
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
3. School of Cyber Science and Engineering, Southeast University, Nanjing 210000, China
4. Purple Mountain Laboratories, Nanjing 210000, China
5. Qi’anxin Technology Group Co., Ltd., Beijing 100044, China
6. China Electronics Corporation CyberSecurity Research Institute, Beijing 100088, China

Received:2024-06-15 Online:2024-10-10 Published:2024-09-27

摘要/Abstract

摘要：

组织性复杂、计划性高效和指向性明确的高级持续性威胁（APT）攻击是我国面临的主要威胁之一，APT组织的行动隐匿化、攻击常态化趋势愈加明显。近年来，我国掌握主要的APT活动越来越困难，与APT组织将攻击行为匿迹于正常信息服务和网络活动中，以及将攻击流量藏匿于正常通信流量中不无关系。这种高隐蔽攻击行为隐匿后所处的状态，称之为密态。如何检测发现密态行为并实施体系对抗，是当前网络空间防御要解决的瓶颈性难题之一。文章从澄清网络空间高级攻击活动的流量传输隐匿技术机理角度出发，围绕匿名通信链路构建和流量特征行为检测两个维度，提出流量密态匿迹对抗的研究框架和对抗能力评估指标体系，全面阐述近年来相关研究工作进展、研究方法及解决方案，以期探索网络空间密态对抗能力新的发展方向。

关键词: 密态匿迹, 流量混淆, 体系对抗

Abstract:

Advanced persistent threat (APT) attacks with complex organization, efficient planning and clear directivity are one of the main threats facing our country, and the trend of covert action and regular attack of APT organizations is becoming more and more obvious. In recent years, it has become more and more difficult for our country to master the main APT activities, which is not unrelated to the fact that APT organizations disappear their attacks into normal information services and network activities, and hide their attack traffic in normal communication traffic. The state in which this kind of highly concealed attack behavior is concealed is called dense state. How to detect dense state behavior and implement system confrontation is one of the bottleneck problems to be solved in the current cyber space defense. From the perspective of clarifying the mechanism of traffic transmission hiding technology for advanced attack activities in cyberspace, this paper puts forward a research framework and countermeasure capability evaluation index system of traffic dense disappearing countermeasure based on two dimensions of anonymous communication link construction and traffic characteristic behavior detection, and comprehensively expounds the relevant research progress, research methods and solutions in recent years. In order to explore the new development direction of dense state countermeasure capability in cyberspace.

Key words: encrypted anonymity, network traffic obfuscation, systemic defense tactics

中图分类号:

TP309

王强, 刘奕智, 李涛, 贺小川. 网络流量密态匿迹与体系对抗综述[J]. 信息网络安全, 2024, 24(10): 1484-1492.

WANG Qiang, LIU Yizhi, LI Tao, HE Xiaochuan. Review of Encrypted Network Traffic Anonymity and Systemic Defense Tactics[J]. Netinfo Security, 2024, 24(10): 1484-1492.

图/表 2

表1

表2

针对流量特征的方法效能评估

类别	文献	方法特点	检测算法	数据集	评估
随机化	文献[9]	采用流量可视化的方法将网络流量转换为灰度图像，分别采用3种不同算法向图像中添加干扰噪声生成伪装流量，使分类器错误分类	LeNet-5卷积神经网络模型	Moore 数据集	流量的应用类型被错误分类的概率大大提高，以FGSM方法为例，攻击者使用LeNet-5对生成的欺骗网络流量进行分类时错误率达到99%
随机化	文献[10]	设计特殊的映射函数和正则化器来满足实时流量生成情况下的约束条件，通过修改包大小、插入填充数据包的方式生成对抗样本	DF	DeepCorr、DF和Var-CNN数据集	算法针对基于深度学习的指纹检测方法具有较好的防御效果，鲁棒性和样本的场景适应能力增强
拟态	文献[11]	针对现有流量变形/协议隧道技术主要依赖于学习特定流量的模式，缺乏动态性、被识别可能性高这一问题，提出FlowGAN算法，将流量特征动态变形为白流量	SVM、NB和其他论文提出的评价参数	自采	采用不可区分性来评价混淆有效性，该参数由算子特征曲线下的面积来确定（曲线由真阳性率与假阳性率构成）。实验证明flowgan的有效性
	文献[12]	针对数据包大小这一关键特征进行混淆操作，对拟态目标的数据包长度概率分布进行建模，并将源应用程序的数据包长度突变为目标应用程序中具有相似二进制概率的数据包长度	SVM、决策树、KNN、随机森林	自采（来源其他论文）	以Game流量转为Viber类型为例，可以将SVM分类器的准确率从76.7%降至0.48%，将Bagged Trees分类器的准确率从90%降至0.19%，将KNN分类器的准确率从83.9%降至2.18%
	文献[13]	针对网站指纹识别问题提出了WF-GAN方法，自动学习并生成对抗样本实现指纹识别防御，流量突发特征作为生成器模型原始输入，梯度信息来优化对抗样本	CNN	自采	该方法实现了有目标和无目标两种防御模型，使用5%~15%的开销获得了90%的对抗成功率，优于W-T模型
	文献[14]	基于对抗样本思想提出MockingBird算法，不关注检测器的损失函数，产生的对抗样本具有随机性，使算法具有更好的鲁棒性	DF、Var-CNN、CUMUL、k-FP和KNN	自采	与WTF-PAD算法相比，DF和Var-CNN检测方法的Top-1准确率至少低28%，识别错误率提高了两倍
	文献[15]	针对物联网设备的流量保护问题，提出MITRA方法，根据上下文动态生成不同级别的伪装流量，避免不必要的网络开销	XGBoost、随机森林	自采	与其他文献方法相比，检出率结果稍差，但网络开销极低，相比其他工作网络开销仅有百分之一甚至千分之一

表2

参考文献 39

[1]	ZHANG Fan, ZHAO Xinjie, Guo Shize. Secret State Confrontation-The Development Direction of High Concealment Threat Perspective in Cyberspace[J]. Chinese Computer Society Communications, 2023, 19 (3): 97-103.
	张帆, 赵新杰, 郭世泽. 密态对抗—网络空间高隐蔽威胁透视的发展方向[J]. 中国计算机学会通讯, 2023, 19(3):97-103.
[2]	CHEN Zihan, CHENG Guang, XU Ziheng, et al. A Survey on Internet Encrypted Traffic Detection, Classification and Identification[J]. Chinese Journal of Computers, 2023, 46(5): 1060-1085.
	陈子涵, 程光, 徐子恒, 等. 互联网加密流量检测、分类与识别研究综述[J]. 计算机学报, 2023, 46(5):1060-1085.
[3]	JIANG Kaolin, BAI Wei, REN Chuanlun, et al. Identification Method of Encrypted Data Flow Based on Chain-Building Information[J]. Journal of Data Acquisition and Processing, 2021, 36(3): 595-604.
	蒋考林, 白玮, 任传伦, 等. 基于建链信息的密数据流识别方法[J]. 数据采集与处理, 2021, 36(3):595-604.
[4]	YAO Zhongjiang, GE Jingguo, ZHANG Xiaodan, et al. Research Review on Traffic Obfuscation and Its Corresponding Identification and Tracking Technologies[J]. Journal of Software, 2018, 29(10): 3205-3222.
	姚忠将, 葛敬国, 张潇丹, 等. 流量混淆技术及相应识别、追踪技术研究综述[J]. 软件学报, 2018, 29(10):3205-3222.
[5]	LI Fenghua, LI Chaoyang, GUO Chao, et al. Survey on key technologies of covert channel in ubiquitous network environment[J]. Journal on Communications, 2022, 43(4): 186-201. doi: 10.11959/j.issn.1000-436x.2022072
	李凤华, 李超洋, 郭超, 等. 泛在网络环境下隐蔽通道关键技术研究综述[J]. 通信学报, 2022, 43(4):186-201. doi: 10.11959/j.issn.1000-436x.2022072
[6]	WANG Ying, GAO Haichang. Analysis and Prospect of Anonymous Communication Technology[J]. Information Security and Communications Privacy, 2023, 21(1): 60-70.
	王鹰, 高海昌. 匿名通信技术现状分析与展望[J]. 信息安全与通信保密, 2023, 21(1):60-70.
[7]	WINTER P, PULLS T, FUSS J. ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship[C]// ACM. Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society. New York: ACM, 2013: 213-224.
[8]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[EB/OL]. (2013-12-21)[2024-04-30]. https://arxiv.org/abs/1312.6199v4.
[9]	HU Yongjin, GUO Yuanbo, MA Jun, et al. Method to Generate Cyber Deception Traffic Based on Adversarial Sample[J]. Journal on Communications, 2020, 41(9): 59-70. doi: 10.11959/j.issn.1000-436x.2020166
	胡永进, 郭渊博, 马骏, 等. 基于对抗样本的网络欺骗流量生成方法[J]. 通信学报, 2020, 41(9):59-70. doi: 10.11959/j.issn.1000-436x.2020166
[10]	NASR M, BAHRAMALI A, HOUMANSADR A. Defeating DNN-Based Traffic Analysis Systems in Real-Time with Blind Adversarial Perturbations[C]// USENIX. 30th USENIX Security Symposium (USENIX Security 21). Berkeley: USENIX, 2021: 2705-2722.
[11]	LI Jie, ZHOU Lu, LI Huaxin, et al. Dynamic Traffic Feature Camouflaging via Generative Adversarial Networks[C]// IEEE. 2019 IEEE Conference on Communications and Network Security (CNS). New York: IEEE, 2019: 268-276.
[12]	CHADDAD L, CHEHAB A, ELHAJJ I H, et al. Network Obfuscation for Net Worth Security[C]// IEEE. 2020 Seventh International Conference on Software Defined Systems (SDS). New York: IEEE, 2020: 83-88.
[13]	HOU Chengshang, GOU Gaopeng, SHI Junzheng, et al. WF-GAN: Fighting Back against Website Fingerprinting Attack Using Adversarial Learning[C]// IEEE. 2020 IEEE Symposium on Computers and Communications (ISCC). New York: IEEE, 2020: 1-7.
[14]	RAHMAN M S, IMANI M, MATHEWS N, et al. Mockingbird: Defending against Deep-Learning-Based Website Fingerprinting Attacks with Adversarial Traces[J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 1594-1609.
[15]	DOS S B V, VERGUTZ A, MACEDO R T, et al. A Dynamic Method to Protect User Privacy against Traffic-Based Attacks on Smart Home[EB/OL]. (2023-01-02)[2024-06-10]. https://ieeexplore.ieee.org/document/10000503.
[16]	HUANG Shuangshuang, MA Xiaobo, BIAN Huafeng. Effectively and Efficiently Defending Shadowsocks against Website Fingerprinting Attacks[C]// IEEE. 2021 8th International Conference on Dependable Systems and Their Applications (DSA). New York: IEEE, 2021: 251-256.
[17]	SHIRALI M, TEFKE T, STAUDEMEYER R C, et al. A Survey on Anonymous Communication Systems with a Focus on Dining Cryptographers Networks[J]. IEEE Access, 2023, 11: 18631-18659.
[18]	TOLLEY W J, KUJATH B, KHAN M T, et al. Blind {In/On-Path} Attacks and Applications to {VPNs}[C]// USENIX. 30th USENIX Security Symposium (USENIX Security 21). Berkeley: USENIX, 2021: 3129-3146.
[19]	GAO Zhen, CHEN Fucai, WANG Yawen, et al. VPN Traffic Hijacking Defense Technology Based on Mimic Defense[J]. Computer Science, 2023, 50(11): 340-347. doi: 10.11896/jsjkx.221000091
	高振, 陈福才, 王亚文, 等. 基于拟态防御的VPN流量劫持防御技术[J]. 计算机科学, 2023, 50(11):340-347. doi: 10.11896/jsjkx.221000091
[20]	STAUDEMEYER R C, PÖHLS H C, WÓJCIK M. What It Takes to Boost Internet of Things Privacy Beyond Encryption with Unobservable Communication: A Survey and Lessons Learned from the First Implementation of DC-Net[J]. Journal of Reliable Intelligent Environments, 2019, 5(1): 41-64.
[21]	PIOTROWSKA A M, HAYES J, ELAHI T, et al. The Loopix Anonymity System[C]// USENIX.26th USENIX Security Symposium (USENIX Security 17). Berkeley: USENIX, 2017: 1199-1216.
[22]	CHAUM D, DAS D, JAVANI F, et al. cMix: Mixing with Minimal Real-Time Asymmetric Cryptographic Operations[C]// Springer. Applied Cryptography and Network Security:15th International Conference, ACNS 2017. Heidelberg: Springer, 2017: 557-578.
[23]	GUIRAT I B, GOSAIN D, DIAZ C. MiXiM: A General Purpose Simulator for Mixnet[EB/OL]. (2021-11-15)[2024-06-10]. https://doi.org/10.1145/3463676.3485613.
[24]	DIAZ C, HALPIN H, KIAYIAS A. The Nym Network: The Next Generation of Privacy Infrastructure[EB/OL]. [2024-06-10]. https://api.semanticscholar.org/CorpusID:233218535.
[25]	DINGLEDINE R, MATHEWSON N, SYVERSON P F. Tor: The Second-Generation Onion Router[EB/OL]. (2004-08-13)[2024-06-10]. https://api.semanticscholar.org/CorpusID:8274154.
[26]	REN Jian, WU Jie. Survey on Anonymous Communications in Computer Networks[J]. Computer Communications, 2010, 33(4): 420-431.
[27]	ZHANG Jin. Research on Routing Technology of Tor Anonymous Communication System[D]. Beijing: Beijing Jiaotong University, 2021.
	张瑾. Tor匿名通信系统路由选择技术研究[D]. 北京: 北京交通大学, 2021.
[28]	HUANG Yaya. Research on Traffic Feature Hiding Technology for Encryption Traffic[D]. Guangzhou: Guangzhou University, 2023.
	黄雅雅. 面向加密流量的流量特征隐藏技术研究[D]. 广州: 广州大学, 2023.
[29]	ROCHET F, PEREIRA O. Waterfilling: Balancing the Tor Network with Maximum Diversity[EB/OL]. (2016-09-14)[2024-06-10]. https://doi.org/10.48550/arXiv.1609.04203.
[30]	VAN D H J, LAZAR D, ZAHARIA M, et al. Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis[C]// ACM. Proceedings of the 25th Symposium on Operating Systems Principles. New York: ACM, 2015: 137-152.
[31]	LU Tianbo, DU Zeyu, JANE W Z. A Survey on Measuring Anonymity in Anonymous Communication Systems[J]. IEEE Access, 2019, 7: 70584-70609. doi: 10.1109/ACCESS.2019.2919322
[32]	KOTZANIKOLAOU P, CHATZISOFRONIOU G, BURMESTER M. Broadcast Anonymous Routing (BAR): Scalable Real-Time Anonymous Communication[J]. International Journal of Information Security, 2017, 16(3): 313-326.
[33]	CHAUM D. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability[J]. Journal of Cryptology, 1988, 1(1): 65-75.
[34]	BARMAN L, DACOSTA I, ZAMANI M, et al. PriFi: Low-Latency Anonymity for Organizational Networks[EB/OL]. (2017-10-27)[2024-06-10]. https://arxiv.org/abs/1710.10237.
[35]	MODINGER D, HEB A, HAUCK F J. Arbitrary Length K-Anonymous Dining-Cryptographers Communication[EB/OL]. (2021-03-31)[2024-06-10]. https://arxiv.org/abs/2103.17091.
[36]	PFITZMANN A, HANSEN M. A Terminology for Talking about Privacy by Data Minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management[EB/OL]. (2010-08-10)[2024-06-10]. https://api.semanticscholar.org/CorpusID:150929990.
[37]	EDMAN M, YENER B. On Anonymity in an Electronic Society[J]. ACM Computing Surveys, 2009, 42(1): 1-35.
[38]	STAUDEMEYER R C, POHLS H C, WOJCIK M. The Road to Privacy in IoT: Beyond Encryption and Signatures, towards Unobservable Communication[C]// IEEE. 2018 IEEE 19th International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM). New York: IEEE, 2018: 14-20.
[39]	ALEXOPOULOS N, KIAYIAS A, TALVISTE R, et al. {MCMix}: Anonymous Messaging via Secure Multiparty Computation[C]// USENIX. 26th USENIX Security Symposium (USENIX Security 17). Berkeley: USENIX, 2017: 1217-1234.

类别	方法	匿名性	不可关联性	不可观测性	计算开销	延迟
代理	Shadowsocks	不稳定（仅具备关系匿名性）	无	无	低	低
隧道	MVPN	不稳定（仅具备关系匿名性）	无	无	低	低
Mix 网络	Loopix	稳定	稳定	接收者不稳定，其他稳定	高	可改变
	cMix	稳定	稳定	无	部署中等，通信低	中
	Nym	稳定	稳定	稳定	N/A	N/A
匿名路由	Tor	不稳定	无	无	高	低
匿名路由	Vuvuzela	不稳定	不稳定	不稳定	高	高
广播/多播	BAR	稳定	不稳定	无	高	部署高，通信中等
	DC网络	不稳定	不稳定	不稳定	中	高
	PriFi	不稳定	不稳定	不稳定	高	中
	K匿名DC 网络	稳定	稳定	稳定	中	中

网络流量密态匿迹与体系对抗综述

Review of Encrypted Network Traffic Anonymity and Systemic Defense Tactics

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 2

参考文献 39

相关文章 15

编辑推荐

Metrics

本文评价

[1]	印杰, 陈浦, 杨桂年, 谢文伟, 梁广俊. 基于人工智能的物联网DDoS攻击检测[J]. 信息网络安全, 2024, 24(11): 1615-1623.
[2]	李鹏超, 张全涛, 胡源. 基于双注意力机制图神经网络的智能合约漏洞检测方法[J]. 信息网络安全, 2024, 24(11): 1624-1631.
[3]	陈宝刚, 张毅, 晏松. 民航空管信息系统用户多因子持续身份可信认证方法研究[J]. 信息网络安全, 2024, 24(11): 1632-1642.
[4]	兰浩良, 王群, 徐杰, 薛益时, 张勃. 基于区块链的联邦学习研究综述[J]. 信息网络安全, 2024, 24(11): 1643-1654.
[5]	张志强, 暴亚东. 融合RF和CNN的异常流量检测算法[J]. 信息网络安全, 2024, 24(11): 1655-1664.
[6]	夏玲玲, 马卓, 郭向民, 倪雪莉. 基于改进加权LeaderRank的目标人员重要度排序算法[J]. 信息网络安全, 2024, 24(11): 1665-1674.
[7]	胡文涛, 徐靖凯, 丁伟杰. 基于溯因学习的无监督网络流量异常检测[J]. 信息网络安全, 2024, 24(11): 1675-1684.
[8]	马卓, 陈东子, 何佳涵, 王群. 基于多因素解纠缠的用户—兴趣点联合预测[J]. 信息网络安全, 2024, 24(11): 1685-1695.
[9]	周胜利, 徐睿, 陈庭贵, 蒋可怡. 基于事理图谱的受骗网络行为风险演进研究[J]. 信息网络安全, 2024, 24(11): 1696-1709.
[10]	马如坡, 王群, 尹强, 高谷刚. Modbus TCP协议安全风险分析及对策研究[J]. 信息网络安全, 2024, 24(11): 1710-1720.
[11]	裴炳森, 李欣, 樊志杰, 蒋章涛. 视频监控数据跨域安全共享传输控制系统设计与实现[J]. 信息网络安全, 2024, 24(11): 1721-1730.
[12]	顾海艳, 柳琪, 马卓, 朱涛, 钱汉伟. 基于可用性的数据噪声添加方法研究[J]. 信息网络安全, 2024, 24(11): 1731-1738.
[13]	张鹏, 罗文华. 基于布隆过滤器查找树的日志数据区块链溯源机制[J]. 信息网络安全, 2024, 24(11): 1739-1748.
[14]	栾润生, 蒋平, 孙银霞, 张沁芝. 电子数据取证技术研究进展和趋势分析[J]. 信息网络安全, 2024, 24(11): 1749-1762.
[15]	高光亮, 梁广俊, 洪磊, 高谷刚, 王群. 融合实例和标记相关性增强消歧的偏多标记学习算法[J]. 信息网络安全, 2024, 24(11): 1763-1772.