Review of Encrypted Network Traffic Anonymity and Systemic Defense Tactics

doi:10.3969/j.issn.1671-1122.2024.10.002

Abstract

Abstract:

Advanced persistent threat (APT) attacks with complex organization, efficient planning and clear directivity are one of the main threats facing our country, and the trend of covert action and regular attack of APT organizations is becoming more and more obvious. In recent years, it has become more and more difficult for our country to master the main APT activities, which is not unrelated to the fact that APT organizations disappear their attacks into normal information services and network activities, and hide their attack traffic in normal communication traffic. The state in which this kind of highly concealed attack behavior is concealed is called dense state. How to detect dense state behavior and implement system confrontation is one of the bottleneck problems to be solved in the current cyber space defense. From the perspective of clarifying the mechanism of traffic transmission hiding technology for advanced attack activities in cyberspace, this paper puts forward a research framework and countermeasure capability evaluation index system of traffic dense disappearing countermeasure based on two dimensions of anonymous communication link construction and traffic characteristic behavior detection, and comprehensively expounds the relevant research progress, research methods and solutions in recent years. In order to explore the new development direction of dense state countermeasure capability in cyberspace.

Key words: encrypted anonymity, network traffic obfuscation, systemic defense tactics

CLC Number:

TP309

WANG Qiang, LIU Yizhi, LI Tao, HE Xiaochuan. Review of Encrypted Network Traffic Anonymity and Systemic Defense Tactics[J]. Netinfo Security, 2024, 24(10): 1484-1492.

Figures/Tables 2

类别	文献	方法特点	检测算法	数据集	评估
随机化	文献[9]	采用流量可视化的方法将网络流量转换为灰度图像，分别采用3种不同算法向图像中添加干扰噪声生成伪装流量，使分类器错误分类	LeNet-5卷积神经网络模型	Moore 数据集	流量的应用类型被错误分类的概率大大提高，以FGSM方法为例，攻击者使用LeNet-5对生成的欺骗网络流量进行分类时错误率达到99%
随机化	文献[10]	设计特殊的映射函数和正则化器来满足实时流量生成情况下的约束条件，通过修改包大小、插入填充数据包的方式生成对抗样本	DF	DeepCorr、DF和Var-CNN数据集	算法针对基于深度学习的指纹检测方法具有较好的防御效果，鲁棒性和样本的场景适应能力增强
拟态	文献[11]	针对现有流量变形/协议隧道技术主要依赖于学习特定流量的模式，缺乏动态性、被识别可能性高这一问题，提出FlowGAN算法，将流量特征动态变形为白流量	SVM、NB和其他论文提出的评价参数	自采	采用不可区分性来评价混淆有效性，该参数由算子特征曲线下的面积来确定（曲线由真阳性率与假阳性率构成）。实验证明flowgan的有效性
	文献[12]	针对数据包大小这一关键特征进行混淆操作，对拟态目标的数据包长度概率分布进行建模，并将源应用程序的数据包长度突变为目标应用程序中具有相似二进制概率的数据包长度	SVM、决策树、KNN、随机森林	自采（来源其他论文）	以Game流量转为Viber类型为例，可以将SVM分类器的准确率从76.7%降至0.48%，将Bagged Trees分类器的准确率从90%降至0.19%，将KNN分类器的准确率从83.9%降至2.18%
	文献[13]	针对网站指纹识别问题提出了WF-GAN方法，自动学习并生成对抗样本实现指纹识别防御，流量突发特征作为生成器模型原始输入，梯度信息来优化对抗样本	CNN	自采	该方法实现了有目标和无目标两种防御模型，使用5%~15%的开销获得了90%的对抗成功率，优于W-T模型
	文献[14]	基于对抗样本思想提出MockingBird算法，不关注检测器的损失函数，产生的对抗样本具有随机性，使算法具有更好的鲁棒性	DF、Var-CNN、CUMUL、k-FP和KNN	自采	与WTF-PAD算法相比，DF和Var-CNN检测方法的Top-1准确率至少低28%，识别错误率提高了两倍
	文献[15]	针对物联网设备的流量保护问题，提出MITRA方法，根据上下文动态生成不同级别的伪装流量，避免不必要的网络开销	XGBoost、随机森林	自采	与其他文献方法相比，检出率结果稍差，但网络开销极低，相比其他工作网络开销仅有百分之一甚至千分之一

References 39

[1]	ZHANG Fan, ZHAO Xinjie, Guo Shize. Secret State Confrontation-The Development Direction of High Concealment Threat Perspective in Cyberspace[J]. Chinese Computer Society Communications, 2023, 19 (3): 97-103.
	张帆, 赵新杰, 郭世泽. 密态对抗—网络空间高隐蔽威胁透视的发展方向[J]. 中国计算机学会通讯, 2023, 19(3):97-103.
[2]	CHEN Zihan, CHENG Guang, XU Ziheng, et al. A Survey on Internet Encrypted Traffic Detection, Classification and Identification[J]. Chinese Journal of Computers, 2023, 46(5): 1060-1085.
	陈子涵, 程光, 徐子恒, 等. 互联网加密流量检测、分类与识别研究综述[J]. 计算机学报, 2023, 46(5):1060-1085.
[3]	JIANG Kaolin, BAI Wei, REN Chuanlun, et al. Identification Method of Encrypted Data Flow Based on Chain-Building Information[J]. Journal of Data Acquisition and Processing, 2021, 36(3): 595-604.
	蒋考林, 白玮, 任传伦, 等. 基于建链信息的密数据流识别方法[J]. 数据采集与处理, 2021, 36(3):595-604.
[4]	YAO Zhongjiang, GE Jingguo, ZHANG Xiaodan, et al. Research Review on Traffic Obfuscation and Its Corresponding Identification and Tracking Technologies[J]. Journal of Software, 2018, 29(10): 3205-3222.
	姚忠将, 葛敬国, 张潇丹, 等. 流量混淆技术及相应识别、追踪技术研究综述[J]. 软件学报, 2018, 29(10):3205-3222.
[5]	LI Fenghua, LI Chaoyang, GUO Chao, et al. Survey on key technologies of covert channel in ubiquitous network environment[J]. Journal on Communications, 2022, 43(4): 186-201. doi: 10.11959/j.issn.1000-436x.2022072
	李凤华, 李超洋, 郭超, 等. 泛在网络环境下隐蔽通道关键技术研究综述[J]. 通信学报, 2022, 43(4):186-201. doi: 10.11959/j.issn.1000-436x.2022072
[6]	WANG Ying, GAO Haichang. Analysis and Prospect of Anonymous Communication Technology[J]. Information Security and Communications Privacy, 2023, 21(1): 60-70.
	王鹰, 高海昌. 匿名通信技术现状分析与展望[J]. 信息安全与通信保密, 2023, 21(1):60-70.
[7]	WINTER P, PULLS T, FUSS J. ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship[C]// ACM. Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society. New York: ACM, 2013: 213-224.
[8]	SZEGEDY C, ZAREMBA W, SUTSKEVER I, et al. Intriguing Properties of Neural Networks[EB/OL]. (2013-12-21)[2024-04-30]. https://arxiv.org/abs/1312.6199v4.
[9]	HU Yongjin, GUO Yuanbo, MA Jun, et al. Method to Generate Cyber Deception Traffic Based on Adversarial Sample[J]. Journal on Communications, 2020, 41(9): 59-70. doi: 10.11959/j.issn.1000-436x.2020166
	胡永进, 郭渊博, 马骏, 等. 基于对抗样本的网络欺骗流量生成方法[J]. 通信学报, 2020, 41(9):59-70. doi: 10.11959/j.issn.1000-436x.2020166
[10]	NASR M, BAHRAMALI A, HOUMANSADR A. Defeating DNN-Based Traffic Analysis Systems in Real-Time with Blind Adversarial Perturbations[C]// USENIX. 30th USENIX Security Symposium (USENIX Security 21). Berkeley: USENIX, 2021: 2705-2722.
[11]	LI Jie, ZHOU Lu, LI Huaxin, et al. Dynamic Traffic Feature Camouflaging via Generative Adversarial Networks[C]// IEEE. 2019 IEEE Conference on Communications and Network Security (CNS). New York: IEEE, 2019: 268-276.
[12]	CHADDAD L, CHEHAB A, ELHAJJ I H, et al. Network Obfuscation for Net Worth Security[C]// IEEE. 2020 Seventh International Conference on Software Defined Systems (SDS). New York: IEEE, 2020: 83-88.
[13]	HOU Chengshang, GOU Gaopeng, SHI Junzheng, et al. WF-GAN: Fighting Back against Website Fingerprinting Attack Using Adversarial Learning[C]// IEEE. 2020 IEEE Symposium on Computers and Communications (ISCC). New York: IEEE, 2020: 1-7.
[14]	RAHMAN M S, IMANI M, MATHEWS N, et al. Mockingbird: Defending against Deep-Learning-Based Website Fingerprinting Attacks with Adversarial Traces[J]. IEEE Transactions on Information Forensics and Security, 2021, 16: 1594-1609.
[15]	DOS S B V, VERGUTZ A, MACEDO R T, et al. A Dynamic Method to Protect User Privacy against Traffic-Based Attacks on Smart Home[EB/OL]. (2023-01-02)[2024-06-10]. https://ieeexplore.ieee.org/document/10000503.
[16]	HUANG Shuangshuang, MA Xiaobo, BIAN Huafeng. Effectively and Efficiently Defending Shadowsocks against Website Fingerprinting Attacks[C]// IEEE. 2021 8th International Conference on Dependable Systems and Their Applications (DSA). New York: IEEE, 2021: 251-256.
[17]	SHIRALI M, TEFKE T, STAUDEMEYER R C, et al. A Survey on Anonymous Communication Systems with a Focus on Dining Cryptographers Networks[J]. IEEE Access, 2023, 11: 18631-18659.
[18]	TOLLEY W J, KUJATH B, KHAN M T, et al. Blind {In/On-Path} Attacks and Applications to {VPNs}[C]// USENIX. 30th USENIX Security Symposium (USENIX Security 21). Berkeley: USENIX, 2021: 3129-3146.
[19]	GAO Zhen, CHEN Fucai, WANG Yawen, et al. VPN Traffic Hijacking Defense Technology Based on Mimic Defense[J]. Computer Science, 2023, 50(11): 340-347. doi: 10.11896/jsjkx.221000091
	高振, 陈福才, 王亚文, 等. 基于拟态防御的VPN流量劫持防御技术[J]. 计算机科学, 2023, 50(11):340-347. doi: 10.11896/jsjkx.221000091
[20]	STAUDEMEYER R C, PÖHLS H C, WÓJCIK M. What It Takes to Boost Internet of Things Privacy Beyond Encryption with Unobservable Communication: A Survey and Lessons Learned from the First Implementation of DC-Net[J]. Journal of Reliable Intelligent Environments, 2019, 5(1): 41-64.
[21]	PIOTROWSKA A M, HAYES J, ELAHI T, et al. The Loopix Anonymity System[C]// USENIX.26th USENIX Security Symposium (USENIX Security 17). Berkeley: USENIX, 2017: 1199-1216.
[22]	CHAUM D, DAS D, JAVANI F, et al. cMix: Mixing with Minimal Real-Time Asymmetric Cryptographic Operations[C]// Springer. Applied Cryptography and Network Security:15th International Conference, ACNS 2017. Heidelberg: Springer, 2017: 557-578.
[23]	GUIRAT I B, GOSAIN D, DIAZ C. MiXiM: A General Purpose Simulator for Mixnet[EB/OL]. (2021-11-15)[2024-06-10]. https://doi.org/10.1145/3463676.3485613.
[24]	DIAZ C, HALPIN H, KIAYIAS A. The Nym Network: The Next Generation of Privacy Infrastructure[EB/OL]. [2024-06-10]. https://api.semanticscholar.org/CorpusID:233218535.
[25]	DINGLEDINE R, MATHEWSON N, SYVERSON P F. Tor: The Second-Generation Onion Router[EB/OL]. (2004-08-13)[2024-06-10]. https://api.semanticscholar.org/CorpusID:8274154.
[26]	REN Jian, WU Jie. Survey on Anonymous Communications in Computer Networks[J]. Computer Communications, 2010, 33(4): 420-431.
[27]	ZHANG Jin. Research on Routing Technology of Tor Anonymous Communication System[D]. Beijing: Beijing Jiaotong University, 2021.
	张瑾. Tor匿名通信系统路由选择技术研究[D]. 北京: 北京交通大学, 2021.
[28]	HUANG Yaya. Research on Traffic Feature Hiding Technology for Encryption Traffic[D]. Guangzhou: Guangzhou University, 2023.
	黄雅雅. 面向加密流量的流量特征隐藏技术研究[D]. 广州: 广州大学, 2023.
[29]	ROCHET F, PEREIRA O. Waterfilling: Balancing the Tor Network with Maximum Diversity[EB/OL]. (2016-09-14)[2024-06-10]. https://doi.org/10.48550/arXiv.1609.04203.
[30]	VAN D H J, LAZAR D, ZAHARIA M, et al. Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis[C]// ACM. Proceedings of the 25th Symposium on Operating Systems Principles. New York: ACM, 2015: 137-152.
[31]	LU Tianbo, DU Zeyu, JANE W Z. A Survey on Measuring Anonymity in Anonymous Communication Systems[J]. IEEE Access, 2019, 7: 70584-70609. doi: 10.1109/ACCESS.2019.2919322
[32]	KOTZANIKOLAOU P, CHATZISOFRONIOU G, BURMESTER M. Broadcast Anonymous Routing (BAR): Scalable Real-Time Anonymous Communication[J]. International Journal of Information Security, 2017, 16(3): 313-326.
[33]	CHAUM D. The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability[J]. Journal of Cryptology, 1988, 1(1): 65-75.
[34]	BARMAN L, DACOSTA I, ZAMANI M, et al. PriFi: Low-Latency Anonymity for Organizational Networks[EB/OL]. (2017-10-27)[2024-06-10]. https://arxiv.org/abs/1710.10237.
[35]	MODINGER D, HEB A, HAUCK F J. Arbitrary Length K-Anonymous Dining-Cryptographers Communication[EB/OL]. (2021-03-31)[2024-06-10]. https://arxiv.org/abs/2103.17091.
[36]	PFITZMANN A, HANSEN M. A Terminology for Talking about Privacy by Data Minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management[EB/OL]. (2010-08-10)[2024-06-10]. https://api.semanticscholar.org/CorpusID:150929990.
[37]	EDMAN M, YENER B. On Anonymity in an Electronic Society[J]. ACM Computing Surveys, 2009, 42(1): 1-35.
[38]	STAUDEMEYER R C, POHLS H C, WOJCIK M. The Road to Privacy in IoT: Beyond Encryption and Signatures, towards Unobservable Communication[C]// IEEE. 2018 IEEE 19th International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM). New York: IEEE, 2018: 14-20.
[39]	ALEXOPOULOS N, KIAYIAS A, TALVISTE R, et al. {MCMix}: Anonymous Messaging via Secure Multiparty Computation[C]// USENIX. 26th USENIX Security Symposium (USENIX Security 17). Berkeley: USENIX, 2017: 1217-1234.

类别	方法	匿名性	不可关联性	不可观测性	计算开销	延迟
代理	Shadowsocks	不稳定（仅具备关系匿名性）	无	无	低	低
隧道	MVPN	不稳定（仅具备关系匿名性）	无	无	低	低
Mix 网络	Loopix	稳定	稳定	接收者不稳定，其他稳定	高	可改变
	cMix	稳定	稳定	无	部署中等，通信低	中
	Nym	稳定	稳定	稳定	N/A	N/A
匿名路由	Tor	不稳定	无	无	高	低
匿名路由	Vuvuzela	不稳定	不稳定	不稳定	高	高
广播/多播	BAR	稳定	不稳定	无	高	部署高，通信中等
	DC网络	不稳定	不稳定	不稳定	中	高
	PriFi	不稳定	不稳定	不稳定	高	中
	K匿名DC 网络	稳定	稳定	稳定	中	中