Detection and Countermeasure of Encrypted Malicious Traffic: A Survey
Author: 侯剑 (Hou Jian), 鲁辉 (Lu Hui), 刘方爱 (Liu Fang'ai), 王兴伟 (Wang Xingwei), 田志宏 (Tian Zhihong)
Affiliation:

Abstract:

Encrypting network traffic protects corporate data and user privacy, but it also makes malicious traffic harder to detect. Classified by how the encrypted traffic is handled, encrypted malicious traffic detection divides into active and passive detection. Active detection either decrypts the traffic before inspecting it or inspects it under searchable encryption; research there focuses on preserving privacy and improving detection efficiency, and this survey examines the use of trusted execution environments and of transport protocols designed to give inspection middleboxes controlled access to a session. Passive detection identifies encrypted malicious traffic transparently to users, without performing any encryption or decryption operation; research there focuses on selecting and constructing features. The survey reviews detection methods built on three kinds of features, side-channel features (packet lengths, timing and other flow statistics), plaintext features (unencrypted handshake and certificate fields) and raw traffic bytes, and summarizes the experimental evaluations of the corresponding models. Finally, it assesses the feasibility of countermeasures against encrypted malicious traffic detection from three angles: obfuscating traffic characteristics, interfering with the learning algorithm, and hiding the information the detectors rely on.
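As an added example (not code from the survey or its authors), the block below shows the two passive-detection feature families named above and one countermeasure against them. It builds a constructed TLS 1.2 ClientHello and parses its plaintext fields (SNI, cipher suites, extension list, supported groups, point formats), reduces them to a JA3-style fingerprint (the same five fields JA3 uses, MD5-hashed; GREASE filtering is omitted), computes side-channel features from a constructed (timestamp, direction, length) flow without reading any payload, and then pads packet lengths to a fixed block size to show how "obfuscating traffic characteristics" moves a flow away from its own length-sequence profile while the plaintext fingerprint is unaffected. The hostname, the sample flow and the 256-byte padding block are assumptions made for this example.

```python
# Added example, not code from the survey: plaintext and side-channel feature
# extraction for passive detection of encrypted traffic, plus a padding
# countermeasure. Sample flow, hostname and the 256-byte pad block are assumptions.
import hashlib
import statistics
import struct


def build_client_hello(sni: bytes, ciphers: list, groups: list) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not a capture)."""
    sni_name = struct.pack("!BH", 0, len(sni)) + sni                   # name_type=host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_name) + 2, len(sni_name)) + sni_name
    grp = b"".join(struct.pack("!H", g) for g in groups)
    groups_ext = struct.pack("!HHH", 10, len(grp) + 2, len(grp)) + grp  # supported_groups
    pf_ext = struct.pack("!HHBB", 11, 2, 1, 0)                         # ec_point_formats
    exts = sni_ext + groups_ext + pf_ext
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32)                                    # version, fixed random
            + b"\x00"                                                  # empty session_id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                              # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                 # handshake type 1
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs          # record type 22


def parse_client_hello(record: bytes) -> dict:
    """Read the unencrypted ClientHello fields that plaintext-feature detectors use."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    info = {"version": struct.unpack("!H", record[9:11])[0], "ciphers": [],
            "extensions": [], "groups": [], "formats": [], "sni": None}
    p = 43 + 1 + record[43]                                            # skip random + session_id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    info["ciphers"] = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                                                 # compression methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + elen]; p += 4 + elen
        info["extensions"].append(etype)
        if etype == 0:                                                 # server_name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == 10:                                              # supported_groups
            info["groups"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, len(data), 2)]
        elif etype == 11:                                              # ec_point_formats
            info["formats"] = list(data[1:])
    return info


def ja3_style(info: dict) -> tuple:
    """JA3-style fingerprint: the five JA3 fields joined and MD5-hashed (GREASE filtering omitted)."""
    fields = [str(info["version"])] + ["-".join(map(str, info[k]))
                                       for k in ("ciphers", "extensions", "groups", "formats")]
    text = ",".join(fields)
    return text, hashlib.md5(text.encode()).hexdigest()


def side_channel_features(pkts: list, n_first: int = 6) -> dict:
    """Flow statistics from (timestamp, direction, length) only; direction +1 = client->server."""
    lens = [l for _, _, l in pkts]
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    return {"pkts": len(pkts),
            "bytes_out": sum(l for _, d, l in pkts if d > 0),
            "bytes_in": sum(l for _, d, l in pkts if d < 0),
            "len_mean": statistics.fmean(lens),
            "len_std": statistics.pstdev(lens),
            "iat_mean": statistics.fmean(gaps) if gaps else 0.0,
            "signed_lens": [d * l for _, d, l in pkts[:n_first]]}


def pad_lengths(pkts: list, block: int = 256) -> list:
    """Countermeasure: round every packet length up to a multiple of `block` (timing untouched)."""
    return [(t, d, -(-l // block) * block) for t, d, l in pkts]


def l1_distance(a: dict, b: dict) -> float:
    """L1 distance between signed first-packet-length sequences, as distance-based detectors use."""
    return float(sum(abs(x - y) for x, y in zip(a["signed_lens"], b["signed_lens"])))


# Constructed sample flow: (seconds, direction, TLS record length). Not a real capture.
SAMPLE_FLOW = [(0.000, +1, 517), (0.031, -1, 1460), (0.032, -1, 1200), (0.040, +1, 93),
               (0.041, +1, 51), (0.070, -1, 51), (0.200, +1, 610), (0.240, -1, 2900)]
SAMPLE_HELLO = build_client_hello(b"example.com", [0xC02F, 0xC030, 0x009C], [0x001D, 0x0017])

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE_HELLO)
    print("SNI:", info["sni"], "JA3-style:", ja3_style(info))
    base = side_channel_features(SAMPLE_FLOW)
    padded = side_channel_features(pad_lengths(SAMPLE_FLOW))
    print("original:", base["signed_lens"], "padded:", padded["signed_lens"],
          "L1 shift:", l1_distance(base, padded))
```

Running the block shows the trade-off the abstract's last sentence refers to: padding shifts every length-derived feature (the signed length sequence moves by an L1 distance of 980 for the sample flow), but it leaves `iat_mean` and the plaintext fingerprint untouched, so a defense that only pads lengths does nothing against timing-based or handshake-metadata-based detection.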

Get Citation

侯剑,鲁辉,刘方爱,王兴伟,田志宏.加密恶意流量检测及对抗综述.软件学报,2024,35(1):333-355
Hou J, Lu H, Liu FA, Wang XW, Tian ZH. Detection and countermeasure of encrypted malicious traffic: A survey. Journal of Software, 2024, 35(1): 333–355 (in Chinese with English abstract).
History
  • Received: September 27, 2021
  • Revised: February 20, 2022
  • Online: July 28, 2023
  • Published: January 6, 2024
Copyright: Institute of Software, Chinese Academy of Sciences