基于机器学习的移动代理应用流量识别方法

摘要/Abstract

摘要： 随着移动网络的迅速发展，越来越多的用户选择使用代理应用，以保护个人网络隐私，隐藏上网行为或绕开网络活动限制，给网络管理与审计带来了新的挑战。与此同时，恶意攻击者可利用代理应用隐藏身份，使得恶意行为更难以检测和防范。因此，代理应用流量识别对网络管理与安全具有重要的作用，但目前该问题并未得到充分的研究。由于代理应用流量通常经过加密或混淆处理，传统的流量识别技术无法被有效应用。为实现准确、快速的移动代理应用流量识别，提出一组与负载无关的流量特征，并首次加入TCP层option字段用于刻画流量。基于4种机器学习算法训练的分类器和2种流量识别对象，验证提出的特征对识别移动代理应用流量的有效性，并对各类特征的重要性进行分析。实验结果表明，提出的特征能有效识别代理应用流量。在识别流量是否经由代理时，基于随机森林的分类器可达到99%以上的整体准确率。识别流量所属代理应用时，整体准确率高于94%。在公开数据集ISCX VPN-nonVPN上与其他方法相比，提出的方法识别准确率更高，并具有更快的识别速度，适合实时流量识别场景。

关键词: 代理应用流量识别, 移动应用, 机器学习, 流量特征, 决策树

Abstract: With the rapid development of mobile networks, more users choose to protect privacy, hide online behavior and bypass the restrictions of networks by using proxy applications. As a result, new challenges are brought to network management and auditing. In addition, malicious attackers can use proxy to hide their identity, making it more difficult to detect and prevent such malicious behavior. Therefore, proxy application traffic identification plays an important role in network management and security, while this issue has not been fully studied at present. Because the proxy application traffic is usually encrypted and obfuscated, the traditional traffic identification methods can not be applied effectively. To achieve accurate and fast traffic identification of mobile proxy applications, a set of side- channel traffic features that are independent of the payload is proposed. The option field in the TCP header is used for the first time to describe the traffic characteristics. Four machine learning algorithms with two kinds of identification objects are utilized to validate the effectiveness and importance of the proposed feature set. The experimental results show that the proposed features can effectively identify proxy application traffic. More than 99% accuracy can be achieved when identifying whether traffic is forwarded by proxy applications based on random forest. Moreover, the average accuracy is higher than 94% when identifying which proxy application the traffic belongs to. Compared with other methods, the proposed method has better accuracy and faster classification speed on the public dataset ISCX VPN- nonVPN. Hence, it is more suitable for real-time traffic identification scenarios.

Key words: proxy application traffic identification, mobile application, machine learning, traffic feature, decision tree

崔弘, 赵双, 张广胜, 苏金树. 基于机器学习的移动代理应用流量识别方法[J]. 计算机工程与科学, 2022, 44(04): 654-664.

CUI Hong, ZHAO Shuang, ZHANG Guang-sheng, SU Jin-shu. A mobile proxy application traffic identification method based on machine learning[J]. Computer Engineering & Science, 2022, 44(04): 654-664.

参考文献［24］

［1］	The 44th China statistical report on Internet development［EB/OL］.［2019-08-31］.http:∥www.cnnic.net.cn/hlwfzyj/hlwxzbg/hlwtjbg/201908/P020190830356787490958.pdf.
［2］	Janbeglou M, Brownlee N. Identifying tunnelled proxies through passively monitoring network traffic［C］∥Proc of 2016 IEEE 18th International Conference on High Performance Computing and Communications；IEEE 14th International Conference on Smart City；IEEE 2nd International Conference on Data Science and Systems,2016:63-69.
［3］	Miller S, Curran K, Lunney T. Multilayer perceptron neural network for detection of encrypted VPN network traffic［C］∥Proc of International Conference on Cyber Situational Awareness,Data Analytics and Assessment,2018:1-8.
［4］	Deng Z Y, Liu Z H,Chen Z G,et al.The random forest based detection of Shadowsocks traffic［C］∥Proc of 2017 9th International Conference on Intelligent Human-Machine Systems and Cybernetics,2017:75-78.
［5］	Zeng X M, Chen X S, Shao G L,et al.Flow context and host behavior based Shadowsocks’s traffic identification［J］.IEEE Access,2019,7:41017-41032.
［6］	Cheng J X, Li Y, Huang C, et al.ACER:Detecting Shadowsocks server based on active probe technology［J］.Journal of Computer Virology and Hacking Techniques,2020,16:217-227.
［7］	Tang Shu-ye, Cheng Guang,Jiang Bo-miao,et al.Detection and recognition of VPN encrypted traffic based on segmented entropy distribution［J］.Information Security and Technology,2020,11(8):23-27.(in Chinese)
［8］	Draper-Gil G,Lashkari A H,Mamun M S I,et al.Characterization of encrypted and VPN traffic using time-related features［C］∥Proc of the International Conference on Information Systems Security and Privacy,2016:94-98.
［9］	Chen Y G, Zang T N,Zhang Y Z,et al.Rethinking encrypted traffic classification:A multi-attribute associated fingerprint approach［C］∥Proc of IEEE 27th International Conference on Network Protocols,2019:1-11.
［10］	Sengupta S,Ganguly N, De P, et al.Exploiting diversity in Android TLS implementations for mobile app traffic classification［C］∥Proc of the World Wide Web Conference,2019:1657-1668.
［11］	Lotfollahi M, Siavoshani M J, Zade R S H,et al.Deep packet:A novel approach for encrypted traffic classification using deep learning［J］.Soft Computing,2020,24:1999-2012.
［12］	Guo L L, Wu Q Q, Liu S L,et al.Deep learning-based real-time VPN encrypted traffic identification methods［J］.Journal of Real-Time Image Processing,2020,17:103-114.
［13］	Cui S S, Jiang B, Cai Z Z, et al.A session-packets-based encrypted traffic classification using capsule neural networks［C］∥Proc of 2019 IEEE 21st International Conference on High Performance Computing and Communications；IEEE 17th International Conference on Smart City；IEEE 5th International Conference on Data Science and Systems,2019:429-436.
［14］	Bagui S,Fang X G,Kalaimannan E,et al.Comparison of machine-learning algorithms for classification of VPN network traffic flow using time-related features［J］.Journal of Cyber Security Technology,2017,1(2):108-126.
［15］	Casino F,Choo K-K R, Patsakis C. HEDGE:Efficient traffic classification of encrypted and compressed packets［J］.IEEE Transactions on Information Forensics and Security,2019,14(11):2916-2926.
［16］	Zou Z, Ge J G, Zheng H B,et al.Encrypted traffic classification with a convolutional long short-term memory neural network［C］∥Proc of IEEE 20th International Conference on High Performance Computing and Communications；IEEE 16th International Conference on Smart City；IEEE 4th International Conference on Data Science and Systems,2018:329-334.
［17］	Dong C, Zhang C, Lu Z G,et al.CETAnalytics:Comprehensive effective traffic information analytics for encrypted traffic classification［J］.Computer Networks,2020,176:107258.
［18］	Clowwindy M,Max L.Shadowsocks:A secure socks5 proxy,designed to protect your Internet traffic ［EB/OL］.［2020-06-30］.http:∥www.shadowsocks.org/.
［19］	Vincent F T,Riccardo S,Mauro C,et al.Robust smartphone app identification via encrypted network traffic analysis［J］.IEEE Transactions on Information Forensics and Security,2017,13(1):63-78.
［20］	Chen T Q,Carlos G.XGBoost:A scalable tree boosting system［EB/OL］.［2016-03-09］.https:∥arXiv.org/abs/1603.02754.
［21］	Foroushani V A, Zincir-Heywood A N.A proxy identifier based on patterns in traffic flows［C］∥Proc of IEEE 16th International Symposium on High Assurance Systems Engineering,2015:118-125.
［22］	Wang Z X, Wang P, Zhou X K,et al.FLOWGAN:Unbalanced network encrypted traffic identification method based on GAN［C］∥Proc of IEEE International Conference on Parallel and Distributed Processing with Applications,Big Data and Cloud Computing,Sustainable Computing and Communications,Social Computing and Networking,2019:975-983.
［23］	Vu L, Thuy H V, Nguyen Q U,et al.Time series analysis for encrypted traffic classification:A deep learning approach［C］∥Proc of 2018 28th International Symposium on Communications and Information Technologies,2018:121-126.
［24］	Wang Lin, Feng Hua-min,Liu Biao,et al.SSL VPN encrypted traffic identification based on hybrid method［J］.Computer Applications and Software,2019,36(2):315-322.(in Chinese)
［25］	Aceto G, Ciuonzo D, Montieri A, et al.Multi-classification approaches for classifying mobile app traffic［J］.Journal of Network and Computer Applications,2018,103:131-145.
［26］	Wireshark ［EB/OL］.［2020-07-01］.https:∥www.wireshark.org/.
［27］	scikit-learn:Machine learning in Python［EB/OL］.［2020-07-01］.http:∥scikit-learn.org/stable/.
［28］	V2Ray ［EB/OL］.［2020-12-10］.https:∥github.com/v2ray/v2ray-core/releases/.
	附中文参考文献：
［7］	唐舒烨,程光,蒋泊淼,等.基于分段熵分布的VPN加密流量检测与识别方法［J］.网络空间安全,2020,11(8):23-27.
［24］	王琳,封化民,刘飚,等.基于混合方法的SSL VPN加密流量识别研究［J］.计算机应用与软件,2019,36(2):315-322.

[1]	赵振宇, 杨天豪, 蒋汶乘, 张书政. 基于机器学习的多压多温多参标准单元延迟快速计算方法[J]. 计算机工程与科学, 2023, 45(08): 1331-1338.
[2]	李小玲, 方建滨, 马俊, 谭霜, 谭郁松. 基于监督学习的稀疏矩阵自动任务分配[J]. 计算机工程与科学, 2023, 45(05): 782-789.
[3]	胡艳芳, 熊文, 高炜. 基于 Spark 平台的网络游戏用户流失预测方法[J]. 计算机工程与科学, 2022, 44(10): 1730-1737.
[4]	唐阳坤, 鲜港, 杨文祥, 喻杰, 张晓蓉, 王耀彬. 基于用户行为的超级计算机作业失败预测方法[J]. 计算机工程与科学, 2022, 44(10): 1753-1761.
[5]	楚阳, 徐文龙. 基于计算机辅助诊断技术的阿尔兹海默症早期分类研究综述[J]. 计算机工程与科学, 2022, 44(05): 879-893.
[6]	刘国强, 赵振宇, 赵晨煜, 韩奥, 杨天豪. 基于机器学习的PCB布线电阻计算方法[J]. 计算机工程与科学, 2022, 44(03): 396-402.
[7]	李文丽. 基于朴素贝叶斯分类的网络谣言识别研究[J]. 计算机工程与科学, 2022, 44(03): 495-501.
[8]	贾俊杰, 段超强. 基于评分离散度的托攻击检测算法[J]. 计算机工程与科学, 2022, 44(03): 554-562.
[9]	曹良林, 贲可荣, 张献. 基于代理辅助多目标萤火虫算法的软件缺陷预测方法研究[J]. 计算机工程与科学, 2022, 44(02): 257-265.
[10]	张家灏, 邓科峰, 聂腾飞, 任开军, 宋君强. 基于机器学习的海洋中尺度涡检测识别研究综述[J]. 计算机工程与科学, 2021, 43(12): 2115-2125.
[11]	欧琦媛, 祝恩. 基于压缩子空间对齐的多核聚类算法[J]. 计算机工程与科学, 2021, 43(10): 1730-1735.
[12]	何静, 李晋文, 杨安毅. 基于机器学习方法的高速信道建模研究[J]. 计算机工程与科学, 2021, 43(06): 984-988.
[13]	曾杰, 贲可荣, 张献, 徐永士. 融合文本分布式表示的重复缺陷报告检测[J]. 计算机工程与科学, 2021, 43(04): 670-680.
[14]	王思齐, 胡婧韬, 余广, 祝恩, 蔡志平. 智能视频异常事件检测方法综述[J]. 计算机工程与科学, 2020, 42(08): 1393-1405.
[15]	余华鸿, 周凤艳, 陈毛毛. 基于机器学习的KDD-CUP99网络入侵检测数据集的分析[J]. 计算机工程与科学, 2019, 41(增刊S1): 91-97.