摘要
包间隔(inter-packetdelay,IPD)是流关联技术中应用最为广泛的流特征之一,通过在输出流中选取合适的报文样本,计算其基于IPD的统计特征值,并利用关联算法计算与输入流之间的相似性.然而,在传输过程中网络上的各种干扰会破坏流之间的同步性,导致关联起始时间、包间隔等对应关系的错位,严重影响流关联技术的检测率.详细分析了对流的各种干扰,提出基于匹配集的同步思想,为输入流中的每个关联点在输出流中指定若干可能的映射.以贪心法和递进法为基本思路分别提出了同步算法,可以有效提高流同步技术的效果.实验结果表明,该方法能够解决存在干扰的情况下的流同步问题,对提高流关联技术的检测率具有显著效果.
As one of the most important network flow characteristics, Inter-packet delay (IPD) is used by lots of flow correlation techniques. It selects appropriate packet samples in the output flow to calculate the statistical characteristics based on IPDs, and estimates the similarity to the input flow's characteristics using correlation algorithms. However, perturbations during flow transmission will destroy the synchronization among flows and mismatch the correlation start point and IPDs, which significantly decreases the detection rate. All types of perturbations are summarized in this paper and a new matching-set based synchronization idea is introduced, which assigns several possible mappings for each correlation point. Two synchronization algorithms based on greedy and progressive methods are proposed to improve the effect of flow correlation techniques. The experimental result shows that the proposal in this paper can effectively solve the synchronization problem in the case of flow perturbation and increase the detection rate of IPD based flow correlation techniques.
出处
《计算机研究与发展》
EI
CSCD
北大核心
2011年第9期1643-1651,共9页
Journal of Computer Research and Development
基金
国家自然科学基金项目(60903161
60903162
90912002)
国家"九七三"重点基础研究发展计划基金项目(2010CB328104)
国家科技支撑计划课题(2010BAI88B03)
国家科技重大专项(2009ZX03004-004-04)
高等学校博士学科点专项科研基金项目(200802860031)
江苏省自然科学基金项目(BK2008030)
"信息安全"国家重点实验室(中国科学院研究生院)开放课题
江苏省"网络与信息安全"重点实验室(BM2003201)
"计算机网络和信息集成"教育部重点实验室(93K-9)
关键词
流关联
包间隔
匹配集
最佳匹配
同步算法
flow correlation
inter-packet delay~ matching set
best matching
synchronization algorithms
