Abstract
Accurately and efficiently identifying malicious traffic in backbone network traffic has long been a pressing need in network security. This paper designs a malicious-traffic detection and identification method built on eight kinds of transport-layer session features, and combines it with fixed packet-content signatures to implement a real-time malicious-traffic identification engine. The session behaviour features chosen for the system, namely the bidirectional packet-length distribution of a session, the occurrence frequency of different byte values, the byte-data reuse value and the inter-packet time interval, are highly general and discriminate well between protocols, so they support extension of the system to further protocols. Experimental results show that the identification system built on this engine needs to process only the first 20-30 packets of a session to identify its protocol, which satisfies the real-time requirement while maintaining high identification accuracy.
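To make the feature set concrete, the following is an added Python example, not code from the paper or its authors. It computes one plausible version of the four behaviour features named in the abstract from only the first N packets of a session and combines them with a fixed-signature check in the order the abstract describes (signature first, behavioural features otherwise). The feature definitions (length-histogram bins, Shannon entropy of the byte-value frequencies, reuse of 4-byte windows as the "byte reuse value", mean and standard deviation of inter-arrival times), the nearest-profile decision rule, the hypothetical `GET ` signature, and the two sample sessions are all this example's own assumptions, constructed here; the paper's exact formulas, thresholds and classifier are not given in the abstract.

```python
import math
import random
from bisect import bisect_right
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: float         # capture time in seconds
    to_server: bool   # True for client->server, False for server->client
    payload: bytes    # transport-layer payload only (headers stripped)


# Histogram edges in bytes for the packet-length distribution (assumed bins).
LENGTH_BINS = (0, 64, 128, 256, 512, 1024)
NGRAM = 4  # window size for the byte-reuse feature (assumed definition)


def length_distribution(pkts: List[Packet], to_server: bool) -> List[float]:
    """Fraction of one direction's packets falling into each LENGTH_BINS bucket."""
    counts = [0] * len(LENGTH_BINS)
    n = 0
    for p in pkts:
        if p.to_server == to_server:
            counts[bisect_right(LENGTH_BINS, len(p.payload)) - 1] += 1
            n += 1
    return [c / n for c in counts] if n else [0.0] * len(LENGTH_BINS)


def byte_entropy(pkts: List[Packet]) -> float:
    """Shannon entropy in bits of the byte-value frequencies over all payloads."""
    freq = Counter(b for p in pkts for b in p.payload)
    total = sum(freq.values())
    return -sum(c / total * math.log2(c / total) for c in freq.values()) if total else 0.0


def byte_reuse(pkts: List[Packet]) -> float:
    """Fraction of NGRAM-byte windows that already occurred earlier in the session.
    Plaintext protocols repeat headers and keywords; encrypted payloads almost never do."""
    seen, reused, total = set(), 0, 0
    for p in pkts:
        for i in range(len(p.payload) - NGRAM + 1):
            gram = p.payload[i:i + NGRAM]
            total += 1
            if gram in seen:
                reused += 1
            seen.add(gram)
    return reused / total if total else 0.0


def interarrival_stats(pkts: List[Packet]) -> Tuple[float, float]:
    """Mean and population standard deviation of gaps between consecutive packets."""
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    if not gaps:
        return 0.0, 0.0
    mean = sum(gaps) / len(gaps)
    return mean, math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))


def session_features(pkts: List[Packet], window: int = 20) -> List[float]:
    """Behavioural feature vector computed from only the first `window` packets."""
    head = pkts[:window]
    mean, std = interarrival_stats(head)
    return (length_distribution(head, True) + length_distribution(head, False)
            + [byte_entropy(head) / 8.0, byte_reuse(head), mean, std])


def signature_match(pkts: List[Packet], signatures: Dict[str, bytes]) -> Optional[str]:
    """Fixed-signature check on the first client payload: a known prefix wins outright."""
    first = next((p.payload for p in pkts if p.to_server and p.payload), b"")
    return next((name for name, sig in signatures.items() if first.startswith(sig)), None)


def identify(pkts: List[Packet], signatures: Dict[str, bytes],
             profiles: Dict[str, List[float]], window: int = 20) -> str:
    """Signature first; otherwise the nearest reference profile in feature space."""
    head = pkts[:window]
    label = signature_match(head, signatures)
    if label is not None:
        return label
    vec = session_features(head, window)
    return min(profiles, key=lambda name: math.dist(vec, profiles[name]))


# --- constructed sample sessions (synthetic, not captured traffic) ----------
def make_session(payloads: List[Tuple[bool, bytes]], gap: float) -> List[Packet]:
    return [Packet(i * gap, d, b) for i, (d, b) in enumerate(payloads)]


def random_bytes(n: int, seed: int) -> bytes:
    rng = random.Random(seed)  # deterministic stand-in for an encrypted stream
    return bytes(rng.getrandbits(8) for _ in range(n))


PLAINTEXT_SESSION = make_session([
    (True,  b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (False, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    (True,  b"GET /a.css HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (False, b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nabc"),
], gap=0.05)
OPAQUE_SESSION = make_session(
    [(i % 2 == 0, random_bytes(600, i)) for i in range(8)], gap=0.5)

PROFILES = {"plaintext-web": session_features(PLAINTEXT_SESSION),
            "opaque-tunnel": session_features(OPAQUE_SESSION)}
SIGNATURES = {"plaintext-web": b"GET "}  # hypothetical fixed packet signature

if __name__ == "__main__":
    for name, s in (("plaintext", PLAINTEXT_SESSION), ("opaque", OPAQUE_SESSION)):
        print(name, [round(x, 3) for x in session_features(s)])
    print(identify(OPAQUE_SESSION, SIGNATURES, PROFILES))
```

Two design points worth noting. The reuse feature is computed over 4-byte windows rather than single byte values because a per-byte "already seen" ratio saturates after the 256 possible values appear and then stops separating plaintext from encrypted traffic on longer sessions. And `session_features` slices to `window` packets before doing anything else, which is what bounds the per-session cost the abstract's 20-30 packet figure refers to; anything a protocol only reveals later in the session is invisible to this engine by construction.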
Source
Journal of Chinese Computer Systems (小型微型计算机系统), 2015, No. 5, pp. 959-963 (5 pages)
Indexing: CSCD; Peking University Core Journal list (北大核心)
Funding
Supported by the National Natural Science Foundation of China (grants 61272422 and 61202353)
Keywords
malicious traffic
transport layer
session characteristics
detection and identification