[1] XU Kui, HAI Yang, LI Xiao-hui, et al. DoH Traffic Detection Based on Entropy and Server Identification [J]. Computer Technology and Development, 2024, 34(04): 132-138. [doi:10.3969/j.issn.1673-629X.2024.04.020]

DoH Traffic Detection Based on Entropy and Server Identification

Computer Technology and Development [ISSN:1006-6977/CN:61-1281/TN]

Volume:
34
Issue:
2024, No. 04
Pages:
132-138
Column:
Cyberspace Security
Publication date:
2024-04-10

Article Info

Title:
DoH Traffic Detection Based on Entropy and Server Identification
Article number:
1673-629X(2024)04-0132-07
Author(s):
XU Kui1 HAI Yang1 LI Xiao-hui2 TAO Jun3
1. Communication Office of Baoji Public Security Bureau, Baoji 721014, China;
2. Baoji Chuangtian Qinghang Technology Development Co., Ltd., Baoji 721000, China;
3. School of Cyber Science and Engineering, Southeast University, Nanjing 211189, China
Keywords:
DNS over HTTPS; network traffic detection; information entropy; fingerprint identification; Transport Layer Security protocol
CLC number:
TP393
DOI:
10.3969/j.issn.1673-629X.2024.04.020
Abstract:
The DNS over HTTPS (DoH) protocol is the latest improvement to the Domain Name System (DNS). However, users can use third-party DoH services to evade the existing supervision of an internal network, so conventional abnormal-traffic detection methods are no longer suitable for detecting DoH traffic. To address this problem, a DTESI algorithm is proposed. First, DoH traffic is screened out as abnormal traffic from all network traffic on the basis of information entropy. Then, exploiting the characteristic that a DoH server always responds in the same way when establishing a TLS connection with the same client, the TLS negotiation between the client and the DoH server is checked by fingerprint identification to determine the identity of the DoH server. Finally, a Top-K sampling algorithm selects the K most active hosts in the network within a given period for focused traffic detection, so that the algorithm can be applied to the networks of medium and large organizations. Experimental results show that, for the abnormal traffic found, the accuracy with which DTESI identifies DoH service providers exceeds 94%. On this basis, the detection time of the algorithm and its coverage of all DoH traffic in the network are compared under different values of K, and the results show that a reasonable choice of K can improve the overall performance of the algorithm.
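To make the three-stage pipeline in the abstract concrete, the following Python sketch is an added example, not the authors' code. The page does not give the paper's entropy features, thresholds or fingerprint fields, so the 7.0-bit threshold, the ServerHello tuple hashed as the server fingerprint, the provider label and the flow records are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter

def server_fingerprint(server_hello):
    """Hash the ServerHello fields assumed stable per server: version, cipher, extensions."""
    version, cipher, extensions = server_hello
    raw = f"{version}|{cipher:04x}|{','.join(extensions)}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]

# Constructed reference table: fingerprint of a known DoH server's ServerHello
# -> provider label. In practice this is learned from labelled DoH sessions.
KNOWN_HELLO = ("TLS1.3", 0x1301, ("supported_versions", "key_share"))
KNOWN_SERVERS = {server_fingerprint(KNOWN_HELLO): "constructed-provider-A"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a payload; encrypted DoH bodies sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def top_k_hosts(flows, k):
    """Stage 3: the K clients with the most flows in the observation window."""
    return [h for h, _ in Counter(f["client"] for f in flows).most_common(k)]

def dtesi(flows, k, threshold=7.0):
    """Stages 1-3 combined: (client, server, provider) for each suspect flow."""
    watched = set(top_k_hosts(flows, k))
    hits = []
    for f in flows:
        if f["client"] not in watched:
            continue                      # outside the Top-K sample
        if shannon_entropy(f["payload"]) < threshold:
            continue                      # stage 1: not high-entropy traffic
        label = KNOWN_SERVERS.get(server_fingerprint(f["server_hello"]), "unknown")
        hits.append((f["client"], f["server"], label))   # stage 2: identify server
    return hits

HIGH = bytes(range(256)) * 4              # constructed payload that looks encrypted
LOW = b"AAAABBBB" * 64                    # constructed plaintext-like payload
OTHER_HELLO = ("TLS1.2", 0xC02F, ("renegotiation_info",))
FLOWS = [  # constructed sample flows: client, server, ServerHello, payload
    {"client": "10.0.0.5", "server": "203.0.113.10", "server_hello": KNOWN_HELLO, "payload": HIGH},
    {"client": "10.0.0.5", "server": "203.0.113.10", "server_hello": KNOWN_HELLO, "payload": HIGH},
    {"client": "10.0.0.5", "server": "198.51.100.7", "server_hello": OTHER_HELLO, "payload": LOW},
    {"client": "10.0.0.6", "server": "198.51.100.9", "server_hello": OTHER_HELLO, "payload": HIGH},
    {"client": "10.0.0.6", "server": "198.51.100.9", "server_hello": OTHER_HELLO, "payload": LOW},
    {"client": "10.0.0.7", "server": "198.51.100.7", "server_hello": OTHER_HELLO, "payload": LOW},
]
```

Calling `dtesi(FLOWS, k=2)` attributes both high-entropy flows from 10.0.0.5 to the constructed provider and reports the one from 10.0.0.6 as an unknown server, while 10.0.0.7 is never inspected because it falls outside the Top-2 sample.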
Last Update: 2024-04-10