CN109728977B - JAP anonymous flow detection method and system - Google Patents


Publication number
CN109728977B
CN109728977B CN201910033681.4A CN201910033681A CN109728977B CN 109728977 B CN109728977 B CN 109728977B CN 201910033681 A CN201910033681 A CN 201910033681A CN 109728977 B CN109728977 B CN 109728977B
Authority
CN
China
Prior art keywords
flow
jap
anonymous
traffic
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910033681.4A
Other languages
Chinese (zh)
Other versions
CN109728977A (en
Inventor
张小松
牛伟纳
赵艺宾
刘宪
葛洪麟
巫长勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Application filed by University of Electronic Science and Technology of China
Priority to CN201910033681.4A
Publication of CN109728977A
Application granted
Publication of CN109728977B
Legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a JAP anonymous traffic detection method and system, belonging to the technical field of anonymous traffic monitoring and network security. It solves the problem in the prior art that, because time intervals are used as the feature for detecting a user's hidden real IP, more traffic data is needed and anonymous traffic cannot be detected in real time. The method comprises: acquiring the TCP (Transmission Control Protocol) traffic and HTTP (Hypertext Transfer Protocol) traffic in collected JAP anonymous traffic and normal user traffic; classifying the TCP traffic and HTTP traffic according to source IP and target IP, and recombining the classified traffic to obtain classified recombined traffic packets; extracting from the recombined traffic packets the communication features of the user with the infoService server and with the Mix server respectively, and storing them in vector form; processing the stored feature vectors, training several machine learning models, testing them, and selecting the model with the best result as the test model; and inputting the traffic to be detected into the test model to complete JAP anonymous traffic detection. The method and system are used to detect the real IP of JAP anonymous traffic.

Description

JAP anonymous flow detection method and system
Technical Field
A JAP anonymous traffic detection method and system, used to detect the real IP of JAP anonymous traffic, belonging to the technical field of anonymous traffic monitoring and network security.
Background
To prevent private information from being disclosed or intercepted, more and more people are using anonymous communication software (such as Tor onion routing, VPNs and JAP) to protect it. Such software effectively disguises its users and prevents disclosure of their confidential information, but it is also used by lawbreakers, who use it to encrypt their communications and hide their true location, which makes it very inconvenient for auditing agencies to track and monitor criminals.
JAP is cross-platform anonymous communication software based on Mix encryption technology that provides an anonymous proxy service for Web traffic. The anonymous communication system consists mainly of the JAP client, the infoService server and the Mix nodes. The infoService server is a distributed storage server that stores Mix node state information, user information and network information, and can be regarded as a distributed database. A Mix node is a server providing store-and-forward. Three or more Mix nodes form a cascade; a cascade is the intermediate communication link between the start point and the end point, and a Mix node belongs to at most one cascade. JAP hides the real IP of a target server by adding the intermediate link, and one cascade can serve as the communication link for many users, so the real IP address of a client is difficult to find.
In the closest prior art, CN201410535015, detection relies on a time feature: the time interval between a GET request and a POST request is recorded and used as the feature, and the specific content of the anonymous traffic is not analyzed, so the false alarm rate for traffic that matches the time feature is high. Because the time-interval approach needs more traffic data to compute interval statistics, traffic cannot be detected in the initial stage of the anonymous network; in practice it can be detected only after part of the anonymous network's operations have already completed, so the approach is not real-time.
Disclosure of Invention
In view of the above problems, the object of the present invention is to provide a JAP anonymous traffic detection method and system that solve two problems in the prior art: using time intervals as the feature for detecting a user's hidden real IP requires more traffic data, so anonymous network traffic cannot be detected in real time; and existing methods cannot detect the traffic between the user and the infoService server while the anonymous network is being set up.
In order to achieve the purpose, the invention adopts the following technical scheme:
A JAP anonymous traffic detection method, characterized by comprising the following steps:
step 1, acquiring the TCP (Transmission Control Protocol) traffic and HTTP (Hypertext Transfer Protocol) traffic in collected JAP anonymous traffic and normal user traffic;
step 2, classifying the collected TCP flow and HTTP flow according to the source IP and the target IP, and performing flow recombination on the classified TCP flow and HTTP flow to obtain a classified recombined flow packet;
step 3, extracting the communication characteristics of the user in the recombined flow packet with the infoService server and the Mix server respectively, and storing the communication characteristics in a vector form;
step 4, after the communication characteristics stored in the vector form are processed, training various machine learning models, testing the trained machine learning models, and selecting the machine learning model with the best result as a test model;
step 5, inputting the traffic to be detected into the test model to complete JAP anonymous traffic detection.
Further, the specific steps of step 1 are as follows:
step 1.1, simulating a real use environment of JAP anonymous proxy software;
step 1.2, using JAP anonymous proxy software to access a network, and collecting JAP anonymous traffic when the anonymous network is used;
step 1.3, closing JAP anonymous proxy software and collecting normal user flow when the network is normally accessed;
step 1.4, selecting the TCP traffic and HTTP traffic from the traffic collected in step 1.2 and step 1.3.
Further, the specific steps of step 2 are as follows:
step 2.1: extracting data packets of two parties of the same communication according to the IP addresses to obtain TCP flow and HTTP flow of the two parties of the same communication, wherein the same communication refers to the same communication IP;
step 2.2: recombining the TCP traffic and the HTTP traffic of the same communication according to the communication sequence of each flow in the JAP anonymous traffic and the normal user traffic, to obtain a classified recombined traffic packet.
Further, the specific steps of step 3 are as follows:
step 3.1, analyzing the recombined traffic packet according to a protocol structure to find the communication characteristics of the user with the infoService server and the Mix server respectively, namely analyzing the position of each communication characteristic in the recombined traffic packet;
step 3.2, extracting the communication features of the infoService server and the Mix server from the recombined traffic packet, the communication features comprising port numbers, special field ratios, statistical information, special port number ratios and whether the IP is domestic, and storing the extracted communication features of the infoService server and of the Mix server in vector form respectively.
Further, the specific steps of step 4 are as follows:
step 4.1, performing labeling processing on the communication characteristics stored in the vector form according to the IP of the infoService server and the IP of the Mix server, and randomly dividing a labeled communication characteristic set into a test set and a training set, namely extracting the characteristics of a part of two communication parties as the training set, and extracting the other part of the two communication parties as the test set;
step 4.2, training a plurality of machine learning models with the training set to obtain a plurality of trained machine learning models, the plurality of machine learning models comprising 8 types: logistic regression model, Gaussian Bayes model, hierarchical Bayes model, Bernoulli Bayes model, decision tree model, SVM classifier, kNN classifier and multi-layer perceptron;
step 4.3, testing the 8 trained machine learning models with the test set respectively and checking whether one trained machine learning model reaches an expected value; if so, obtaining 8 finally trained machine learning models; otherwise, changing the training set by adjusting the proportion of differently labeled data or adding noise data, and repeating step 4.2 to step 4.3;
step 4.4, comparing the obtained 8 finally trained machine learning models and selecting the model with the best result as the final test model.
Further, the expected value is 90%.
A JAP anonymous flow detection system is characterized by comprising a plurality of JAP flow detection modules for detecting network ports, wherein the JAP flow detection modules detect anonymous flow of network port flow based on a test model.
Compared with the prior art, the invention has the beneficial effects that:
1. The JAP anonymous network traffic detection method and system first classify the TCP traffic and HTTP traffic of the collected JAP anonymous traffic and normal user traffic, and then recombine the data packets to obtain classified recombined traffic packets. The features in the recombined traffic packets, including the communication features of the user with the infoService server and of the user with the Mix server, are analyzed, and 12-dimensional features are then extracted from the pcap files classified by the two communicating parties (that is, the stored recombined traffic packets): the number of ports used by host 1, the number of ports used by host 2, the ratio of packets with a 998-byte data segment, the ratio of packets with the Mix field, the ratio of packets with the infoService field, the ratio of packets with the cascade field, the ratio of packets with the jondonym field, the ratio of port 443, the ratio of port 80, the ratio of port 6554, whether a foreign IP appears, and the text/xml field. The communication features are labeled according to the previously analyzed infoService server IP and Mix server IP to distinguish them from normal traffic, machine learning models are trained on the labeled features, and the model with the best test result is selected as the final detection model. For anonymous network traffic carried over JAP, the method can detect the real IP of a user of the JAP anonymous communication software and the IP address of the first Mix node, with good classification effect and high classification precision, which can reach more than 98%.
2. The JAP anonymous proxy software used in the invention is open source, so a user can build servers independently without using the officially designated servers. Because the method relies on communication features and does not directly designate a certain static IP as anonymous traffic, it also has a good detection effect on a self-built JAP anonymous network.
3. The invention collects anonymous traffic and analyzes the specific content of the anonymous traffic packets, which includes some statistical information, for a total of 12 feature dimensions. The features do not include time intervals, so detection does not need much traffic data and can be performed even on a single piece of data. The features also include the communication features of the infoService when JAP connects, so anonymous traffic can be detected in the JAP connection stage.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and that for those skilled in the art, other relevant drawings can be obtained according to the drawings without inventive effort, wherein:
FIG. 1 is a flow chart of the JAP anonymous network traffic detection method of the present invention;
FIG. 2 is a schematic view of the detection system of the present invention;
FIG. 3 is a flow chart of the training of the machine learning model in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It is noted that relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The method addresses the problem that users hide themselves in the network using JAP anonymity software and network supervisors cannot tell which traffic is normal and which is anonymous; a detection method is provided.
A JAP anonymous traffic detection method comprises the following steps:
step 1, acquiring the TCP (Transmission Control Protocol) traffic and HTTP (Hypertext Transfer Protocol) traffic in collected JAP anonymous traffic and normal user traffic;
step 2, classifying the collected TCP traffic and HTTP traffic according to the source IP and the target IP, and performing traffic recombination on the classified TCP traffic and HTTP traffic to obtain a classified recombined traffic packet;
step 3, extracting the communication characteristics of the user in the recombined flow packet with the infoService server and the Mix server respectively, and storing the communication characteristics in a vector form;
step 4, after the communication characteristics stored in the vector form are processed, training various machine learning models, testing the trained machine learning models, and selecting the machine learning model with the best result as a test model;
step 5, inputting the traffic to be detected into the test model to complete JAP anonymous traffic detection.
Firstly, building a JAP anonymous flow network, collecting TCP flow and HTTP flow when JAP anonymous proxy software is used, then classifying the flows according to two communication parties, and recombining the classified TCP flow and HTTP flow to obtain a classified recombined flow packet; then analyzing the traffic characteristics of the user and the infoService server in the communication, and the user and the Mix server, and carrying out characteristic statistics according to the classified data packets (namely the classified recombined traffic packets) of the two communication parties; and finally, training by using 8 machine learning algorithms, judging whether to update the training set for retraining according to the training result until an expected result is achieved, and selecting the best model as a JAP anonymous network flow detection model.
A JAP anonymous flow detection system comprises a plurality of JAP flow detection modules for detecting network ports, wherein the JAP flow detection modules detect anonymous flow of network port flow based on a test model.
The features and properties of the present invention are described in further detail below with reference to examples.
Example one
Downloading JAP anonymous proxy software, and simulating the real use environment of the JAP anonymous proxy software;
using JAP anonymous proxy software to access a network, and collecting JAP anonymous flow when the anonymous network is used;
closing JAP anonymous proxy software, and collecting normal user flow when the network is normally accessed;
screening and collecting TCP traffic and HTTP traffic in JAP anonymous traffic and normal user traffic.
Extracting data packets of two parties of the same communication according to the IP addresses to obtain TCP flow and HTTP flow of the same communication, namely, using the IP of the same communication as a standard for distinguishing two parties of different communications;
and carrying out flow recombination on the TCP flow and the HTTP flow of the same communication according to the communication sequence of each flow in the JAP anonymous flow and the normal user flow to obtain a classified recombined flow packet.
Analyzing the recombined traffic packets according to the protocol structure to find the communication characteristics of the users with the infoService server and the Mix server respectively, namely analyzing the positions of the communication characteristics in the recombined traffic packets;
extracting the communication features of the infoService server and the Mix server from the recombined traffic packet, the communication features comprising port numbers, special field ratios, statistical information, special port number ratios and whether the IP is domestic, and storing the extracted communication features of the infoService server and of the Mix server in vector form respectively.
In this embodiment, the communication characteristics are specifically as follows:
1. Number of ports used by host 1 of the two communicating parties: the number of ports used by host 1 in the classified recombined traffic packets;
2. Number of ports used by host 2 of the two communicating parties: the number of ports used by host 2 in the classified recombined traffic packets;
3. Port 443 ratio: the proportion of traffic on port 443 in the classified recombined traffic packets;
4. Port 80 ratio: the proportion of traffic on port 80 in the classified recombined traffic packets;
5. Port 6554 ratio: the proportion of traffic on port 6554 in the classified recombined traffic packets; 6554 is a special port for JAP anonymous communication;
6. Whether a foreign IP appears: foreign is relative to domestic IP addresses; many of JAP's default nodes are abroad;
7. infoService field packet ratio: a field that appears when the user communicates with the infoService server; the proportion of packets with the infoService field in the classified recombined traffic packets is counted;
8. cascade field packet ratio: a field that appears when the user communicates with the infoService server; the proportion of packets with the cascade field in the classified recombined traffic packets is counted;
9. text/xml field packet ratio: a field that appears when the user communicates with the infoService server; the proportion of packets with the text/xml field in the classified recombined traffic packets is counted;
10. Mix field packet ratio: a field that appears when the user communicates with the Mix/infoService server; the proportion of packets with the Mix field in the classified recombined traffic packets is counted;
11. 998-byte data segment packet ratio: during anonymous communication the default maximum data segment is 998 bytes; the proportion of packets whose data segment length is 998 in the classified recombined traffic packets is counted;
12. jondonym field packet ratio: a field that appears when the user communicates with the Mix server; the proportion of packets with the jondonym field in the classified recombined traffic packets is counted.
The communication features are stored in vector form in the following storage format:
["19","1","0.0","0.102803738317757","0.018691588785046728","0.12149532710280374","0.0","0.0","1.0","0.0","1","0.0","185.239.227.177","136.243.148.184","test.pcap"]
wherein the respective corresponding features are:
the number of ports used by host 1, the number of ports used by host 2, the ratio of packets with a 998-byte data segment, the ratio of packets with the Mix field, the ratio of packets with the infoService field, the ratio of packets with the cascade field, the ratio of packets with the jondonym field, the ratio of port 443, the ratio of port 80, the ratio of port 6554, whether a foreign IP appears, the ratio of the text/xml field, the IP address of the first of the two communicating parties, the IP address of the second of the two communicating parties, and the pcap file name.
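The twelve features and the storage order listed above can be computed from one classified flow as follows. This is an added example, not code from the patent: the packet records, addresses and payloads are constructed, and the matching rules (case-insensitive substring match for field ratios, either-side match for port ratios, a caller-supplied list of domestic networks) are assumptions, since the description does not define them.

```python
import ipaddress
from collections import namedtuple

# One packet of a recombined flow: endpoints plus the TCP payload bytes.
Packet = namedtuple("Packet", "src sport dst dport payload")


def ratio(count, total):
    """Share of packets; 0.0 for an empty flow instead of dividing by zero."""
    return count / total if total else 0.0


def extract_features(packets, host1, host2, domestic_cidrs, pcap_name):
    """Build the vector in the order listed in the description:
    ports(host1), ports(host2), 998-byte, Mix, infoService, cascade, jondonym,
    port 443, port 80, port 6554, foreign IP, text/xml, host1, host2, pcap."""
    # Step 2 of the method: keep only packets exchanged by this host pair.
    flow = [p for p in packets if {p.src, p.dst} == {host1, host2}]
    total = len(flow)

    ports1, ports2 = set(), set()
    for p in flow:
        if p.src == host1:
            ports1.add(p.sport)
            ports2.add(p.dport)
        else:
            ports1.add(p.dport)
            ports2.add(p.sport)

    bodies = [p.payload.lower() for p in flow]

    def field(keyword):  # assumption: case-insensitive substring match
        return ratio(sum(keyword in body for body in bodies), total)

    def port(number):  # assumption: a packet counts if either side uses it
        return ratio(sum(number in (p.sport, p.dport) for p in flow), total)

    # Assumption: "domestic" is whatever address space the operator lists.
    nets = [ipaddress.ip_network(c) for c in domestic_cidrs]
    foreign = int(any(
        not any(ipaddress.ip_address(h) in net for net in nets)
        for h in (host1, host2)))

    return [
        len(ports1), len(ports2),
        ratio(sum(len(p.payload) == 998 for p in flow), total),
        field(b"mix"), field(b"infoservice"), field(b"cascade"),
        field(b"jondonym"),
        port(443), port(80), port(6554),
        foreign,
        field(b"text/xml"),
        host1, host2, pcap_name,
    ]


def constructed_flow():
    """Constructed packets (documentation addresses, made-up payloads)."""
    c, s = "198.51.100.10", "203.0.113.5"
    return [
        Packet(c, 50001, s, 80, b"GET /cascades HTTP/1.1\r\n\r\n"),
        Packet(s, 80, c, 50001,
               b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<MixCascade/>"),
        Packet(c, 50002, s, 80, b"GET /infoservices HTTP/1.1\r\n\r\n"),
        Packet(s, 80, c, 50002, b"\x00" * 998),
        # Unrelated conversation that the per-pair classification must drop.
        Packet(c, 50003, "192.0.2.9", 443, b""),
    ]


if __name__ == "__main__":
    print(extract_features(constructed_flow(), "198.51.100.10", "203.0.113.5",
                           ["198.51.100.0/24"], "demo.pcap"))
```

The patent stores every element as a string; the example keeps numbers so the vector can be fed to a classifier directly.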
As shown in fig. 3, the communication features stored in vector form are labeled according to the IP of the infoService server and the IP of the Mix server, that is, the label is added to the last dimension of the vector, and the labeled communication features are divided into a test set and a training set;
The labeled data are as follows.
Anonymous traffic packet:
["19","1","0.0","0.102803738317757","0.018691588785046728","0.12149532710280374","0.0","0.0","1.0","0.0","1","0.0","1","185.239.227.177","136.243.148.184","test.pcap"]
Normal traffic packet:
["1","1","0.0","0.0","0.0","0.0","0.0","1.0","0.0","0.0","0","0.0","0","222.192.186.111","113.54.222.175","test2.pcap"]
The labeled communication feature set is randomly divided into a test set and a training set, that is, the features of some communicating pairs are used as the training set and those of the others as the test set; the training set is used for training, and the test set is used to test the accuracy and false alarm rate of the model. The extracted communication features are those of the user with the infoService server and of the user with the Mix server in the traffic collected for the two communicating parties. Each pair of communicating parties has a vector containing all the features mentioned. With a very small probability, such a random division may leave the test set without any feature vector for infoService communication or for Mix communication, in which case some anonymous traffic may not be judged; if that happens, the random assignment and training can be performed again.
A plurality of machine learning models are trained with the training set to obtain the trained models; the models comprise 8 types: logistic regression model, Gaussian Bayes model, hierarchical Bayes model, Bernoulli Bayes model, decision tree model, SVM classifier, kNN classifier and multi-layer perceptron.
The 8 trained machine learning models are each tested with the test set to check whether the expected value, which is 90%, is reached. If so, the finally trained machine learning models are obtained; otherwise, whether to change the training set is decided from the test result, and training and testing are repeated.
In the stage of updating the training set, the test result is analyzed to determine whether the false alarm rate is too high or the accuracy is insufficient, and the training set is then updated according to the analysis result.
If the accuracy is too low, the proportion of anonymous traffic in the samples is too low and is increased; if the false alarm rate is too high, the weight of a certain feature is too high and the samples need to be adjusted before retraining.
The 8 finally trained machine learning models are compared and the model with the best result is selected as the final test model; the criteria are the model's prediction accuracy and false alarm rate.
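The split, train, test and select procedure described above, as runnable code. This is an added example, not the patent's implementation: it trains only two of the eight model families (Gaussian naive Bayes and kNN, written in plain Python) on constructed feature vectors, and the split fraction, k and the variance floor are assumptions.

```python
import math
import random

EXPECTED = 0.90  # the "expected value" stated in the description


class GaussianNB:
    """Gaussian naive Bayes over the 12 numeric features."""
    def fit(self, X, y, eps=1e-6):
        # eps (assumed) is a variance floor: several features are constant
        # within a class and would otherwise cause a division by zero.
        self.stats = {}
        for label in set(y):
            rows = [x for x, t in zip(X, y) if t == label]
            means = [sum(col) / len(rows) for col in zip(*rows)]
            var = [sum((v - m) ** 2 for v in col) / len(rows) + eps
                   for col, m in zip(zip(*rows), means)]
            self.stats[label] = (math.log(len(rows) / len(X)), means, var)
        return self

    def _score(self, x, label):
        prior, means, var = self.stats[label]
        return prior - 0.5 * sum(math.log(2 * math.pi * s) + (v - m) ** 2 / s
                                 for v, m, s in zip(x, means, var))

    def predict(self, X):
        return [max(self.stats, key=lambda c: self._score(x, c)) for x in X]


class KNN:
    """k-nearest neighbours with Euclidean distance and majority vote."""
    def __init__(self, k=3):
        self.k = k

    def fit(self, X, y):
        self.X, self.y = X, y
        return self

    def predict(self, X):
        out = []
        for x in X:
            near = sorted(zip(self.X, self.y),
                          key=lambda p: math.dist(x, p[0]))[:self.k]
            votes = [label for _, label in near]
            out.append(max(set(votes), key=votes.count))
        return out


def random_split(rows, test_fraction, rng):
    """Random split, redone when either set lacks one of the two labels."""
    cut = round(len(rows) * test_fraction)
    while True:
        shuffled = rows[:]
        rng.shuffle(shuffled)
        test, train = shuffled[:cut], shuffled[cut:]
        if all({r[-1] for r in part} == {0, 1} for part in (train, test)):
            return train, test


def evaluate(y_true, y_pred):
    """Accuracy, and false alarm rate = normal flows reported as JAP."""
    accuracy = sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)
    normal = [p for t, p in zip(y_true, y_pred) if t == 0]
    return accuracy, (sum(normal) / len(normal) if normal else 0.0)


def select_model(rows, seed=0):
    """Train each candidate, test it, and keep the best one."""
    train, test = random_split(rows, 0.3, random.Random(seed))
    x_train, y_train = [r[:-1] for r in train], [r[-1] for r in train]
    x_test, y_test = [r[:-1] for r in test], [r[-1] for r in test]
    results = {}
    for name, model in (("gaussian_nb", GaussianNB()), ("knn", KNN(3))):
        acc, far = evaluate(y_test, model.fit(x_train, y_train).predict(x_test))
        results[name] = {"accuracy": acc, "false_alarm": far,
                         "meets_expected": acc >= EXPECTED}
    # If no candidate meets EXPECTED, the caller changes the training set and
    # calls again. Best = highest accuracy, then lowest false alarm rate.
    best = max(results, key=lambda n: (results[n]["accuracy"],
                                       -results[n]["false_alarm"]))
    return best, results


def constructed_dataset():
    """Constructed rows: 12 features + label (1 = JAP, 0 = normal)."""
    rows = []
    for i in range(10):
        r = i / 100  # small per-sample variation
        rows.append([15 + i, 1, 0.0, 0.10 + r, 0.02 + r, 0.12 + r,
                     0.0, 0.0, 1.0, 0.0, 1, 0.0, 1])
        rows.append([1 + i % 3, 1, 0.0, 0.0, 0.0, 0.0,
                     0.0, 1.0, 0.0, 0.0, 0, 0.0, 0])
    return rows


if __name__ == "__main__":
    print(select_model(constructed_dataset()))
```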
The traffic to be detected is input into the test model to complete JAP anonymous traffic detection; placing the test model at a network port allows anonymous traffic to be detected from the port traffic. An output of 1 represents JAP anonymous traffic and an output of 0 represents normal user traffic; the IPs of both communicating parties of the anonymous traffic are also saved in the data storage module.
The invention uses machine learning to distinguish JAP anonymous traffic from normal traffic, classifies the two well, and is also effective against anonymous networks built from JAP's open source code.
The above are merely representative of the many specific applications of the present invention, and do not limit the scope of the invention in any way. All the technical solutions formed by the transformation or the equivalent substitution fall within the protection scope of the present invention.

Claims (3)

1. A JAP anonymous flow detection method is characterized by comprising the following steps:
step 1, acquiring TCP flow and HTTP flow in collected JAP anonymous flow and normal user flow;
the step 1 comprises the following steps:
step 1.1, simulating a real use environment of JAP anonymous proxy software;
step 1.2, using JAP anonymous proxy software to access a network, and collecting JAP anonymous traffic when the anonymous network is used;
step 1.3, closing JAP anonymous proxy software and collecting normal user flow when the network is normally accessed;
step 1.4, screening TCP traffic and HTTP traffic in the traffic collected in step 1.2 and step 1.3;
step 2, classifying the collected TCP traffic and HTTP traffic according to the source IP and the target IP, and performing traffic recombination on the classified TCP traffic and HTTP traffic to obtain a classified recombined traffic packet;
step 3, extracting the communication characteristics of the user and the infoService server in the recombined traffic packet and the communication characteristics of the user and the Mix server;
analyzing the recombined traffic packets according to the protocol structure, and searching the communication characteristics of the user and the infoService server and the communication characteristics of the user and the Mix server, namely analyzing the positions of the communication characteristics in the recombined traffic packets;
extracting the communication characteristics of the infoService server and the Mix server, and respectively storing the extracted communication characteristics of the infoService server and the Mix server in a vector form;
step 4, after the communication characteristics of the infoService server and the Mix server stored in the vector form are processed, training various machine learning models, testing the trained machine learning models, and selecting the machine learning model with the best result as a test model;
the specific steps of the step 4 are as follows:
step 4.1, performing labeling processing on the communication characteristics of the infoService server and the Mix server stored in a vector form according to the IP of the infoService server and the IP of the Mix server, and randomly dividing a labeled communication characteristic set into a test set and a training set;
step 4.2, training a plurality of machine learning models with the training set to obtain the trained plurality of machine learning models, the plurality of machine learning models comprising 8 types: logistic regression model, Gaussian Bayesian model, hierarchical Bayesian model, Bernoulli Bayesian model, decision tree model, SVM classifier, kNN classifier and multilayer perceptron;
step 4.3, testing the 8 trained machine learning models with the test set respectively and checking whether one trained machine learning model reaches an expected value; if so, obtaining 8 finally trained machine learning models; otherwise, changing the training set by adjusting the proportion of differently labeled data or adding noise data, and repeating step 4.2 to step 4.3;
step 4.4, comparing the obtained 8 finally trained machine learning models and selecting the model with the best result as the final test model;
step 5, inputting the traffic to be detected into the test model to complete JAP anonymous traffic detection.
2. The JAP anonymous traffic detection method according to claim 1, wherein: the specific steps of the step 2 are as follows:
step 2.1: extracting the data packets exchanged between the same two communicating parties according to their IP addresses to obtain the TCP traffic and HTTP traffic of those two parties, wherein "the same communication" means the same communicating IPs;
step 2.2: according to the communication sequence of each flow in the JAP anonymous traffic and the normal user traffic, performing traffic recombination on the TCP traffic and HTTP traffic of the same communication to obtain the classified recombined traffic packets.
3. The JAP anonymous traffic detection method of claim 2, wherein: the communication characteristics of the infoService server and the Mix server comprise port numbers, the proportion of special fields, statistical information, the proportion of special port numbers, and whether the IP is a domestic IP.
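The following Python sketch is an added illustration, not code from the patent. It walks a small constructed capture through steps 2.1 to 2.2 (grouping by IP pair and restoring packet order), the feature vector of claim 3, and the IP-based labeling of step 4.1. The special port, special field token, "domestic" network, known-server list, and the choice of packet count and mean payload length as the "statistical information" are all assumptions, since the claims name the feature kinds but not their values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Assumed placeholders: the claims name these feature kinds but not their values.
SPECIAL_PORTS = {9999}
SPECIAL_FIELD = b"FIELD_X"
DOMESTIC_NETS = [ip_network("203.0.113.0/24")]
KNOWN_JAP_SERVERS = {"198.51.100.7"}  # constructed label source for step 4.1

def pkt(ts, src, dst, sport, dport, payload):
    return {"ts": ts, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "payload": payload}

# Constructed capture, deliberately out of order (documentation IP ranges).
CAPTURE = [
    pkt(2.0, "198.51.100.7", "192.0.2.10", 9999, 50000, b"FIELD_X reply"),
    pkt(1.0, "192.0.2.10", "198.51.100.7", 50000, 9999, b"hello"),
    pkt(3.0, "192.0.2.10", "203.0.113.5", 50001, 80, b"GET / HTTP/1.1"),
    pkt(4.0, "203.0.113.5", "192.0.2.10", 80, 50001, b"HTTP/1.1 200 OK"),
]

def regroup(packets):
    """Steps 2.1-2.2: bucket by unordered IP pair, then restore time order."""
    flows = defaultdict(list)
    for p in packets:
        flows[tuple(sorted((p["src"], p["dst"])))].append(p)
    return {pair: sorted(ps, key=lambda p: p["ts"]) for pair, ps in flows.items()}

def feature_vector(flow):
    """Claim 3 features; the server is taken to be the first packet's destination."""
    server_ip, server_port = flow[0]["dst"], flow[0]["dport"]
    n = len(flow)
    field_ratio = sum(SPECIAL_FIELD in p["payload"] for p in flow) / n
    port_ratio = sum(bool({p["sport"], p["dport"]} & SPECIAL_PORTS) for p in flow) / n
    mean_len = mean(len(p["payload"]) for p in flow)
    domestic = int(any(ip_address(server_ip) in net for net in DOMESTIC_NETS))
    return [server_port, field_ratio, n, mean_len, port_ratio, domestic]

def build_dataset(packets):
    """Step 4.1: rows of (server_ip, vector, label); label 1 = known JAP server."""
    rows = []
    for flow in regroup(packets).values():
        server_ip = flow[0]["dst"]
        rows.append((server_ip, feature_vector(flow),
                     int(server_ip in KNOWN_JAP_SERVERS)))
    return rows

if __name__ == "__main__":
    for row in build_dataset(CAPTURE):
        print(row)
```

The labeled rows are what step 4.1 would split at random into training and test sets before the eight models of step 4.2 are fitted.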
CN201910033681.4A 2019-01-14 2019-01-14 JAP anonymous flow detection method and system Active CN109728977B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910033681.4A CN109728977B (en) 2019-01-14 2019-01-14 JAP anonymous flow detection method and system


Publications (2)

Publication Number Publication Date
CN109728977A CN109728977A (en) 2019-05-07
CN109728977B true CN109728977B (en) 2022-09-27

Family

ID=66299748

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910033681.4A Active CN109728977B (en) 2019-01-14 2019-01-14 JAP anonymous flow detection method and system

Country Status (1)

Country Link
CN (1) CN109728977B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112887291A (en) * 2021-01-20 2021-06-01 中国科学院计算技术研究所 I2P traffic identification method and system based on deep learning
CN113037709B (en) * 2021-02-02 2022-03-29 厦门大学 Webpage fingerprint monitoring method for multi-label browsing of anonymous network
CN114124468B (en) * 2021-10-29 2023-06-09 中国电子科技集团公司第三十研究所 I2P communication flow detection method and device based on multi-protocol joint analysis

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8838773B1 (en) * 2006-09-29 2014-09-16 Trend Micro Incorporated Detecting anonymized data traffic
CN101202652B (en) * 2006-12-15 2011-05-04 北京大学 Device for classifying and recognizing network application flow quantity and method thereof
CN101741744B (en) * 2009-12-17 2011-12-14 东南大学 Network flow identification method
CN104135385B (en) * 2014-07-30 2017-05-24 南京市公安局 Method of application classification in Tor anonymous communication flow
CN106330611A (en) * 2016-08-31 2017-01-11 哈尔滨工业大学(威海) Anonymous protocol classification method based on statistical feature classification

Also Published As

Publication number Publication date
CN109728977A (en) 2019-05-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant