Detection of SSL/TLS protocol attacks based on flow spectrum theory

GUO Shize,ZHAO Ziming,ZHAO Xinjie; ZHANG Fan; SONG Zhuoxue; WANG Xiaojuan; LUO Xiangyang

doi:10.11959/j.issn.2096−109x.2022004

网络与信息安全学报 (Feb 2022)

Detection of SSL/TLS protocol attacks based on flow spectrum theory

GUO Shize,ZHAO Ziming,ZHAO Xinjie,
ZHANG Fan,
SONG Zhuoxue,
WANG Xiaojuan,
LUO Xiangyang

Affiliations

GUO Shize,ZHAO Ziming,ZHAO Xinjie: College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China ; School of Cyber Science and Technology, Zhejiang University, Hangzhou 310027, China ;College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China
ZHANG Fan: College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China ; School of Cyber Science and Technology, Zhejiang University, Hangzhou 310027, China ;College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China; Zhejiang Key Laboratory of Blockchain and Cyberspace Governance, Hangzhou 310027, China
SONG Zhuoxue: College of Computer Science and Technology, Zhejiang University, Hangzhou 310027, China ; School of Cyber Science and Technology, Zhejiang University, Hangzhou 310027, China ;College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China;Engineering Laboratory of Mobile Security of Zhejiang Province, Hangzhou 310027, Chine
WANG Xiaojuan: School of Electronic Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China
LUO Xiangyang: Information Engineering University, Key Laboratory of Cyberspace Situation Awareness of Henan Province, Zhengzhou 450001, China

DOI: https://doi.org/10.11959/j.issn.2096−109x.2022004
Journal volume & issue: Vol. 8, no. 1
pp. 30 – 40

Abstract

Read online

Network attack detection plays a vital role in network security. Existing detection approaches focus on typical attack behaviors, such as Botnets and SQL injection. The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol. With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks, as well as benign flows was controlled. Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains, a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of “potential change” and obtain the “potential variation spectrum”. The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows. The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator. Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase, and there are similarities between some SSL/TLS attacks, the detection of SSL/TLS attacks not only needs to consider timing context information, but also needs to consider the high-separation representation of TLS network flows. Based on the flow spectrum theory, the threat template idea was used to extract the potential basis matrix, and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space. On the self-built SSL/TLS attack network flow data set, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation base matrix heatmap visualization.

Published in 网络与信息安全学报

ISSN: 2096-109X (Print)
Publisher: POSTS&TELECOM PRESS Co., LTD
Country of publisher: China
LCC subjects: Science: Mathematics: Instruments and machines: Electronic computers. Computer science
Website: http://www.infocomm-journal.com/cjnis/CN/2096-109X/home.shtml

About the journal

Abstract

Keywords