Cloud Virtual Private Server (VPS) services provide the chance of rapid deployment of anonymous proxy services, becoming an important part of many anonymous proxy solutions. The anonymous system represented by ShadowSocks (SS), through proxy services deployed on VPSs provided by different cloud service providers, has become an important means for illegal network activists to engage in illegal network activities such as cyber-attacks and darknet transactions. It is difficult for local network administrators to supervise SS traffic from the cloud. While from the local network, the task faces the challenges of Invisible Negotiation Process and Data Transparent Transmission. In this paper, we present a novel SS detection method based on flow context and host behavior. The method can not only accurately identify SS flows, but also be applicable to a large-scale network environment. In this method, we extract 12-dimensional features from three aspects: the relationship between flows, hosts' flow behavior, and hosts' DNS behavior to build the detection model. Among them, the four features about flow burst and the feature of unassociated domain names' number are innovatively proposed in this paper. Moreover, the big data statistical and association techniques are used in the method. To verify the effectiveness of the method, we first built a real SS running environment based on the campus network and two VPSs on two different public cloud platforms. Moreover, we conduct a series of experiments on the NTCI-BDP data platform which is a big data platform built by our team. The experimental results show that our method achieves 93.43% accuracy on experimental data sets and can effectively identify SS traffic.

INDEX TERMS Big Data association, cloud-based anonymous proxy, flow burst, flow context, host behavior, traffic identification, shadowsocks.

Proxies can help users to bypass the network filtering system, leaving the network open to banned content, and can also enable users to anonymize themselves for terminal security protection. Proxies are widely used in the current network environment. However, certain spy proxies record user information for privacy theft. In addition, attackers can use such technologies to anonymize malicious behaviors and hide identities. Such behaviors have posed serious challenges to the internal defense and security threat assessment of an organization; however, the anonymity of the proxy makes it consistent with normal network communication, and general network traffic identification methods are not able to detect it. To accurately and effectively discover proxy users in the organization based on s, a proxy user detection method based on communication behavior portrait offers the following: (1) Analysis of the communication behavior from the perspective of the portrait. Based on not abandoning the effective information of the traffic itself, the label system is established by introducing exogenous data to identify the difference between proxy communication and normal communication. (2) Construction of the portrait feature set of proxy user detection based on the traffic file and external data by studying the differences between the attribute sets of communication behavior labels for proxy users and non-proxy users. (3) Design and implementation of a data-driven machine learning method to supply guidance for automatic recognition of such behavior. The experimental results show that, compared with state-of-the-art methods, the detection accuracy for the proxy user exceeds 95%, and that of real network traffic environment exceeds 85%. These results indicate that the detection method proposed in this paper can accurately distinguish proxy communication and normal communication and thus achieves precise proxy user detection.