高级搜索

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

面向中文搜索的网络加密流量侧信道分析方法

李玎 林伟 芦斌 祝跃飞

李玎, 林伟, 芦斌, 祝跃飞. 面向中文搜索的网络加密流量侧信道分析方法[J]. 电子与信息学报, 2022, 44(5): 1763-1772. doi: 10.11999/JEIT210289
引用本文: 李玎, 林伟, 芦斌, 祝跃飞. 面向中文搜索的网络加密流量侧信道分析方法[J]. 电子与信息学报, 2022, 44(5): 1763-1772. doi: 10.11999/JEIT210289
LI Ding, LIN Wei, LU Bin, ZHU Yuefei. Network Encrypted Traffic Side-channel Analysis on Chinese Search[J]. Journal of Electronics & Information Technology, 2022, 44(5): 1763-1772. doi: 10.11999/JEIT210289
Citation: LI Ding, LIN Wei, LU Bin, ZHU Yuefei. Network Encrypted Traffic Side-channel Analysis on Chinese Search[J]. Journal of Electronics & Information Technology, 2022, 44(5): 1763-1772. doi: 10.11999/JEIT210289

面向中文搜索的网络加密流量侧信道分析方法

doi: 10.11999/JEIT210289
基金项目: 国家重点研发计划(2019QY1302)
详细信息
    作者简介:

    李玎:男,1992年生,博士生,研究方向为网络信息安全与机器学习

    林伟:男,1986年生,讲师,研究方向为网络信息安全与软件分析

    芦斌:男,1983年生,副教授,研究方向为网络信息安全与机器学习

    祝跃飞:男,1962年生,教授,研究方向为网络信息安全与公钥密码

    通讯作者:

    林伟 leebeep@126.com

  • 中图分类号: TN915; TN918

Network Encrypted Traffic Side-channel Analysis on Chinese Search

Funds: The National Key R&D Program of China (2019QY1302)
  • 摘要: 搜索引擎中的增量式搜索服务通过发送实时请求为用户更新建议列表。针对搜索加密流量存在的信息泄露,该文提出一种面向中文搜索的侧信道分析方法,利用搜索请求数据包长度增量和时间间隔的可区分性,构建了3阶段的分析模型以实现对用户输入查询的识别。实验结果表明,该方法在4个常用中文搜索引擎中的识别性能均达到理论量化值,对包含1.4×105查询监控集的综合识别准确率达到76%。最后通过评估4种针对性的缓解机制,证明了通过阻断信息泄露来源可有效防御侧信道分析。
  • 图  1  AJAX增量式搜索实例

    图  2  HTTP/2头部哈夫曼编码字符串

    图  3  数据包长度增量泄露信息量化

    图  4  数据包时间间隔泄露信息量化

    图  5  查询字符串长度增量DFA模型

    图  6  击键时间间隔预测双字母对的BRNN模型

    图  7  整体性能评估

    图  8  缓解机制评估

    表  1  常见单行模式拼音输入法

    操作系统输入法应用类型分隔符
    Windows微软拼音内置撇号
    WindowsQQ拼音安装撇号
    macOS简体拼音内置空格
    macOS搜狗拼音安装撇号
    macOS百度拼音安装撇号
    iOS简体拼音内置空格
    下载: 导出CSV

    表  2  URL参数对数据包长度增量可区分性的影响

    协议参数参数变化$d(x \in {\boldsymbol{A} })$$d(x \in {\boldsymbol{B} })$
    HTTP/1.114
    cp产生进位25
    pwd末尾增加${\boldsymbol{A} }$25
    pwd末尾增加${\boldsymbol{B} }$58
    HTTP/20, 12, 3
    cp模10大于20, 12, 3, 4
    cp产生进位1, 23, 4
    下载: 导出CSV

    表  3  击键探测算法

     输入:未知数据包长度序列$ \{ {s_1},{s_2}, \cdots ,{s_N}\} $,DFA模型$ M $
     输出:击键数据包状态序列$ {\boldsymbol{Q}} = \{ {q_1},{q_2}, \cdots ,{q_n}\} $
     (1) 初始化$ N $个数据包状态序列${ {\boldsymbol{Q} }_i} = \varnothing$;
     (2) for $ i $ in range($ N $) do
     (3)  DFA起始状态$ {q_i} = {q_0} $;
     (4)  for $ j $ in range($ i - 1 $) do
     (5)   数据包长度增量$ {d_i} = {s_i} - {s_j} $;
     (6)   if URL中含有pwd或cp参数 then
     (7)    根据$ {{\boldsymbol{Q}}_j} $上一接收状态$ {q_j} $调整$ {d_i} $;
     (8)    DFA状态转移$ {q_i} = \delta ({q_j},{d_i}) $;
     (9)   if ${q_i} \ne \varnothing$ and $ \left| {{{\boldsymbol{Q}}_i}} \right| < \left| {{{\boldsymbol{Q}}_j}} \right| $ then
     (10)    更新已接收的最长前缀$ {{\boldsymbol{Q}}_i} = {{\boldsymbol{Q}}_j} $;
     (11) 以第$ i $个包结尾的最长序列$ {{\boldsymbol{Q}}_i} = {{\boldsymbol{Q}}_i} + {q_i} $;
     (12) return 最长接收序列$ {\boldsymbol{Q}} \in \{ {{\boldsymbol{Q}}_i}\} $。
    下载: 导出CSV

    表  4  多层匹配算法

     输入:数据包状态序列$ {\boldsymbol{Q}} = \{ {q_1},{q_2}, \cdots ,{q_n}\} $,中文查询$ C $
     输出:$ C $是否匹配状态序列$ {\boldsymbol{Q}} $
     (1) 将$ C $转换为拼音字符串$ {\boldsymbol{X}} $;
     (2) if 拼音字母长度$ \left| {\boldsymbol{X}} \right| \ne n $ then
     (3)   return False;
     (4) if 约简状态序列$ {\boldsymbol{\bar Q'}} \ne {\boldsymbol{\bar Q}} $ then
     (5)   return False;
     (6) for r in range(8) do
     (7)   if 初始比特余数为$ r $的状态序列${ {\boldsymbol Q}'_r} = {\boldsymbol{Q} }$ then
     (8)     return True;
     (9) return False.
    下载: 导出CSV

    表  5  击键探测性能结果(%)及对比

    探测方法网站HTTPF1分数F1=100
    本文方法百度1.198.6398.22
    Monaco方法百度1.196.8586.70
    本文方法搜狗1.196.4095.17
    本文方法3601.199.5199.33
    本文方法必应299.7299.61
    Monaco方法谷歌297.2681.12
    下载: 导出CSV

    表  6  查询识别准确率结果(%)及对比

    分析方法网站样本数监控数准确率
    本文方法百度1800~1.4×10564.56
    Monaco方法百度400012.85
    本文方法搜狗1800~1.4×10561.32
    本文方法3601800~1.4×10565.94
    本文方法必应1800~1.4×10576.06
    Oh等人方法必应1001×10444.30
    Schaub等人方法谷歌10~6.8×10334.00
    Monaco方法谷歌400015.83
    下载: 导出CSV

    表  7  查询推断消融实验(%)

    推断模型百度搜狗360必应
    BRNN64.5661.3265.9476.06
    RNN64.1160.3965.2875.44
    HMM61.8958.2862.6173.56
    MLP61.2857.6761.5072.17
    Equal57.9454.7859.3369.83
    下载: 导出CSV
  • [1] 武思齐, 王俊峰. 基于数据流多维特征的移动流量识别方法研究[J]. 四川大学学报:自然科学版, 2020, 57(2): 247–254. doi: 10.3969/j.issn.0490-6756.2020.02.008

    WU Siqi and WANG Junfeng. Research on mobile traffic identification based on multidimensional characteristics of data flow[J]. Journal of Sichuan University:Natural Science Edition, 2020, 57(2): 247–254. doi: 10.3969/j.issn.0490-6756.2020.02.008
    [2] SIRINAM P, MATHEWS N, RAHMAN M S, et al. Triplet fingerprinting: More practical and portable website fingerprinting with N-shot learning[C]. The 2019 ACM SIGSAC Conference on Computer and Communications Security, London, UK, 2019: 1131–1148.
    [3] GU Jiaxi, WANG Jiliang, YU Zhiwen, et al. Traffic-based side-channel attack in video streaming[J]. IEEE/ACM Transactions on Networking, 2019, 27(3): 972–985. doi: 10.1109/TNET.2019.2906568
    [4] WHITE A M, MATTHEWS A R, SNOW K Z, et al. Phonotactic reconstruction of encrypted VoIP conversations: Hookt on fon-iks[C]. 2011 IEEE Symposium on Security and Privacy, Oakland, USA, 2011: 3–18.
    [5] LI Hong, HE Yunhua, SUN Limin, et al. Side-channel information leakage of encrypted video stream in video surveillance systems[C]. The 35th Annual IEEE International Conference on Computer Communications, San Francisco, USA, 2016: 1–9.
    [6] SONG D X, WAGNER D, and TIAN Xuqing. Timing analysis of keystrokes and timing attacks on SSH[C]. The 10th conference on USENIX Security Symposium, Washington, USA, 2001: 25.
    [7] CHEN Shuo, WANG Rui, WANG Xiaofeng, et al. Side-channel leaks in web applications: A reality today, a challenge tomorrow[C]. 2010 IEEE Symposium on Security and Privacy, Oakland, USA, 2010: 191–206.
    [8] SCHAUB A, SCHNEIDER E, HOLLENDER A, et al. Attacking suggest boxes in web applications over HTTPS using side-channel stochastic algorithms[C]. The International Conference on Risks and Security of Internet and Systems, Trento, Italy, 2014: 116–130.
    [9] OH S E, LI Shuai, and HOPPER N. Fingerprinting keywords in search queries over tor[J]. Proceedings on Privacy Enhancing Technologies, 2017, 2017(4): 251–270. doi: 10.1515/popets-2017-0048
    [10] MONACO J V. What are you searching for? a remote keylogging attack on search engine autocomplete[C]. The 28th USENIX Conference on Security Symposium, Santa Clara, USA, 2019: 959–976.
    [11] FITTS P M. The information capacity of the human motor system in controlling the amplitude of movement[J]. Journal of Experimental Psychology, 1954, 47(6): 381–391. doi: 10.1037/h0055392
    [12] DHAKAL V, FEIT A M, KRISTENSSON P O, et al. Observations on typing from 136 million keystrokes[C]. The 2018 CHI Conference on Human Factors in Computing Systems, Montreal, Canada, 2018: 646.
    [13] Verizon: IP latency statistics[EB/OL]. https://www.verizon.com/business/terms/latency/, 2021.
    [14] KILLOURHY K S and AXION R A. Free vs. transcribed text for keystroke-dynamics evaluations[C]. The 2012 Workshop on Learning from Authoritative Security Experiment Results, Arlington, USA, 2012: 1–8.
    [15] SCHUSTER M and PALIWAL K K. Bidirectional recurrent neural networks[J]. IEEE Transactions on Signal Processing, 1997, 45(11): 2673–2681. doi: 10.1109/78.650093
    [16] SCHWARZ M, LIPP M, GRUSS D, et al. KeyDrown: Eliminating software-based keystroke timing side-channel attacks[C]. The 25th Annual Network and Distributed System Security Symposium, San Diego, USA, 2018.
    [17] BALSA E, TRONCOSO C, and DIAZ C. OB-PWS: Obfuscation-based private web search[C]. 2012 IEEE Symposium on Security and Privacy, San Francisco, USA, 2012: 491–505.
    [18] ZHENG Li, ZHANG Liren, and XU Dong. Characteristics of network delay and delay jitter and its effect on voice over IP (VoIP)[C]. 2001 IEEE International Conference on Communications, Helsinki, Finland, 2001: 122–126.
  • 加载中
图(8) / 表(7)
计量
  • 文章访问数:  501
  • HTML全文浏览量:  528
  • PDF下载量:  73
  • 被引次数: 0
出版历程
  • 收稿日期:  2021-04-08
  • 修回日期:  2021-12-15
  • 录用日期:  2022-01-12
  • 网络出版日期:  2022-01-21
  • 刊出日期:  2022-05-25

目录

    /

    返回文章
    返回