《Effective Detection of Multimedia Protocol Tunneling using Machine Learning》译文（三）

正文之前

紧接上文：《Effective Detection of Multimedia Protocol Tunneling using Machine Learning》译文（二）
以及上上文 《Effective Detection of Multimedia Protocol Tunneling using Machine Learning》译文（一）

正文

5 Beyond Supervised Anomaly Detection

While decision tree-based classifiers show promising results for the detection of multimedia protocol tunneling covert channels, they require the adversary to obtain a labeled dataset, including both legitimate and covert traffic. This usually requires the adversary to have a unlimited access to a particular multimedia protocol tunneling tool with which it may generate covert traffic samples. However, even if an adversary, for instance a censor, would have an expedite access to these tools [19], it is interesting to understand if detection is possible without this knowledge. Note that covert channels may also be used by organized criminals that can succeed in delaying the dissemination of such tools. Secondly, albeit the adversary is assumed to possess a given tool, it is expected to spend a non-negligible time in synthesizing covert data samples for building a model. Overcoming such challenges opens a timeframe where the covert traffic generated by a given system would remain undetected.

虽然基于决策树的分类器显示出用于检测多媒体协议隧道隐蔽信道的有希望的结果，但是它们需要对手获得标记数据集，包括合法和隐蔽流量。这通常要求攻击者无限制地访问特定的多媒体协议隧道工具，利用该工具可以生成隐蔽的流量样本。然而，即使对手（例如审查员）可以快速访问这些工具[19]，有趣的是要了解在没有这些知识的情况下是否可以进行检测。请注意，有组织的犯罪分子也可能使用秘密渠道，这些犯罪分子可以成功推迟传播此类工具。其次，虽然假设对手拥有一个给定的工具，但预计它将花费不可忽略的时间来合成用于构建模型的隐蔽数据样本。克服这些挑战会打开一个时间框架，在这个时间范围内，给定系统产生的隐蔽流量将保持不被发现。

This section explores alternative approaches at covert traffic detection in the absence of a fully labeled dataset.

本节探讨了在没有完全标记的数据集的情况下隐蔽流量检测的替代方法。

5.1 Selected Anomaly Detection Methods

This section starts by describing several anomaly detection techniques which could be of interest for an adversary aiming at detecting covert traffic when it is deprived of labeled anomalies. First, we describe OCSVMs and autoencoders, two well-known approaches for anomaly detection, which are based on representational models of legitimate data and thus disregard the need of labeled anomaly data [50]. Then, we explore Isolation Forest, a competitive approach at unsupervised anomaly detection which does not require labeled data [4, 8, 26].

本节首先介绍几种异常检测技术，这些技术可能对于攻击隐蔽流量时被剥夺标记异常的对手感兴趣。首先，我们描述了OCSVM和自动编码器这两种众所周知的异常检测方法，这些方法基于合法数据的表示模型，因此忽略了标记异常数据的需要[50]。然后，我们探索隔离森林，这是一种无监督异常检测的竞争方法，不需要标记数据[4,8,26]。

One-class SVMs [45] define a decision boundary between normal samples and anomalies by fitting a function around normal samples during training. OCSVMs attempt to find the maximal margin hyperplane which separates the normal data from the origin, which is treated as the single member of a second class. If data cannot be easily separated by a linear function, OCSVMs project the original feature space into a new feature space through the use of kernel functions, introducing nonlinearity in the model. New data samples falling outside the decision boundary are considered anomalies.

单类SVM [45]通过在训练期间在正常样本周围拟合函数来定义正常样本和异常之间的决策边界。 OCSVM尝试找到最大边缘超平面，该超平面将正常数据与原点分开，该原始数据被视为第二类的单个成员。如果数据不能通过线性函数轻松分离，则OCSVM通过使用内核函数将原始特征空间投影到新的特征空间中，从而在模型中引入非线性。落在决策边界之外的新数据样本被视为异常。

Autoencoders [32] are a type of artificial neural networks which can approximate the identity function through a compressed representation of its inputs, forcing the algorithm to learn underlying structures in data. The ability to reconstruct inputs allows us to have a generative model of the training data. An autoencoder can be repurposed for anomaly detection by comparing the reconstruction error of training inputs with normal and anomalous data, where the latter is assumed to be larger.

Autoencoders [32]是一种人工神经网络，可以通过其输入的压缩表示来近似身份函数，迫使算法学习数据中的底层结构。重建输入的能力使我们能够拥有训练数据的生成模型。通过将训练输入的重建误差与正常和异常数据进行比较，可以将自动编码器重新用于异常检测，其中后者被假定为更大。

Isolation Forest [31] performs outlier detection by isolating anomalous samples. To isolate a sample, the algorithm starts by selecting a random feature and selects a split between its minimum and maximum values. This process continues recursively until the considered sample is isolated. Recursive partitioning is represented by a tree, where the number of partitions required to isolate a sample corresponds to the length of the path traversed from the root node to a leaf. The Isolation Forest is built by combining a number of isolation trees split on different attributes. Anomalies are expected to exhibit a smaller average path length than that of normal samples.

隔离森林[31]通过隔离异常样本进行离群检测。要隔离样本，算法首先选择随机要素并选择其最小值和最大值之间的分割。该过程以递归方式继续，直到所考虑的样本被隔离。递归分区由树表示，其中隔离样本所需的分区数对应于从根节点到叶子的路径长度。隔离林是通过组合分离在不同属性上的多个隔离树来构建的。预计异常的平均路径长度小于正常样本的平均路径长度。

Hyperparameters. The classification performance of the above algorithms depends upon the choice of hyperparameters, i.e., parameters whose value must be set prior to the execution of the algorithm. The optimality of such parameters is intrinsically dependent on the dataset and tipically requires cross-validation with labeled anomalous data [56]. However, we are interested in assessing the average classification performance that an adversary would be able to achieve using such algorithms – albeit the adversary would be unable to find the optimal hyperparameter configuration for an algorithm, sub-optimal parameterizations may still provide the adversary with accurate traffic classifiers. To this end, we conduct a search over a space of parameters for the above algorithms and collect the maximum and average AUC obtained when classifying Facet and DeltaShaper traffic.

超参数。上述算法的分类性能取决于超参数的选择，即必须在执行算法之前设置其值的参数。这些参数的最优性本质上取决于数据集，并且需要与标记的异常数据进行交叉验证[56]。但是，我们有兴趣评估攻击者使用此类算法能够实现的平均分类性能 - 尽管攻击者无法找到算法的最佳超参数配置，次优参数化仍然可以为对手提供准确的流量分类器。为此，我们对上述算法的参数空间进行搜索，并收集在对Facet和DeltaShaper流量进行分类时获得的最大和平均AUC。

For OCSVM, we perform a grid search on the space of ν and γ. We also build a shallow autoencoder containing one hidden layer between the input and its compressed representation, and between the compressed representation and the output layer. We conduct a grid search over the number of units populating each of these layers. As for Isolation Forest, we conduct a search over the number of trees composing the ensemble, as well as the number of samples for training each individual tree.

对于OCSVM，我们在ν和γ空间上执行网格搜索。我们还构建了一个浅自动编码器，在输入和压缩表示之间以及压缩表示和输出层之间包含一个隐藏层。我们对填充每个层的单元数进行网格搜索。对于隔离森林，我们搜索组成整体的树木数量，以及训练每棵树的样本数量。

Experimental settings. For OCSVM and autoencoder, we use 90% of all labeled legitimate samples to learn the models. The remaining 10% legitimate samples are combined with 10% of a given covert traffic configuration’s samples for creating a balanced testing set. For evaluating the model’s performance, we compare each label output by the model with the ground truth. To prevent the fitting of results to a particular split of the data, we repeat this process 10 times while randomly choosing the samples making part of the training / testing sets. For Isolation Forest, we create balanced training and testing sets in a 90 / 10 proportion. The model’s performance is evaluated following the same above procedure.

实验设置。对于OCSVM和自动编码器，我们使用90％的所有标记合法样本来学习模型。剩余的10％合法样本与给定隐蔽流量配置的样本的10％组合以创建平衡测试集。为了评估模型的性能，我们将模型的每个标签输出与基本事实进行比较。为了防止将结果拟合到特定的数据分割，我们重复此过程10次，同时随机选择构成训练/测试集的一部分的样本。对于隔离森林，我们以90/10的比例创建平衡的培训和测试集。按照上述相同程序评估模型的性能。

Our results reflect the use of the feature set based on the frequency distribution of packet lengths, with K = 5, as it was the one found to provide the highest AUC.

我们的结果反映了基于包长度的频率分布的特征集的使用，其中K = 5，因为它是发现提供最高AUC的那个。

5.2 Main Findings

Table 5 depicts the maximum and average AUC obtained when identifying Facet and DeltaShaper traffic when using OCSVM, our autoencoder, and Isolation Forest. Next, we present our main findings.

表5描述了使用OCSVM，我们的自动编码器和隔离林时识别Facet和DeltaShaper流量时获得的最大和平均AUC。接下来，我们介绍我们的主要发现。

1. OCSVMs possess a limited capability for correctly identifying covert traffic. This finding is supported by the fact that OCSVM attains an average AUC

between 0.576 and 0.584 when detecting Facet traffic, and between 0.518 and 0.531 when detecting DeltaShaper traffic. Moreover, OCSVM achieves a maximum AUC=0.639 when classifying Facet s=12.5% traffic. This suggests that OCSVM achieves a poor classification performance, even after a search for optimal hyperparameters. Thus, from an adversary’s point of view, a semi-supervised model based on OCSVMs shows little promise for performing the triage of covert traffic.

1. OCSVM具有正确识别隐蔽流量的有限能力。这一发现得到以下事实的支持：OCSVM在检测Facet流量时达到0.576和0.584之间的平均AUC，在检测DeltaShaper流量时达到0.518和0.531之间。此外，在对Facet s = 12.5％流量进行分类时，OCSVM达到最大AUC = 0.639。这表明即使在搜索最佳超参数之后，OCSVM也会实现较差的分类性能。因此，从对手的角度来看，基于OCSVM的半监督模型对于执行隐蔽流量的分类几乎没有希望。

2. Autoencoders show promising results for the identification of covert traffic. The numbers in Table 5 show that our autoencoder achieves, in average, a higher or comparable AUC than the maximum AUC obtained by OCSVM when classifying Facet or DeltaShaper traffic. The choice of parameters for our autoencoder benefits its maximum AUC. For instance, a better parameterization of the autoencoder translates into a maximum AUC=0.662 when classifying DeltaShaper traffic, approximately 0.1 higher than the average reported value for the same configuration. While an adversary making use of a classifier which exhibits an AUC=0.662 would sustain a large amount of false positives when attempting to detect covert traffic, we note that the obtained results have a wide margin of improvement. In particular, we use a rather shallow autoencoder structure for investigating the classification performance of this algorithm. For instance, it is possible that autoencoders with more sophisticated structures [55] may drive further improvements in classification accuracy.

2.自动编码器显示出用于识别隐蔽流量的有希望的结果。表5中的数字表明，我们的自动编码器平均实现了比OCSVM在对Facet或DeltaShaper流量进行分类时获得的最大AUC更高或相当的AUC。我们的自动编码器的参数选择有利于其最大AUC。例如，自动编码器的更好参数化在对DeltaShaper流量进行分类时转换为最大AUC = 0.662，比同一配置的平均报告值高约0.1。虽然使用表现出AUC = 0.662的分类器的对手在试图检测隐蔽流量时会维持大量的误报，但我们注意到所获得的结果有很大的改进余地。特别是，我们使用一个相当浅的自动编码器结构来研究该算法的分类性能。例如，具有更复杂结构的自动编码器[55]可能会进一步提高分类精度。

3. An adversary has no advantage in using Isolation Forest for detecting covert traffic. The results in Table 5 show that the prediction output of Isolation Forest is close to random guessing when attempting to identify covert traffic. For Facet traffic, Isolation Forest obtains an average AUC between 0.519 and 0.551 across all steganography factors. When classifying DeltaShaper traffic, the average AUC sits on 0.532 and 0.557 for different encoding configurations. A closer observation of the confusion matrix reveals that Isolation Forest labels few traffic samples as anomalies. Informally, this observation suggests that anomalies are able to conceal their presence in the dataset in such a way that the number of partitions required to isolate them is similar to the number of partitions needed to isolate legitimate samples.

3.对手在使用隔离森林检测隐蔽流量方面没有任何优势。表5中的结果表明，当试图识别隐蔽流量时，隔离森林的预测输出接近于随机猜测。对于Facet流量，Isolation Forest在所有隐写因素中获得的平均AUC在0.519和0.551之间。对DeltaShaper流量进行分类时，对于不同的编码配置，平均AUC位于0.532和0.557。仔细观察混淆矩阵可以发现隔离森林很少将流量样本标记为异常。非正式地，这一观察结果表明，异常能够隐藏它们在数据集中的存在，使得分离它们所需的分区数量与分离合法样本所需的分区数量相似。

6 Discussion

We now discuss several relevant findings from our study.

我们现在讨论我们研究中的几个相关发现。

Multimedia protocol tunneling. The outcomes of the experimental study conducted in Section 4 unveil that the unobservability claims of existing multimedia protocol tunneling systems were flawed. However, it is worth noticing that the vulnerability of such systems to supervised ML techniques, particularly decision tree-based algorithms, does not imply that multimedia protocol tunneling, as an approach, is fundamentally inviable. Our findings suggest that correctly detecting covert channels built with conservative data modulation schemes (e.g., DeltaShaper ⟨160 × 120, 4 × 4, 6, 1⟩) while sustaining low FPR still represents a challenge for adversaries. Additionally, we provide fine-grained details about the network behavior of currently deployed multimedia protocol tunneling tools which may be used for the construction of more robust implementations.

多媒体协议隧道。第4节进行的实验研究的结果揭示了现有多媒体协议隧道系统的不可观察性声明存在缺陷。然而，值得注意的是，这种系统对监督机器学习技术的脆弱性，特别是基于决策树的算法，并不意味着多媒体协议隧道这种方法从根本上是不可靠的。我们的研究结果表明，正确检测使用保守数据调制方案构建的隐蔽通道（例如，DeltaShaper⟨160×120,4×4,6,1⟩），同时维持低FPR仍然是对手的挑战。此外，我们还提供有关当前部署的多媒体协议隧道工具的网络行为的细粒度详细信息，这些工具可用于构建更强大的实现。

Legitimate traffic dataset. Adversaries face the nontrivial challenge of building a dataset which faithfully represents legitimate traffic. A na ̈ıve solution for building such a dataset would be for an adversary to take advantage of its privileged position in the network and collect all data originated by a given multimedia protocol. However, the very existence of multimedia protocol tunneling tools makes it hard for an adversary to know, before-hand, which data samples correspond either to legitimate or covert traffic. It is possible that covert data samples pollute the legitimate traffic model and bias the decisions of a classifier trained in such data [55]. A different alternative is the typical approach followed in the literature (and in our work), where datasets are synthesized by transmitting the media expected to be sent in such channels. However, such an approximation may fail to capture the underlying distribution of data in the wild.

合法的流量数据集。对手面临着构建忠实代表合法流量的数据集的重大挑战。构建此类数据集的简单解决方案是让对手利用其在网络中的特权位置并收集由给定多媒体协议产生的所有数据。然而，多媒体协议隧道工具的存在使得对手很难在手边知道哪些数据样本对应于合法或隐蔽的流量。隐蔽数据样本可能会污染合法流量模型，并使在此类数据中训练的分类器的决策产生偏差[55]。另一种选择是文献（以及我们的工作）中遵循的典型方法，其中通过传输预期在这些信道中发送的媒体来合成数据集。然而，这种近似可能无法捕获公共环境中数据的基础分布。

7 Related Work

Freewave [25] was the first system designed to embed covert data in multimedia protocols through the modulation of audio signals sent through VoIP streams. However, a simple statistical analysis of traffic patterns conducted by Geddes et al. [20] showed that FreeWave could be trivially detected by an adversary. Recent multimedia protocol tunneling systems such as Facet [30], CovertCast [34], and DeltaShaper [2] introduced new techniques for modulating data while striving to preserve the unobservability of the generated covert channels.

Freewave [25]是第一个通过调制通过VoIP流发送的音频信号，在多媒体协议中嵌入隐蔽数据的系统。然而，Geddes等人对流量模式进行了简单的统计分析。 [20]表明，对手可以轻易地发现FreeWave。最近的多媒体协议隧道系统，如Facet [30]，CovertCast [34]和DeltaShaper [2]引入了用于调制数据的新技术，同时努力保持所生成的隐蔽信道的不可观察性。

As noted earlier in the text, previous unobservability assessments performed on state-of-the-art multimedia protocol tunneling systems which rely on traffic classification make use of similarity-based classifiers. To the best of our knowledge, there is a limited body of work employing other machine learning techniques for the detection of covert channels in the Internet. Wang et al. [48] have resorted to decision tree-based classifiers to identify traffic flowing through Tor bridges. Their results have shown that this approach was promising for the identification of traffic obfuscated through domain fronting（概念不清） [18]. In our work, we perform the first systematic study of the unobservability of state-of-the-art multimedia protocol tunneling systems and find that such techniques are also effective for the detection of these covert channels.

(域前端是一种通过混淆HTTPS连接的域来绕过互联网审查的技术。在应用程序层工作，域前端允许用户连接到可能通过DNS，IP或深度数据包检查阻止的服务)

如前文所述，先前对依赖于流量分类的最先进的多媒体协议隧道系统进行的不可观察性评估使用基于相似性的分类器。据我们所知，使用其他机器学习技术检测互联网中的隐蔽通道的工作量有限。王等人[48]已经采用基于决策树的分类器来识别流经Tor桥的流量。他们的研究结果表明，这种方法有望用于识别通过域前端模糊的流量[18]。在我们的工作中，我们对最先进的多媒体协议隧道系统的不可观察性进行了第一次系统研究，并发现这些技术对于检测这些隐蔽信道也是有效的。

Related to the problem of covert channel detection is the problem of creating fingerprints for encrypted traffic. Particularly, the fingerprinting of websites accessed through Tor [11] is an important research topic [1, 22, 39, 42, 49]. Multiple works dwell on creating fingerprints for encrypted traffic using different combinations of features and classifiers, for instance, Schuster et al. [46] have designed an attack which enables a passive observer to fingerprint YouTube video streams. However, fingerprinting is fundamentally different from covert channel detection: we do not aim to unequivocally fingerprint a given media according to its traffic pattern, but to distinguish two broader classes of media which may or may not carry covert data. It is unclear how fingerprinting techniques can be adapted to our purpose.

与隐蔽信道检测问题相关的是为加密流量创建指纹的问题。特别是，通过Tor [11]访问的网站的指纹识别是一个重要的研究课题[1,22,39,42,49]。多项工作专注于使用不同的特征和分类器组合为加密流量创建指纹，例如Schuster等 [46]设计了一种攻击，使被动观察者能够为YouTube视频流标记指纹。然而，指纹识别与隐蔽信道检测根本不同：我们的目标不是根据其流量模式明确地指定给定媒体，而是区分可能携带或不携带隐蔽数据的两类更广泛的媒体。目前尚不清楚指纹识别技术如何适应我们的目的。

In this paper we have focused on covert channels based on multimedia protocol tunneling [2, 25, 30, 34], a popular approach at protocol tunneling. Other tunneling approaches have been attempted, including SWEET [57], CloudTransport [7], Castle [21], and meek [18]. It is worth mentioning that alternative approaches to build covert channels have been attempted in the past, such as protocol obfuscation [52]. However, obfuscation based on randomizing traffic fails in the presence of protocol whitelisting and is vulnerable to entropy analysis [48]. With protocol imitation, covert traffic is manipulated to mimic the behavior of protocols allowed across a censor’s border [13, 14, 36]. Alas, the faithful imitation of all behaviors of a protocol behavior is a complex undertaking which lays protocol imitation systems prone to multiple network attacks [20, 23].

在本文中，我们主要关注基于多媒体协议隧道的隐蔽信道[2,25,30,34]，这是一种流行的协议隧道方法。其他隧道方法已经尝试过，包括SWEET [57]，CloudTransport [7]，Castle [21]和Meek[18]。值得一提的是，过去曾尝试过构建隐蔽通道的替代方法，例如协议混淆[52]。然而，在存在协议白名单的情况下，基于随机化流量的混淆失败，并且易受熵分析的影响[48]。通过协议模仿，可以操纵隐蔽流量来模仿审查者边界允许的协议行为[13,14,36]。唉，忠实地模仿协议行为的所有行为是一项复杂的工作，它使协议模仿系统容易受到多种网络攻击[20,23]。

Finally, we would like to stress that although censorship circumvention is one of the main (and most noble) uses of covert channels, this type of channels can serve multiple purposes. Our work concentrates on covert channel detection and not on censorship circumvention per se. In fact, there are techniques to evade censorship, such as refraction networking [5, 15, 24, 27, 53, 54], which incorporates censorship resistance mechanisms in the network, rather than at end-hosts, that do not depend exclusively on the use of covert channels.

最后，我们要强调的是，尽管审查规避是隐蔽渠道的主要（也是最高贵）用途之一，但这种渠道可以用于多种目的。我们的工作集中在隐蔽的渠道检测上，而不是审查规避本身。事实上，有一些技术可以逃避审查，例如折射网络[5,15,24,27,53,54]，其中包含网络中的审查阻力机制，而不是终端主机，它们完全不依赖于使用隐蔽通道。

8 Conclusions

In this paper, we performed an extensive analysis over the unobservability evaluation of multimedia protocol tunneling systems. We proposed a novel method for assessing the unobservability of these systems, based on decision trees, which largely defies previous unobservability claims. Our work further explored the application of semi-supervised and unsupervised anomaly detection techniques in the same context. Our results indicate that an adversary is required to possess labeled data for performing an effective detection of covert channels.

在本文中，我们对多媒体协议隧道系统的不可观测性评估进行了广泛的分析。我们提出了一种基于决策树来评估这些系统的不可观察性的新方法，该决策树在很大程度上违背了先前的不可观察性声明。我们的工作进一步探讨了半监督和无监督异常检测技术在同一背景下的应用。我们的结果表明，攻击者需要拥有标记数据以执行隐蔽通道的有效检测。

9 Acknowledgments

This work was partially supported by national funds through Instituto Superior Te ́cnico, Universidade de Lisboa, and Fundac ̧a ̃o para a Cieˆncia e a Tecnologia (FCT) via projects PTDC/EEI-SCR/1741/2014, SFRH/BSAB/135236/2017, and UID/CEC/50021/2013.

这项工作得到了国家资金的部分支持，通过Instituto Superior Te cnico，Universidade de Lisboa和Fundac aa o para a Ciencia ea Tecnologia（FCT）通过项目PTDC / EEI-SCR / 1741/2014，SFRH / BSAB / 135236/2017，和UID / CEC / 50021/2013。

正文之后

done