基于TCP流RTT测量的Tethering行为检测架构

戴显龙; 程光; 陆广垠; 金斌磊

doi:10.13700/j.bh.1001-5965.2021.0463

基于TCP流RTT测量的Tethering行为检测架构

doi: 10.13700/j.bh.1001-5965.2021.0463

戴显龙^{1, 2, 3},
程光^{1, 2, 3, ,},
陆广垠^{1, 2, 3},
金斌磊^{1, 2, 3}

1.
东南大学网络空间安全学院，南京 211189
2.
东南大学江苏省泛在网络安全工程研究中心，南京 211189
3.
紫金山实验室，南京 211111

基金项目: 国家重点研发计划(2018YFB1800602)

详细信息

通讯作者:
E-mail：chengguang@seu.edu.cn

中图分类号: TP393
计量
- 文章访问数: 258
- HTML全文浏览量: 80
- PDF下载量: 19
- 被引次数: 0
出版历程
- 收稿日期: 2021-08-13
- 录用日期: 2021-11-14
- 网络出版日期: 2021-11-23
- 整期出版日期: 2023-06-30

Tethering behavior detection architecture based on RTT measurement of TCP flows

DAI Xianlong^{1, 2, 3},
CHENG Guang^{1, 2, 3
, ,},
LU Guangyin^{1, 2, 3},
JIN Binlei^{1, 2, 3}

1.
School of Cyber Science and Engineering，Southeast University，Nanjing 211189，China
2.
Jiangsu Province Engineering Research Center of Security for Ubiquitous Network，Southeast University，Nanjing 211189，China
3.
Purple Mountain Laboratories，Nanjing 211111，China

Funds: National Key R & D Program of China (2018YFB1800602)

More Information

Corresponding author: E-mail：chengguang@seu.edu.cn

摘要

摘要:
Tethering行为是一种移动设备通过自身传输介质共享其互联网连接服务的行为，其不仅对移动互联网造成运营压力和收益影响，还对移动互联网隐藏其内部网络结构，造成网络安全隐患。由于Tethering存在诸多混淆和规避方法，现有Tethering行为检测技术难以有效检测。鉴于此，分析了移动互联网通信基站中，Tethering行为终端在数据流量的处理、转发等特征，以及移动互联网用户流量中传输控制协议(TCP)流往返时延(RTT)的相关特性，提出一种基于TCP流RTT测量的Tethering检测架构，构建了所提架构的测试网络环境。实验结果表明：所提架构在检测Tethering行为中具有有效性，实现了利用无监督学习和被动监测网络流量对移动互联网中Tethering行为的有效检测，对Tethering行为检测的准确率达到97.50%。
- Tethering检测 /
- 往返时延 /
- 网络地址转换检测 /
- 无监督学习 /
- 移动互联网
Abstract:
Tethering behaviour is the sharing of an Internet connection service with other connected devices by using a mobile smart device as a NAT gateway. It will share the smartphone's data plan, especially the unlimited data plan. So, it can put ISPs under additional pressure to operate mobile Internet and have an impact on their revenue. It can hide the internal network structure from the public network same as Network Address Translation (NAT). It also provides the possibility for illegal devices to access anonymously. Due to many limitations and circumventing methods in tethering detection, the existing NAT detection technology is difficult to detect tethering behavior. In order to process and forward data traffic, we examine the features of tethering behaviors terminal devices in mobile Internet communication base station. We also analyze the relevant characteristics of RTT in TCP flows in mobile Internet traffic. Then, we propose a tethering detection method based on unsupervised analysis of RTT in TCP flows, and construct the test network environment of this method. The experimental results verify the effectiveness of this method in detecting tethering behavior, and realize the effective detection of tethering behavior in mobile Internet by passive network traffic monitoring ,with an accuracy of 97.50%.
- Tethering detection /
- round trip time /
- network address translation detection /
- unsupervised learning /
- mobile internet

HTML全文

图 1 智能终端Tethering行为场景描述

Figure 1. Tethering behavior scenario description for smart device

下载: 全尺寸图片幻灯片

图 2 本文架构

Figure 2. Framework of this paper

下载: 全尺寸图片幻灯片

图 3 全流量采集示意图

Figure 3. The description of the traffic measurement

下载: 全尺寸图片幻灯片

图 4 测试数据集采集与构建

Figure 4. Collection and establishment of test dataset

下载: 全尺寸图片幻灯片

图 5 去噪声有效性举例(DataSet12)

Figure 5. Examples of de-noising effectiveness (DataSet12)

下载: 全尺寸图片幻灯片

图 6 准确率混淆矩阵

Figure 6. Accuracy confusion matrix

下载: 全尺寸图片幻灯片

表 1 实验硬件平台的主要参数

Table 1. Main parameters of experiment hardware platform

序号	设备名称	型号	主要参数
1	模拟基站(PC)	Dell Vostro 14-5480	CPU：Core i5-5200U；RAM：4 GB；512 GB HDD；OS：Win 8 Pro
		Terrans Force X911	CPU：Core i7-4940MX；RAM：32 GB；1TB SSD；OS：Win 10 Pro
2	Tethering设备	Huawei P40	CPU：Kirin 990 5G；RAM：8 GB；OS：Android 10
		Mi10 Pro	CPU：snapdragon 865；RAM：12 GB；OS：Android 11
		Mi11 Ultra	CPU：snapdragon 888；RAM：12 GB；OS：Android 11
3	挂载设备(手机)	iPhone 6	CPU：Apple A8；OS：ios 12.5.4
		iPhone 8 Plus	CPU：Apple A11；OS：ios 14.6
		Redmi 7	CPU：snapdragon 632；OS：Android 9
		Mi10 Pro	CPU：snapdragon 865；OS：Android 11
		Mi11 Ultra	CPU：snapdragon 888；OS：Android 11
		Mi9	CPU：snapdragon 855；OS：Android 11
4	挂载设备(PC)	ThinkPad X1C 2016	CPU：Core i7-6600U；RAM：8 GB；OS：Win 10 Pro

下载: 导出CSV

表 2 实验数据集信息

Table 2. Information of datasets in the experiment

数据集	Tethering模式	手机设备型号	待测设备IP地址	大小/MB	分组个数
DataSet1	无Tethering	iphone6	192.168.137.109	1003	1000000
DataSet2	无Tethering	P40	192.168.137.157	912	1000000
DataSet3	无Tethering	P40	192.168.137.157	412	600000
DataSet4	TetheringD+A	P40、iphone6	192.168.137.157	973	1000000
DataSet5	TetheringD+A	P40、iphone6	192.168.137.157	910	1000000
DataSet6	TetheringD+A	P40、iphone6	192.168.137.157	900	1000000
DataSet7	TetheringD+A	P40、iphone6	192.168.137.157	943	1000000
DataSet8	TetheringD+A	P40、iphone6	192.168.137.157	466	500000
DataSet9	TetheringD+A	P40、iphone6	192.168.137.157	439	500000
DataSet10	TetheringD+A+B	P40、iphone6、iphone8 Plus	192.168.137.157	961	1000000
DataSet11	TetheringD+A+B+C	P40、iphone6、iphone8 Plus、Redmi7	192.168.137.157	1935	2000000
DataSet12	无Tethering	Mi10 Pro	192.168.137.238	984	1000000
DataSet13	无Tethering	Mi11 Ultra	192.168.137.142	1024	903103
DataSet14	TetheringD+A	Mi10 Pro、Mi11 Ultra	192.168.137.238	1136	1200000
DataSet15	TetheringD+A	Mi11 Ultra、Mi10 Pro	192.168.137.142	1218	1400000
DataSet16	TetheringD+A+B+C	Mi10 Pro、Mi11 Ultra、Mi9、X1C	192.168.137.238	1157	1200000
DataSet17	TetheringD+A+B+C	Mi11 Ultra、Mi10 Pro、Mi9、X1C	192.168.137.142	1372	1500000
DataSet18	TetheringD+A	P40、X1C	192.168.137.157	859	909785
DataSet19	无Tethering	P40	192.168.137.157	376	403776

下载: 导出CSV

表 3 数据集实验结果

Table 3. Experimental results of data sets

数据集	Tethering模式	RTT数量	n_clusters
DataSet1	无Tethering	1176	1
DataSet2	无Tethering	6347	1
DataSet3	无Tethering	7850	1
DataSet4	TetheringD+A	3435	2
DataSet5	TetheringD+A	1979	2
DataSet6	TetheringD+A	2754	2
DataSet7	TetheringD+A	2358	9
DataSet8	TetheringD+A	423	2
DataSet9	TetheringD+A	1820	2
DataSet10	TetheringD+A+B	3251	2
DataSet11	TetheringD+A+B+C	6377	2
DataSet12	无Tethering	2279	1
DataSet13	无Tethering	1877	1
DataSet14	TetheringD+A	5168	4
DataSet15	TetheringD+A	4497	2
DataSet16	TetheringD+A+B+C	4171	7
DataSet17	TetheringD+A+B+C	2606	19

下载: 导出CSV

表 4 DataSet18和DataSet19构建测试集分类结果

Table 4. Classification results of test dataset built by DataSet18 and DataSet19

标签名称	标签总个数	分类结果		准确率/%
标签名称	标签总个数	Tethering	无Tethering	准确率/%
Tethering	4312	4204	108	97.50
无Tethering	3400	1006	2394	70.41

下载: 导出CSV

参考文献(21)

[1]	WIKI. Tethering[EB/OL]. (2020-03-08) [2021-03-21]. https://en.wikipedia.org/wiki/Tethering.
[2]	CHOI J. Detection of misconfigured Wi-Fi tethering in managed networks[J/OL]. Preprints, 2020, (2020-03-08) [2021-03-21]. https://www.preprints.org/manuscript/202002.0189/v1. DOI: 10.20944/PREPRINTS202002.0189.V1.
[3]	We Are Social. Digital 2023: China[EB/OL]. (2021-02-09) [2021-03-21].https://datareportal.com/reports/digital-2023-China.
[4]	胡治国, 田春岐, 杜亮, 等. IP网络性能测量研究现状和进展[J]. 软件学报, 2017, 28(1): 105-134. HU Z G, TIAN C Q, DU L, et al. Current research and future perspective on IP network performance measurement[J]. Journal of Software, 2017, 28(1): 105-134(in Chinese).
[5]	DALAL P, SARKAR M, KOTHARI N, et al. Refining TCP’s RTT dependent mechanism by utilizing link retransmission delay measurement in wireless LAN[J]. International Journal of Communication Systems, 2017, 30(5): 1-20.
[6]	CISCO. Cisco ASR 5000 ECS Administration Guide StarOS Release 21.18[EB/OL]. (2020-10-05)[2021-03-21]. https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/21-18_6-12/ECS-Admin/21-18-ECS-Admin/21-17-ECS-Admin_chapter_011000.html#id_39377.
[7]	STRAKA K, MANES G. Passive detection of nat routers and client counting[C]//Advances in Digital Forensics II: IFIP international Conference on Digital Forensics. Berlin: Springer , 2006: 239-246.
[8]	MAIER G, SCHNEIDER F, FELDMANN A. NAT usage in residential broadband networks[C]//International Conference on Passive and Active Network Measurement. Berlin: Springer, 2011: 32-41.
[9]	PARK H, SHIN S, ROH B, et al. Identification of hosts behind a NAT device utilizing multiple fields of IP and TCP[C]//2016 International Conference on Information and Communication Technology Convergence. Piscataway: IEEE Press, 2016: 484-486.
[10]	ZHANG B, GUAN Y, NIU W, et al. A hybrid packet clustering approach for NAT host analysis[C]//2015 IEEE International Conference on Communication Software and Networks. Piscataway: IEEE Press, 2015: 432-438.
[11]	ABT S, DIETZ C, BAIER H, et al. Passive remote source NAT detection using behavior statistics derived from netflow[C]//IFIP International Conference on Autonomous Infrastructure, Management and Security. Berlin: Springer, 2013: 148-159.
[12]	GOKCEN Y, FOROUSHANI V A, HEYWOOD A N Z. Can we identify NAT behavior by analyzing traffic flows?[C]//2014 IEEE Security and Privacy Workshops. Piscataway: IEEE Press, 2014: 132-139.
[13]	KOMAREK T, GRILL M, PEVNY T. Passive NAT detection using HTTP access logs[C]//2016 IEEE International Workshop on Information Forensics and Security. Piscataway: IEEE Press, 2016: 1-6.
[14]	SALOMONSSON S. Exploring NAT host counting using network traffic flows[D]. Karlstad : Sweden Karlstad University, 2017: 59-73.
[15]	KHATOUNI A S, ZHANG L, AZIZ K, et al. Exploring NAT detection and host identification using machine learning[C]//2019 15th International Conference on Network and Service Management. Piscataway: IEEE Press, 2019: 1-8.
[16]	IBRAHIM M, LIU H, JAWAHAR M, et al. Verification: Accuracy evaluation of Wi-Fi fine time measurements on an open platform [C]//Proceedings of the 24th Annual International Conference on Mobile Computing and Networking. New York: ACM , 2018: 417-427.
[17]	HAN K, YU S M, KIM S L, et al. Exploiting user mobility for Wi-Fi RTT positioning: A geometric approach[J]. IEEE Internet of Things Journal, 2021, 8(19): 14589-14606. doi: 10.1109/JIOT.2021.3070367
[18]	ROY A K, KHAN A K. Privacy preservation with RTT-based detection for wireless mesh networks[J]. IET Information Security, 2020, 14(4): 391-400. doi: 10.1049/iet-ifs.2019.0492
[19]	HOU B, HOU C, ZHOU T, et al. Detection and characterization of network anomalies in large-scale RTT time series[J]. IEEE Transactions on Network and Service Management, 2021, 18(1): 793-806. doi: 10.1109/TNSM.2021.3050495
[20]	CHENG Y. Mean shift, mode seeking, and clustering[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 1995, 17(8): 790-799. doi: 10.1109/34.400568
[21]	COMANICIU D. An algorithm for data-driven bandwidth selection[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2003, 25(2): 281-288.