Find Behaviors of Network Evasion and Protocol Obfuscation Using Traffic Measurement

With the development of computer network, security has become more and more important. Intrusion Detection Systems (IDS) and firewalls have been used to detect and block malicious applications and specific protocols. As a result, some malicious applications begin to mimic common application protocol or obfuscate themselves to get rid of detection, which is called Network Evasion. Evasion hazards the Internet security seriously. So it is necessary to find a method to detect behavior of network evasion and protocol obfuscation. In this paper, we analyzed and listed some common network evasion techniques and protocol obfuscation examples. We proposed a method based on measurement and statistics to find protocol obfuscation behavior. We took web crawler as an example. We measured massive of traffic in the real high speed network, found the differences of statistical characteristics between Google web crawlers and the private web crawlers. A model was proposed to detect obfuscation of web crawlers. With this model, we found some web crawlers with the behavior of protocol obfuscation. And we think this method is useful to discover and verify other behaviors of network evasion and protocol obfuscation.