Title of invention: Encrypted-traffic discrimination device and encrypted-traffic discrimination system
Abstract: An encrypted-traffic discrimination device includes an input interface, a flow discrimination section, a data accumulation section, a selective data calculation section, a calculation result determination section, and an output interface. The flow discrimination section discriminates the input traffic into separate flows based on at least a transmission origin address and a transmission destination address. The data accumulation section accumulates characteristic amount data of the traffic for each of the separate flows. The selective data calculation section executes an evaluation computation utilizing specific data from the characteristic amount data. The calculation result determination section, based on a calculated evaluation computation value, executes a threshold value determination to determine whether or not the traffic is encrypted, and, if the traffic is determined to be encrypted, which encryption format the traffic is encrypted with.
Publication number: US9021252(B2) Publication date: 2015.04.28
Application number: US201012659069 Filing date: 2010.02.24
Applicant: Osaka City University;Osaka University;Oki Electric Industry Co., Ltd. Inventors: Ata Shingo;Hasegawa Go;Nakahira Yoshihiro;Nakamura Nobuyuki
Classification: H04L29/06;H04L12/851 Main classification: H04L29/06
Agency: Rabin & Berdo, P.C. Agent: Rabin & Berdo, P.C.
Main claim: 1. An encrypted-traffic discrimination device, comprising: a hardware computing device, and a non-transitory medium having instructions stored thereon, execution of which by the hardware computing device causes the encrypted-traffic discrimination device to provide the functions of: an input interface to which traffic is input; a flow discrimination section that discriminates the input traffic into separate flows based on at least a transmission origin address and a transmission destination address; a data accumulation section that accumulates characteristic amount data of the traffic for each of the separate flows; a selective data calculation section that executes an evaluation computation utilizing specific data from the accumulated characteristic amount data; a calculation result determination section that, based on a calculated evaluation computation value, executes a threshold value determination to determine whether or not the traffic is encrypted, and, if the traffic is determined to be encrypted, with which encryption format is the traffic encrypted; and an output interface that outputs a result of the determination, where the accumulated characteristic amount data comprises an arrival interval duration between arrivals of packets included in the traffic; the selective data calculation section sorts a data set of the arrival interval durations by length, and takes, as an evaluation computation value, arrival interval durations of a specific section of the sorted data set of arrival interval durations, or computes, as the evaluation computation value, an average value of a specific range of the data set of arrival interval durations; and from the data set of arrival interval durations sorted by length, the selective data calculation section takes, as the evaluation computation value, an arrival interval duration in the vicinity of the 75th percentile from the shortest arrival interval duration, or computes, as the evaluation computation value, the average value of arrival interval durations in a range of the 0th percentile to the 75th percentile from the shortest arrival interval duration of the data set.
Address: Osaka JP
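The pipeline in claim 1 (flow separation by origin and destination address, sorted arrival intervals, a 75th-percentile or 0th-to-75th-percentile-mean evaluation value, then a threshold determination) can be sketched as follows. This is an added example, not code from the patent; the threshold bands, the format labels, the percentile index rule and the sample packets are all assumptions, since the record gives none of them.

```python
from collections import defaultdict

# Constructed sample: (arrival time in ms, origin address, destination address).
SAMPLE = [(0, "192.0.2.1", "192.0.2.9"), (0, "192.0.2.3", "192.0.2.9"),
          (1, "192.0.2.1", "192.0.2.9"), (2, "192.0.2.1", "192.0.2.9"),
          (4, "192.0.2.1", "192.0.2.9"), (6, "192.0.2.1", "192.0.2.9"),
          (7, "192.0.2.5", "192.0.2.9"), (9, "192.0.2.1", "192.0.2.9"),
          (13, "192.0.2.1", "192.0.2.9"), (20, "192.0.2.3", "192.0.2.9"),
          (45, "192.0.2.3", "192.0.2.9"), (65, "192.0.2.3", "192.0.2.9"),
          (90, "192.0.2.3", "192.0.2.9"), (113, "192.0.2.1", "192.0.2.9"),
          (300, "192.0.2.3", "192.0.2.9")]

# Hypothetical threshold bands in ms (upper bound, label); the claim gives no values.
BANDS = [(5, "not encrypted"), (50, "encrypted, format A"),
         (float("inf"), "encrypted, format B")]

def split_flows(packets):
    """Flow discrimination: group arrival times by (origin, destination)."""
    flows = defaultdict(list)
    for ts, src, dst in packets:
        flows[(src, dst)].append(ts)
    return flows

def evaluation_values(intervals):
    """Sort intervals by length; return (value near the 75th percentile,
    mean of the 0th..75th percentile range), or None if there are none."""
    s = sorted(intervals)
    if not s:
        return None
    k = int(0.75 * (len(s) - 1))      # index counted from the shortest interval
    return s[k], sum(s[:k + 1]) / (k + 1)

def discriminate(packets, use_mean=False, bands=BANDS):
    """Per-flow threshold determination on the selected evaluation value."""
    result = {}
    for key, times in split_flows(packets).items():
        times.sort()
        ev = evaluation_values([b - a for a, b in zip(times, times[1:])])
        if ev is None:
            result[key] = "insufficient data"
            continue
        value = ev[1] if use_mean else ev[0]
        result[key] = next(label for upper, label in bands if value < upper)
    return result

if __name__ == "__main__":
    for flow, verdict in discriminate(SAMPLE).items():
        print(flow, verdict)
```

In the first constructed flow a single 100 ms idle gap falls above the 75th percentile, so it affects neither evaluation value, whereas a plain mean over all intervals would be pulled across the 5 ms band.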