基于层次时空特征与多头注意力的恶意加密流量识别

doi:10.19678/j.issn.1000-3428.0058517

计算机工程 ›› 2021, Vol. 47 ›› Issue (7): 101-108. doi: 10.19678/j.issn.1000-3428.0058517

基于层次时空特征与多头注意力的恶意加密流量识别

蒋彤彤¹, 尹魏昕², 蔡冰³, 张琨¹

1. 南京理工大学计算机科学与工程学院, 南京 210094;
2. 国家计算机网络与信息安全管理中心江苏分中心网络安全处, 南京 210019;
3. 国家计算机网络与信息安全管理中心江苏分中心技术保障处, 南京 210019

收稿日期:2020-06-02 修回日期:2020-07-03 发布日期:2020-07-10
作者简介:蒋彤彤(1996-),女,硕士研究生,主研方向为网络安全、深度学习;尹魏昕、蔡冰,高级工程师;张琨,教授、博士、博士生导师。
基金资助:
江苏省研究生科研与实践创新计划（SJCX18_0149）；南京理工大学自主科研专项（1181060420）；南京理工大学横向课题（1191061083）。

Encrypted Malicious Traffic Identification Based on Hierarchical Spatiotemporal Feature and Multi-Head Attention

JIANG Tongtong¹, YIN Weixin², CAI Bing³, ZHANG Kun¹

1. School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China;
2. Department of Network Security, Jiangsu Branch of National Computer Network and Information Security Management Center, Nanjing 210019, China;
3. Department of Technical Support, Jiangsu Branch of National Computer Network and Information Security Management Center, Nanjing 210019, China

Received:2020-06-02 Revised:2020-07-03 Published:2020-07-10

摘要/Abstract

摘要： 为实现互联网全面加密环境下的恶意加密流量精确检测，针对传统识别方法较依赖专家经验且对加密流量特征的区分能力不强等问题，提出一种基于层次时空特征与多头注意力（HST-MHSA）模型的端到端恶意加密流量识别方法。基于流量层次结构，结合长短时记忆网络和TextCNN有效整合加密流量的多尺度局部特征和双层全局特征，并引入多头注意力机制进一步增强关键特征的区分度。在公开数据集CICAndMal2017上的实验结果表明，HST-MHSA模型的流量识别F1值相较基准模型最高提升了16.77个百分点，漏报率比HAST-Ⅱ和HABBiLSTM模型分别降低了3.19和2.18个百分点，说明其对恶意加密流量具有更强的表征和识别能力。

关键词: 加密流量识别, 多头注意力机制, 恶意流量识别, 卷积神经网络, 长短时记忆网络

Abstract: To implement the full encryption of Internet,the accurate detection of encrypted malicious traffic is required,but traditional detection methods rely heavily on expert experience and perform poorly in distiguishment of encrypted traffic feature is not strong the representation of encrypted traffic.To address the problem,an end-to-end malicious encrypted traffic identification method based on Hierarchical Spatiotemporal feature and Multi-Head Self-Attention(HST-MHSA) model is proposed.By utilizing the hierarchical structure of traffic,the advantages of LSTM and TextCNN to integrate the multi-scale local features and two-layer global features of encrypted traffic are combined.In addition,the multi-head attention mechanism is introduced to further enhance the discrimination of the key features.Experimental results on the public dataset CICAndMal2017 show that the F1 value of HST-MHSA model is at most 16.77 percentage points higher than that of the benchmark model,and its Missed Alarm Rate(MAR) is 3.19 and 2.18 percentage points lower than that of the hierarchical model HAST-Ⅱ and HABBiLSTM model respectively,displaying its stronger ability to represent and identify encrypted malicious traffic.

Key words: encrypted traffic identification, multi-head attention mechanism, malicious traffic identification, Convolutional Neural Network(CNN), Long Short-Term Memory(LSTM) network

中图分类号:

TP393.08

蒋彤彤, 尹魏昕, 蔡冰, 张琨. 基于层次时空特征与多头注意力的恶意加密流量识别[J]. 计算机工程, 2021, 47(7): 101-108.

JIANG Tongtong, YIN Weixin, CAI Bing, ZHANG Kun. Encrypted Malicious Traffic Identification Based on Hierarchical Spatiotemporal Feature and Multi-Head Attention[J]. Computer Engineering, 2021, 47(7): 101-108.

http://www.ecice06.com/CN/Y2021/V47/I7/101

图/表 11

20210721090235

20210721090239

20210721090242

20210721090245

20210721090249

20210721090252

20210721090255

20210721090259

20210721090303

20210721090306

20210721090309

参考文献

[1] Cisco.Encrypted traffic analytics white paper[EB/OL].[2020-05-07].https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf.
[2] 王健.基于HTTP的僵尸网络C&C流量检测方法研究[D].成都:电子科技大学,2019. WANG J.Research on HTTP botnet C&C Traffic Detection Method[D].Chengdu:University of Electronic Science and Technology,2019.(in Chinese)
[3] Gartner.Encrypted Web traffic[EB/OL].[2020-05-07].https://www.gartner.com/en/documents/3869861.
[4] REZAEI S,LIU X.Deep learning for encrypted traffic classification:an overview[J].IEEE Communications Magazine,2019,57(5):76-81.
[5] ANDERSON B,PAUL S,MCGREW D.Deciphering malware's use of TLS(without decryption)[J].Journal of Computer Virology and Hacking Techniques,2018,14(3):195-211.
[6] LIU J,ZENG Y,SHI J,et al.MalDetect:a structure of encrypted malware traffic detection[J].CMC-Computers,Materials & Continua,2019,60(2):721-739.
[7] YU T D,ZOU F T,LI L S,et al.An encrypted malicious traffic detection system based on neural network[C]//Proceedings of 2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery.Washington D.C.,USA:IEEE Press,2019:62-70.
[8] BAZUHAIR W,LEE W.Detecting malign encrypted network traffic using Perlin noise and convolutional neural network[EB/OL].[2020-05-07].https://www.researchgate.net/publication/339903495_Detecting_Malign_Encrypted_Network_Traffic_Using_Perlin_Noise_and_Convolutional_Neural_Network.
[9] 胡斌,周志洪,姚立红,等.基于报文负载和流指纹联合特征的TLS恶意流量检测[J].计算机工程,2020,46(11):157-163. HU B,ZHOU Z H,YAO L H,et al.TLS malicious traffic detection based on combined features of packet payload and stream fingerprints[J].Computer Engineering,2020,46(11):157-163.(in Chinese)
[10] WANG W,ZHU M,ZENG X W,et al.Malware traffic classification using convolutional neural network for representation learning[C]//Proceedings of International Conference on Information Networking.Washington D.C.,USA:IEEE Press,2017:712-717.
[11] 王攀,陈雪娇.基于堆栈式自动编码器的加密流量识别方法[J].计算机工程,2018,44(11):140-147,153. WANG P,CHEN X J.SAE-based encrypted traffic identification method[J].Computer Engineering,2018,44(11):140-147,153.(in Chinese)
[12] CHENG H,XIE J X,CHEN L H.CNN-based encrypted C&C communication traffic identification method[J].Computer Engineering,2019,45(8):31-34,41.(in Chinese)程华,谢金鑫,陈立皇.基于CNN的加密C&C通信流量识别方法[J].计算机工程,2019,45(8):31-34,41.
[13] ILIYASU A S,DENG H.Semi-supervised encrypted traffic classification with deep convolutional generative adversarial networks[J].IEEE Access,2020,8:118-126.
[14] GUO L L,WU Q Q,LIU S L,et al.Deep learning-based real-time VPN encrypted traffic identification methods[J].Journal of Real-Time Image Processing,2020,17(1):103-114.
[15] VASWANI A,SHAZEER N,PARMAR N,et al.Attention is all you need[C]//Proceedings of the 31st International Conference on Neural Information Processing Systems.Berlin,Germany:Springer,2017:5998-6008.
[16] WANG W,SHENG Y Q,WANG J J,et al.HAST-IDS:learning hierarchical spatial-temporal features using deep neural networks to improve intrusion detection[J].IEEE Access,2018,6:1792-1806.
[17] KIM Y.Convolutional neural networks for sentence classification[EB/OL].[2020-05-07].https://arxiv.org/abs/1408.5882.
[18] LASHKARI A H,KADIR A F A,TAHERI L,et al.Toward developing a systematic approach to generate benchmark android malware datasets and classification[C]//Proceedings of 2018 International Carnahan Conference on Security Technology.Washington D.C.,USA:IEEE Press,2018:1-8.
[19] WANG W,ZHU M,WANG J,et al.End-to-end encrypted traffic classification with one-dimensional convolution neural networks[C]//Proceedings of 2017 IEEE International Conference on Intelligence and Security Informatics.Washington D.C.,USA:IEEE Press,2017:22-27.
[20] 刘冲.基于深度学习的流量分类系统[D].北京:北京邮电大学,2019. LIU C.Traffic classification system based on deep learning[D].Beijing:Beijing University of Posts and Telecommunications,2019.(in Chinese)

选择文件类型/文献管理软件名称

选择包含的内容

基于层次时空特征与多头注意力的恶意加密流量识别

Encrypted Malicious Traffic Identification Based on Hierarchical Spatiotemporal Feature and Multi-Head Attention

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	曹坪, 杨怀志, 薄一军, 尤嘉, 张淳杰, 李丹勇. 面向低质量裂缝图像的多知识蒸馏分类[J]. 计算机工程, 2023, 49(7): 204-213.
[2]	白明昌. 基于折叠路径聚合的属性网络节点嵌入方法[J]. 计算机工程, 2023, 49(7): 76-84.
[3]	陈明, 刘蓉, 张晔. 基于多重注意力机制的中文医疗实体识别[J]. 计算机工程, 2023, 49(6): 314-320.
[4]	代祖华, 刘园园, 狄世龙. 语义增强的图神经网络方面级文本情感分析[J]. 计算机工程, 2023, 49(6): 71-80.
[5]	沈学利, 田桂源, 姜彦吉, 马琳琳. 基于双阶段Conv-Transformer的时频域语音增强算法[J]. 计算机工程, 2023, 49(6): 123-130.
[6]	丁子轩, 俞雷, 张娟, 李想, 王新宇. 基于深度残差自适应注意力网络的图像超分辨率重建[J]. 计算机工程, 2023, 49(5): 231-238.
[7]	陈治旭, 靳雁霞, 芦烨, 杨晶, 刘亚变, 史志儒. 基于子图卷积神经网络的多精度服装建模方法[J]. 计算机工程, 2023, 49(4): 174-181.
[8]	徐康, 李霏, 姬东鸿. 结合依存图卷积与文本片段搜索的方面情感三元组抽取[J]. 计算机工程, 2023, 49(4): 61-67.
[9]	衡红军, 苗菁. 语义与句法信息加强的二元标记实体关系联合抽取[J]. 计算机工程, 2023, 49(4): 77-84.
[10]	钟宝荣, 吴夏灵. 基于高分辨率网络的轻量型人体姿态估计研究[J]. 计算机工程, 2023, 49(4): 226-232,239.
[11]	杨晶晶, 谢海燕, 薛妮妮, 张傲明. 基于双通道残差网络的水下图像去噪研究[J]. 计算机工程, 2023, 49(4): 188-198.
[12]	刘晶晶, 黄浩. 引入非局部模块卷积神经网络的基频提取模型[J]. 计算机工程, 2023, 49(3): 128-133,160.
[13]	邹长龙, 安敬民, 李冠宇. 基于邻域聚合与CNN的知识图谱实体类型补全[J]. 计算机工程, 2023, 49(3): 134-141.
[14]	翟社平, 张宇航, 柏晓夏. 融合实体邻域信息的知识图谱嵌入负采样方法[J]. 计算机工程, 2023, 49(3): 95-104.
[15]	程小辉, 李钰, 康燕萍. 基于中间图特征提取的卷积网络双标准剪枝[J]. 计算机工程, 2023, 49(3): 105-112.

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

基于层次时空特征与多头注意力的恶意加密流量识别

Encrypted Malicious Traffic Identification Based on Hierarchical Spatiotemporal Feature and Multi-Head Attention

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献

相关文章 15

编辑推荐

Metrics

本文评价