基于上下文感知语言模型的C2流量检测

doi:10.19678/j.issn.1000-3428.0070472

摘要/Abstract

摘要：

命令与控制(C2)通信在现代高级持续性威胁(APT)中扮演着核心角色, 是APT实现长期潜伏和持续控制的关键通信纽带。C2流量检测对于防御APT攻击、保护网络安全至关重要。然而, 现有的C2流量检测方法主要基于传统机器学习与深度学习, 其中特征工程依赖专家经验, 主观性强且极易产生遗漏, 对快速演变的攻击形态和流量模式适应性较差; 而传统深度学习模型对深层复杂特征捕捉能力较差, 同时对标注数据和训练资源具有较强依赖。为解决以上问题, 提出一种基于Transformer双向编码表示(BERT)的C2流量检测方法C2BT, 不同于传统基于特征工程的检测方法, 利用BERT大语言模型自动学习并捕获网络远程控制流量上下文深层特征, 进一步引入单独训练的Transformer解码器进行重构和误差计算, 以评估编码器的表现质量, 并将重构误差融入编码器后续优化训练过程, 进一步提升模型的检测效果和鲁棒性。通过在多个不同C2流量数据集上的广泛实验, 所提方法展现出卓越的性能和强大的泛化能力, 准确率、精确率、F1值分别达98.47%、95.82%和95.91%, 并在全新的数据集上保持稳定的效果, 证明了该方法在C2流量检测中的有效性。此外, 通过引入解码器重构误差评估机制, 验证编码器的鲁棒性, 进一步提升了检测结果的有效性, 为构建更高效的网络安全检测防御体系提供了新的技术路径。

关键词: 命令与控制, 流量检测, 双向编码表示, 多头注意力机制, 重构误差

Abstract:

Command and Control (C2) communication plays an essential role in modern Advanced Persistent Threats (APTs) and is the key communication link for achieving long-term lurking and continuous control. C2 traffic detection is crucial for defending against APT attacks and protecting network security. However, existing C2 traffic detection methods are mainly based on conventional machine learning and deep learning. In these methods, feature engineering relies on expert experience, is highly subjective and prone to omissions, and has poor adaptability to rapidly evolving attack forms and traffic patterns. Conversely, traditional deep learning models show poor performance in capturing deep and complex features and show a strong dependence on labeled data and training resources. To address these issues, this paper proposes a C2 traffic detection method (C2BT) based on Transformer bidirectional encoding representation. Unlike conventional detection methods based on feature engineering, this method uses the Bidirectional Encoder Representations from Transformers (BERT) large model to automatically learn and capture the depth features of the remote control traffic context. It further introduces a separately trained Transformer decoder for reconstruction and error calculation to evaluate the performance quality of the encoder and incorporates the reconstruction error into the subsequent optimization training process of the encoder to further improve the detection effect and robustness of the model. Extensive experiments are conducted on multiple different C2 traffic datasets. The proposed method demonstrates excellent performance and strong generalization capabilities, with its accuracy, precision, and F1 value reaching 98.47%, 95.82%, and 95.91%, respectively. It maintains stable results on new datasets, demonstrating its effectiveness in C2 traffic detection. The introduction of a decoder reconstruction error evaluation mechanism to verify the robustness of the encoder improves detection efficiency. The proposed method provides a new technical pathway for building a more efficient network security detection and defense system.

Key words: Command and Control (C2), traffic detection, bidirectional encoding representation, multi-head attention mechanism, reconstruction error

吴沛颖, 李晓慧, 王俊峰. 基于上下文感知语言模型的C2流量检测[J]. 计算机工程, 2026, 52(5): 270-280.

WU Peiying, LI Xiaohui, WANG Junfeng. C2 Traffic Detection Based on Context-aware Language Model[J]. Computer Engineering, 2026, 52(5): 270-280.

https://www.ecice06.com/CN/Y2026/V52/I5/270

图/表 19

图1 C2BT整体框架流程

Fig.1 C2BT overall framework process

图2 BERT微调训练架构

Fig.2 BERT fine-tuning training architecture

图3 解码器训练及使用流程

Fig.3 Decoder training and usage process

图4 EarlyCrow数据集重构误差结果

Fig.4 Reconstruction error results of EarlyCrow dataset

图5 IcedID BackConnect数据集重构误差结果

Fig.5 Reconstruction error results of IcedID BackConnect dataset

图6 CobaltStrike C2数据集重构误差结果

Fig.6 Reconstruction error results of CobaltStrike C2 dataset

图7 VNAT数据集重构误差结果

Fig.7 Reconstruction error results of VNAT dataset

参考文献 35

1	杨秀璋, 彭国军, 刘思德, 等. 面向APT攻击的溯源和推理研究综述. 软件学报, 2025, 36 (1): 203- 252.
	YANG X Z , PENG G J , LIU S D , et al. A survey on traceability and reasoning for APT attacks. Journal of Software, 2025, 36 (1): 203- 252.
2	王郅伟, 何睎杰, 易鑫, 等. 基于APT活动全生命周期的攻击与检测综述. 通信学报, 2024, 45 (9): 206- 228. doi: 10.11959/j.issn.1000-436x.2024128
	WANG Z W , HE X J , YI X , et al. A review of attacks and detection based on the full lifecycle of APT activities. Journal of Communications, 2024, 45 (9): 206- 228. doi: 10.11959/j.issn.1000-436x.2024128
3	HAIDER R Z, ASLAM B, ABBAS H, et al. C2-DNSWatch: endpoint framework for detecting Command and Control (C2) connection of advanced persistent threats (APTs)[C]//Proceedings of the 13th International Conference on Communications, Circuits and Systems. Xiamen, China: IEEE Press, 2024: 64-69.
4	VUGRIN E D , HANSON S , CRUZ J , et al. Experimental validation of a command and control traffic detection model. IEEE Transactions on Dependable and Secure Computing, 2024, 21 (3): 1084- 1097. doi: 10.1109/TDSC.2023.3266139
5	AZAB A , KHASAWNEH M , ALRABAEE S , et al. Network traffic classification: Techniques, datasets, and challenges. Digital Communications and Networks, 2024, 10 (3): 676- 692. doi: 10.1016/j.dcan.2022.09.009
6	TIAN Y, LI Z. Dom-BERT: detecting malicious domains with pre-training model[C]//Proceedings of International Conference on Passive and Active Network Measurement. Berlin, Germany: Springer, 2024: 133-158.
7	ZHAO W C , HU H Z , ZHOU W G , et al. BEST: BERT pre-training for sign language recognition with coupling tokenization. Proceedings of the AAAI Conference on Artificial Intelligence, 2023, 37 (3): 3597- 3605. doi: 10.1609/aaai.v37i3.25470
8	ROESCH M. Snort: lightweight intrusion detection for networks[C]//Proceedings of LISA'99. New York, USA: ACM Press, 1999: 229-238.
9	RIVALDI O , MARPAUNG N L . Penerapan sistem keamanan jaringan menggunakan intrusion prevention system berbasis suricata. Jurnal Inovtek Polbeng Seri Informatika, 2023, 8 (1): 141- 153. doi: 10.35314/isi.v8i1.3269
10	FLORES J A M . Breve análisis comparativo de Snort y Suricata. Investigación y Ciencia Aplicada ala Ingeniería, 2023, 6 (37): 61- 66.
11	ALQAHTANI H, SARKER I H, KALIM A, et al. Cyber intrusion detection using machine learning classification techniques[C]//Proceedings of International Conference on Computing Science, Communication and Security. Singapore: Springer Singapore, 2020: 121-131.
12	UCI. KDD Cup 1999 Data[EB/OL]. [2024-05-10]. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
13	ALMUTHANNA A, MAFFEIS S. EarlyCrow: detecting APT malware command and control over HTTP(S) using contextual summaries[C]//Proceedings of International Conference on Information Security. Berlin, Germany: Springer, 2022: 1-10.
14	DU Y , ZHANG S B , WAN G G , et al. RRCNN: request response-based convolutional neural network for ICS network traffic anomaly detection. Computers, Materials & Continua, 2023, 75 (3): 5743- 5759.
15	ELSAYED M S, LE-KHAC N A, JAHROMI H Z, et al. A hybrid CNN-LSTM based approach for anomaly detection systems in SDNs[C]//Proceedings of the 16th International Conference on Availability, Reliability and Security. New York, USA: ACM Press, 2021: 17-20.
16	ZAIDI S S A , ANSARI M S , ASLAM A , et al. A survey of modern deep learning based object detection models. Digital Signal Processing, 2022, 126, 103514. doi: 10.1016/j.dsp.2022.103514
17	MUTALIB N H A , SABRI A Q M , WAHAB A W A , et al. Explainable deep learning approach for advanced persistent threats (APTs) detection in cybersecurity: a review. Artificial Intelligence Review, 2024, 57 (11): 297. doi: 10.1007/s10462-024-10890-4
18	LIU J , YAN J J , JIANG J , et al. TriCTI: an actionable cyber threat intelligence discovery system via trigger-enhanced neural network. Cybersecurity, 2022, 5 (1): 8. doi: 10.1186/s42400-022-00110-3
19	WANG X R, LIU R S, YANG J, et al. Cyber threat intelligence entity extraction based on deep learning and field knowledge engineering[C]//Proceedings of the IEEE 25th International Conference on Computer Supported Cooperative Work in Design. Hangzhou, China: IEEE Press, 2022: 406-413.
20	ZIEMS N, WU S E. Security vulnerability detection using deep learning natural language processing[C]//Proceedings of the IEEE Conference on Computer Communications Workshops. Vancouver, Canada: IEEE Press, 2021: 1-6.
21	UDDIN M A, SARKER I H. An explainable transformer-based model for phishing email detection: a large language model approach[EB/OL]. [2024-05-10]. http://arxiv.org/pdf/2402.13871.
22	KENTON J D M W C, TOUTANOVA L K. BERT: pre-training of deep bidirectional transformers for language understanding[C]//Proceedings of NAACL-HLT. Washington D. C., USA: IEEE Press, 2019: 2.
23	VASWANI A. Attention is all you need[EB/OL]. [2024-05-10]. https://arxiv.org/abs/1706.03762?ref=andrealarosa.org.
24	杜林, 许传淇. 基于BERT的漏洞文本特征分类技术研究. 信息安全研究, 2023, 9 (7): 687- 692.
	DU L , XU C . Research on vulnerability text feature classification technology based on BERT. Journal of Information Security Research, 2023, 9 (7): 687- 692.
25	LIN X J, XIONG G, GOU G P, et al. ET-BERT: a contextualized datagram representation with pre-training transformers for encrypted traffic classification[C]//Proceedings of the ACM Web Conference 2022. New York, USA: ACM Press, 2022: 633-642.
26	HJELMVIK E. IcedID BackConnect protocol[EB/OL]. [2024-05-10]. https://www.netresec.com/?page=Blog&month=2022-10&post=IcedID-BackConnect-Protocol.
27	Strategic Cyber LLC. Cobalt strike PCAP dataset[EB/OL]. [2024-05-10]. https://dissect-cobaltstrike.readthedocs.io/en/latest/tutorials/decrypt_cobaltstrike_pcaps.html.
28	STEVEN J. VPN/Non-VPN Network Application Traffic Dataset (VNAT)[EB/OL]. [2024-05-10]. https://www.ll.mit.edu/r-d/datasets/vpnnonvpn-network-application-traffic-dataset-vnat.
29	SHI W C , SUN H M . DeepBot: a time-based botnet detection with deep learning. Soft Computing, 2020, 24 (21): 16605- 16616. doi: 10.1007/s00500-020-04963-z
30	ELMAN J . Finding structure in time. Cognitive Science, 1990, 14 (2): 179- 211. doi: 10.1207/s15516709cog1402_1
31	HOCHREITER S , SCHMIDHUBER J . Long short-term memory. Neural Computation, 1997, 9 (8): 1735- 1780. doi: 10.1162/neco.1997.9.8.1735
32	CHO K. Learning phrase representations using RNN encoder-decoder for statistical machine translation[EB/OL]. [2024-05-10]. https://arxiv.org/abs/1406.1078.
33	SCHUSTER M , PALIWAL K K . Bidirectional recurrent neural networks. IEEE Transactions on Signal Processing, 1997, 45 (11): 2673- 2681. doi: 10.1109/78.650093
34	GRAVES A, MOHAMED A R, HINTON G. Speech recognition with deep recurrent neural networks[C]//Proceedings of the IEEE International Conference on Acoustics, Speech and Signal Processing. Vancouver, Canada: IEEE Press, 2013: 6645-6649.
35	BAHDANAU D. Neural machine translation by jointly learning to align and translate[EB/OL]. [2024-05-10]. https://arxiv.org/abs/1409.0473.

[1]	杨明芬, 甘昀, 张兴鹏. 基于有监督自编码器的TLS加密异常流量检测[J]. 计算机工程, 2025, 51(9): 192-200.
[2]	陈良臣, 傅德印, 刘宝旭, 高曙, 张煦尧. 面向网络加密流量的增量式入侵检测关键技术研究综述[J]. 计算机工程, 2025, 51(12): 18-30.
[3]	周雪阳, 傅启明, 陈建平, 陈延明, 陆悠, 王蕴哲. 基于证据和图推理的文档级关系抽取方法: 以医学关系为例[J]. 计算机工程, 2025, 51(1): 106-117.
[4]	梁松林, 林伟, 王珏, 杨庆. 面向后渗透攻击行为的网络恶意流量检测研究[J]. 计算机工程, 2024, 50(5): 128-138.
[5]	代巍, 王丰羽, 冀常鹏. 基于情感增强与双图卷积网络的方面级情感分析[J]. 计算机工程, 2024, 50(5): 120-127.
[6]	任义, 苏博, 袁帅. 教育领域下多维度特征命名实体识别方法[J]. 计算机工程, 2024, 50(10): 110-118.
[7]	衡红军, 范昱辰, 王家亮. 基于Transformer的多方面特征编码图像描述生成算法[J]. 计算机工程, 2023, 49(2): 199-205.
[8]	孙懿, 高见, 顾益军. 融合一维Inception结构与ViT的恶意加密流量检测[J]. 计算机工程, 2023, 49(1): 154-162.
[9]	丁庆丰, 李晋国. 一种物联网环境下的分布式异常流量检测方案[J]. 计算机工程, 2022, 48(8): 152-159.
[10]	葛昕, 邹福泰, 郭万达, 谭越, 李林森. 社交僵尸网络发展综述[J]. 计算机工程, 2022, 48(8): 12-24.
[11]	张稣荣, 卜佑军, 陈博, 孙重鑫, 王涵, 胡先君. 基于多层双向SRU与注意力模型的加密流量分类方法[J]. 计算机工程, 2022, 48(11): 127-136.
[12]	蒋彤彤, 尹魏昕, 蔡冰, 张琨. 基于层次时空特征与多头注意力的恶意加密流量识别[J]. 计算机工程, 2021, 47(7): 101-108.
[13]	胡斌, 周志洪, 姚立红, 李建华. 结合报文负载与流指纹特征的恶意流量检测[J]. 计算机工程, 2020, 46(11): 157-163.
[14]	马喆康, 迪力亚尔·帕尔哈提, 早克热·卡德尔, 吐尔根·依布拉音, 西尔艾力·色提, 艾山·吾买尔. 一种集成深度学习模型的旅游问句文本分类算法[J]. 计算机工程, 2020, 46(11): 70-76.
[15]	季琳雅,吕鑫,陶飞飞,曾涛. 基于对抗自编码网络的水利数据补全方法[J]. 计算机工程, 2019, 45(4): 307-310.

选择文件类型/文献管理软件名称

选择包含的内容