融合多头注意力机制的网络恶意流量检测

doi:10.11871/jfdc.issn.2096-742X.2022.05.007

数据与计算发展前沿 ›› 2022, Vol. 4 ›› Issue (5): 60-67.

CSTR: 32002.14.jfdc.CN10-1649/TP.2022.05.007

doi: 10.11871/jfdc.issn.2096-742X.2022.05.007

• 专题:第37次全国计算机安全学术交流会征文 • 上一篇下一篇

融合多头注意力机制的网络恶意流量检测

赵忠斌,蔡满春^*(),芦天亮

中国人民公安大学,信息网络安全学院,北京 100038

收稿日期:2022-08-02 出版日期:2022-10-20 发布日期:2022-10-27
通讯作者: 蔡满春
作者简介:赵忠斌,中国人民公安大学,信息网络安全学院,硕士研究生,主要研究方向为恶意代码检测、恶意流量检测、深度学习。
本文中主要承担实验测试和论文撰写。
ZHAO Zhongbin, People’s Public Security University of China, School of Information Network Security, master’s degree student, whose main research interests are malicious code detection, malicious traffic detection, and deep learning.
In this paper, he mainly undertakes experimental testing and thesis writing.
E-mail: 2020211628@stu.ppsuc.edu.cn|蔡满春,中国人民公安大学,信息网络安全学院,副教授,博士,主要研究方向为恶意代码检测、人工智能。本文中承担论文指导和修改工作。
CAI Manchun, People’s Public Security University of China, School of Informa-tion Network Security, Associate Professor, Ph.D., whose main research interests are malicious code detection and artificial intelligence.
In this paper, he undertakes the supervision and revision of the thesis.
E-mail: caimanchun@ppsuc.edu.cn
基金资助:
国家社科基金重大项目(21&ZD193)

Network Malicious Traffic Detection Incorporating Multi-Head Attention Mechanism

ZHAO Zhongbin,CAI Manchun^*(),LU Tianliang

College of Information Network Security, People’s Public Security University of China, Beijing 100038, China

Received:2022-08-02 Online:2022-10-20 Published:2022-10-27
Contact: CAI Manchun

摘要/Abstract

摘要：

【目的】现有的网络恶意流量检测方法依赖统计特征进行建模,忽略了网络流量本身所具备的时序特征,通过对时序特征的提取、学习、建模,可以进一步提高网络恶意流量检测精度。【方法】将网络流量以会话为基本单元进行切分,对每个会话截取固定长度的流量字节,以词嵌入的方式为每个字节编码,通过融合多头注意力机制的特征提取算法提取其时序特征,将提取的特征输入分类器从而实现对恶意流量的检测。【结果】实验结果表明,本文提出模型对恶意流量的分类准确率达到99.97%,明显优于通过统计特征建模的恶意流量检测方法,对比LSTM和Bi-LSTM等同类模型也有提升。【结论】融合多头注意力机制的网络恶意流量检测方法能够明显提高现有算法对恶意流量的检测精度,能够有效支撑网络空间安全保卫与防护任务。

关键词: 网络恶意流量检测, 多头注意力, 机器学习

Abstract:

[Objective] Existing network malicious traffic detection methods rely on statistical features for modeling, ignoring the temporal features possessed by network traffic itself. By extracting, learning, and modeling temporal features, the network malicious traffic detection accuracy can be further improved. [Methods] The network traffic is segmented into sessions, and each session is intercepted with a fixed length of traffic bytes, and each byte is encoded in the form of word embedding, and its temporal features are extracted by a feature extraction algorithm incorporating a multi-head attention mechanism, and the extracted features are fed into a classifier to achieve detection of malicious traffic. [Results] The experimental results show that the classification accuracy of the proposed model for malicious traffic reaches 99.97%, which is significantly better than the malicious traffic detection methods modeled by statistical features, and also improved compared with similar models such as LSTM and Bi-LSTM. [Conclusions] The network malicious traffic detection method incorporating the multi-head attention mechanism can significantly improve the detection accuracy of the existing algorithms for malicious traffic and can effectively support the task of cyberspace security defense and protection.

Key words: network malicious traffic detection, multi-head attention, machine learning

赵忠斌,蔡满春,芦天亮. 融合多头注意力机制的网络恶意流量检测[J]. 数据与计算发展前沿, 2022, 4(5): 60-67.

ZHAO Zhongbin,CAI Manchun,LU Tianliang. Network Malicious Traffic Detection Incorporating Multi-Head Attention Mechanism[J]. Frontiers of Data and Computing, 2022, 4(5): 60-67, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2022.05.007.

图/表 9

图1

图2

图3

表1

图4

表2

表3

表4

表5

参考文献 17

[1]	Zhu M, Ye K, Wang Y, et al. A deep learning approach for network anomaly detection based on AMF-LSTM[C]// IFIP international conference on network and parallel computing. Springer, Cham, 2018: 137-141.
[2]	HUANG H, DENG H, CHEN J, et al. Automatic Multi-task Learning System for Abnormal Network Traffic Detection[J]. International Journal of Emerging Techno-logies in Learning, 2018, 13(4): 4-20.
[3]	Kong L, Huang G, Wu K. Identification of abnormal network traffic using support vector machine[C]// 2017 18th international conference on parallel and distributed computing, applications and technologies (PDCAT), IEEE, 2017: 288-292.
[4]	Dey S K, Rahman M M. Flow based anomaly detection in software defined networking: A deep learning approach with feature selection method[C]// 2018 4th international conference on electrical engineering and information & communication technology (iCEEiCT),IEEE, 2018: 630-635.
[5]	NIYAZ Q, SUN W, JAVAID A Y. A deep learning based DDoS detection system in software-defined networking (SDN)[J]. arXiv preprint arXiv:161107400, 2016.
[6]	GARG S, KAUR K, KUMAR N, et al. Hybrid deep-lea-rning-based anomaly detection scheme for suspicious flow detection in SDN: A social multimedia perspective[J]. IEEE Transactions on Multimedia, 2019, 21(3): 566-78. doi: 10.1109/TMM.2019.2893549
[7]	LI J, ZHAO Z, LI R. A machine learning based intrusion detection system for software defined 5G network[J]. arXiv preprint arXiv:170804571, 2017.
[8]	A. Özgür, H. Erdem. A review of kdd99 dataset usage in intrusion detection and machine learning between 2010 and 2015[J]. PeerJ PrePrints, 2016, 4: e1954v1.
[9]	Moustafa N, Slay J. The significant features of the UNSW-NB15 and the KDD99 data sets for network intrusion detection systems[C]// 2015 4th international workshop on building analysis datasets and gathering experience returns for security (BADGERS), IEEE, 2015: 25-31.
[10]	王伟. 基于深度学习的网络流量分类及异常检测方法研究[D]. 中国科学技术大学, 2018.
[11]	DAINOTTI A, PESCAPE A, CLAFFY K C. Issues and future directions in traffic classification[J]. IEEE net-work, 2012, 26(1): 35-40.
[12]	SMAGULOVA K, JAMES A P. A survey on LSTM me-mristive neural network architectures and applications[J]. The European Physical Journal Special Topics, 2019, 228(10): 2313-2324. doi: 10.1140/epjst/e2019-900046-x
[13]	HUANG Z, XU W, YU K. Bidirectional LSTM-CRF models for sequence tagging[J]. arXiv preprint arXiv: 150801991, 2015.
[14]	SHAW P, USZKOREIT J, VASWANI A. Self-attention with relative position representations[J]. arXiv preprint arXiv:180302155, 2018.
[15]	A. Vaswani, N. Shazeer, N. Parmar, et al. Attention is all you need[C]. Advances in Neural Information Processing Systems, 2017: 5998-6008.
[16]	Wang W, Zhu M, Zeng X, et al. Malware traffic class-ification using convolutional neural network for represen-tation learning[C]// 2017 International conference on infor-mation networking (ICOIN), IEEE, 2017: 712-717.
[17]	SHARAFALDIN I, LASHKARI A H, GHORBANI A A. Toward generating a new intrusion detection dataset and intrusion traffic characterization[J]. ICISSp, 2018, 1: 108-116.

名称	训练集	验证集	测试集	总计
Cridex	10487	2622	3277	16386
Geodo	26206	6551	8190	40947
Htbot	4075	1019	1273	6367
Miuref	8628	2157	2696	13481
Neris	21626	5407	6758	33791
Nsis-ay	3884	971	1214	6069
Shifu	6166	1541	1927	9634
Tinba	5443	1361	1701	8504
Virut	21186	5296	6621	33103
Zeus	7021	1755	2194	10970

流量类别	Cridex	Geodo	Htbot	Miuref	Neris	Nsis-ay	Shifu	Tinba	Virut	Zeus
Cridex	3275	0	0	0	0	0	0	2	0	0
Geodo	0	8190	0	0	0	0	0	0	0	0
Htbot	0	0	1273	0	0	0	0	0	0	0
Miuref	1	0	0	2692	0	0	0	3	0	0
Neris	0	0	0	0	6758	0	0	0	0	0
Nsis-ay	0	0	0	0	0	1212	0	0	0	2
Shifu	0	1	0	0	0	0	1926	0	0	0
Tinba	0	0	0	1	0	0	0	1700	0	0
Virut	0	0	0	0	1	0	0	0	6620	0
Zeus	0	0	0	0	0	0	0	0	0	2194

流量类别	Pprecision(%)	Rrecall(%)	F1(%)
Cridex	99.97	99.94	99.95
Geodo	99.99	100	99.99
Htbot	100	100	100
Miuref	99.96	99.85	99.91
Neris	99.99	100	99.99
Nsis-ay	100	99.84	99.92
Shifu	100	99.95	99.97
Tinba	99.71	99.94	99.82
Virut	100	99.98	99.99
Zeus	99.91	100	99.95
AVERAGE	99.95	99.95	99.95

	Aaccuracy (%)	Pprecision (%)	Rrecall (%)	F1(%)
本文模型	99.97	99.95	99.95	99.95
LSTM	99.68	99.43	99.48	99.45
Bi-LSTM	99.40	99.19	99.15	99.16
10-classifiers	98.52	98.54	98.65	98.56
20-classifiers	99.17	98.65	98.73	98.68

	Aaccuracy (%)	Pprecision (%)	Rrecall (%)	F1(%)
本文模型	98.90	97.44	97.18	97.26
LSTM	97.89	94.62	93.93	94.18
Bi-LSTM	98.27	96.42	95.89	96.06

融合多头注意力机制的网络恶意流量检测

Network Malicious Traffic Detection Incorporating Multi-Head Attention Mechanism

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 17

相关文章 12

编辑推荐

Metrics

本文评价

[1]	危婷,张宏海,蔺小丽,张蕾蕾,王妍,贾金峰. 云服务网站用户复访行为预测模型研究[J]. 数据与计算发展前沿, 2022, 4(3): 124-130.
[2]	孙永谦,张茹茹,林子涵,张圣林,谭智元,张玉志. KPI异常检测方法评估[J]. 数据与计算发展前沿, 2022, 4(3): 46-65.
[3]	张怡宁,何洪波,王闰强. 热门数字音频预测技术综述[J]. 数据与计算发展前沿, 2021, 3(4): 81-92.
[4]	蒲剑苏,朱正国,邵慧,高博洋,朱焱麟,闫宗楷,向勇. 基于可视化的固态电解质材料机器学习筛选与预测[J]. 数据与计算发展前沿, 2021, 3(4): 18-29.
[5]	张舒莹,韩鑫胤,何小雨,袁丹阳,栾海晶,李瑞琳,何佳茵,牛北方. 基于机器学习的基因组微卫星状态探测方法综述[J]. 数据与计算发展前沿, 2021, 3(3): 126-135.
[6]	肖建平,龙春,赵静,魏金侠,胡安磊,杜冠瑶. 基于深度学习的网络入侵检测研究综述[J]. 数据与计算发展前沿, 2021, 3(3): 59-74.
[7]	郭佳龙,王宗国,王彦棡,赵旭山,宿彦京,刘志威. 基于计算机技术的材料研发方法概述[J]. 数据与计算发展前沿, 2021, 3(2): 120-132.
[8]	任荟颖,王婧,王彦棡. 基于AutoML的湍流建模[J]. 数据与计算发展前沿, 2020, 2(4): 121-131.
[9]	李姿昕,张能,熊斌,胡云凤,赵新鹏,黄海友. 材料科学数据库在材料研发中的应用与展望[J]. 数据与计算发展前沿, 2020, 2(2): 78-90.
[10]	钱旭,田子奇. 材料基因方法在材料设计中的应用[J]. 数据与计算发展前沿, 2020, 2(1): 128-141.
[11]	储中明, 肖邓杰, 乔予思, 万金宇. 机器学习在粒子加速器的应用[J]. 数据与计算发展前沿, 2019, 1(2): 110-120.
[12]	张智鹏,江佳伟,余乐乐,崔斌. Angel ⁺ : 基于Angel的分布式机器学习平台[J]. 数据与计算发展前沿, 2019, 1(1): 63-72.