Frontiers of Data and Computing (数据与计算发展前沿), 2022, Vol. 4, Issue 5: 60-67.

CSTR: 32002.14.jfdc.CN10-1649/TP.2022.05.007

doi: 10.11871/jfdc.issn.2096-742X.2022.05.007

• Special Topic: Solicited Papers of the 37th National Computer Security Academic Exchange Conference

Network Malicious Traffic Detection Incorporating Multi-Head Attention Mechanism
(融合多头注意力机制的网络恶意流量检测)

ZHAO Zhongbin (赵忠斌), CAI Manchun (蔡满春)*, LU Tianliang (芦天亮)

  1. College of Information Network Security, People’s Public Security University of China, Beijing 100038, China
  • Received: 2022-08-02  Online: 2022-10-20  Published: 2022-10-27
  • Corresponding author: CAI Manchun
  • About the authors: ZHAO Zhongbin, People’s Public Security University of China, College of Information Network Security, master’s degree student; main research interests: malicious code detection, malicious traffic detection, and deep learning. In this paper he was mainly responsible for the experimental testing and for writing the paper.
    E-mail: 2020211628@stu.ppsuc.edu.cn
    CAI Manchun, People’s Public Security University of China, College of Information Network Security, Associate Professor, Ph.D.; main research interests: malicious code detection and artificial intelligence. In this paper he was responsible for supervising and revising the paper.
    E-mail: caimanchun@ppsuc.edu.cn
  • Funding:
    Major Project of the National Social Science Fund of China (21&ZD193)

Abstract:

[Objective] Existing network malicious traffic detection methods rely on statistical features for modeling and ignore the temporal (sequential) features that network traffic itself carries. Extracting, learning, and modeling these temporal features can further improve detection accuracy. [Methods] Network traffic is split into sessions as the basic unit; a fixed-length prefix of raw bytes is taken from each session, each byte is encoded with a word embedding, temporal features are extracted by a feature extraction algorithm that incorporates a multi-head attention mechanism, and the extracted features are fed into a classifier to detect malicious traffic. [Results] Experiments show that the proposed model classifies malicious traffic with an accuracy of 99.97%, clearly better than detection methods modeled on statistical features, and also an improvement over comparable sequence models such as LSTM and Bi-LSTM. [Conclusions] Network malicious traffic detection incorporating a multi-head attention mechanism significantly improves the detection accuracy of existing algorithms and can effectively support cyberspace security defense and protection tasks.

Key words: network malicious traffic detection, multi-head attention, machine learning
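As an added illustration of the pipeline the abstract describes (session splitting, fixed-length byte prefix, per-byte embedding, multi-head self-attention, classifier), the following pure-Python sketch is example code written for this page, not code from the paper. The sequence length, embedding width, head count, sample packets and weights are all constructed assumptions; the weights are seeded random and untrained, so the output probabilities show the data path through the model, not a trained detector.

```python
"""Constructed end-to-end sketch: packets -> sessions -> fixed-length byte ids ->
byte embeddings -> multi-head self-attention -> pooled feature vector -> classifier.
Pure Python (no numpy); all sizes below are assumptions, not the paper's settings."""
import math
import random
from collections import defaultdict

SEQ_LEN = 64        # bytes kept per session (assumed)
EMBED_DIM = 8       # byte embedding width (assumed)
NUM_HEADS = 2       # attention heads (assumed)
HEAD_DIM = EMBED_DIM // NUM_HEADS

# Constructed sample capture: one TCP session seen in both directions, one UDP session.
PACKETS = [
    {"proto": 6, "src": "10.0.0.5", "sport": 40001, "dst": "93.184.216.34", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"proto": 6, "src": "93.184.216.34", "sport": 80, "dst": "10.0.0.5", "dport": 40001,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    {"proto": 17, "src": "10.0.0.5", "sport": 53011, "dst": "10.0.0.1", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"},
]


def session_key(pkt):
    """Direction-agnostic key so both halves of a conversation land in one session."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])


def split_sessions(packets):
    """Concatenate payload bytes per session, in capture order."""
    sessions = defaultdict(bytearray)
    for pkt in packets:
        sessions[session_key(pkt)] += pkt["payload"]
    return dict(sessions)


def fixed_length(raw, n=SEQ_LEN):
    """Truncate to n bytes, zero-pad shorter sessions; returns byte ids 0..255."""
    return list(bytes(raw[:n]).ljust(n, b"\x00"))


def make_params(seed=0):
    """Seeded random weights: embedding table, Q/K/V/output projections, linear classifier."""
    rng = random.Random(seed)

    def mat(rows, cols, scale):
        return [[rng.gauss(0.0, scale) for _ in range(cols)] for _ in range(rows)]

    s = 1.0 / math.sqrt(EMBED_DIM)
    return {"embed": mat(256, EMBED_DIM, 1.0),            # one vector per byte value
            "wq": mat(EMBED_DIM, EMBED_DIM, s), "wk": mat(EMBED_DIM, EMBED_DIM, s),
            "wv": mat(EMBED_DIM, EMBED_DIM, s), "wo": mat(EMBED_DIM, EMBED_DIM, s),
            "w_cls": mat(EMBED_DIM, 2, s)}                 # 2 outputs: benign, malicious


def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def transpose(m):
    return [list(col) for col in zip(*m)]


def softmax(xs):
    m = max(xs)
    e = [math.exp(x - m) for x in xs]
    total = sum(e)
    return [v / total for v in e]


def multi_head_attention(x, p):
    """Scaled dot-product self-attention over the byte sequence x (SEQ_LEN x EMBED_DIM).
    Returns (context, attention); attention[h][i] is row i of head h's weight matrix."""
    q, k, v = matmul(x, p["wq"]), matmul(x, p["wk"]), matmul(x, p["wv"])
    heads, attention = [], []
    for h in range(NUM_HEADS):
        sl = slice(h * HEAD_DIM, (h + 1) * HEAD_DIM)
        qh, kh, vh = [r[sl] for r in q], [r[sl] for r in k], [r[sl] for r in v]
        scores = matmul(qh, transpose(kh))
        attn = [softmax([sc / math.sqrt(HEAD_DIM) for sc in row]) for row in scores]
        heads.append(matmul(attn, vh))
        attention.append(attn)
    concat = [sum((heads[h][i] for h in range(NUM_HEADS)), []) for i in range(len(x))]
    return matmul(concat, p["wo"]), attention


def extract_features(byte_ids, p):
    """Embed each byte, attend across positions, mean-pool into one session vector."""
    x = [p["embed"][b] for b in byte_ids]
    ctx, _ = multi_head_attention(x, p)
    return [sum(col) / len(ctx) for col in zip(*ctx)]


def classify(byte_ids, p):
    """Linear classifier on the pooled features -> [P(benign), P(malicious)]."""
    return softmax(matmul([extract_features(byte_ids, p)], p["w_cls"])[0])


if __name__ == "__main__":
    params = make_params()
    for key, raw in split_sessions(PACKETS).items():
        print(key, len(raw), "bytes ->", classify(fixed_length(raw), params))
```

Two practical points the abstract does not settle: if sessions are built from full packet bytes (headers included) rather than payloads, zero out IP addresses and ports before embedding, otherwise a byte-level model can learn dataset-specific addresses instead of traffic behaviour; and because only the first SEQ_LEN bytes are kept, a long session is judged on its opening bytes alone, so the prefix length should be chosen with the protocols of interest in mind.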