Network Malicious Traffic Detection Incorporating Multi-Head Attention Mechanism

doi:10.11871/jfdc.issn.2096-742X.2022.05.007

Abstract

Abstract:

[Objective] Existing network malicious traffic detection methods rely on statistical features for modeling, ignoring the temporal features possessed by network traffic itself. By extracting, learning, and modeling temporal features, the network malicious traffic detection accuracy can be further improved. [Methods] The network traffic is segmented into sessions, and each session is intercepted with a fixed length of traffic bytes, and each byte is encoded in the form of word embedding, and its temporal features are extracted by a feature extraction algorithm incorporating a multi-head attention mechanism, and the extracted features are fed into a classifier to achieve detection of malicious traffic. [Results] The experimental results show that the classification accuracy of the proposed model for malicious traffic reaches 99.97%, which is significantly better than the malicious traffic detection methods modeled by statistical features, and also improved compared with similar models such as LSTM and Bi-LSTM. [Conclusions] The network malicious traffic detection method incorporating the multi-head attention mechanism can significantly improve the detection accuracy of the existing algorithms for malicious traffic and can effectively support the task of cyberspace security defense and protection.

Key words: network malicious traffic detection, multi-head attention, machine learning

ZHAO Zhongbin,CAI Manchun,LU Tianliang. Network Malicious Traffic Detection Incorporating Multi-Head Attention Mechanism[J]. Frontiers of Data and Computing, 2022, 4(5): 60-67, https://cstr.cn/32002.14.jfdc.CN10-1649/TP.2022.05.007.

Figures/Tables 9

Fig.1

Fig.2

Fig.3

Table 1

Fig.4

Table 2

Table 3

Table 4

Table 5

References 17

[1]	Zhu M, Ye K, Wang Y, et al. A deep learning approach for network anomaly detection based on AMF-LSTM[C]// IFIP international conference on network and parallel computing. Springer, Cham, 2018: 137-141.
[2]	HUANG H, DENG H, CHEN J, et al. Automatic Multi-task Learning System for Abnormal Network Traffic Detection[J]. International Journal of Emerging Techno-logies in Learning, 2018, 13(4): 4-20.
[3]	Kong L, Huang G, Wu K. Identification of abnormal network traffic using support vector machine[C]// 2017 18th international conference on parallel and distributed computing, applications and technologies (PDCAT), IEEE, 2017: 288-292.
[4]	Dey S K, Rahman M M. Flow based anomaly detection in software defined networking: A deep learning approach with feature selection method[C]// 2018 4th international conference on electrical engineering and information & communication technology (iCEEiCT),IEEE, 2018: 630-635.
[5]	NIYAZ Q, SUN W, JAVAID A Y. A deep learning based DDoS detection system in software-defined networking (SDN)[J]. arXiv preprint arXiv:161107400, 2016.
[6]	GARG S, KAUR K, KUMAR N, et al. Hybrid deep-lea-rning-based anomaly detection scheme for suspicious flow detection in SDN: A social multimedia perspective[J]. IEEE Transactions on Multimedia, 2019, 21(3): 566-78. doi: 10.1109/TMM.2019.2893549
[7]	LI J, ZHAO Z, LI R. A machine learning based intrusion detection system for software defined 5G network[J]. arXiv preprint arXiv:170804571, 2017.
[8]	A. Özgür, H. Erdem. A review of kdd99 dataset usage in intrusion detection and machine learning between 2010 and 2015[J]. PeerJ PrePrints, 2016, 4: e1954v1.
[9]	Moustafa N, Slay J. The significant features of the UNSW-NB15 and the KDD99 data sets for network intrusion detection systems[C]// 2015 4th international workshop on building analysis datasets and gathering experience returns for security (BADGERS), IEEE, 2015: 25-31.
[10]	王伟. 基于深度学习的网络流量分类及异常检测方法研究[D]. 中国科学技术大学, 2018.
[11]	DAINOTTI A, PESCAPE A, CLAFFY K C. Issues and future directions in traffic classification[J]. IEEE net-work, 2012, 26(1): 35-40.
[12]	SMAGULOVA K, JAMES A P. A survey on LSTM me-mristive neural network architectures and applications[J]. The European Physical Journal Special Topics, 2019, 228(10): 2313-2324. doi: 10.1140/epjst/e2019-900046-x
[13]	HUANG Z, XU W, YU K. Bidirectional LSTM-CRF models for sequence tagging[J]. arXiv preprint arXiv: 150801991, 2015.
[14]	SHAW P, USZKOREIT J, VASWANI A. Self-attention with relative position representations[J]. arXiv preprint arXiv:180302155, 2018.
[15]	A. Vaswani, N. Shazeer, N. Parmar, et al. Attention is all you need[C]. Advances in Neural Information Processing Systems, 2017: 5998-6008.
[16]	Wang W, Zhu M, Zeng X, et al. Malware traffic class-ification using convolutional neural network for represen-tation learning[C]// 2017 International conference on infor-mation networking (ICOIN), IEEE, 2017: 712-717.
[17]	SHARAFALDIN I, LASHKARI A H, GHORBANI A A. Toward generating a new intrusion detection dataset and intrusion traffic characterization[J]. ICISSp, 2018, 1: 108-116.

名称	训练集	验证集	测试集	总计
Cridex	10487	2622	3277	16386
Geodo	26206	6551	8190	40947
Htbot	4075	1019	1273	6367
Miuref	8628	2157	2696	13481
Neris	21626	5407	6758	33791
Nsis-ay	3884	971	1214	6069
Shifu	6166	1541	1927	9634
Tinba	5443	1361	1701	8504
Virut	21186	5296	6621	33103
Zeus	7021	1755	2194	10970

流量类别	Cridex	Geodo	Htbot	Miuref	Neris	Nsis-ay	Shifu	Tinba	Virut	Zeus
Cridex	3275	0	0	0	0	0	0	2	0	0
Geodo	0	8190	0	0	0	0	0	0	0	0
Htbot	0	0	1273	0	0	0	0	0	0	0
Miuref	1	0	0	2692	0	0	0	3	0	0
Neris	0	0	0	0	6758	0	0	0	0	0
Nsis-ay	0	0	0	0	0	1212	0	0	0	2
Shifu	0	1	0	0	0	0	1926	0	0	0
Tinba	0	0	0	1	0	0	0	1700	0	0
Virut	0	0	0	0	1	0	0	0	6620	0
Zeus	0	0	0	0	0	0	0	0	0	2194

流量类别	Pprecision(%)	Rrecall(%)	F1(%)
Cridex	99.97	99.94	99.95
Geodo	99.99	100	99.99
Htbot	100	100	100
Miuref	99.96	99.85	99.91
Neris	99.99	100	99.99
Nsis-ay	100	99.84	99.92
Shifu	100	99.95	99.97
Tinba	99.71	99.94	99.82
Virut	100	99.98	99.99
Zeus	99.91	100	99.95
AVERAGE	99.95	99.95	99.95

	Aaccuracy (%)	Pprecision (%)	Rrecall (%)	F1(%)
本文模型	99.97	99.95	99.95	99.95
LSTM	99.68	99.43	99.48	99.45
Bi-LSTM	99.40	99.19	99.15	99.16
10-classifiers	98.52	98.54	98.65	98.56
20-classifiers	99.17	98.65	98.73	98.68

	Aaccuracy (%)	Pprecision (%)	Rrecall (%)	F1(%)
本文模型	98.90	97.44	97.18	97.26
LSTM	97.89	94.62	93.93	94.18
Bi-LSTM	98.27	96.42	95.89	96.06