计算机工程与应用 ›› 2023, Vol. 59 ›› Issue (23): 246-253.DOI: 10.3778/j.issn.1002-8331.2208-0054

• 网络、通信与安全 • 上一篇    下一篇

联合胶囊和双向LSTM网络的VPN加密流量识别

杨忠富,常俊,许妍,罗金燕,吴彭   

  1. 云南大学 信息学院,昆明 650500
  • 出版日期:2023-12-01 发布日期:2023-12-01

VPN Encrypted Traffic Identification for Joint Capsule and Bidirectional LSTM Networks

YANG Zhongfu, CHANG Jun, XU Yan, LUO Jinyan, WU Peng   

  1. School of Information, Yunnan University, Kunming  650500, China
  • Online:2023-12-01 Published:2023-12-01

摘要: 为了提高对网络资源的有效管理,加密流量识别已成为网络安全领域的一大挑战,目前研究大多是基于深度学习的方法,但这些方法忽略了网络流量的层次化特征,如固定字符串的位置、不同协议的Bit转换成图像时造成的错位,对此,提出一种联合胶囊网络(capsule network,CapsNet)和双向长短期记忆网络(bidirectional long short-term memory,BiLSTM)的深度神经网络来对加密流量进行识别。该模型分别提取了加密流量的空间位置特征和时序特征,最后使用Softmax分类器实现对加密流量服务的识别,其中,针对CapsNet进行了改进,将原来的1层9×9卷积优化成了4层3×3卷积,并提出一种联合损失函数。该方法在ISCX VPN-non VPN公共数据集上进行了验证,三个分类实验结果表明,该模型的分类准确率、精确率、召回率和F1值均在98%以上,优于最先进的加密流量分类方法。

关键词: 加密流量识别, 深度学习, 层次化特征, 胶囊网络, 双向长短期记忆网络, 联合损失函数

Abstract: In order to improve the effective management of network resources, encrypted traffic identification has become a major challenge in the field of network security. Most of the current research is based on deep learning methods, but these methods ignore the hierarchical characteristics of network traffic, such as the position of fixed strings and the dislocation caused by the Bit conversion of different protocols into images. In this regard, a deep neural network combining capsule network and bidirectional long short-term memory is proposed to identify encrypted traffic. The model extracts the spatial location features and timing features of encrypted traffic respectively. Finally, it uses the Softmax classifier to identify encrypted traffic services. Among them, the CapsNet is improved by optimizing the original 1-layer 9×9 convolution into 4-layer 3×3 convolution, and a joint loss function is proposed. The method is validated on the ISCX VPN-non VPN public dataset, and the results of three classification experiments show that the classification accuracy, precision, recall and F1 value of the model are all above 98%, which is better than the state-of-the-art encryption traffic classification method.

Key words: encrypted traffic identification, deep learning, hierarchical features, capsule network, bidirectional long short-term memory network, joint loss function