基于孪生神经网络的恶意流量检测方法

doi:10.3778/j.issn.1002-8331.2104-0159

摘要/Abstract

摘要： 随着科技的发展，个人电脑和手机成为现代社会中所不可缺少的智能设备。个人电脑和手机中丰富的应用程序通过互联网给用户提供诸如实时聊天、邮件、下载等便捷的网络服务。但是，这些设备的普及也吸引了大量的恶意攻击者，恶意应用程序和恶意流量随之产生。针对这一问题，在恶意流量分类检测的基础上，基于孪生神经网络提出一种端到端的单样本检测方法。对样本数据进行预处理转化为灰度图像，在TensorFlow深度学习框架下对图像样本进行训练学习，通过对比灰度图像间的相似程度实现了恶意流量的检测。提出的方法不仅能够实现端到端的单样本检测，而且在样本不均衡的分类问题上也给出了一种解决方案。最终的实验检测准确率可达95.04%，证明了该方法的可行性和科学性。

关键词: 恶意流量, 孪生神经网络, 灰度图像, 相似程度, 单样本, 样本不均衡

Abstract: With the development of technology, PC and cell phones have become indispensable smart devices in modern society. A large number of applications in PC and cell phones provide users with convenient web services such as live chat, email, and downloads, etc. via the Internet. However, the popularity of these devices has also attracted a large number of malicious attackers, and malicious applications and malicious traffic have arisen as a result. To address this problem, this paper proposes an end-to-end single-sample detection method based on Siamese neural network on the basis of malicious traffic classification detection. First, the sample data is pre-processed into grayscale images, then the image samples are trained and learned in the TensorFlow deep learning framework, and finally the detection of malicious traffic is achieved by comparing the similarity between grayscale images. The method proposed in this paper can not only realize end-to-end single-sample detection, but also provides a solution to the classification problem of imbalanced dataset. The final experimental detection accuracy rate can reach 95.04%, which proves the feasibility and scientific validity of this method.

Key words: malicious traffic, Siamese neural network, grayscale image, similarity, single sample, sample imbalance

李道全, 鲁晓夫, 杨乾乾. 基于孪生神经网络的恶意流量检测方法[J]. 计算机工程与应用, 2022, 58(14): 89-95.

LI Daoquan, LU Xiaofu, YANG Qianqian. Malicious Traffic Detection Method Based on Siamese Neural Network[J]. Computer Engineering and Applications, 2022, 58(14): 89-95.

参考文献

[1] BIERSACK E，CALLEGARI C，MATIJASEVIC M.Data traffic monitoring and analysis[J].Lecture Notes in Computer Science，2013，5（23）：12561-12570.
[2] YOON S H，PARK J W，PARK J S，et al.Internet application traffic classification using fixed IP-port[C]//Asia-Pacific Network Operations and Management Symposium.Berlin，Heidelberg：Springer，2009：21-30.
[3] CASCARANO N，CIMINIERA L，RISSO F.Improving cost and accuracy of DPI traffic classifiers[C]//Proceedings of the 2010 ACM Symposium on Applied Computing，2010：641-646.
[4] 郭宝华.基于SDN和机器学习的QoS保障技术研究[D].西安：西安电子科技大学，2019.
GUO B H.Research on QoS guaranteed technology based on SDN and machine learning[D].Xi’an：Xidian University，2019.
[5] 刘纪伟，赵杨，李绍晖.一种基于改进K-means算法的网络流量分类方法[J].电子技术应用，2017，43（11）：86-89.
LIU J W，ZHAO Y，LI S H.One method of network traffic classification based on improved K-means algorithm[J].Application of Electronic Technique，2017，43（11）：86-89.
[6] LECUN Y，BENGIO Y，HINTON G.Deep learning[J].Nature，2015，521（7553）：436-444.
[7] WANG W，ZHU M，ZENG X，et al.Malware traffic classification using convolutional neural network for representation learning[C]//2017 International Conference on Information Networking（ICOIN），2017：712-717.
[8] 李道全，王雪，于波，等.基于一维卷积神经网络的网络流量分类方法[J].计算机工程与应用，2020，56（3）：94-99.
LI D Q，WANG X，YU B，et al.Network traffic classification method based on one-dimensional convolution neural network[J].Computer Engineering and Applications，2020，56（3）：94-99.
[9] ZOU Z，GE J，ZHENG H，et al.Encrypted traffic classification with a convolutional long short-term memory neural network[C]//2018 IEEE 20th International Conference on High Performance Computing and Communications；IEEE 16th International Conference on Smart City；IEEE 4th International Conference on Data Science and Systems（HPCC/SmartCity/DSS），2018：329-334.
[10] HE Y，LI W.Image-based encrypted traffic classification with convolution neural networks[C]//2020 IEEE Fifth International Conference on Data Science in Cyberspace（DSC），2020：271-278.
[11] Ixia Corporation.Ixia breakpoint overview and specifications[EB/OL].[2021-01-10].https：//www.ixiacom.com/products/breakingpoint.
[12] CTU University.The stratosphere IPS project dataset[EB/OL].[2021-01-10].https：//stratosphereips.org/category/dataset.html.
[13] CUI Z，XUE F，CAI X，et al.Detection of malicious code variants based on deep learning[J].IEEE Transactions on Industrial Informatics，2018，14（7）：3187-3196.
[14] LI J，LU B L.An adaptive image Euclidean distance[J].Pattern Recognition，2009，42（3）：349-357.
[15] BUJA A，STUETZLE W，SHEN Y.Loss functions for binary class probability estimation and classification：structure and applications[Z].Working Draft，2005.
[16] HINDY H，TACHTATZIS C，ATKINSON R，et al.Leveraging siamese networks for one-shot intrusion detection model[J].arXiv：2006.15343，2020.
[17] LI Q，WANG X.Image classification based on SIFT and SVM[C]//2018 IEEE/ACIS 17th International Conference on Computer and Information Science（ICIS），2018：762-765.