Computer Engineering and Applications ›› 2022, Vol. 58 ›› Issue (17): 130-138.DOI: 10.3778/j.issn.1002-8331.2106-0143

• Network, Communication and Security • Previous Articles     Next Articles

Encrypted Malicious Traffic Detection Method Based on Transfer Learning

ZHANG Surong, CHEN Bo, BU Youjun, LU Xiangyu, SUN Jia   

  1. 1.Information Technology Institute, PLA Strategic Support Force Information Engineering University, Zhengzhou 450000, China
    2.School of Software, Zhengzhou University, Zhengzhou 450000, China
  • Online:2022-09-01 Published:2022-09-01

基于迁移学习的加密恶意流量检测方法

张稣荣,陈博,卜佑军,路祥雨,孙嘉   

  1. 1.中国人民解放军战略支援部队信息工程大学 信息技术研究所,郑州 450000
    2.郑州大学 软件学院,郑州 450000

Abstract: The existing encryption malicious traffic detection methods need to use a large number of accurately marked samples for training, to achieve a better detection effect. But in the real network environment, it is difficult to mark the encrypted traffic data correctly because its content is not visible. In view of the above problems, an encrypted malicious traffic detection method based on tranfer learning is proposed. The Eficientnet-B0, a pre-trained model based on the Imagenet dataset, is transferred to the encrypted traffic dataset for the first time. Its convolution layer structure and parameters are preserved, and the fully connected layers are replaced and retrained. By the idea of migration learning, the high detection performance under small sample condition is realized. Utilizing the end-to-end framework design, this method can extract the features from the original traffic data directly, then detect and classify them in fine-grained way, which avoids the complicated manual feature extraction process. The experimental results show that this method can achieve 99.87% binary classification accuracy and 98.88% fine-grained classification accuracy. Furthermore, when the number of various traffic samples in the training set is reduced to 100, it can also reach 96.35% of fine-grained classification accuracy.

Key words: encrypted malicious traffic detection, transfer learning, Efficientnet, few-shot, encrypted traffic

摘要: 现有加密恶意流量检测方法需要利用大量准确标记的样本进行训练,以达到较好的检测效果。但在实际网络环境中,加密流量数据由于其内容不可见而难以进行正确标记。针对上述问题,提出了一种基于迁移学习的加密恶意流量检测方法,首次将基于ImageNet数据集预训练的模型Efficientnet-B0,迁移到加密流量数据集上,保留其卷积层结构和参数,对全连接层进行替换和再训练,利用迁移学习的思想实现小样本条件下的高性能检测。该方法利用端到端的框架设计,能够直接从原始流量数据中提取特征并进行检测和细粒度分类,避免了繁杂的手动特征提取过程。实验结果表明,该方法对正常、恶意流量的二分类准确率能够达到99.87%,加密恶意流量细粒度分类准确率可达到98.88%,并且在训练集中各类流量样本数量减少到100条时,也能够达到96.35%的细粒度分类准确率。

关键词: 加密恶意流量检测, 迁移学习, Efficientnet, 小样本, 加密流量