Malicious Traffic Detection Method Based on Decision Tree-SNN Under Small Sample

doi:10.3778/j.issn.1002-8331.2207-0128

Abstract

Abstract: Aiming at the low accuracy, insufficient feature extraction, and model overfitting problems of the current malicious traffic detection method under small samples, a malicious traffic detection algorithm based on an improved decision tree-siamese neural network（SNN） under small samples is proposed. To reduce the difficulty of multi-classification tasks under small samples, a binary decision tree is constructed using the center distance between classes to convert multi-class problems into binary classification problems. The comparative branch of SNN is designed as a parallel structure of three one-dimensional convolutional neural networks to solve the problem of insufficient feature extraction under small samples. The squeeze-and-excitation module optimized by pooling strategies and one-dimensional convolution operations is introduced to reduce the problem of model overfitting under small samples. Malicious traffic detection is achieved by comparing the similarity of samples. The experimental results show that the proposed method effectively detects malicious traffic under small samples.

Key words: malicious traffic, decision tree, siamese neural network（SNN）, center distance between classes, small sample, channel attention

摘要： 针对目前小样本下的恶意流量检测方法存在准确度低、特征提取不足和模型过拟合问题，提出了一种小样本下基于改进决策树-孪生神经网络的恶意流量检测算法。为了降低小样本下多分类任务的难度，利用类间中心距离构建二叉决策树将多分类问题转换为二分类问题。将孪生神经网络的对比分支设计为三支一维卷积神经网络并行的结构来解决小样本下特征提取不足问题。引入了通过池化策略和一维卷积操作优化的SE（squeeze-and-excitation）模块，以减少小样本下模型过拟合问题。通过对比样本的相似度实现了恶意流量检测。实验结果表明，所提方法在小样本下的恶意流量检测问题上具有良好的效果。

关键词: 恶意流量, 决策树, 孪生神经网络, 类间中心距离, 小样本, 通道注意力

LI Daoquan, LI Yuxiu , REN Dayong. Malicious Traffic Detection Method Based on Decision Tree-SNN Under Small Sample[J]. Computer Engineering and Applications, 2023, 59(21): 258-266.

李道全, 李玉秀, 任大用. 小样本下基于决策树-SNN的恶意流量检测方法[J]. 计算机工程与应用, 2023, 59(21): 258-266.

References

[1] ZAINAL A，MAAROR M A.Ensemble classifiers for net-work intrusion detection system[J].International Journal of Information Security，2009，4（3）：217-225.
[2] AKBANOV M.The case of WannaCry[J].Computers & Electrical Engineering，2019，76：111-121.
[3] XU Y，LIU Y.DDoS attack detection under SDN context[C]//The 35th Annual IEEE International Conference on Computer Communications，2016：1-9.
[4] AHMAD Z，SHAHID KHAN A.Network intrusion detection system：a systematic study of machine learning and deep learning approaches[J].Transactions on Emerging Telecom-munications Technologies，2021，32（1）：e4150.
[5] 赵凯琳，靳小龙，王元卓.小样本学习研究综述[J].软件学报，2021，32（2）：349-369.
ZHAO K L，JIN X L，WANG Y Z.Survey on few-shot learning[J].Journal of Software，2021，32（2）：349-369.
[6] BREIMAN L.Random forests[J].Machine Learning，2001，45（1）：5-32.
[7] LECUN Y，BENGIO Y.Deep learning[J].Nature，2015，521（7553）：436-444.
[8] CHOWDHURY M M U，HAMMOND F，KONOWICZ G，et al.A few-shot deep learning approach for improved intrusion detection[C]//2017 IEEE 8th Annual Ubiquitous Computing，Electronics and Mobile Communication Conference（UEMCON），2017：456-462.
[9] 吴春琼.基于特征选择的网络入侵检测模型[J].计算机仿真，2012，29（6）：136-139.
WU C Q.Network intrusion detection model based on feature selection[J].Computer Simulation，2012，29（6）：136-139.
[10] 张春艳，倪世宏，张鹏.基于多层聚类的多分类SVM快速学习方法[J].计算机工程与设计，2017，38（2）：522-527.
ZHANG C Y，NI S H，ZHANG P.Multi-classification SVM multi-clustering fast learning method[J].Computer Engineering and Design，2017，38（2）：522-527.
[11] CHICCO D.Siamese neural networks：an overview[J]. Artificial Neural Networks，2021，2190：73-94.
[12] XU C，SHEN J，DU X.A method of few-shot network intrusion detection based on meta-learning framework[J].IEEE Transactions on Information Forensics and Security，2020，15：3540-3552.
[13] YU Y，BIAN N.An intrusion detection method using few-shot learning[J].IEEE Access，2020，8：49730-49740.
[14] HE M，WANG X，ZHOU J，et al.Deep-feature-based autoencoder network for few-shot malicious traffic detection[J].Security and Communication Networks，2021，2021：6659022.
[15] YE T，LI G，AHMAD I，et al.FLAG：few-shot latent dirichlet generative learning for semantic-aware traffic detection[J].IEEE Transactions on Network and Service Management，2021，19（1）：73-88.
[16] 高浩寒，潮群.小样本下基于孪生神经网络的柱塞泵故障诊断[J].北京航空航天大学学报，2023，49（1）：155-164.
GAO H H，CHAO Q.Piston pump fault diagnosis based on siamese neural network with small samples[J].Journal of Beijing University of Aeronautics and Astronautics，2023，49（1）：155-164.
[17] QUINLAN J R.Induction on decision tree[J].Machine Learning，1986，1（1）：81-106.
[18] KOCH G，ZEMEL R，SALAKHUTDINOV R.Siamese neural networks for one-shot image recognition[C]//International Conference on Machine Learning Deep Learning Workshop，2015：2-17.
[19] CHEN X，YAN X，ZHENG F，et al.One-shot adversarial attacks on visual tracking with dual attention[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition，2020：10176-10185.
[20] 张宸嘉，朱磊，俞璐.卷积神经网络中的注意力机制综述[J].计算机工程与应用，2021，57（20）：64-72．
ZHANG C J，ZHU L，YU L.Review of attention mechanism in convolutional neural networks[J].Computer Engineering and Applications，2021，57（20）：64-72.
[21] HU J，SHEN L，SUN G.Squeeze-and-excitation networks[C]//IEEE/CVF Conference on Computer Vision and Pattern Recognition，2018：7132-7141.
[22] TAVALLAEE M，BAGHERI E，LU W，et al.A detailed analysis of the KDD CUP 99 data set[C]//2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications，2009：1-6.
[23] MOUSTAFA N.UNSW-NB15：a comprehensive data set for network intrusion detection systems（UNSW-NB15 network data set）[C]//2015 Military Communications and Information Systems Conference（MilCIS），2015：1-6.