基于对抗样本的网络欺骗流量生成方法

doi:10.11959/j.issn.1000-436x.2020166

摘要/Abstract

摘要：

为了应对流量分类攻击，从防御者的角度出发，提出了一种基于对抗样本的网络欺骗流量生成方法。通过在正常的网络流量中增加扰动，形成欺骗流量的对抗样本，使攻击者在实施以深度学习模型为基础的流量分类攻击时出现分类错误，欺骗攻击者从而导致攻击失败，并造成攻击者时间和精力的消耗。采用几种不同的扰动生成方法形成网络流量对抗样本，选择LeNet-5深度卷积神经网络作为攻击者使用的流量分类模型实施欺骗，通过实验验证了所提方法的有效性，为流量混淆和欺骗提供了新的方法。

关键词: 对抗样本, 网络流量分类, 网络欺骗, 网络流量混淆, 深度学习

Abstract:

In order to prevent attacker traffic classification attacks,a method for generating deception traffic based on adversarial samples from the perspective of the defender was proposed.By adding perturbation to the normal network traffic,an adversarial sample of deception traffic was formed,so that an attacker could make a misclassification when implementing a traffic analysis attack based on a deep learning model,achieving deception effect by causing the attacker to consume time and energy.Several different methods for crafting perturbation were used to generate adversarial samples of deception traffic,and the LeNet-5 deep convolutional neural network was selected as a traffic classification model for attackers to deceive.The effectiveness of the proposed method is verified by experiments,which provides a new method for network traffic obfuscation and deception.

Key words: adversarial sample, network traffic classification, cyber deception, network traffic obfuscation, deep learning

中图分类号:

TP393

胡永进,郭渊博,马骏,张晗,毛秀青. 基于对抗样本的网络欺骗流量生成方法[J]. 通信学报, 2020, 41(9): 59-70.

Yongjin HU,Yuanbo GUO,Jun MA,Han ZHANG,Xiuqing MAO. Method to generate cyber deception traffic based on adversarial sample[J]. Journal on Communications, 2020, 41(9): 59-70.

图/表 18

图1

表1

图2

表2

攻击者模型相关符号定义与说明"

符号	描述	说明
TF	攻击者观测到的流量	—
X	流量TF的特征集合	$X = {x_{1}, x_{2}, x_{3}, \dots, x_{m}}$
C	流量TF对应的应用类型集合	$C = {c_{1}, c_{2}, c_{3} \dots, c_{i}, \dots, c_{n}}$
$F (x_{i})$	分类模型的分类函数	输入值为流量TF，输出值为流量TF属于应用类型集合C 中第i 个应用类型的概率

表2

表3

防御者模型相关符号定义与说明"

符号	描述	说明
P	扰动	—
TD	防御者在流量TF内加入扰动 P 后形成的对抗样本，称为欺骗流量	—
X′	欺骗流量TD的特征集合	$X^{'} = {{x^{'}}_{1}, {x^{'}}_{2}, {x^{'}}_{3}, \dots, {x^{'}}_{m}}$
F (x′)	分类模型的分类函数	输入值为欺骗流量TD，输出值为欺骗流量TD属于应用类型集合C中第i′个应用类型的概率

表3

图3

图4

表4

图5

表5

图6

图7

表6

图8

表7

图9

表8

图10

参考文献 33

[1]	FRANK J . Artificial intelligence and intrusion detection:current and future directions[J]. Computers ＆ Security, 1995,14(1):31.
[2]	SZEGEDY C , ZAREMBA W , SUTSKEVER I ,et al. Intriguing properties of neural networks[J]. arXiv Preprint,arXiv:1312.6199, 2013
[3]	SITAWARIN C , BHAGOJI AN , MOSENIA A ,et al. Rogue signs:deceiving traffic sign recognition with malicious ads and logos[J]. arXiv Preprint,arXiv:1801.02780, 2018
[4]	YANG K , LIU J , ZHANG C ,et al. Adversarial examples against the deep learning based network intrusion detection system[C]// 2018 IEEE Military Communications Conference. Piscataway:IEEE Press, 2018: 559-564.
[5]	HU W W , TAN Y . Generating adversarial malware examples for black-box attacks based on GAN[J]. arXiv Preprint,arXiv:1702.05983, 2017
[6]	熊刚, 孟姣, 曹自刚 ,等. 网络流量分类研究进展与展望[J]. 集成技术, 2012,1(1): 32-42.
	XIONG G , MENG J , CAO Z G ,et al. Research progress and prospects of network traffic classification[J]. Journal of Integration Technology, 2012,1(1): 32-42.
[7]	WANG Z . The applications of deep learning on tracidentification[J]. BlackHat USA, 2015,24(11): 21-26.
[8]	WANG W , ZHU M , WANG J ,et al. End-to-end encrypted traffic classification with one-dimensional convolution neural networks[C]// 2017 IEEE International Conference on Intelligence and Security Informatics. Piscataway:IEEE Press, 2017: 43-48.
[9]	RIMMER V , PREUVENEERS D , JUAREZ M ,et al. Automated website fingerprinting through deep learning[J]. arXiv Preprint,arXiv:1708.06376, 2017
[10]	WANG W , ZHU M , ZENG X ,et al. Malware traffic classification using convolutional neural network for representation learning[C]// 2017 International Conference on Information Networking. Piscataway:IEEE Press, 2017: 712-717.
[11]	PANCHENKO A , NIESSEN L , ZINNEN A ,et al. Website fingerprinting in onion routing based anonymization networks[C]// Proceedings of 27 the 10th annual ACM workshop on Privacy in the electronic society. New York:ACM Press, 2011: 103-114.
[12]	DYER K P , COULL S E , RISTENPART T ,et al. Peek-a-boo,i still see you:why efficient traffic analysis countermeasures fail[C]// 2012 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2012: 332-346.
[13]	CUI W , YU J , GONG Y ,et al. Realistic cover traffic to mitigate website fingerprinting attacks[C]// 2018 IEEE 38th International Conference on Distributed Computing Systems. Piscataway:IEEE Press, 2018: 1579-1584.
[14]	WANG T , GOLDBERG I . Walkie-talkie:an efficient defense against passive website fingerprinting attacks[C]// Proceedings of the 26th USENIX Security Symposium. Berkeley:USENIX Association, 2017: 1375-1390.
[15]	DINGLEDINE R . Obfsproxy:the next step in the censorship arms race[R]. TOR Project official,(2012-05-23)[2020-03-20].
[16]	MOGHADDAM H , LI B , DERAKHSHANI M ,et al. SkypeMorph:protocol obfuscation for TOR bridges[C]// Proceedings of the 2012 ACM Conference on Computer and Communications Security. New York:ACM Press, 2012: 97-108.
[17]	LI F F , KAKHKI A M , CHOFFNES D ,et al. Classifiers unclassified:an efficient approach to revealing IP traffic classification rules[C]// Proceedings of the 2016 Internet Measurement Conference. New York:ACM Press, 2016: 239-245.
[18]	张思思, 左信, 刘建伟 . 深度学习中的对抗样本问题[J]. 计算机学报, 2019,42(8): 1886-1904.
	ZHANG S S , ZUO X , LIU J W . The problem of the adversarial exam-ples in deep learning[J]. Chinese Journal of Computers, 2019,42(8): 1886-1904.
[19]	GOODFELLOW I , SHLENS J , SZEGEDY C . Explaining and harnessing adversarial examples[J]. arXiv Preprint,arXiv:1412.6572, 2014
[20]	KURAKIN A , GOODFELLOW I , BENGIO S . Adversarial examples in the physical world[J]. arXiv Preprint,arXiv:1607.02533, 2016
[21]	MOOSAVI-DEZFOOLI S M , FAWZI A , FAWZI O ,et al. Universal Adversarial Perturbations[C]// The IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2017: 1765-1773.
[22]	ATHALYE A , ENGSTROM L , ILYAS A ,et al. Synthesizing robust adversarial examples[J]. arXiv Preprint,arXiv:1707.07397, 2017
[23]	MOOSAVI-DEZFOOLI S M , FAWZI A , FROSSARD P . DeepFool:a simple and accurate method to fool deep neural networks[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2016: 2574-2582.
[24]	METZEN J H , KUMAR M C , BROX T ,et al. Universal adversarial perturbations against semantic image segmentation[C]// The IEEE International Conference on Computer Vision. Piscataway:IEEE Press, 2017: 2755-2764.
[25]	MOPURI K R , GARG U , BAHU R V . Fast feature fool:a data independent approach to universal adversarial perturbations[J]. arXiv Preprint,arXiv:1707.05572, 2017
[26]	MOPURI K R , GANESHAN A , BABU R V . Generalizable data-free objective for crafting universal adversarial perturbations[C]// IEEE Transactions on Pattern Analysis and Machine Intelligence. Piscataway:IEEE Press, 2019,41(10): 2452-2465.
[27]	VERMA G , CIFTCIOGLU E , SHEATSLEY R ,et al. Network traffic obfuscation:an adversarial machine learning approach[C]// 2018 IEEE Military Communications Conference. Piscataway:IEEE Press, 2018: 1-6.
[28]	潘文雯, 王新宇, 宋明黎 ,等. 对抗样本生成技术综述[J]. 软件学报, 2020,31(1): 67-81.
	PAN W W , WANG X Y , SONG M L ,et al. Survey on generating ad-versarial examples[J]. Journal of Software, 2020,31(1): 67-81.
[29]	CARLINI N , WAGNER D . Towards evaluating the robustness of neural networks[C]// 2017 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2017: 39-57.
[30]	HE K M , SUN J . Convolutional neural networks at constrained time cost[C]// The IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2015: 5353-5360.
[31]	MOORE A W , ZUEV D . Discriminators for use in flow-based classification[R]. Intel Research,Cambridge,(2005-08)[2020-03-19].
[32]	LENCUN Y , BOTTOU L , BENGIO Y . Gradient-based learning applied to document recognition[J]. Proceedings of the IEEE, 1998,862: 2278-2324
[33]	王勇, 周慧怡, 俸皓 ,等. 基于深度卷积神经网络的网络流量分类方法[J]. 通信学报, 2018,39(1): 14-23.
	WANG Y , ZHOU H Y , FENG H ,et al. Network traffic classification method basing on CNN[J]. Journal on Communications, 2018,39(1): 14-23.

流量颗粒度	关注点
packet级	主要关注数据分组（packet）的特征及其到达过程，如数据分组大小分布、数据分组到达时间间隔的分布等
flow级	主要关注流（flow）的特征及其到达过程，可以为一个TCP（transmission control protocol）连接或者一个UDP（user datagram protocol）流
stream级	主要关注主机对及其之间的应用流量，通常指一个由源IP地址、目的IP地址、应用协议组成的三元组，适用于更粗粒度上研究骨干网的长期流量统计特性

环境	参数
操作系统	Windows 10,64 bit
处理器	Intel Core i78706G,3.1 GHz
内存	8 GB,LPDDR3,2 133 MHz
Pycharm	Community Edition 11.05
Tensorflow	3.7 版本
训练集数量/个	65 036
测试集数量/个	23 801

应用类别	flow记录数量/条	所占比例	对应标签
Web	328 092	86.906%	0
email	28 567	7.567%	1
FTP-control	3 054	0.809%	2
FTP-pasv	2 688	0.712%	3
attack	1 793	0.475%	4
P2P	2 094	0.555%	5
database	2 648	0.701%	6
FTP-data	5 797	1.536%	7
multimedia	5 76	0.153%	8
services	2 099	0.556%	9
interactive	110	0.028%	10
games	8	0.002%	11
合计	377 526	100%	12

	名称	参数
	输入层	16×16
C1卷积层	卷积核	8×(3×3)
C1卷积层	输出	8×(16×16)
S2池化层	采样窗口	2×2
S2池化层	输出	8×(8×8)
C3卷积层	卷积核	16×(5×5)
C3卷积层	输出	16×(8×8)
S4池化层	采样窗口	2×2
S4池化层	输出	16×(4×4)
C5全连接层	卷积核	128×(4×4)
C5全连接层	输出	128×1
	输出层	12×1

扰动生成方法	总体欺骗率	生成时间/s
FGSM	99.05%	143.61
DeepFool	97.38%	86.63
C＆W	67.97%	60.84