Journal on Communications ›› 2016, Vol. 37 ›› Issue (11): 114-128. doi: 10.11959/j.issn.1000-436x.2016228

Using deep learning for detecting BotCloud

Guang KOU 1,2, Guang-ming TANG 1, Shuo WANG 1, Hai-tao SONG 1, Yuan BIAN 1

Online: 2016-11-25
Published: 2016-11-30

Abstract:
The basic network flow features of a BotCloud and of a normal cloud service differ only slightly, so traditional detection methods based on network flow feature analysis fail on the BotCloud detection problem. To address this, deep learning is applied to BotCloud detection. First, basic features are extracted from the network flows; these features are then mapped to grayscale images; finally, a convolutional neural network learns more abstract features from the images, which express the patterns and structural relationships hidden in the flow data, and those features are used to detect BotClouds. Experimental results show that the method not only improves detection accuracy but also reduces the time needed for detection.

Citation: Guang KOU, Guang-ming TANG, Shuo WANG, Hai-tao SONG, Yuan BIAN. Using deep learning for detecting BotCloud[J]. Journal on Communications, 2016, 37(11): 114-128.
Table 1 The 20 selected basic network flow features

| No. | Feature | Description | Type |
|---|---|---|---|
| 1 | source IP | source IP address | string |
| 2 | destination IP | destination IP address | string |
| 3 | source port | source port number | integer |
| 4 | destination port | destination port number | integer |
| 5 | protocol | protocol type | string |
| 6 | PX (total number of packets exchanged) | total number of packets | integer |
| 7 | NNP (number of null packets exchanged) | number of null (empty) packets | integer |
| 8 | IOPR (ratio between the number of incoming packets and the number of outgoing packets) | ratio of incoming to outgoing packets | float |
| 9 | reconnect (number of reconnects) | number of reconnections | integer |
| 10 | duration (flow duration) | duration of the flow | float |
| 11 | FPS (length of the first packet) | length of the first packet | integer |
| 12 | TBT (total number of bytes) | total number of bytes | integer |
| 13 | average bytes per packet | average number of bytes per packet | float |
| 14 | variance of bytes per packet | variance of the bytes per packet | float |
| 15 | APL (average payload packet length) | average payload length per packet | float |
| 16 | DPL (total number of packets with the same length over the total number of packets) | ratio of packets of the same length to the total number of packets | float |
| 17 | PV (standard deviation of payload packet length) | standard deviation of the packet payload length | float |
| 18 | BS (average bits-per-second) | average bits per second | float |
| 19 | AIT (average inter-arrival time of packets) | average inter-arrival time of packets | float |
| 20 | PPS (average packets-per-second) | average packets per second | float |
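The abstract's first two steps, computing the per-flow features of Table 1 and mapping a batch of flows to a grayscale image, as an added example that is not the paper's code. It assumes the 20×20 input size implied by Table 4 (a 3×3 kernel giving an 18×18 output), a one-flow-per-row, one-feature-per-column layout with per-column min-max scaling, and constructed packet traces; the string features (IPs, ports, protocol) and the reconnect count are left out because they are not numeric or need TCP flag state.

```python
import statistics
from collections import Counter

# Constructed packet traces, one per flow: (timestamp in s, direction, payload bytes).
FLOW_A = [(0.0, "out", 60), (0.1, "in", 1400), (0.4, "in", 0),
          (0.6, "out", 0), (0.8, "in", 1400), (1.0, "out", 60)]
FLOW_B = [(0.0, "out", 100), (0.5, "in", 100)]

# Numeric Table 1 features in column order (the short names are this example's own).
NUMERIC_FEATURES = ["PX", "NNP", "IOPR", "duration", "FPS", "TBT", "avg_bytes",
                    "var_bytes", "APL", "DPL", "PV", "BS", "AIT", "PPS"]

def flow_features(pkts):
    """Numeric per-flow features of Table 1. The reconnect count is omitted:
    it needs TCP flag state that this packet tuple does not carry."""
    ts = [p[0] for p in pkts]
    lens = [p[2] for p in pkts]
    px = len(pkts)
    n_in = sum(1 for p in pkts if p[1] == "in")
    n_out = px - n_in
    dur = ts[-1] - ts[0]
    tbt = sum(lens)
    payload = [n for n in lens if n > 0]          # non-null packets only
    return {
        "PX": px,
        "NNP": lens.count(0),
        "IOPR": n_in / n_out if n_out else float(n_in),
        "duration": dur,
        "FPS": lens[0],
        "TBT": tbt,
        "avg_bytes": tbt / px,
        "var_bytes": statistics.pvariance(lens),
        "APL": statistics.mean(payload) if payload else 0.0,
        "DPL": max(Counter(lens).values()) / px,   # share of the most common length
        "PV": statistics.pstdev(payload) if payload else 0.0,
        "BS": 8 * tbt / dur if dur else 0.0,
        "AIT": dur / (px - 1) if px > 1 else 0.0,
        "PPS": px / dur if dur else 0.0,
    }

def flows_to_image(rows, size=20):
    """Assumed layout: one flow per image row, one feature per column, each column
    min-max scaled to 0..255; a flat column and unused cells stay 0 (black)."""
    img = [[0] * size for _ in range(size)]
    for j, name in enumerate(NUMERIC_FEATURES[:size]):
        col = [r[name] for r in rows[:size]]
        lo, hi = min(col), max(col)
        for i, v in enumerate(col):
            img[i][j] = 0 if hi == lo else round(255 * (v - lo) / (hi - lo))
    return img

if __name__ == "__main__":
    feats = [flow_features(FLOW_A), flow_features(FLOW_B)]
    print(feats[0])
    print(flows_to_image(feats)[0][:len(NUMERIC_FEATURES)])
```

In practice one image would be filled from 20 flows of the same host or time window before it is fed to the CNN configurations of Table 4.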
Table 4 The six convolutional neural networks of different structure designed for the experiments

| No. | C1 conv kernel | C1 output | S2 pooling window | S2 output | C3 conv kernel | C3 output | S4 pooling window | S4 output | C5 fully-connected kernel | C5 output |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 6×(3×3) | 6×(18×18) | 2×2 | 6×(9×9) | 16×(3×3) | 16×(7×7) | 2×2 | 16×(4×4) | 80×(4×4) | 80×1 |
| 2 | 6×(3×3) | 6×(18×18) | 2×2 | 6×(9×9) | 16×(3×3) | 16×(7×7) | 2×2 | 16×(3×3) | 80×(3×3) | 80×1 |
| 3 | 6×(3×3) | 6×(18×18) | 2×2 | 6×(9×9) | 16×(4×4) | 16×(6×6) | 2×2 | 16×(3×3) | 80×(3×3) | 80×1 |
| 4 | 6×(4×4) | 6×(17×17) | 2×2 | 6×(9×9) | 16×(4×4) | 16×(6×6) | 2×2 | 16×(3×3) | 80×(3×3) | 80×1 |
| 5 | 6×(5×5) | 6×(16×16) | 2×2 | 6×(8×8) | 16×(5×5) | 16×(4×4) | 2×2 | 16×(2×2) | 80×(2×2) | 80×1 |
| 6 | 6×(6×6) | 6×(15×15) | 2×2 | 6×(8×8) | 16×(6×6) | 16×(3×3) | 2×2 | 16×(2×2) | 80×(2×2) | 80×1 |
Table 7 Detection results of the three algorithms for different sample counts

| Sample count | Proposed: detection rate | Proposed: false positive rate | Proposed: false negative rate | Proposed: test time/s | SVM: detection rate | SVM: false positive rate | SVM: false negative rate | SVM: test time/s | Decision tree: detection rate | Decision tree: false positive rate | Decision tree: false negative rate | Decision tree: test time/s |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10 000 | 0.8611 | 0.1149 | 0.1071 | 9.3 | 0.7535 | 0.1546 | 0.1273 | 21.1 | 0.7813 | 0.1497 | 0.1291 | 25.4 |
| 20 000 | 0.8705 | 0.1010 | 0.1042 | 17.5 | 0.7404 | 0.1498 | 0.1245 | 39.2 | 0.7979 | 0.1425 | 0.1262 | 48.3 |
| 30 000 | 0.8730 | 0.1037 | 0.0996 | 24.7 | 0.7628 | 0.1469 | 0.1187 | 57.6 | 0.8077 | 0.1477 | 0.1173 | 71.1 |
| 40 000 | 0.8829 | 0.0970 | 0.0942 | 31.4 | 0.7784 | 0.1403 | 0.1154 | 73.4 | 0.7934 | 0.1365 | 0.1130 | 93.6 |
| 50 000 | 0.8785 | 0.0934 | 0.0890 | 37.6 | 0.7818 | 0.1452 | 0.1094 | 88.1 | 0.8225 | 0.1346 | 0.1037 | 114.7 |
| 60 000 | 0.9084 | 0.0876 | 0.0864 | 43.1 | 0.8048 | 0.1316 | 0.1102 | 104.3 | 0.8380 | 0.1323 | 0.1004 | 134.8 |
| 70 000 | 0.9123 | 0.0811 | 0.0787 | 48.3 | 0.8156 | 0.1287 | 0.1028 | 118.0 | 0.8540 | 0.1240 | 0.0961 | 150.7 |
| 80 000 | 0.9273 | 0.0764 | 0.0725 | 52.6 | 0.8294 | 0.1154 | 0.0995 | 131.4 | 0.8466 | 0.1107 | 0.0998 | 167.2 |
| 90 000 | 0.9398 | 0.0703 | 0.0672 | 58.1 | 0.8229 | 0.1164 | 0.1020 | 143.5 | 0.8517 | 0.1114 | 0.0952 | 182.5 |
| 100 000 | 0.9427 | 0.0682 | 0.0643 | 63.2 | 0.8418 | 0.1118 | 0.0987 | 154.6 | 0.8550 | 0.1102 | 0.0932 | 195.3 |
Table 8 Real-time detection results of the three algorithms under different time windows

| Time window/s | Proposed: detection rate | Proposed: false positive rate | Proposed: false negative rate | Proposed: test time/s | SVM: detection rate | SVM: false positive rate | SVM: false negative rate | SVM: test time/s | Decision tree: detection rate | Decision tree: false positive rate | Decision tree: false negative rate | Decision tree: test time/s |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10 | 0.8352 | 0.4527 | 0.3816 | 11.3 | 0.6252 | 0.4903 | 0.4616 | 25.5 | 0.6353 | 0.4849 | 0.4523 | 30.2 |
| 30 | 0.8411 | 0.3975 | 0.3121 | 11.9 | 0.6307 | 0.4587 | 0.4251 | 24.9 | 0.6415 | 0.4518 | 0.4156 | 30.3 |
| 60 | 0.8556 | 0.3646 | 0.2345 | 10.9 | 0.6346 | 0.4276 | 0.3754 | 25.3 | 0.6459 | 0.4026 | 0.3658 | 29.1 |
| 120 | 0.8765 | 0.2452 | 0.1934 | 11.6 | 0.6583 | 0.3561 | 0.2855 | 23.6 | 0.6724 | 0.2758 | 0.2547 | 27.6 |
| 180 | 0.8923 | 0.1368 | 0.1542 | 11.4 | 0.6784 | 0.2544 | 0.1997 | 23.9 | 0.6895 | 0.1524 | 0.1712 | 28.9 |
| 240 | 0.8951 | 0.1287 | 0.1324 | 12.3 | 0.6859 | 0.2053 | 0.1633 | 24.6 | 0.6937 | 0.1326 | 0.1603 | 29.5 |
| 300 | 0.8963 | 0.1116 | 0.0913 | 9.7 | 0.6875 | 0.1757 | 0.1524 | 25.4 | 0.6977 | 0.1219 | 0.1420 | 27.9 |