基于深度残差胶囊网络与注意力机制的加密流量识别方法

doi:10.11959/j.issn.2096-109x.2023007

摘要/Abstract

摘要：

随着用户安全意识的提高和加密技术的发展，加密流量已经成为网络流量中的重要部分，识别加密流量成为网络流量监管的重要部分。基于传统深度学习模型的加密流量识别方法存在效果差、模型训练时间长等问题。针对上述问题，提出了一种基于深度残差胶囊网络模型（DRCN，deep residual capsule network）的加密流量识别方法。原始胶囊网络通过全连接形式堆叠导致模型耦合系数变小，无法搭建深层网络模型。针对上述问题，DRCN模型采用三维卷积算法（3DCNN）动态路由算法代替全连接动态路由算法，减少了每个胶囊层之间传递的参数，降低了运算复杂度，进而构建深层胶囊网络，提高识别的准确率和效率；引入通道注意力机制为不同的特征赋予不同的权重，减少无用特征对识别结果的影响，进一步增强模型特征提取能力；将残差网络引入胶囊网络层，搭建残差胶囊网络模块缓解了深度胶囊网络的梯度消失问题。在数据预处理方面，截取的数据包前784byte，将截取的字节转化成图像输入到DRCN模型中，该方法避免了人工特征提取，减少了加密流量识别的人工成本。在ISCXVPN2016数据集上的实验结果表明，与效果最好的BLSTM模型相比，DRCN模型的准确率提高了5.54%，模型的训练时间缩短了232s。此外，在小数据集上，DRCN模型准确率达到了94.3%。上述实验结果证明，所提出的识别方案具有较高的识别率、良好的性能和适用性。

关键词: 加密流量识别, 深度胶囊网络, 3D卷积算法, 残差网络

Abstract:

With the improvement of users’ security awareness and the development of encryption technology, encrypted traffic has become an important part of network traffic, and identifying encrypted traffic has become an important part of network traffic supervision.The encrypted traffic identification method based on the traditional deep learning model has problems such as poor effect and long model training time.To address these problems, the encrypted traffic identification method based on a deep residual capsule network (DRCN) was proposed.However, the original capsule network was stacked in the form of full connection, which lead to a small model coupling coefficient and it was impossible to build a deep network model.The DRCN model adopted the dynamic routing algorithm based on the three-dimensional convolutional algorithm (3DCNN) instead of the fully-connected dynamic routing algorithm, to reduce the parameters passed between each capsule layer, decrease the complexity of operations, and then build the deep capsule network to improve the accuracy and efficiency of recognition.The channel attention mechanism was introduced to assign different weights to different features, and then the influence of useless features on the recognition results was reduced.The introduction of the residual network into the capsule network layer and the construction of the residual capsule network module alleviated the gradient disappearance problem of the deep capsule network.In terms of data pre-processing, the first 784byte of the intercepted packets was converted into images as input of the DRCN model, to avoid manual feature extraction and reduce the labor cost of encrypted traffic recognition.The experimental results on the ISCXVPN2016 dataset show that the accuracy of the DRCN model is improved by 5.54% and the training time of the model is reduced by 232s compared with the BLSTM model with the best performance.In addition, the accuracy of the DRCN model reaches 94.3% on the small dataset.The above experimental results prove that the proposed recognition scheme has high recognition rate, good performance and applicability.

Key words: encrypted traffic identification, deep capsule network, 3D convolutional algorithm, residual network

中图分类号:

TP393

史国振, 李昆阳, 刘瑶, 杨永健. 基于深度残差胶囊网络与注意力机制的加密流量识别方法[J]. 网络与信息安全学报, 2023, 9(1): 32-41.

Guozhen SHI, Kunyang LI, Yao LIU, Yongjian YANG. Encrypted traffic identification method based on deep residual capsule network with attention mechanism[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 32-41.

图/表 12

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

表1

参考文献 22

[1]	AHMED M , MAHMOOD A N , HU J . A survey of network anomaly detection techniques[J]. Journal of Network ＆ Computer Applications, 2016,60: 19-31.
[2]	DAINOTTI A , PESCAPE A , CLAFFY K C . Issues and future directions in traffic classification[J]. IEEE Network, 2012,26(1): 35-40.
[3]	LUFT S J , CHIANG P . Network element architecture for deep packet inspection:US,US7719966 B2[P]. 2010.
[4]	ESTE A , GRINGOLI F , SALGARELLI L . Support vector machines for TCP traffic classification[J]. Computer Networks, 2009,53(14): 2476-2490.
[5]	KHONDOKE R , RAHAMATULLAH M . Interactive traffic class prioritization and radio link condition diversification techniques for efficient utilization of MMS and WAP services[J]. Chemical Communications, 2012,48(98): 11960-11962.
[6]	QIU C , XU H , BAO Y . Modified-DBSCAN clustering for identifying traffic accident prone locations[C]// International Conference on Intelligent Data Engineering and Automated Learning. 2016: 99-105.
[7]	WEI W , MING Z , WANG J ,et al. End-to-end encrypted traffic classification with one-dimensional convolution neural networks[C]// 2017 IEEE International Conference on Intelligence and Security Informatics (ISI). 2017.
[8]	SHAPIRA T , SHAVITT Y . FlowPic:encrypted internet traffic classification is as easy as image recognition[C]// IEEE INFOCOM 2019 - IEEE Conference on Computer Communications Workshops. 2019.
[9]	REN X , GU H , WEI W . Tree-RNN:tree structural recurrent neural network for network traffic classification[J]. Expert Systems with Applications, 2021,167(1): 114363.
[10]	XIAO X , XIAO W , LI R ,et al. EBSNN:extended byte segment neural network for network traffic classification[J]. IEEE Transactions on Dependable and Secure Computing, 2021(1).
[11]	YAO H , LIU C , ZHANG P ,et al. Identification of encrypted traffic through attention mechanism based long short term memory[J]. IEEE Trans Big Data, 2022,8(1): 241-252.
[12]	ZOU Z , GE J , ZHENG H ,et al. Encrypted traffic classification with a convolutional long short-term memory neural network[C]// 2018 IEEE 20th International Conference on High Performance Computing and Communications; IEEE 16th International Conference on Smart City,IEEE 4th International Conference on Data Science and Systems (HPCC/SmartCity/DSS). 2018: 329-334.
[13]	SABOUR S , FROSST N , HINTON G E . Dynamic routing between capsules[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017: 3859-3869.
[14]	RAJASEGARAN J , JAYASUNDARA V , JAYASEKARA S ,et al. Deepcaps:going deeper with capsule networks[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2019: 10725-10733.
[15]	VENKATARAMAN S R , BALASUBRAMANIAN S , SARMA R R . Building deep equivariant capsule networks[C]// International Conference on Learning Representations. 2019.
[16]	SRIVASTAVA R K , GREFF K , SCHMIDHUBER J . Training very deep networks[C]// Proceedings of the 28th International Conference on Neural Information Processing Systems-Volume 2. 2015: 2377-2385.
[17]	骆子铭, 许书彬, 刘晓东 . 基于机器学习的 TLS 恶意加密流量检测方案[J]. 网络与信息安全学报, 2020,6(1): 77-83.
	LUO Z M , XU S B , LIU X D . Scheme for identifying malware traffic with TLS data based on machine learning[J]. Chinese Journal of Network and Information Security, 2020,6(1): 77-83.
[18]	翟明芳, 张兴明, 赵博 . 基于深度学习的加密恶意流量检测研究[J]. 网络与信息安全学报, 2020,6(3): 66-77.
	ZHAI M F , ZHANG X M , ZHAO B . Survey of encrypted malicious traffic detection based on deep learning[J]. Chinese Journal of Network and Information Security, 2020,6(3): 66-77.
[19]	HU J , SHEN L , SUN G . Squeeze-and-excitation networks[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2018: 7132-7141.
[20]	TRAN D , BOURDEV L , FERGUS R ,et al. Learning spatiotemporal features with 3d convolutional networks[C]// Proceedings of the IEEE International Conference on Computer Vision. 2015: 4489-4497.
[21]	HE K , ZHANG X , REN S ,et al. Deep residual learning for image recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2016: 770-778.
[22]	DRAPER-GIL G , LASHKARI A H , MAMUN M S I ,et al. Characterization of encrypted and VPN traffic using time-related[C]// Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP). 2016: 407-414.

模型类别	训练时间/s	检测时间/s
BLSTM^[11]	1 500	1.64
1D-CNN^[7]	978	0.75
CNN+LSTM^[12]	5 228	3.69
Capsule	2 865	1.83
DRCN	1 268	1.2