基于超图神经网络的恶意流量分类模型

doi:10.11959/j.issn.2096-109x.2023069

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (5): 166-177.doi: 10.11959/j.issn.2096-109x.2023069

• 学术论文 • 上一篇

基于超图神经网络的恶意流量分类模型

赵文博¹^,²^,³, 马紫彤¹^,²^,³, 杨哲¹^,²^,³

¹ 苏州大学计算机科学与技术学院，江苏苏州 215006
² 江苏省计算机信息处理技术重点实验室，江苏苏州 215006
³ 江苏省大数据智能工程实验室，江苏苏州 215006

修回日期:2023-08-18 出版日期:2023-10-01 发布日期:2023-10-01
作者简介:赵文博（1998− )，男，安徽淮北人，苏州大学硕士生，主要研究方向为图机器学习、网络安全、深度学习、推荐算法
马紫彤（1999− ），女，江西赣州人，苏州大学硕士生，主要研究方向为图机器学习、网络安全、深度学习、推荐算法
杨哲（1978− ），男，江苏苏州人，博士，苏州大学副教授，主要研究方向为网络与信息安全、深度学习、智能算法
基金资助:
国家自然科学基金(62072321);教育部产学协同育人项目(220606363154256);江苏省高校自然科学基金(20KJB520002);江苏省未来网络科研基金(FNSRFP-2021-YB-38);江苏高校优势学科建设工程资助项目

Model of the malicious traffic classification based on hypergraph neural network

Wenbo ZHAO¹^,²^,³, Zitong MA¹^,²^,³, Zhe YANG¹^,²^,³

¹ School of Computer Science and Technology, Soochow University, Suzhou 215006, China
² Provincial Key Laboratory for Computer Information Processing Technology, Suzhou 215006, China
³ Provincial Key Laboratory for Intelligent Engineering in Big Data, Suzhou 215006, China

Revised:2023-08-18 Online:2023-10-01 Published:2023-10-01
Supported by:
The National Natural Science Foundation of China(62072321);The Project of the Ministry of Education on the Cooperation of Production and Education(220606363154256);The Natural Science Foundation of the Jiangsu Higher Education Institutions of China(20KJB520002);The Future Network Research Foundation of Jiangsu Province(FNSRFP-2021-YB-38);Project Funded by the Priority Academic Program Development of Jiangsu Higher Education Institutions

摘要/Abstract

摘要：

随着网络的普及和依赖程度的不断增加，恶意流量的泛滥已经成为网络安全领域的严重挑战。在这个数字时代，网络攻击者不断寻找新的方式来侵入系统、窃取数据和破坏网络服务。开发更有效的入侵检测系统，及时发现并应对恶意流量，可以应对网络攻击的持续威胁，极大地减少网络攻击带来的损失。然而现有的恶意流量分类方法存在一些限制，其中之一是过度依赖对数据特征的选择。为了提高恶意流量分类的效果，提出了一种创新的方法，即基于超图神经网络的恶意流量分类模型。这一模型的核心思想是将流量数据表示为超图结构，并利用超图神经网络（HGNN，hypergraph neural network）来捕获流量的空间特征。HGNN 能够更全面地考虑流量数据之间的关系，从而更准确地表征恶意流量的特征。此外，为了处理流量数据的时间特征，引入了循环神经网络（RNN，recurrent neural network），进一步提高了分类模型的性能。最终，提取的时空特征被用于进行恶意流量分类，从而帮助检测网络中的潜在威胁。通过一系列消融实验，验证了HGNN+RNN模型的有效性，证明其能够高效提取流量的时空特征，从而改善了恶意流量的分类性能。在3个广泛使用的开源数据集，即NSL-KDD、UNSW-NB15和CIC-IDS-2017上，模型取得了卓越的分类准确率，分别达到了94%、95.6%和99.08%。这些结果表明，基于超图神经网络的恶意流量分类模型在提高网络安全水平方面具有潜在的重要意义，有望帮助网络安全领域更好地应对不断演变的网络威胁。

关键词: 恶意流量, 网络攻击, 超图神经网络, 循环神经网络

Abstract:

As the use and reliance on networks continue to grow, the prevalence of malicious network traffic poses a significant challenge in the field of network security.Cyber attackers constantly seek new ways to infiltrate systems, steal data, and disrupt network services.To address this ongoing threat, it is crucial to develop more effective intrusion detection systems that can promptly detect and counteract malicious network traffic, thereby minimizing the resulting losses.However, current methods for classifying malicious traffic have limitations, particularly in terms of excessive reliance on data feature selection.To improve the accuracy of malicious traffic classification, a novel malicious traffic classification model based on Hypergraph Neural Networks (HGNN) was proposed.The traffic data was represented as hypergraph structures and HGNN was utilized to capture the spatial features of the traffic.By considering the interrelations among traffic data, HGNN provided a more accurate representation of the characteristics of malicious traffic.Additionally, to handle the temporal features of traffic data, Recurrent Neural Networks (RNN) was introduced to further enhance the model’s classification performance.The extracted spatiotemporal features were then used for the classification of malicious traffic, aiding in the detection of potential threats within the network.Through a series of ablative experiments, the effectiveness of the HGNN+RNN method was verified.These experiments demonstrate the model’s ability to efficiently extract spatiotemporal features from traffic, resulting in improved classification performance for malicious traffic.The model achieved outstanding classification accuracy across three widely-used open-source datasets: NSL-KDD (94% accuracy), UNSW-NB15 (95.6% accuracy), and CIC-IDS-2017 (99.08% accuracy).These results underscore the potential significance of the malicious traffic classification model based on hypergraph neural networks in enhancing network security and its capacity to better address the evolving landscape of network threats within the domain of network security.

Key words: malicious traffic, cyberattack, hypergraph neural network, recurrent neural network

中图分类号:

TP399

赵文博, 马紫彤, 杨哲. 基于超图神经网络的恶意流量分类模型[J]. 网络与信息安全学报, 2023, 9(5): 166-177.

Wenbo ZHAO, Zitong MA, Zhe YANG. Model of the malicious traffic classification based on hypergraph neural network[J]. Chinese Journal of Network and Information Security, 2023, 9(5): 166-177.

图/表 15

图1

图2

图3

图4

图5

图6

表1

HGNN以及RNN层数下的模型性能表现Table 1 Model performance with different HGNN and RNN layer number"

HGNN层数	RNN层数	准确率	时间
0	0	88.90%	14s
0	1	94.85%	20s
0	2	97.45%	57s
0	3	96.60%	1m28s
1	0	96.35%	2m17s
1	1	$99 . 50 %$	$2 m 30 s$
1	2	99.45%	2m39s
1	3	99.45%	2m56s
2	0	98.90%	4m35s
2	1	99.25%	4m49s
2	2	99.30%	4m55s
2	3	99.35%	5m13s
3	0	98.95%	6m50s
3	1	99.05%	7m2s
3	2	99.10%	7m13s
3	3	99.35%	7m25s

表1

图7

表2

NSL-KDD数据集上不同模型的分类性能比较Table2 Classification performance comparison of different model on NSL-KDD dataset"

模型	准确率	精确率	召回率	F1值
CART	87.03%	79.56%	96.04%	87.03%
SVM	89.02%	82.58%	96.04%	88.80%
KNN	83.33%	74.04%	$97 . 36 %$	84.11%
RNN-IDS^[16]	83.28%	—	—	—
DNN^[11]	92.54%	—	90.90%	—
本文	$94 . 00 %$	$94 . 12 %$	94.00%	$94 . 06 %$

表2

表3

UNSW-NB15数据集上不同模型的分类性能比较Table 3 Classification performance Comparison of different models on UNSW-NB15 dataset"

模型	准确率	精确率	召回率	F1值
CART	92.00%	88.10%	92.50%	90.24%
SVM	88.50%	89.04%	81.25%	84.97%
KNN	91.00%	93.06%	83.75%	88.16%
SGC-LSTM ^[18]	91.67%	—	89.89%	—
ADS^[14]	92.40%	—	93.00%	—
本文	$95 . 60 %$	$95 . 68 %$	$95 . 46 %$	$95 . 56 %$

表3

表4

CIC-IDS-2017数据集上不同模型的分类性能比较Table 4 Classification performance comparison of on CIC-IDS-2017 dataset"

模型	准确率	精确率	召回率	F1值
CART	98.90%	98.96%	98.90%	98.85%
SVM	97.31%	97.24%	97.31%	97.27%
KNN	98.60%	98.53%	98.60%	98.54%
Hybrid IDS^[15]	96.67%	—	—	—
SMOTE-LSTM^[12]	98.90%	98.90%	98.90%	98.90%
本文	$99 . 08 %$	$99 . 09 %$	$99 . 08 %$	$99 . 08 %$

表4

图8

图9

图10

图11

参考文献 32

[1]	ROBERTS E . Bad bot report 2020:bad bots strike back[J]. Imperva Blog, 2020.
[2]	BHUYAN M H , BHATTACHARYYA D K , KALITA J K . Network anomaly detection:methods,systems and tools[J]. IEEE Communications Surveys ＆ Tutorials, 2013,16(1): 303-336.
[3]	WIDIPUTRA H D . Clustering based intrusion detection for network profiling using k-means ecm and k-nearest neighbor[J]. Konferensi Nasional Sistem Dan Informatika, 2009: 247-251.
[4]	ZANERO S , SAVARESI S M . Unsupervised learning techniques for an intrusion detection system[C]// Proceedings of the 2004 ACM Symposium on Applied Computing. 2004: 412-419.
[5]	ALI A , SALEH A , RAMDAN T . Multilayer perceptrons networks for an intelligent adaptive intrusion detection system[J]. International Journal of Computer Science and Network Security, 2010,10(2): 275.
[6]	KWON D , KIM H , KIM J ,et al. A survey of deep learning-based network anomaly detection[J]. Cluster Computing, 2019,22(1): 949-961.
[7]	STALLINGS W . Network security essentials:applications and standards[M]. USA: Pearson, 2017.
[8]	ZHANG F , WANG D . An effective feature selection approach for network intrusion detection[C]// 2013 IEEE Eighth International Conference on Networking,Architecture and Storage. 2013: 307-311.
[9]	VIJAYANAND R , DEVARAJ D , KANNAPIRAN B . Intrusion detection system for wireless mesh network using multiple support vector machine classifiers with genetic-algorithm-based feature selection[J]. Computers ＆ Security, 2018,77: 304-314.
[10]	LU X , LIU P , LIN J . Network traffic anomaly detection based on information gain and deep learning[C]// Proceedings of the 2019 3rd International Conference on Information System and Data Mining. 2019: 11-15.
[11]	TANG T A , MHAMDI L , MC-LERNON D , et al . Deep learning approach for network intrusion detection in software defined networking[C]// 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM). 2016: 258-263.
[12]	WANG J H , SEPTIAN T W . Combining oversampling with recurrent neural networks for intrusion detection[C]// International Conference on Database Systems for Advanced Applications. 2021: 305-320.
[13]	HUBBALLI N , SURYANARAYANAN V . False alarm minimization techniques in signature-based intrusion detection systems:a survey[J]. Computer Communications, 2014,49: 1-17.
[14]	MUNA A L H , MOUSTAFA N , SITNIKOVA E . Identification of malicious activities in industrial internet of things based on deep learning models[J]. Journal of Information Security and Applications, 2018,41: 1-11.
[15]	AHMIM A , MAGLARAS L , FERRAG M A ,et al. A novel hierarchical intrusion detection system based on decision tree and rules-based models[C]// 2019 15th International Conference on Distributed Computing in Sensor Systems (DCOSS). 2019: 228-233.
[16]	YIN C , ZHU Y , FEI J ,et al. A deep learning approach for intrusion detection using recurrent neural networks[J]. IEEE Access, 2017,5: 21954-21961.
[17]	ZHANG J , LING Y , FU X ,et al. Model of the intrusion detection system based on the integration of spatial-temporal features[J]. Computers ＆ Security, 2020,89:101681.
[18]	LIU X , LIU J . Malicious traffic detection combined deep neural network with hierarchical attention mechanism[J]. Scientific Reports, 2021,11(1): 1-15.
[19]	ZHOU D , HUANG J , SCH?LKOPF B . Learning with hypergraphs:clustering,classification,and embedding[C]// Twentieth Annual Conference on Neural Information Processing Systems(NIPS 2006). 2007: 1601-1608.
[20]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv Preprint arXiv:1609.02907, 2016.
[21]	FENG Y , YOU H , ZHANG Z ,et al. Hypergraph neural networks[C]// Proceedings of the AAAI Conference on Artificial Intelligence. 2019: 3558-3565.
[22]	KARPATHY A . The unreasonable effectiveness of recurrent neural networks[J]. Andrej Karpathy Blog, 2015,21:23.
[23]	BERGE C . Hypergraphs:combinatorics of finite sets[M]. Elsevier, 1984.
[24]	GASTI P , TSUDIK G , UZUN E ,et al. DoS and DDoS in named data networking[C]// 2013 22nd International Conference on Computer Communication and Networks (ICCCN). 2013: 1-7.
[25]	ZAREMBA W , SUTSKEVER I , VINYALS O . Recurrent neural network regularization[J]. arXiv Preprint arXiv:1409.2329, 2014.
[26]	TAVALLAEE M , BAGHERI E , LU W ,et al. A detailed analysis of the KDD CUP 99 data set[C]// 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications. 2009: 1-6.
[27]	MOUSTAFA N , SLAY J . UNSW-NB15:a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)[C]// 2015 Military Communications and Information Systems Conference (MilCIS). 2015: 1-6.
[28]	MOUSTAFA N , SLAY J . The evaluation of network anomaly detection systems:statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set[J]. Information Security Journal:A Global Perspective, 2016,25(1-3): 18-31.
[29]	MOUSTAFA N , SLAY J , CREECH G . Novel geometric area analysis technique for anomaly detection using trapezoidal area estimation on large-scale networks[J]. IEEE Transactions on Big Data, 2017,5(4): 481-494.
[30]	MOUSTAFA N , CREECH G , SLAY J . Big data analytics for intrusion detection system:statistical decision-making using finite dirichlet mixture models[M]// Data Analytics and Decision Support for Cybersecurity. 2017: 127-156.
[31]	SARHAN M , LAYEGHY S , MOUSTAFA N ,et al. Netflow datasets for machine learning-based network intrusion detection systems[M]// Big Data Technologies and Applications. 2020: 117-135.
[32]	SHARAFALDIN I , LASHKARI A H , GHORBANI A A . Toward generating a new intrusion detection dataset and intrusion traffic characterization[C]// ICISSP. 2018: 108-116.

基于超图神经网络的恶意流量分类模型

Model of the malicious traffic classification based on hypergraph neural network

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 15

参考文献 32

相关文章 3

Metrics

推荐阅读 0

[1]	贾鉴,刘林峰,吴家皋. 基于循环神经网络的空载电动出租车的充电桩推荐方法[J]. 网络与信息安全学报, 2020, 6(6): 152-163.
[2]	翟明芳,张兴明,赵博. 基于深度学习的加密恶意流量检测研究[J]. 网络与信息安全学报, 2020, 6(3): 66-77.
[3]	燕昺昊,韩国栋. 基于深度循环神经网络和改进SMOTE算法的组合式入侵检测模型[J]. 网络与信息安全学报, 2018, 4(7): 48-59.