小样本下基于度量学习的僵尸网络检测方法

doi:10.11959/j.issn.2096-109x.2023076

Abstract

Abstract:

Botnets pose a great threat to the Internet, and early detection is crucial for maintaining cybersecurity.However, in the early stages of botnet discovery, obtaining a small number of labeled samples restricts the training of current detection models based on deep learning, leading to poor detection results.To address this issue, a botnet detection method called BT-RN, based on metric learning, was proposed for small sample backgrounds.The task-based meta-learning training strategy was used to optimize the model.The verification set was introduced into the task and the similarity between the verification sample and the training sample feature representation was measured to quickly accumulate experience, thereby reducing the model’s dependence on the labeled sample space.The feature-level attention mechanism was introduced.By calculating the attention coefficients of each dimension in the feature, the feature representation was re-integrated and the importance attention was assigned to optimize the feature representation, thereby reducing the feature sparseness of the deep neural network in small samples.The residual network design pattern was introduced, and the skip link was used to avoid the risk of model degradation and gradient disappearance caused by the deeper network after increasing the feature-level attention mechanism module.

Key words: botnet, traffic detection, few-shot detection, metric learning

CLC Number:

TP309.5

Honggang LIN, Junjing ZHU, Lin CHEN. Metric-based learning approach to botnet detection with small samples[J]. Chinese Journal of Network and Information Security, 2023, 9(5): 33-47.

Figures/Tables 21

References 35

[1]	国家计算机网络应急技术处理协调中心(CNCERT/CC). CNCERT互联网安全威胁报告[R]. 2021-8.
	National Computer Network Emergency Response Technology Processing Coordination Center (CNCERT/CC). CNCERT Internet security threat report[R]. 2021-8.
[2]	国家计算机网络应急技术处理协调中心(CNCERT/CC). 2020 年中国互联网网络安全报告[R]. 2021-7.
	National Computer Network Emergency Response Technology Processing Coordination Center (CNCERT/CC). 2020 China Internet network security report[R]. 2021-7.
[3]	XING Y , SHU H , ZHAO H ,et al. Survey on botnet detection techniques:classification,methods,and evaluation[J]. Mathematical Problems in Engineering, 2021,2021: 1-24.
[4]	GARG S , GUIZANI M , GUO S ,et al. Guest editorial:special section on ai-driven developments in 5g-envisioned industrial automation:big data perspective[J]. IEEE Transactions on Industrial Informatics, 2019,PP(33): 1.
[5]	WANG X , YANG Q , JIN X . Periodic communication detection algorithm of botnet based on quantum computing[J]. Chinese Journal of Quantum Electronics, 2016,33(2): 182-187.
[6]	SPATHOULAS G , GIACHOUDIS N , DAMIRIS G-P ,et al. Collaborative blockchain-based detection of distributed denial of service attacks based on internet of things botnets[J]. Future Internet, 2019,11(11): 226.
[7]	LASHKARI A H , GIL G D , KEENAN J E ,et al. A survey leading to a new evaluation framework for network-based botnet detection[C]// International Conference. 2017: 59-66.
[8]	WANG J , CHEN Y . Botnet detection method based on permutation entropy and clustering variance[C]// The 2017 3rd International Symposium on Mechatronics and Industrial Informatics(ISMII 2017). 2017: 161-166.
[9]	BILGE L , BALZAROTTI D , ROBERTSON W ,et al. Disclosure:detecting botnet command and control servers through large-scale NetFlow analysis[C]// Proceedings of the 28th Annual Computer Security Applications Conference. 2012: 129-138.
[10]	金渝筌, 谢彬, 朱毅 . 基于通信相似度的僵尸网络节点检测方法[J]. 网络与信息安全学报, 2018,4(10): 31-38.
	JIN Y Q , XIE B , ZHU Y . Method of botnet network nodes detection base on communication similarity[J]. Chinese Journal of Network and Information Security, 2018,4(10): 31-38.
[11]	JUNG W , ZHAO H , SUN M ,et al. IoT botnet detection via power consumption modeling[J]. Smart Health, 2020,15:100103.
[12]	WANG W , ZHU M , ZENG X ,et al. Malware traffic classification using convolutional neural network for representation learning[C]// 2017 International Conference on Information Networking (ICOIN). 2017: 712-717.
[13]	尹传龙, 祝跃飞, 张鹤童 . 基于LSTM深度学习的僵尸网络检测模型[J]. 信息工程大学学报, 2018,19(94): 76-82.
	YIN C L , ZHU Y F , ZHANG H T . Deep learning approach for botnet detection using LSTM[J]. Journal of Information Engineering University, 2018,19(94): 76-82.
[14]	罗扶华, 张爱新 . 基于深度学习的僵尸网络检测技术研究[J]. 通信技术, 2020,53(1): 174-179.
	LUO F H , ZHANG A X . Botnet detection technology based on deep learning[J]. Communications Technology, 2020,53(1): 174-179.
[15]	谭越, 邹福泰 . 基于ResNet和BiLSTM的僵尸网络检测方法[J]. 通信技术, 2019,52(12): 7.
	TAN Y , ZOU F T . Botnet detection method based on BiLSTM and ResNet[J]. Communications Technology, 2019,52(12): 7.
[16]	YERIMA S Y , ALZAYLAEE M K , SHAJAN A . Deep learning techniques for android botnet detection[J]. Electronics, 2021,10(4): 519.
[17]	OLASEHINDE O , JOHNSON O V , CATHERINE O O . Evaluation of selected meta learning algorithms for the prediction improvement of network intrusion detection system[C]// 2020 International Conference in Mathematics,Computer Engineering and Computer Science (ICMCECS). 2020.
[18]	XU C , SHEN J , DU X . A method of few-shot network intrusion detection based on meta-learning framework[J]. IEEE Transactions on Information Forensics and Security, 2020(99): 1.
[19]	TANG Z , WANG P , WANG J . ConvProtoNet:deep prototype induction towards better class representation for few-shot malware classification[J]. Applied Sciences, 2020,10(8): 2847.
[20]	PAN J . Iot network behavioral fingerprint inference with limited network traces for cyber investigation[C]// 2021 International Conference on Artificial Intelligence in Information and Communication (ICAIIC). 2021: 263-268.
[21]	HINDY H , TACHTATZIS C , ATKINSON R ,et al. Developing a siamese network for intrusion detection systems[C]// Proceedings of the 1st Workshop on Machine Learning and Systems. 2021: 120-126.
[22]	TIANYU G , ZHIYUAN L , MAOSONG S ,et al. Hybrid attention-based prototypical networks for noisy few-shot relation classification[C]// The AAAI Conference on Artificial Intelligence, 2019: 6407-6414.
[23]	AMIR E , DAVID E , MASSOUD P ,et al. A meta-learning approach for custom model training[C]// The AAAI Conference on Artificial Intelligence. 2019: 9937-9938.
[24]	YANG A , LU C , LI J ,et al. Application of meta-learning in cyberspace security:a survey[J]. Digital Communications and Networks, 2022,9(1): 67-78.
[25]	HOSPEDALES T M , ANTONIOU A , MICAELLI P ,et al. Meta-learning in neural networks:a survey[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021,44(9): 5149-5169.
[26]	WOO S , PARK J , LEE J Y ,et al. Cbam:convolutional block attention module[C]// Proceedings of the European Conference on Computer vision (ECCV). 2018: 3-19.
[27]	HE K , ZHANG X , REN S ,et al. Deep residual learning for image recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2016: 770-778.
[28]	SZEGEDY C , LIU W , JIA Y ,et al. Going deeper with Convolutions[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2015: 1-9.
[29]	ZOU Y , ZHANG L , LIU C ,et al. Super-resolution reconstruction of infrared images based on a convolutional neural network with skip connections[J]. Optics and Lasers in Engineering, 2021,146:106717.
[30]	SUNG F , YANG Y , ZHANG L ,et al. Learning to compare:Relation network for few-shot learning[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2018: 1199-1208.
[31]	VINYALS O , BLUNDELL C , LILLICRAP T ,et al. Matching networks for one shot learning[J]. Advances in Neural Information Processing Systems, 2016: 3637-3645.
[32]	SNELL J , SWERSKY K , ZEMEL R . Prototypical networks for few-shot learning[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017: 4080-4090.
[33]	DOSOVITSKIY A , BEYER L , KOLESNIKOV A ,et al. An image is worth 16×16 words:transformers for image recognition at scale[C]// International Conference on Learning Representations. 2021.
[34]	DAI Z , LIU H , LE Q V ,et al. CoAtNet:marrying convolution and attention for all data sizes[J]. 2021:arXiv.2016.04803.
[35]	HUISMAN M , VAN RIJN J N , PLAAT A . A survey of deep meta-learning[J]. 2020:arXiv:2010.03522.

Metrics

Recommended 0

No Suggested Reading articles found!

数据集	流量类型	是否真实	流量协议类型	僵尸网络类型	训练样本/个	测试样本/个
ISOT	Botnet	否	P2PHTTP	Waledac、StromBlackout、Citadel、Zyklon	2 000	4 500
			IRC	Neris、Rbot
CTU-13	Botnet	是	P2P	Zeus	2 000	2 000
			HTTP	Virut
USTC-TFC2016	Benign	是		9种应用流量	2 700	2 700

实验分类	检测类型	具体设置
		基于FC-Net的方法^[18]
小样本方法对比	已知类型样本	基于原型网络的方法^[20]
		基于孪生网络的方法^[21]
		BT-RN
		基于CNN的方法^[12]
		基于LSTM的方法^[13]
		基于LSTM_CNN的方法^[14]
深度学习方法对比	已知类型样本	基于BiLSTM_CNN的方法^[15]
		基于ViT的方法^[33]
		基于CoAtNet的方法^[34]
		BT-RN
	同源未知	1) 样本均来自ISOT数据集
泛化能力检测	类型样本	2) 样本均来自CTU数据集
泛化能力检测		1) 使用ISOT数据集训练，使用CTU
	异源未知	数据集测试
	类型样本	2) 使用CTU数据集训练，使用ISOT
		数据集测试

样本来源	数据类型	2-way 1-shot（MACC）				2-way 5-shot（MACC）
样本来源	数据类型	FC-net^[18]	孪生网络^[21]	原型网络^[20]	BT-RN	FC-net^[18]	孪生网络^[21]	原型网络^[20]	BT-RN
	Neris	86.67%	76.13%	88.21%	91.81%	89.16%	94.39%	95.82%	96.09%
	Zeus	89.23%	78.34%	91.69%	94.47%	96.37%	88.28%	98.46%	99.63%
CTU数据集CTU数据集	Rbot	97.90%	91.61%	99.02%	99.25%	98.74%	98.40%	99.53%	99.74%
	Virut	92.95%	75.73%	85.21%	90.26%	98.28%	97.77%	96.14%	97.22%
	Avg	93.36%	80.45%	91.03%	93.95%	95.64%	94.71%	97.49%	98.20%
	Citadel	93.50%	92.78%	87.92%	95.03%	97.30%	97.24%	97.86%	98.61%
	Blackout	91.87%	88.70%	84.16%	92.44%	93.55%	93.17%	98.02%	98.50%
ISOT数据集	Storm	78.65%	80.22%	78.81%	85.01%	82.32%	97.00%	98.96%	99.46%
	Walecdac	82.88%	79.21%	94.13%	94.77%	93.66%	95.78%	98.79%	98.12%
	Zyklon	94.93%	94.41%	97.43%	98.74%	97.60%	91.45%	99.31%	99.64%
	Avg	88.37%	87.07%	88.49%	93.20%	92.89%	94.93%	98.59%	98.87%

样本来源	样本数量/个				MACC
样本来源	样本数量/个	ViT^[33]	CoAtNet^[34]	LSTM^[13]	CNN^[12]	LSTM_CNN^[14]	BiLSTM_CNN^[15]	BT-RN
ISOT数据集	400	64.63%	56.49%	64.86%	63.52%	60.15%	67.48%	93.20%(1-shot)
	2000	65.27%	62.63%	65.63%	76.82%	70.92%	68.82%	98.87%(5-shot)
CTU数据集	400	57.37%	58.02%	68.63%	77.45%	76.92%	72.31%	93.95%(1-shot)
	2000	59.18%	68.65%	62.63%	79.75%	79.85%	75.20%	98.20%(5-shot)

问题设置	ISOT数据类型	准确率	精确率	召回率	F1
	Blackout	95.79%	96.37%	95.17%	95.77%
	Citadel	97.50%	96.61%	98.44%	97.52%
2-way 1-shot	Storm	90.97%	92.28%	89.42%	90.83%
	Walecdac	96.71%	96.89%	96.52%	96.70%
	Zyklon	97.71%	96.98%	98.49%	97.73%
	Blackout	98.23%	97.11%	99.41%	98.25%
	Citadel	99.06%	99.22%	98.89%	99.05%
2-way 5-shot	Storm	99.24%	99.48%	99.01%	99.24%
	Walecdac	99.32%	99.07%	99.58%	99.32%
	Zyklon	98.06%	97.61%	98.53%	98.07%

Metric-based learning approach to botnet detection with small samples

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 21

References 35

Related Articles 7

Metrics

Recommended 0

问题设置	CTU数据类型	准确率	精确率	召回率	F1值
	Neris	93.92%	92.90%	95.10%	93.99%
2-way 1-shot	Zeus	89.16%	90.99%	86.93%	88.91%
	Rbot	94.03%	92.01%	96.44%	94.17%
	Virut	95.68%	95.10%	96.33%	95.71%
	Neris	97.16%	98.04%	96.24%	97.13%
2-way 5-shot	Zeus	93.45%	96.76%	89.90%	93.21%
	Rbot	99.13%	99.19%	99.07%	99.13%
	Virut	97.46%	96.97%	97.99%	97.47%

[1]	Qiang LIU, Pengfei LI, Zhangjie FU. Secure controlling method for scalable botnets [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 42-55.
[2]	Shize GUO, Fan ZHANG, Zhuoxue SONG, Ziming ZHAO, Xinjie ZHAO, Xiaojuan WANG, Xiangyang LUO. Detection of SSL/TLS protocol attacks based on flow spectrum theory [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 30-40.
[3]	Xinyu ZHANG, Bingsheng ZHANG, Quanrun MENG, Kui REN. Study on privacy preserving encrypted traffic detection [J]. Chinese Journal of Network and Information Security, 2021, 7(4): 101-113.
[4]	Hao ZHAO, Hui SHU, Fei KANG, Ying XING. High resistance botnet based on smart contract [J]. Chinese Journal of Network and Information Security, 2021, 7(4): 30-41.
[5]	Mingfang ZHAI,Xingming ZHANG,Bo ZHAO. Survey of encrypted malicious traffic detection based on deep learning [J]. Chinese Journal of Network and Information Security, 2020, 6(3): 66-77.
[6]	Yuquan JIN, Bin XIE, Yi ZHU. Method of botnet network nodes detection base on communication similarity [J]. Chinese Journal of Network and Information Security, 2018, 4(10): 31-38.
[7]	Ya-liang CHEN,Qin-yun DAI,Hai-yan WU,Zheng WEI. Research on the reverse analyses and monitoring data of Mirai malware botnet [J]. Chinese Journal of Network and Information Security, 2017, 3(8): 35-43.

CTU数据类型	2-way 1-shot				2-way 5-shot
CTU数据类型	准确率	精确率	召回率	F1值	准确率	精确率	召回率	F1值
Zeus	91.33%	91.81%	90.77%	91.28%	96.62%	97.98%	95.20%	96.57%
Neris	86.40%	87.63%	84.77%	86.17%	95.57%	94.14%	88.37%	91.16%
Virut	90.85%	91.90%	89.60%	90.73%	95.30%	96.13%	94.40%	95.26%
Rbot	94.83%	93.95%	95.83%	94.88%	91.43%	94.70%	96.53%	95.61%

ISOT数据类型	2-way 1-shot				2-way 5-shot
ISOT数据类型	准确率	精确率	召回率	F1值	准确率	精确率	召回率	F1值
Storm	84.43%	85.93%	82.33%	84.09%	89.26%	87.67%	91.38%	89.48%
Walecdac	84.36%	86.17%	81.86%	83.96%	88.33%	88.96%	87.52%	88.24%
Zyklon	87.69%	86.90%	88.76%	87.82%	92.79%	90.60%	95.48%	92.97%
Blackout	90.76%	90.04%	91.67%	90.84%	95.12%	94.88%	95.38%	95.13%
Citadel	90.36%	91.16%	89.38%	90.26%	95.07%	95.40%	94.71%	95.05%