Chinese Journal of Network and Information Security ›› 2023, Vol. 9 ›› Issue (5): 33-47.doi: 10.11959/j.issn.2096-109x.2023076
Honggang LIN1,2, Junjing ZHU1,2, Lin CHEN3
Revised: 2023-04-28
Online: 2023-10-01
Published: 2023-10-01
Honggang LIN, Junjing ZHU, Lin CHEN. Metric-based learning approach to botnet detection with small samples[J]. Chinese Journal of Network and Information Security, 2023, 9(5): 33-47.
Experimental setup:

| Experiment category | Detection type | Specific setting |
|---|---|---|
| Small-sample method comparison | Known-type samples | FC-Net-based method [ |
| | | Prototypical-network-based method [ |
| | | Siamese-network-based method [ |
| | | BT-RN |
| Deep learning method comparison | Known-type samples | CNN-based method [ |
| | | LSTM-based method [ |
| | | LSTM_CNN-based method [ |
| | | BiLSTM_CNN-based method [ |
| | | ViT-based method [ |
| | | CoAtNet-based method [ |
| | | BT-RN |
| Generalization ability test | Homologous unknown-type samples | 1) All samples from the ISOT dataset |
| | | 2) All samples from the CTU dataset |
| | Heterologous unknown-type samples | 1) Train on the ISOT dataset, test on the CTU dataset |
| | | 2) Train on the CTU dataset, test on the ISOT dataset |
MACC comparison with small-sample methods under the 2-way 1-shot and 2-way 5-shot settings:

| Sample source | Data type | 1-shot FC-net [ | 1-shot Siamese network [ | 1-shot Prototypical network [ | 1-shot BT-RN | 5-shot FC-net [ | 5-shot Siamese network [ | 5-shot Prototypical network [ | 5-shot BT-RN |
|---|---|---|---|---|---|---|---|---|---|
| CTU dataset | Neris | 86.67% | 76.13% | 88.21% | 91.81% | 89.16% | 94.39% | 95.82% | 96.09% |
| | Zeus | 89.23% | 78.34% | 91.69% | 94.47% | 96.37% | 88.28% | 98.46% | 99.63% |
| | Rbot | 97.90% | 91.61% | 99.02% | 99.25% | 98.74% | 98.40% | 99.53% | 99.74% |
| | Virut | 92.95% | 75.73% | 85.21% | 90.26% | 98.28% | 97.77% | 96.14% | 97.22% |
| | Avg | 93.36% | 80.45% | 91.03% | 93.95% | 95.64% | 94.71% | 97.49% | 98.20% |
| ISOT dataset | Citadel | 93.50% | 92.78% | 87.92% | 95.03% | 97.30% | 97.24% | 97.86% | 98.61% |
| | Blackout | 91.87% | 88.70% | 84.16% | 92.44% | 93.55% | 93.17% | 98.02% | 98.50% |
| | Storm | 78.65% | 80.22% | 78.81% | 85.01% | 82.32% | 97.00% | 98.96% | 99.46% |
| | Walecdac | 82.88% | 79.21% | 94.13% | 94.77% | 93.66% | 95.78% | 98.79% | 98.12% |
| | Zyklon | 94.93% | 94.41% | 97.43% | 98.74% | 97.60% | 91.45% | 99.31% | 99.64% |
| | Avg | 88.37% | 87.07% | 88.49% | 93.20% | 92.89% | 94.93% | 98.59% | 98.87% |
MACC comparison with deep learning methods by number of training samples (all values are MACC):

| Sample source | Number of samples | ViT [ | CoAtNet [ | LSTM [ | CNN [ | LSTM_CNN [ | BiLSTM_CNN [ | BT-RN |
|---|---|---|---|---|---|---|---|---|
| ISOT dataset | 400 | 64.63% | 56.49% | 64.86% | 63.52% | 60.15% | 67.48% | 93.20% (1-shot) |
| | 2000 | 65.27% | 62.63% | 65.63% | 76.82% | 70.92% | 68.82% | 98.87% (5-shot) |
| CTU dataset | 400 | 57.37% | 58.02% | 68.63% | 77.45% | 76.92% | 72.31% | 93.95% (1-shot) |
| | 2000 | 59.18% | 68.65% | 62.63% | 79.75% | 79.85% | 75.20% | 98.20% (5-shot) |
Per-type results on the ISOT dataset by problem setting (accuracy, precision, recall, F1):

| Problem setting | ISOT data type | Accuracy | Precision | Recall | F1 |
|---|---|---|---|---|---|
| 2-way 1-shot | Blackout | 95.79% | 96.37% | 95.17% | 95.77% |
| | Citadel | 97.50% | 96.61% | 98.44% | 97.52% |
| | Storm | 90.97% | 92.28% | 89.42% | 90.83% |
| | Walecdac | 96.71% | 96.89% | 96.52% | 96.70% |
| | Zyklon | 97.71% | 96.98% | 98.49% | 97.73% |
| 2-way 5-shot | Blackout | 98.23% | 97.11% | 99.41% | 98.25% |
| | Citadel | 99.06% | 99.22% | 98.89% | 99.05% |
| | Storm | 99.24% | 99.48% | 99.01% | 99.24% |
| | Walecdac | 99.32% | 99.07% | 99.58% | 99.32% |
| | Zyklon | 98.06% | 97.61% | 98.53% | 98.07% |
Per-type results on the CTU dataset by problem setting (accuracy, precision, recall, F1):

| Problem setting | CTU data type | Accuracy | Precision | Recall | F1 |
|---|---|---|---|---|---|
| 2-way 1-shot | Neris | 93.92% | 92.90% | 95.10% | 93.99% |
| | Zeus | 89.16% | 90.99% | 86.93% | 88.91% |
| | Rbot | 94.03% | 92.01% | 96.44% | 94.17% |
| | Virut | 95.68% | 95.10% | 96.33% | 95.71% |
| 2-way 5-shot | Neris | 97.16% | 98.04% | 96.24% | 97.13% |
| | Zeus | 93.45% | 96.76% | 89.90% | 93.21% |
| | Rbot | 99.13% | 99.19% | 99.07% | 99.13% |
| | Virut | 97.46% | 96.97% | 97.99% | 97.47% |
Per-type results on the CTU dataset under 2-way 1-shot and 2-way 5-shot (accuracy, precision, recall, F1):

| CTU data type | 1-shot Accuracy | 1-shot Precision | 1-shot Recall | 1-shot F1 | 5-shot Accuracy | 5-shot Precision | 5-shot Recall | 5-shot F1 |
|---|---|---|---|---|---|---|---|---|
| Zeus | 91.33% | 91.81% | 90.77% | 91.28% | 96.62% | 97.98% | 95.20% | 96.57% |
| Neris | 86.40% | 87.63% | 84.77% | 86.17% | 95.57% | 94.14% | 88.37% | 91.16% |
| Virut | 90.85% | 91.90% | 89.60% | 90.73% | 95.30% | 96.13% | 94.40% | 95.26% |
| Rbot | 94.83% | 93.95% | 95.83% | 94.88% | 91.43% | 94.70% | 96.53% | 95.61% |
Per-type results on the ISOT dataset under 2-way 1-shot and 2-way 5-shot (accuracy, precision, recall, F1):

| ISOT data type | 1-shot Accuracy | 1-shot Precision | 1-shot Recall | 1-shot F1 | 5-shot Accuracy | 5-shot Precision | 5-shot Recall | 5-shot F1 |
|---|---|---|---|---|---|---|---|---|
| Storm | 84.43% | 85.93% | 82.33% | 84.09% | 89.26% | 87.67% | 91.38% | 89.48% |
| Walecdac | 84.36% | 86.17% | 81.86% | 83.96% | 88.33% | 88.96% | 87.52% | 88.24% |
| Zyklon | 87.69% | 86.90% | 88.76% | 87.82% | 92.79% | 90.60% | 95.48% | 92.97% |
| Blackout | 90.76% | 90.04% | 91.67% | 90.84% | 95.12% | 94.88% | 95.38% | 95.13% |
| Citadel | 90.36% | 91.16% | 89.38% | 90.26% | 95.07% | 95.40% | 94.71% | 95.05% |
References:

[1] National Computer Network Emergency Response Technology Processing Coordination Center (CNCERT/CC). CNCERT Internet security threat report[R]. 2021-8.
[2] National Computer Network Emergency Response Technology Processing Coordination Center (CNCERT/CC). 2020 China Internet network security report[R]. 2021-7.
[3] XING Y, SHU H, ZHAO H, et al. Survey on botnet detection techniques: classification, methods, and evaluation[J]. Mathematical Problems in Engineering, 2021, 2021: 1-24.
[4] GARG S, GUIZANI M, GUO S, et al. Guest editorial: special section on AI-driven developments in 5G-envisioned industrial automation: big data perspective[J]. IEEE Transactions on Industrial Informatics, 2019, PP(33): 1.
[5] WANG X, YANG Q, JIN X. Periodic communication detection algorithm of botnet based on quantum computing[J]. Chinese Journal of Quantum Electronics, 2016, 33(2): 182-187.
[6] SPATHOULAS G, GIACHOUDIS N, DAMIRIS G-P, et al. Collaborative blockchain-based detection of distributed denial of service attacks based on internet of things botnets[J]. Future Internet, 2019, 11(11): 226.
[7] LASHKARI A H, GIL G D, KEENAN J E, et al. A survey leading to a new evaluation framework for network-based botnet detection[C]// International Conference. 2017: 59-66.
[8] WANG J, CHEN Y. Botnet detection method based on permutation entropy and clustering variance[C]// The 2017 3rd International Symposium on Mechatronics and Industrial Informatics (ISMII 2017). 2017: 161-166.
[9] BILGE L, BALZAROTTI D, ROBERTSON W, et al. Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis[C]// Proceedings of the 28th Annual Computer Security Applications Conference. 2012: 129-138.
[10] JIN Y Q, XIE B, ZHU Y. Method of botnet network nodes detection base on communication similarity[J]. Chinese Journal of Network and Information Security, 2018, 4(10): 31-38.
[11] JUNG W, ZHAO H, SUN M, et al. IoT botnet detection via power consumption modeling[J]. Smart Health, 2020, 15: 100103.
[12] WANG W, ZHU M, ZENG X, et al. Malware traffic classification using convolutional neural network for representation learning[C]// 2017 International Conference on Information Networking (ICOIN). 2017: 712-717.
[13] YIN C L, ZHU Y F, ZHANG H T. Deep learning approach for botnet detection using LSTM[J]. Journal of Information Engineering University, 2018, 19(94): 76-82.
[14] LUO F H, ZHANG A X. Botnet detection technology based on deep learning[J]. Communications Technology, 2020, 53(1): 174-179.
[15] TAN Y, ZOU F T. Botnet detection method based on BiLSTM and ResNet[J]. Communications Technology, 2019, 52(12): 7.
[16] YERIMA S Y, ALZAYLAEE M K, SHAJAN A. Deep learning techniques for Android botnet detection[J]. Electronics, 2021, 10(4): 519.
[17] OLASEHINDE O, JOHNSON O V, CATHERINE O O. Evaluation of selected meta learning algorithms for the prediction improvement of network intrusion detection system[C]// 2020 International Conference in Mathematics, Computer Engineering and Computer Science (ICMCECS). 2020.
[18] XU C, SHEN J, DU X. A method of few-shot network intrusion detection based on meta-learning framework[J]. IEEE Transactions on Information Forensics and Security, 2020(99): 1.
[19] TANG Z, WANG P, WANG J. ConvProtoNet: deep prototype induction towards better class representation for few-shot malware classification[J]. Applied Sciences, 2020, 10(8): 2847.
[20] PAN J. IoT network behavioral fingerprint inference with limited network traces for cyber investigation[C]// 2021 International Conference on Artificial Intelligence in Information and Communication (ICAIIC). 2021: 263-268.
[21] HINDY H, TACHTATZIS C, ATKINSON R, et al. Developing a Siamese network for intrusion detection systems[C]// Proceedings of the 1st Workshop on Machine Learning and Systems. 2021: 120-126.
[22] TIANYU G, ZHIYUAN L, MAOSONG S, et al. Hybrid attention-based prototypical networks for noisy few-shot relation classification[C]// The AAAI Conference on Artificial Intelligence. 2019: 6407-6414.
[23] AMIR E, DAVID E, MASSOUD P, et al. A meta-learning approach for custom model training[C]// The AAAI Conference on Artificial Intelligence. 2019: 9937-9938.
[24] YANG A, LU C, LI J, et al. Application of meta-learning in cyberspace security: a survey[J]. Digital Communications and Networks, 2022, 9(1): 67-78.
[25] HOSPEDALES T M, ANTONIOU A, MICAELLI P, et al. Meta-learning in neural networks: a survey[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2021, 44(9): 5149-5169.
[26] WOO S, PARK J, LEE J Y, et al. CBAM: convolutional block attention module[C]// Proceedings of the European Conference on Computer Vision (ECCV). 2018: 3-19.
[27] HE K, ZHANG X, REN S, et al. Deep residual learning for image recognition[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2016: 770-778.
[28] SZEGEDY C, LIU W, JIA Y, et al. Going deeper with convolutions[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2015: 1-9.
[29] ZOU Y, ZHANG L, LIU C, et al. Super-resolution reconstruction of infrared images based on a convolutional neural network with skip connections[J]. Optics and Lasers in Engineering, 2021, 146: 106717.
[30] SUNG F, YANG Y, ZHANG L, et al. Learning to compare: relation network for few-shot learning[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. 2018: 1199-1208.
[31] VINYALS O, BLUNDELL C, LILLICRAP T, et al. Matching networks for one shot learning[J]. Advances in Neural Information Processing Systems, 2016: 3637-3645.
[32] SNELL J, SWERSKY K, ZEMEL R. Prototypical networks for few-shot learning[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017: 4080-4090.
[33] DOSOVITSKIY A, BEYER L, KOLESNIKOV A, et al. An image is worth 16×16 words: transformers for image recognition at scale[C]// International Conference on Learning Representations. 2021.
[34] DAI Z, LIU H, LE Q V, et al. CoAtNet: marrying convolution and attention for all data sizes[J]. 2021: arXiv.2016.04803.
[35] HUISMAN M, VAN RIJN J N, PLAAT A. A survey of deep meta-learning[J]. 2020: arXiv:2010.03522.