Journal on Communications ›› 2021, Vol. 42 ›› Issue (7): 95-106. doi: 10.11959/j.issn.1000-436x.2021082
Futai ZOU, Yue TAN, Lin WANG, Yongkang JIANG
Revised:
2020-12-20
Online:
2021-07-25
Published:
2021-07-01
About the author:
Futai ZOU (born 1973), male, from Anfu, Jiangxi; Ph.D.; senior engineer at Shanghai Jiao Tong University. His main research interests are network threat awareness and network attack and defense techniques.
Abstract:
To address the strong stealthiness of botnets and the resulting difficulty of identifying them, and to improve botnet detection accuracy, a botnet detection method based on generative adversarial networks (GAN) is proposed. First, the packets in botnet traffic are reassembled into flows, and flow statistical features in the time dimension and flow image features in the spatial dimension are extracted separately. Then, a GAN-based botnet traffic feature generation algorithm produces botnet feature samples in both dimensions. Finally, drawing on the application of deep learning to the botnet detection scenario, a DCGAN-based botnet detection model and a BiLSTM-GAN-based botnet detection model are proposed. Experiments show that the proposed models improve both botnet detection capability and generalization.
Futai ZOU, Yue TAN, Lin WANG, Yongkang JIANG. Botnet detection based on generative adversarial network[J]. Journal on Communications, 2021, 42(7): 95-106.
Table 1 Flow statistical features

| Feature | Meaning | Type |
| --- | --- | --- |
| Protocol | Transport-layer protocol | Basic feature |
| Duration | Flow duration | Anomalous-behavior feature |
| Reconnect | Number of reconnections | Anomalous-behavior feature |
| PX | Number of packets exchanged | Anomalous-behavior feature |
| IOPR | Number of incoming packets / number of outgoing packets | Anomalous-behavior feature |
| NNP | Number of empty packets exchanged | Anomalous-behavior feature |
| NSP | Number of small packets exchanged | Anomalous-behavior feature |
| PSP | Percentage of small packets exchanged | Anomalous-behavior feature |
| FPS | Length of the first packet | Anomalous-behavior feature |
| TBT | Total bytes | Flow-similarity feature |
| APL | Average packet length | Flow-similarity feature |
| DPL | Number of packets of the same length / total number of packets | Flow-similarity feature |
| PV | Standard deviation of packet length | Flow-similarity feature |
| BS | Average bits per second | Flow-similarity feature |
| PPS | Average packets per second | Flow-similarity feature |
| AIT | Average packet inter-arrival time | Flow-similarity feature |
Table 2 Botnet composition of the ISCX botnet dataset

| Botnet | Type | Training set | Test set |
| --- | --- | --- | --- |
| Neris | IRC | √ (12%) | √ (5.67%) |
| Rbot | IRC | √ (22%) | √ (0.018%) |
| Menti | IRC | × | √ (0.62%) |
| Sogou | HTTP | × | √ (0.019%) |
| Murlo | IRC | × | √ (1.06%) |
| Virut | HTTP | √ (0.94%) | √ (12.8%) |
| NSIS | P2P | √ (2.48%) | √ (0.165%) |
| Zenus | P2P | √ (0.01%) | √ (0.109%) |
| SMTP Spam | P2P | √ (6.48%) | √ (4.72%) |
| UDP Storm | P2P | × | √ (9.63%) |
| Tbot | IRC | × | √ (0.283%) |
| Zero Access | P2P | × | √ (0.221%) |
| Weasal | P2P | × | √ (9.25%) |
| Smoke Bot | P2P | × | √ (0.017%) |
| Zenus control (C&C) | P2P | √ (0.01%) | √ (0.006%) |
| ISCX IRC bot | P2P | × | √ (0.387%) |
Table 7 Ablation experiment of the BiLSTM-GAN model

| Features | Accuracy | Precision | Recall | F1 score |
| --- | --- | --- | --- | --- |
| Basic features | 0.7473 | 0.7341 | 0.6947 | 0.7040 |
| Anomalous-behavior features | 0.7439 | 0.7376 | 0.6769 | 0.6867 |
| Flow-similarity features | 0.8544 | 0.8402 | 0.8583 | 0.8464 |
| Basic & anomalous-behavior features | 0.7411 | 0.7265 | 0.6860 | 0.6950 |
| Basic & flow-similarity features | 0.8623 | 0.8477 | 0.8575 | 0.8520 |
| Anomalous-behavior & flow-similarity features | 0.8520 | 0.8370 | 0.8497 | 0.8421 |
| All features | 0.8551 | 0.9155 | 0.8238 | 0.8672 |