Journal on Communications, 2023, Vol. 44, Issue (3): 1-11. doi: 10.11959/j.issn.1000-436x.2023068

• Academic paper •

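Method based on contrastive incremental learning for fine-grained malicious traffic classification

Yifeng WANG1, Yuanbo GUO1, Qingli CHEN1, Chen FANG1, Renhao LIN2, Yongliang ZHOU1, Jiali MA1

  1 Cryptography Engineering Institute, Information Engineering University, Zhengzhou 450001, China
  2 College of Computer and Artificial Intelligence, Zhengzhou University, Zhengzhou 450001, China
  • Revised: 2023-01-18 Online: 2023-03-25 Published: 2023-03-01
  • About the authors: Yifeng WANG (1994- ), male, born in Taixing, Jiangsu, is a PhD candidate at Information Engineering University. His main research interests are zero-shot learning, network security and intrusion detection.
    Yuanbo GUO (1975- ), male, born in Zhouzhi, Shaanxi, PhD, is a professor and doctoral supervisor at Information Engineering University. His main research interests are big data security and situational awareness.
    Qingli CHEN (1998- ), male, born in Xinxiang, Henan, is a master's student at Information Engineering University. His main research interest is artificial intelligence security.
    Chen FANG (1993- ), male, born in Susong, Anhui, PhD, is a lecturer at Information Engineering University. His main research interests are machine learning and privacy security.
    Renhao LIN (1993- ), male, born in Zhengzhou, Henan, is a PhD candidate at Zhengzhou University. His main research interests include deep learning, robustness verification and network security.
    Yongliang ZHOU (1983- ), male, born in Hengshui, Hebei, is an engineer at Information Engineering University. His main research interests are network information security and information and communication technology support.
    Jiali MA (1996- ), male, born in Fuqing, Fujian, is a PhD candidate at Information Engineering University. His main research interests are digital twins and network security.
  • Supported by:
    The National Natural Science Foundation of China (62276091); Major Public Welfare Project of Henan Province (201300311200)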

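Abstract:

To cope with the endless stream of new network threats, a fine-grained malicious traffic identification method based on contrastive incremental learning is proposed. Built on a variational auto-encoder and extreme value theory, the proposed method achieves high-performance detection of known, few-shot and unknown traffic classes, and can also quickly learn to identify newly added malicious classes without using a large number of samples from the original tasks, which meets the storage cost and training time requirements of incremental learning scenarios. Specifically, the model integrates contrastive learning into the encoding stage of the variational auto-encoder and uses A-Softmax to identify known and few-shot classes; it combines variational auto-encoder reconstruction with extreme value theory and uses the reconstruction error to identify unknown classes; and it uses the variational auto-encoder to store knowledge of the original classes, applying sample reconstruction and knowledge distillation to identify samples of all classes without using a large number of original-class samples. Experimental results show that the proposed method achieves high-performance detection of known, few-shot and unknown traffic classes, and that the designed sample reconstruction and knowledge distillation modules both effectively slow the forgetting of original-class knowledge in incremental learning scenarios.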


Abstract:

To protect against continuously emerging unknown threats, a new method based on contrastive incremental learning for fine-grained malicious traffic classification was proposed. The proposed method is based on a variational auto-encoder (VAE) and extreme value theory (EVT). It achieves high accuracy on known, few-shot and unknown malicious classes, and it also identifies new classes without using a large number of old task samples, which meets the storage and time cost demands of incremental learning scenarios. Specifically, contrastive learning is integrated into the encoder of the VAE, and A-Softmax is used for known and few-shot malicious traffic classification; EVT and the decoder of the VAE are used for unknown malicious traffic recognition; and, by using VAE reconstruction and knowledge distillation, all classes can be recognized without a lot of old samples when learning new tasks. Experimental results indicate that the proposed method is efficient in known, few-shot and unknown malicious classes, and has greatly reduced the forgetting speed of old knowledge in incremental learning scenarios.

Key words: network traffic classification, variational auto-encoder, incremental learning, contrastive learning
