基于对比增量学习的细粒度恶意流量分类方法

doi:10.11959/j.issn.1000-436x.2023068

通信学报 ›› 2023, Vol. 44 ›› Issue (3): 1-11.doi: 10.11959/j.issn.1000-436x.2023068

• 学术论文 • 下一篇

基于对比增量学习的细粒度恶意流量分类方法

王一丰¹, 郭渊博¹, 陈庆礼¹, 方晨¹, 林韧昊², 周永良¹, 马佳利¹

¹ 信息工程大学密码工程学院，河南郑州 450001
² 郑州大学计算机与人工智能学院，河南郑州 450001

修回日期:2023-01-18 出版日期:2023-03-25 发布日期:2023-03-01
作者简介:王一丰（1994- ），男，江苏泰兴人，信息工程大学博士生，主要研究方向为零样本学习、网络安全和入侵检测
郭渊博（1975- ），男，陕西周至人，博士，信息工程大学教授、博士生导师，主要研究方向为大数据安全、态势感知
陈庆礼（1998- ），男，河南新乡人，信息工程大学硕士生，主要研究方向为人工智能安全
方晨（1993- ），男，安徽宿松人，博士，信息工程大学讲师，主要研究方向为机器学习、隐私安全
林韧昊（1993- ），男，河南郑州人，郑州大学博士生，主要研究方向为深度学习、稳健性验证和网络安全等
周永良（1983- ），男，河北衡水人，信息工程大学工程师，主要研究方向为网络信息安全、信息化通信技术保障
马佳利（1996- ），男，福建福清人，信息工程大学博士生，主要研究方向为数字孪生、网络安全
基金资助:
国家自然科学基金资助项目(62276091);河南省重大公益专项基金资助项目(201300311200)

Method based on contrastive incremental learning for fine-grained malicious traffic classification

Yifeng WANG¹, Yuanbo GUO¹, Qingli CHEN¹, Chen FANG¹, Renhao LIN², Yongliang ZHOU¹, Jiali MA¹

¹ Cryptography Engineering Institute, Information Engineering University, Zhengzhou 450001, China
² College of Computer and Artificial Intelligence, Zhengzhou University, Zhengzhou 450001, China

Revised:2023-01-18 Online:2023-03-25 Published:2023-03-01
Supported by:
The National Natural Science Foundation of China(62276091);Major Public Welfare Project of Henan Province(201300311200)

摘要/Abstract

摘要：

为应对层出不穷的新型网络威胁，提出了一种基于对比增量学习的细粒度恶意流量识别方法。所提方法基于变分自编码器和极值理论，在对已知类、小样本类和未知类流量实现高性能检测的同时，还可以在不采用大量原任务样本的条件下快速实现对新增恶意类的识别，以满足增量学习场景下对存储成本和训练时间的要求。具体来说，模型将对比学习融入变分自编码器的编码阶段，并采用A-Softmax实现对已知类和小样本类的识别；将变分自编码器重构与极值理论结合，采用重构误差实现对未知类的识别；利用变分自编码器存储原有类知识，采用样本重构和知识蒸馏方法，在不采用大量原有类样本的条件下实现对所有类样本的识别。实验结果表明，所提方法不仅实现了对已知类、小样本类和未知类流量高性能检测，并且所设计的样本重构和知识蒸馏模块均可有效降低增量学习场景下对原有类知识的遗忘速度。

关键词: 网络流量分类, 变分自编码器, 增量学习, 对比学习

Abstract:

In order to protect against continuously emerging unknown threats, a new method based on contrastive incremental learning for fine-grained malicious traffic classification was proposed.The proposed method was based on variational auto-encoder (VAE) and extreme value theory (EVT), and the high accuracy could be achieved in known, few-shot and unknown malicious classes and new classes were also identified without using a large number of old task samples, which met the demand of storage and time cost in incremental learning scenarios.Specifically, the contrastive learning was integrated into the encoder of VAE, and the A-Softmax was used for known and few-shot malicious traffic classification, EVT and the decoder of VAE were used for unknown malicious traffic recognition, all classes could be recognized without a lot of old samples when learning new tasks by using VAE reconstruction and knowledge distillation methods.Experimental results indicate that the proposed method is efficient in known, few-shot and unknown malicious classes, and has greatly reduced the forgetting speed of old knowledge in incremental learning scenarios.

Key words: network traffic classification, variational auto-encoder, incremental learning, contrastive learning

中图分类号:

TP393

王一丰, 郭渊博, 陈庆礼, 方晨, 林韧昊, 周永良, 马佳利. 基于对比增量学习的细粒度恶意流量分类方法[J]. 通信学报, 2023, 44(3): 1-11.

Yifeng WANG, Yuanbo GUO, Qingli CHEN, Chen FANG, Renhao LIN, Yongliang ZHOU, Jiali MA. Method based on contrastive incremental learning for fine-grained malicious traffic classification[J]. Journal on Communications, 2023, 44(3): 1-11.

图/表 7

图1

图2

表1

表2

图3

图4

图5

参考文献 8

[9]	LECUN Y , BENGIO Y , HINTON G . Deep learning[J]. Nature, 2015,521(7553): 436-444.
[10]	HADSELL R , CHOPRA S , LECUN Y . Dimensionality reduction by learning an invariant mapping[C]// Proceedings of 2006 IEEE Computer Society Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2006: 1735-1742.
[11]	HINTON G , VINYALS O , DEAN J . Distilling the knowledge in a neural network[J]. arXiv Preprint,arXiv:1503.02531, 2015.
[12]	王一丰, 郭渊博, 陈庆礼 ,等. 基于对比学习的细粒度未知恶意流量分类方法[J]. 通信学报, 2022,43(10): 12-25.
	WANG Y F , GUO Y B , GHEN Q L ,et al. Method based on contrastive learning for fine-grained unknown malicious traffic classification[J]. Journal on Communications, 2022,43(10): 12-25.
[13]	KINGMA D P , WELLING M . Auto-encoding variational Bayes[J]. arXiv Preprint,arXiv:1312.6114, 2013.
[14]	LIU W Y , WEN Y D , YU Z D ,et al. SphereFace:deep hypersphere embedding for face recognition[C]// Proceedings of 2017 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2017: 6738-6746.
[15]	HAAN L D , FERREIRA A . Extreme value theory:an introduction[M]. New York: Springer, 2006.
[16]	DONG B , WANG X . Comparison deep learning method to traditional methods using for network intrusion detection[C]// Proceedings of 2016 8th IEEE International Conference on Communication Software and Networks. Piscataway:IEEE Press, 2016: 581-585.
[17]	CRUZ S , COLEMAN C , RUDD E M ,et al. Open set intrusion recognition for fine-grained attack categorization[C]// Proceedings of 2017 IEEE International Symposium on Technologies for Homeland Security. Piscataway:IEEE Press, 2017: 1-6.
[18]	HENRYDOSS J , CRUZ S , RUDD E M ,et al. Incremental open set intrusion recognition using extreme value machine[C]// Proceedings of 2017 16th IEEE International Conference on Machine Learning and Applications. Piscataway:IEEE Press, 2018: 1089-1093.
[19]	MALLYA A , LAZEBNIK S . PackNet:adding multiple tasks to a single network by iterative pruning[C]// Proceedings of IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2018: 7765-7773.
[1]	SOYSAL M , SCHMIDT E G . Machine learning algorithms for accurate flow-based network traffic classification:evaluation and comparison[J]. Performance Evaluation, 2010,67(6): 451-467.
[2]	DUSI M , GRINGOLI F , SALGARELLI L . Quantifying the accuracy of the ground truth associated with Internet traffic traces[J]. Computer Networks, 2011,55(5): 1158-1167.
[20]	LI Z Z , HOIEM D . Learning without forgetting[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2018,40(12): 2935-2947.
[21]	RANNEN A , ALJUNDI R , BLASCHKO M B ,et al. Encoder based lifelong learning[C]// Proceedings of IEEE International Conference on Computer Vision. Piscataway:IEEE Press, 2017: 1329-1337.
[3]	陈明豪, 祝跃飞, 芦斌 ,等. 基于attention-CNN的加密流量应用类型识别[J]. 计算机科学, 2021,48(4): 325-332.
	CHEN M H , ZHU Y F , LU B ,et al. Classification of application type of encrypted traffic based on attention-CNN[J]. Computer Science, 2021,48(4): 325-332.
[22]	ZHANG J T , ZHANG J , GHOSH S ,et al. Class-incremental learning via deep model consolidation[C]// Proceedings of IEEE Winter Conference on Applications of Computer Vision. Piscataway:IEEE Press, 2020: 1120-1129.
[23]	REBUFFI S A , KOLESNIKOV A , SPERL G ,et al. ICARL:incremental classifier and representation learning[C]// Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2017: 2001-2010.
[4]	TING C , FIELD R , FISHER A ,et al. Compression analytics for classification and anomaly detection within network communication[J]. IEEE Transactions on Information Forensics and Security, 2019,14(5): 1366-1376.
[5]	YANG J , CHEN X , CHEN S W ,et al. Conditional variational auto-encoder and extreme value theory aided two-stage learning approach for intelligent fine-grained known/unknown intrusion detection[J]. IEEE Transactions on Information Forensics and Security, 2021,16: 3538-3553.
[24]	ROLNICK D , AHUJA A , SCHWARZ J ,et al. Experience replay for continual learning[C]// Proceedings of the 33rd International Conference on Neural Information Processing Systems. Massachusetts:MIT Press, 2019: 350-360.
[25]	SOHN K , . Improved deep metric learning with multi-class n-pair loss objective[C]// Proceedings of International Conference on Neural Information Processing Systems. Massachusetts:MIT Press, 2016:29.
[6]	CASTRO F M , MARíN-JIMéNEZ M J , GUIL N ,et al. End-to-end incremental learning[C]// Proceedings of the European Conference on Computer Vision. New York:ACM Press, 2018: 233-248.
[7]	LANGE D M , ALJUNDI R , MASANA M ,et al. A continual learning survey:defying forgetting in classification tasks[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022,44(7): 3366-3385.
[26]	CHEN T , KORNBLITH S , NOROUZI M ,et al. A simple framework for contrastive learning of visual representations[C]// Proceedings of International Conference on Machine Learning. New York:PMLR, 2020: 1597-1607.
[27]	HE K M , FAN H Q , WU Y X ,et al. Momentum contrast for unsupervised visual representation learning[C]// Proceedings of 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2020: 9726-9735.
[28]	HU Q J , WANG X , HU W ,et al. AdCo:adversarial contrast for efficient learning of unsupervised representations from self-trained negative adversaries[C]// Proceedings of 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2021: 1074-1083.
[29]	LASHKARI A H , DRAPERGIL G , MAMUN M S I ,et al. Characterization of ToR traffic using time-based features[C]// Proceedings of 3rd International Conference on Information Systems Security and Privacy. New York:ACM Press, 2017: 253-262.
[30]	DOERSCH C . Tutorial on variational autoencoders[J]. arXiv Preprint,arXiv:1606.05908, 2016.
[31]	HIGGINS I , MATTHEY L , PAL A ,et al. Beta-VAE:learning basic visual concepts with a constrained variational frame-work[C]// Proceedings of International Conference on Learning Representations.[S.l.:s.n.], 2017: 1-22.
[32]	OORD V D A , LI Y , VINYALS O . Representation learning with contrastive predictive coding[J]. arXiv Preprint,arXiv:1807.03748, 2018.
[33]	TAVALLAEE M , BAGHERI E , LU W ,et al. A detailed analysis of the KDD CUP 99 data set[C]// Proceedings of 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications. Piscataway:IEEE Press, 2009: 1-6.
[8]	BUKCHIN G , SCHWARTZ E , SAENKO K ,et al. Fine-grained angular contrastive learning with coarse labels[C]// Proceedings of 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway:IEEE Press, 2021: 8726-8736.

粗粒度类	细粒度类	训练集数量	测试集数量
良性	benign	67 343	9 711
	apache2	0	737
	back	956	359
	land	18	7
	neptune	41 214	4 657
DoS	mailbomb	0	293
	pod	201	41
	processtable	0	685
	smurf	2 646	665
	teardrop	892	12
	udpstorm	0	2
	ipsweep	3 599	141
	mscan	0	996
Probe	nmap	1 493	73
	portsweep	2 931	157
	saint	0	319
	satan	3 633	735
	buffer_overflow	30	20
	httptunnel	0	133
	loadmodule	9	2
U2R	perl	3	2
	ps	0	15
	xterm	0	13
	rootkit	10	13
	sqlattack	0	2
	worm	0	2
	ftp_write	8	3
	guess_passwd	53	1 231
	imap	11	1
	multihop	7	18
	named	0	17
	phf	4	2
R2L	sendmail	0	14
	snmpgetattack	0	178
	snmpguess	0	331
	spy	2	0
	warezclient	890	0
	warezmaster	20	944
	xsnoop	0	4
	xlock	0	9

方法	良性类			大样本已知类			小样本已知类
方法	精度	召回率	F₁值	精度	召回率	F₁值	精度	召回率	F₁值
随机森林	0.817	0.954	0.88	0.829	0.780	0.705	0	0	0
MLP	0.758	0.882	0.815	0.533	0.895	0.628	0.376	0.232	0.244
CVAE-EVT	0.871	0.866	0.868	0.561	0.959	0.708	0.348	0.364	0.289
对比CVAE	0.876	0.903	0.890	0.581	0.960	0.723	0.410	0.567	0.476
所提方法	0.941	0.909	0.925	0.714	0.986	0.793	0.342	0.676	0.410
无对比学习的方法	0.931	0.653	0.768	0.599	0.993	0.702	0.302	0.587	0.329
无A-Softmax的方法	0.927	0.871	0.898	0.664	0.956	0.747	0.306	0.445	0.288

基于对比增量学习的细粒度恶意流量分类方法

Method based on contrastive incremental learning for fine-grained malicious traffic classification

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 8

相关文章 6

Metrics

推荐阅读 0

[1]	陈晋音, 熊海洋, 马浩男, 郑雅羽. 基于对比学习的图神经网络后门攻击防御方法[J]. 通信学报, 2023, 44(4): 154-166.
[2]	霍纬纲, 梁锐, 李永华. 基于随机Transformer的多维时间序列异常检测模型[J]. 通信学报, 2023, 44(2): 94-103.
[3]	王延文, 雷为民, 张伟, 孟欢, 陈新怡, 叶文慧, 景庆阳. 基于生成模型的视频图像重建方法综述[J]. 通信学报, 2022, 43(9): 194-208.
[4]	段雪源, 付钰, 王坤. 基于VAE-WGAN的多维时间序列异常检测方法[J]. 通信学报, 2022, 43(3): 1-13.
[5]	王一丰, 郭渊博, 陈庆礼, 方晨, 林韧昊. 基于对比学习的细粒度未知恶意流量分类方法[J]. 通信学报, 2022, 43(10): 12-25.
[6]	胡永进,郭渊博,马骏,张晗,毛秀青. 基于对抗样本的网络欺骗流量生成方法[J]. 通信学报, 2020, 41(9): 59-70.