基于多层次特征的RoQ隐蔽攻击无监督检测方法

doi:10.11959/j.issn.1000-436x.2022166

通信学报 ›› 2022, Vol. 43 ›› Issue (9): 224-239.doi: 10.11959/j.issn.1000-436x.2022166

基于多层次特征的RoQ隐蔽攻击无监督检测方法

赵静¹^,², 李俊¹^,², 龙春¹^,², 万巍¹^,², 魏金侠¹^,², 陈凯¹^,²

¹ 中国科学院计算机网络信息中心，北京 100083
² 中国科学院大学计算机科学与技术学院，北京 100049

修回日期:2022-08-12 出版日期:2022-09-25 发布日期:2022-09-01
作者简介:赵静（1987- ），女，甘肃武威人，博士，中国科学院计算机网络信息中心高级工程师，主要研究方向为网络空间安全、信息安全、计算机网络等
李俊（1968- ），男，安徽桐城人，博士，中国科学院计算机网络信息中心副总工程师，主要研究方向为互联网体系结构、人工智能和大数据应用、互联网安全等
龙春（1979- ），男，湖北广水人，博士，中国科学院计算机网络信息中心正高级工程师，主要研究方向为智能动态网络安全保障、安全大数据挖掘与分析、云计算与移动互联网安全事件管控等
万巍（1982- ），男，湖北孝感人，博士，中国科学院计算机网络信息中心高级工程师，主要研究方向为基于人工智能的网络安全异常检测、安全大数据分析等
魏金侠（1987- ），女，河北秦皇岛人，博士，中国科学院计算机网络信息中心高级工程师，主要研究方向为网络安全大数据分析、网络安全威胁智能检测、基于人工智能的高隐蔽性大规模复杂网络攻击等
陈凯（1997- ），男，山东淄博人，中国科学院计算机网络信息中心硕士生，主要研究方向为网络空间安全、网络入侵检测
基金资助:
国家自然科学基金资助项目(61672490);中国科学院基金资助项目(CAS-WX2022GC-04);中国科学院“青年创新促进会”基金资助项目(2022170)

Unsupervised detection method of RoQ covert attacks based on multilayer features

Jing ZHAO¹^,², Jun LI¹^,², Chun LONG¹^,², Wei WAN¹^,², Jinxia WEI¹^,², Kai CHEN¹^,²

¹ Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083, China
² School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049, China

Revised:2022-08-12 Online:2022-09-25 Published:2022-09-01
Supported by:
The National Natural Science Foundation of China(61672490);The Research Program of Chinese Academy of Sciences(CAS-WX2022GC-04);The Research Program of Youth Innovation Promotion Association of CAS(2022170)

摘要/Abstract

摘要：

针对 RoQ 攻击隐藏在海量背景流量中难以识别，且现有样本稀少无法提供大规模学习数据的问题，提出了在极少先验知识条件下基于多层次特征的 RoQ 隐蔽攻击无监督检测方法。首先，考虑到大部分正常流量会对后续结果产生干扰，基于流特征，研究了半监督谱聚类的流量筛选方法，实现被筛除的流量中正常样本比例接近 100%。其次，为了找到隐蔽攻击特征与正常流量之间的微小差异且不依赖于攻击样本，基于时序包特征，构造了基于n-Shapelet子序列的无监督检测模型，使用具有明显辨识度的局部特征来辨别微小差异，从而实现RoQ隐蔽攻击的检测。实验结果表明，在只有少量学习样本的情况下，所提方法与现有方法相比具有较高的精确率和召回率，对规避攻击具有稳健性。

关键词: RoQ隐蔽攻击, 谱聚类, 半监督聚类, Shapelet子序列

Abstract:

To solve the problems that RoQ covert attacks are hidden in overwhelming background traffic and difficult to identify, besides the existing samples are scarce and cannot provide large-scale learning data, an unsupervised detection method of RoQ covert attacks based on multilayer features was proposed under the condition of very little prior knowledge.First, considering that most normal flow might interfere with subsequent results, a classification method based on semi-supervised spectral clustering was studied by flow characteristics, so that the proportion of normal samples in the filtered traffic was close to 100%.Secondly, in order to distinguish the nuance between the hidden attack features and normal flow without relying on the attack samples, an unsupervised detection model based on the n-Shapelet subsequence was constructed by packet characteristics, and the subsequences with obvious difference were used, which enabled detection of RoQ convert attacks.Experimental results demonstrate that with only a small number of learning samples, the proposed method has higher precision and recall rate than existing methods, and is robust to evading attacks.

Key words: RoQ converts attack, spectral clustering, semi-supervised clustering, Shapelet subsequence

中图分类号:

TP18

赵静, 李俊, 龙春, 万巍, 魏金侠, 陈凯. 基于多层次特征的RoQ隐蔽攻击无监督检测方法[J]. 通信学报, 2022, 43(9): 224-239.

Jing ZHAO, Jun LI, Chun LONG, Wei WAN, Jinxia WEI, Kai CHEN. Unsupervised detection method of RoQ covert attacks based on multilayer features[J]. Journal on Communications, 2022, 43(9): 224-239.

图/表 17

图1

表1

表2

表3

表4

图4

图5

表5

表6

表7

不同Shapelet个数的性能表现"

v	P	RI	F1
2	93.26%	89.00%	91.60%
3	$94 . 39 %$	$91 . 33 %$	$93 . 43 %$
4	93.89%	90.83%	93.06%
5	$94 . 74 %$	90.00%	92.31%
6	93.91%	91.00%	93.20%
7	90.25%	80.24%	82.71%
8	$94 . 82 %$	91.00%	93.13%

表7

表8

不同方法在不同数据集上聚类纯度P的性能表现"

数据集	K-means	Autoencoder	Whisper	u-Shapelet	本文方法
Slowheaders	50.00%	85.44%	92.98%	90.79%	$95 . 11 %$
Slowbody2	50.00%	74.23%	93.67%	92.84%	$94 . 51 %$
DoS slowloris	59.56%	82.42%	94.45%	92.80%	94.18%
TCP-Congestion DoS	58.82%	78.47%	90.88%	94.36%	$94 . 39 %$
Router LDoS	50.55%	68.04%	86.67%	$89 . 51 %$	88.71%
混合数据1	60.19%	83.78%	91.78%	92.10%	$92 . 74 %$
混合数据2	55.45%	66.17%	$88 . 87 %$	88.24%	86.96%
隐蔽攻击1	39.36%	76.73%	$87 . 49 %$	83.33%	87.25%

表8

表9

不同方法在不同数据集上兰德系数RI的性能表现"

数据集	K-means	Autoencoder	Whisper	u-Shapelet	本文方法
Slowheaders	45.45%	86.18%	$92 . 52 %$	89.77%	92.24%
Slowbody2	45.45%	75.36%	91.87%	91.70%	$93 . 41 %$
DoS slowloris	57.27%	84.07%	$94 . 23 %$	87.64%	91.73%
TCP-Congestion DoS	55.00%	73.16%	87.82%	$93 . 32 %$	91.33%
Router LDoS	45.91%	65.73%	85.95%	87.59%	$89 . 09 %$
混合数据1	55.45%	85.23%	90.98%	93.25%	$93 . 64 %$
混合数据2	50.45%	65.09%	83.55%	69.09%	$84 . 09 %$
隐蔽攻击1	36.36%	73.14%	85.39%	70.91%	$86 . 20 %$

表9

表10

不同方法在不同数据集上F1值的性能表现"

数据集	K-means	Autoencoder	Whisper	u-Shapelet	本文方法
Slowheaders	50.00%	87.66%	$93 . 16 %$	90.61%	92.70%
Slowbody2	47.37%	78.81%	92.45%	92.35%	$93 . 92 %$
DoS slowloris	61.83%	86.04%	$94 . 72 %$	88.09%	92.26%
TCP-Congestion DoS	58.33%	73.99%	88.55%	$93 . 84 %$	93.43%
Router LDoS	47.92%	69.05%	87.20%	88.50%	$90 . 16 %$
混合数据1	56.52%	86.972%	91.72%	93.93%	$94 . 26 %$
混合数据2	52.83%	69.72%	84.11%	63.83%	$95 . 11 %$
隐蔽攻击1	42.53%	74.73%	86.44%	68.63%	$87 . 37 %$

表10

表11

不同聚类方法的性能表现"

方法	精确率	RI	召回率	F1
方法A	88.98%	88.86%	90.86%	89.90%
方法B	89.15%	89.09%	91.08%	90.11%
方法C	90.69%	91.55%	94.17%	92.40%
本文方法	$92 . 74 %$	$93 . 64 %$	$95 . 83 %$	$94 . 26 %$

表11

图6

表12

图7

参考文献 33

[1]	GUIRGUIS M , THARP J , BESTAVROS A ,et al． Assessment of vulnerability of content adaptation mechanisms to RoQ attacks［C］// Proceedings of the 8th International Conference on Networks． Piscataway:IEEE Press, 2009: 445-450．
[2]	GUIRGUIS M , BESTAVROS A , MATTA I ． Exploiting the transients of adaptation for RoQ attacks on Internet resources［C］// Proceedings of the 12th IEEE International Conference on Network Protocols． Piscataway:IEEE Press, 2004: 184-195．
[3]	LUO X P , CHANG R K C ． On a new class of pulsing denial-of-service attacks and the defense［C］// Proceedings of the NDSS Symposium 2005． Piscataway:IEEE Press, 2005: 1-19．
[4]	GUIRGUIS M , BESTAVROS A , MATTA I ,et al． Reduction of quality (RoQ) attacks on dynamic load balancers:vulnerability assessment and design tradeoffs［C］// Proceedings of the 26th IEEE International Conference on Computer Communications． Piscataway:IEEE Press, 2007: 857-865．
[5]	JAZI H H , GONZALEZ H , STAKHANOVA N ,et al． Detecting HTTP-based application layer DoS attacks on Web servers in the presence of sampling［J］． Computer Networks, 2017,121: 25-36．
[6]	YUE M , WANG M X , WU Z J ． Low-high burst:a double potency varying-RTT based full-buffer shrew attack model［J］． IEEE Transactions on Dependable and Secure Computing, 2019,18(5): 2285-2300．
[7]	VACCARI I , AIELLO M , CAMBIASO E ． SlowITe,a novel denial of service attack affecting MQTT［J］． Sensors, 2020,20(10): 2932．
[8]	MERGET R , SOMOROVSKY J , AVIRAM N ,et al． Scalable scanning and automatic classification of TLS padding oracle vulnerabilities［C］// Proceedings of the 28th USENIX Conference on Security Symposium． Berkeley:USENIX Association, 2019: 1029-1046．
[9]	CHEN Y , HWANG K ． Collaborative detection and filtering of shrew DDoS attacks using spectral analysis［J］． Journal of Parallel and Distributed Computing, 2006,66(9): 1137-1151．
[10]	AGRAWAL N , TAPASWI S ． Low rate cloud DDoS attack defense method based on power spectral density analysis［J］． Information Processing Letters, 2018,138: 44-50．
[11]	吴志军, 裴宝崧．基于小信号检测模型的LDoS攻击检测方法的研究［J］．电子学报, 2011,39(6): 1456-1460．
	WU Z J , PEI B S ． The detection of LDoS attack based on the model of small signal［J］． Acta Electronica Sinica, 2011,39(6): 1456-1460．
[12]	TANG D , CHEN K , CHEN X S ,et al． A new detection method based on AEWMA algorithm for LDoS attacks［J］． Journal of Networks, 1969,9(11): 2981．
[13]	TANG D , DAI R , TANG L ,et al． Low-rate DoS attack detection based on two-step cluster analysis［C］// Information and Communications Security． Berlin:Springer, 2018: 92-104．
[14]	TANG D , DAI R , TANG L ,et al． Low-rate DoS attack detection based on two-step cluster analysis and UTR analysis［J］． Human-Centric Computing and Information Sciences, 2020,10(1): 1-20．
[15]	WU Z J , ZHANG L Y , YUE M ． Low-rate DoS attacks detection based on network multifractal［J］． IEEE Transactions on Dependable and Secure Computing, 2016,13(5): 559-567．
[16]	KOAY A , CHEN A , WELCH I ,et al． A new multi classifier system using entropy-based features in DDoS attack detection［C］// Proceedings of 2018 International Conference on Information Networking (ICOIN)． Piscataway:IEEE Press, 2018: 162-167．
[17]	TANG D , ZHANG S Q , CHEN J W ,et al． The detection of low-rate DoS attacks using the SADBSCAN algorithm［J］． Information Sciences, 2021,565: 229-247．
[18]	TANG D , TANG L , DAI R ,et al． MF-Adaboost:LDoS attack detection based on multi-features and improved Adaboost［J］． Future Generation Computer Systems, 2020,106: 347-359．
[19]	吴志军, 刘亮, 岳猛．基于ANN与KPCA的LDoS攻击检测方法［J］．通信学报, 2018,39(5): 11-22．
	WU Z J , LIU L , YUE M ． Detection method of LDoS attacks based on combination of ANN ＆ KPCA［J］． Journal on Communications, 2018,39(5): 11-22．
[20]	LIU L , WANG H Y , WU Z J ,et al． The detection method of low-rate DoS attack based on multi-feature fusion［J］． Digital Communications and Networks, 2020,6(4): 504-513．
[21]	WANG X , QIAN B Y , DAVIDSON I ． On constrained spectral clustering and its applications［J］． Data Mining and Knowledge Discovery, 2014,28(1): 1-30．
[22]	CHEN F , YU R , LIU W M ． Internet of things attack group identification model combined with spectral clustering［C］// Proceedings of 2021 IEEE 21st International Conference on Communication Technology． Piscataway:IEEE Press, 2021: 778-782．
[23]	YE L X , KEOGH E ． Time series shapelets:a new primitive for data mining［C］// Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining． New York:ACM Press, 2009: 947-956．
[24]	ZAKARIA J , MUEEN A , KEOGH E ． Clustering time series using unsupervised-shapelets［C］// Proceedings of 2012 IEEE 12th International Conference on Data Mining． Piscataway:IEEE Press, 2012: 785-794．
[25]	HILLS J , LINES J , BARANAUSKAS E ,et al． Classification of time series by shapelet transformation［J］． Data Mining and Knowledge Discovery, 2014,28(4): 851-881．
[26]	HU W J , YANG Y , CHENG Z Q ,et al． Time-series event prediction with evolutionary state graph［C］// Proceedings of the 14th ACM International Conference on Web Search and Data Mining． New York:ACM Press, 2021: 580-588．
[27]	MEDICO R , RUYSSINCK J , DESCHRIJVER D ,et al． Learning multivariate shapelets with multi-layer neural networks for interpretable time-series classification［J］． Advances in Data Analysis and Classification, 2021,15(4): 911-936．
[28]	SHARAFALDIN I , LASHKARI A H , HAKAK S ,et al． Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy［C］// Proceedings of 2019 International Carnahan Conference on Security Technology (ICCST)． Piscataway:IEEE Press, 2019: 1-8．
[29]	MONTAZERISHATOORI M , DAVIDSON L , KAUR G ,et al． Detection of DoH tunnels using time-series classification of encrypted traffic［C］// Proceedings of 2020 IEEE International Conference on Dependable,Autonomic and Secure Computing,International Conference on Pervasive Intelligence and Computing,International Conference on Cloud and Big Data Computing,International Conference on Cyber Science and Technology Congress． Piscataway:IEEE Press, 2020: 63-70．
[30]	FENG X W , FU C P , LI Q ,et al． Off-path TCP exploits of the mixed IPID assignment［C］// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security． New York:ACM Press, 2020: 1323-1335．
[31]	ZHANG Q , WU J , ZHANG P ,et al． Salient subsequence learning for time series clustering［J］． IEEE Transactions on Pattern Analysis and Machine Intelligence, 2019,41(9): 2193-2207．
[32]	HINDY H , ATKINSON R , TACHTATZIS C ,et al． Utilising deep learning techniques for effective zero-day attack detection［J］． Electronics, 2020,9(10): 1684．
[33]	FU C P , LI Q , SHEN M ,et al． Realtime robust malicious traffic detection via frequency domain analysis［C］// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security． New York:ACM Press, 2021: 3431-3446．

设备	配置
攻击主机	Windows 10系统，处理器Intel(R) Core (TM)，i7-6700，CPU @ 3.40 GHz，8 GB RAM
正常主机	Windows 10系统，处理器Intel(R) Core (TM)，i7-6498DU，CPU @ 2.50GHz，8 GB RAM
捕获主机	Windows10系统，处理器Intel(R) Core (TM)，i7-9700，CPU @ 3.00 GHz，8 GB RAM，配置Wireshark 流量捕获软件
目标服务器	Apache，Windows Server 7，处理器Intel(R) Core (TM)，i7-6700，CPU @ 3.40GHz，8 GB RAM
图形工作站	Windows 10系统，处理器Intel(R) Xeon(R) Gold 5218， CPU @ 2.30 GHz （2颗），内存128 GB，显卡NVIDIA Quadro RTX 5000

序号	数据集	异常/正常比例		异常/正常比例		协议	描述
序号	数据集	包	流	包	流	协议	描述
1	Slowheaders	1:100	1:40	6728507	3950	HTTP	ISCX-SlowDoS-2016数据集中Slowheaders攻击流量与CIRA-CIC-DoHBrw-2020数据集正常流量的混合
2	WebDoS	1:35	1:10	6852052	4931	HTTP	CIC-DDoS-2019 数据集中 WebDoS 攻击流量与CIRA-CIC-DoHBrw-2020数据集正常流量的混合
3	DoS slowloris	1:20	1:18	9072873	8808	HTTP	ISCX-SlowDoS-2016数据集中Slowbody2攻击流量与CIRA-CIC-DoHBrw-2020数据集正常流量的混合
4	TCP-Congestion DoS	1:129	1:50	6711428	8433	TCP	实验环境中利用TCP拥塞控制机制的攻击流量和真实网络正常流量的混合
5	Router LDoS	1:100	1:30	8741118	4785	IP	实验环境中利用路由器队列机制的攻击流量和真实网络正常流量的混合
6	混合数据1	1:100	1:100	7162332	10188	全栈	1、2、3的混合流量
7	混合数据2	1:100	1:100	7852130	8795	全栈	1、2、3、4、5的混合流量
8	隐蔽攻击1^[30]	1:1000	1:1000	420000	3500	TCP	侧信道攻击

特征名称	特征描述
数据包总量	一段时间内数据包总数量
包数量最大值	一定时间间隔形成流中包数量的最大值
包数量最小值	一定时间间隔形成流中包数量的最小值
包数量差值	一定时间间隔形成流中包数量的最大值与最小值的差值
频域	一段时间内数据包数量在频域上的转换
源IP地址信息熵	一段时间内数据包的源IP地址的信息熵
源端口信息熵	一段时间内数据包的源端口的信息熵
目的端口信息熵	一段时间内数据包的目的端口的信息熵
包长度信息熵	一段时间内数据包长度的信息熵
时间信息熵	一段时间内数据包之间时间间隔信息熵
IP分离率	源IP和目的IP信息熵特征的分离率
端口分离率	源端口和目的端口信息熵特征的分离率

特征名称	特征描述
源IP	一个数据包内源IP地址
目的IP	一个数据包内目的IP地址
目的端口	一个数据包内目的端口
协议	一个数据包内协议
包长度	一个数据包的长度
TCP窗口	TCP窗口大小
序列号	TCP序列号
前序包差值	与前一个数据包大小的差值

监督信息在总数据中的占比	聚类纯度P
0%（M=0）	94.1%
0.5%（M=400）	98.5%
1%（M=800）	99.7%
1.5%（M=1 200）	99.6%
2%（M=1 600）	99.8%

基于多层次特征的RoQ隐蔽攻击无监督检测方法

Unsupervised detection method of RoQ covert attacks based on multilayer features

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 17

参考文献 33

相关文章 10

Metrics

推荐阅读 0

k	P	RI	F1
5%	88.73%	81.29%	84.57%
8%	93.75%	84.67%	87.77%
10%	93.26%	89.00%	91.60%
15%	92.71%	88.00%	90.82%
20%	83.94%	77.36%	77.76%

攻击	比例	本文方法	K-means	Autoencoder	u-Shapelet
	1:1	0.912	0.781	0.771	0.870
Slowheaders+TLS	1:2	0.875	0.625	0.840	0.770
	1:4	0.930	0.521	0.763	0.780
	1:8	0.890	0.623	0.611	0.758
	1:1	0.903	0.710	0.840	0.810
Slowbody2+TLS	1:2	0.925	0.520	0.700	0.823
	1:4	0.842	0.421	0.860	0.782
	1:8	0.894	0.628	0.611	0.691
	1:1	0.940	0.500	0.861	0.851
WebDoS+TLS	1:2	0.952	0.880	0.755	0.720
	1:4	0.891	0.785	0.880	0.761
	1:8	0.910	0.341	0.810	0.650
	1:1	0.897	0.823	0.779	0.879
TCP-Congettion DoS+TLS	1:2	0.914	0.575	0.659	0.875
	1:4	0.880	0.129	0.762	0.840
	1:8	0.814	0.620	0.830	0.852
	1:1	0.896	0.680	0.681	0.871
Router LDoS+TLS	1:2	0.850	0.700	0.700	0.813
	1:4	0.760	0.355	0.813	0.660
	1:8	0.793	0.400	0.790	0.560

[1]	刘真,王娜娜,王晓东,孙永奇. 位置社交网络中谱嵌入增强的兴趣点推荐算法[J]. 通信学报, 2020, 41(3): 197-206.
[2]	蒋伟进, 王扬, 刘晓亮, 吕斯健. 基于词相关性特征的多归属谱聚类突发事件检测[J]. 通信学报, 2020, 41(12): 193-204.
[3]	邱雪松,黄徐川,李文萃,李温静,郭少勇. 面向大规模时间敏感网络的分组调度机制[J]. 通信学报, 2020, 41(11): 124-131.
[4]	吕韵秋,刘凯,程飞. 基于点轨迹的核相关滤波器跟踪算法[J]. 通信学报, 2018, 39(6): 190-198.
[5]	房梁,殷丽华,李凤华,方滨兴. 基于谱聚类的访问控制异常权限配置挖掘机制[J]. 通信学报, 2017, 38(12): 63-72.
[6]	周春楠,黄少滨,迟荣华,李雅,郎大鹏. 基于谱聚类的高阶模糊时序自适应预测方法[J]. 通信学报, 2016, 37(2): 107-115.
[7]	覃匡宇,黄传河,王才华,史姣丽,吴笛,陈希. SDN网络中受时延和容量限制的多控制器均衡部署[J]. 通信学报, 2016, 37(11): 90-103.
[8]	相洁,赵冬琴. 改进谱聚类算法在MCI患者检测中的应用研究[J]. 通信学报, 2015, 36(4): 27-34.
[9]	吴健,崔志明,时玉杰,盛胜利,龚声蓉. 基于局部密度构造相似矩阵的谱聚类算法[J]. 通信学报, 2013, 34(3): 14-22.
[10]	徐森,卢志茂,顾国昌. 使用谱聚类算法解决文本聚类集成问题[J]. 通信学报, 2010, 31(6): 0-66.