Journal on Communications ›› 2016, Vol. 37 ›› Issue (11): 114-128.doi: 10.11959/j.issn.1000-436x.2016228
Academic paper
Guang KOU (1,2), Guang-ming TANG (1), Shuo WANG (1), Hai-tao SONG (1), Yuan BIAN (1)
Online: 2016-11-25
Published: 2016-11-30
Guang KOU,Guang-ming TANG,Shuo WANG,Hai-tao SONG,Yuan BIAN. Using deep learning for detecting BotCloud[J]. Journal on Communications, 2016, 37(11): 114-128.
"
序号 | 特征 | 描述 | 类型 |
1 | source IP | 源IP地址 | 字符串 |
2 | destination IP | 目的IP地址 | 字符串 |
3 | source port | 源端口号 | 整型 |
4 | destination port | 目的端口号 | 整型 |
5 | protocol | 协议类型 | 字符串 |
6 | PX (total number of packet exchanged) | 数据分组的总数量 | 整型 |
7 | NNP (number of null packets exchanged) | 空数据分组的数量 | 整型 |
8 | IOPR (ratio between the number of incoming packets over the number of outgoing packets) | 进出数据分组数量的比率 | 浮点型 |
9 | reconnect (number of reconnects) | 重连接的数量 | 整型 |
10 | duration (flow duration) | 流持续的时间 | 浮点型 |
11 | FPS (length of the first packet) | 第一个数据分组的长度 | 整型 |
12 | TBT (total number of bytes) | 总共的字节数 | 整型 |
13 | average bytes per packet | 平均每个分组的字节数 | 浮点型 |
14 | variance of bytes per packet | 每个分组字节数的方差 | 浮点型 |
15 | APL (average payload packet length) | 平均分组长度 | 浮点型 |
16 | DPL (total number of packets with the same length over the total number of packets) | 相同长度的分组数量与总分组数量的比例 | 浮点型 |
17 | PV (standard deviation of payload packet length) | 数据分组长度的标准差 | 浮点型 |
18 | BS (average bits-per-second) | 平均每秒比特数 | 浮点型 |
19 | AIT (average inter arrival time of packets) | 数据分组到达的平均间隔 | 浮点型 |
20 | PPS (average packets-per-second) | 平均每秒的分组数 | 浮点型 |
"
| No. | C1 conv kernel | C1 output | S2 subsampling window | S2 output | C3 conv kernel | C3 output | S4 subsampling window | S4 output | C5 fully connected kernel | C5 output |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 6×(3×3) | 6×(18×18) | 2×2 | 6×(9×9) | 16×(3×3) | 16×(7×7) | 2×2 | 16×(4×4) | 80×(4×4) | 80×1 |
| 2 | 6×(3×3) | 6×(18×18) | 2×2 | 6×(9×9) | 16×(3×3) | 16×(7×7) | 2×2 | 16×(3×3) | 80×(3×3) | 80×1 |
| 3 | 6×(3×3) | 6×(18×18) | 2×2 | 6×(9×9) | 16×(4×4) | 16×(6×6) | 2×2 | 16×(3×3) | 80×(3×3) | 80×1 |
| 4 | 6×(4×4) | 6×(17×17) | 2×2 | 6×(9×9) | 16×(4×4) | 16×(6×6) | 2×2 | 16×(3×3) | 80×(3×3) | 80×1 |
| 5 | 6×(5×5) | 6×(16×16) | 2×2 | 6×(8×8) | 16×(5×5) | 16×(4×4) | 2×2 | 16×(2×2) | 80×(2×2) | 80×1 |
| 6 | 6×(6×6) | 6×(15×15) | 2×2 | 6×(8×8) | 16×(6×6) | 16×(3×3) | 2×2 | 16×(2×2) | 80×(2×2) | 80×1 |
Results by number of samples. DR = detection rate, FPR = false positive rate, FNR = false negative rate; test time in seconds.

| Number of samples | Proposed DR | Proposed FPR | Proposed FNR | Proposed test time/s | SVM DR | SVM FPR | SVM FNR | SVM test time/s | Decision tree DR | Decision tree FPR | Decision tree FNR | Decision tree test time/s |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10 000 | 0.8611 | 0.1149 | 0.1071 | 9.3 | 0.7535 | 0.1546 | 0.1273 | 21.1 | 0.7813 | 0.1497 | 0.1291 | 25.4 |
| 20 000 | 0.8705 | 0.1010 | 0.1042 | 17.5 | 0.7404 | 0.1498 | 0.1245 | 39.2 | 0.7979 | 0.1425 | 0.1262 | 48.3 |
| 30 000 | 0.8730 | 0.1037 | 0.0996 | 24.7 | 0.7628 | 0.1469 | 0.1187 | 57.6 | 0.8077 | 0.1477 | 0.1173 | 71.1 |
| 40 000 | 0.8829 | 0.0970 | 0.0942 | 31.4 | 0.7784 | 0.1403 | 0.1154 | 73.4 | 0.7934 | 0.1365 | 0.1130 | 93.6 |
| 50 000 | 0.8785 | 0.0934 | 0.0890 | 37.6 | 0.7818 | 0.1452 | 0.1094 | 88.1 | 0.8225 | 0.1346 | 0.1037 | 114.7 |
| 60 000 | 0.9084 | 0.0876 | 0.0864 | 43.1 | 0.8048 | 0.1316 | 0.1102 | 104.3 | 0.8380 | 0.1323 | 0.1004 | 134.8 |
| 70 000 | 0.9123 | 0.0811 | 0.0787 | 48.3 | 0.8156 | 0.1287 | 0.1028 | 118.0 | 0.8540 | 0.1240 | 0.0961 | 150.7 |
| 80 000 | 0.9273 | 0.0764 | 0.0725 | 52.6 | 0.8294 | 0.1154 | 0.0995 | 131.4 | 0.8466 | 0.1107 | 0.0998 | 167.2 |
| 90 000 | 0.9398 | 0.0703 | 0.0672 | 58.1 | 0.8229 | 0.1164 | 0.1020 | 143.5 | 0.8517 | 0.1114 | 0.0952 | 182.5 |
| 100 000 | 0.9427 | 0.0682 | 0.0643 | 63.2 | 0.8418 | 0.1118 | 0.0987 | 154.6 | 0.8550 | 0.1102 | 0.0932 | 195.3 |
Results by time window. DR = detection rate, FPR = false positive rate, FNR = false negative rate; time window and test time in seconds.

| Time window/s | Proposed DR | Proposed FPR | Proposed FNR | Proposed test time/s | SVM DR | SVM FPR | SVM FNR | SVM test time/s | Decision tree DR | Decision tree FPR | Decision tree FNR | Decision tree test time/s |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10 | 0.8352 | 0.4527 | 0.3816 | 11.3 | 0.6252 | 0.4903 | 0.4616 | 25.5 | 0.6353 | 0.4849 | 0.4523 | 30.2 |
| 30 | 0.8411 | 0.3975 | 0.3121 | 11.9 | 0.6307 | 0.4587 | 0.4251 | 24.9 | 0.6415 | 0.4518 | 0.4156 | 30.3 |
| 60 | 0.8556 | 0.3646 | 0.2345 | 10.9 | 0.6346 | 0.4276 | 0.3754 | 25.3 | 0.6459 | 0.4026 | 0.3658 | 29.1 |
| 120 | 0.8765 | 0.2452 | 0.1934 | 11.6 | 0.6583 | 0.3561 | 0.2855 | 23.6 | 0.6724 | 0.2758 | 0.2547 | 27.6 |
| 180 | 0.8923 | 0.1368 | 0.1542 | 11.4 | 0.6784 | 0.2544 | 0.1997 | 23.9 | 0.6895 | 0.1524 | 0.1712 | 28.9 |
| 240 | 0.8951 | 0.1287 | 0.1324 | 12.3 | 0.6859 | 0.2053 | 0.1633 | 24.6 | 0.6937 | 0.1326 | 0.1603 | 29.5 |
| 300 | 0.8963 | 0.1116 | 0.0913 | 9.7 | 0.6875 | 0.1757 | 0.1524 | 25.4 | 0.6977 | 0.1219 | 0.1420 | 27.9 |