深度学习在僵尸云检测中的应用研究

doi:10.11959/j.issn.1000-436x.2016228

Abstract

Abstract:

The differences of the basic network flow characteristics between BotCloud and normal cloud services were not obvious, and this led to the inefficiency of the method in BotCloud detection based on network flow characteristics analysis. To solve this problem, a CNN(convolution neural network)-based method for detecting the BotCloud was pro-posed. First, it extracted the basic network flow characteristics from network flow data packets. Second, it mapped the basic network flow characteristics into gray image. Finally, in order to detect BotCloud, it utilized CNN algorithm to learn and extract characteristics that were more abstract to express the hidden model and structural relationship in the network data flow. The experimental results show that the proposed method can not only enhance the accuracy of detec-tion, but also greatly reduce the time required for detecting.

Key words: BotCloud, cloud security, deep learning, network flow, characteristic, CNN

Guang KOU,Guang-ming TANG,Shuo WANG,Hai-tao SONG,Yuan BIAN. Using deep learning for detecting BotCloud[J]. Journal on Communications, 2016, 37(11): 114-128.

Figures/Tables 18

References 31

[1]	江健，诸葛建伟，段海新，等．僵尸网络机理与防御技术[J]. 软件学报, 2012,23(1):82-96. JIANG J , ZHUGE J W , DUAN H X , et al. Research on botnet mecha-nisms and defenses[J]. Journal of Software, 2012,23(1):82-96.
[2]	ARTAIL H , MASTRI Z A , SRAJ M , et al. A dynamic honeypot design for intrusion detection[C]// IEEE/ACS International Conference on Pervasive Services. 2004.95-104.
[3]	诸葛建伟，韩心慧，周勇林，等． HoneyBow：一个基于高交互式蜜罐技术的恶意代码自动捕获器[J]. 通信学报, 2007,28(12):8-13. ZHUGE J W , HANG X H , ZHOU Y L , et al. HoneyBow: an auto-mated malware collection tool based on the high-interaction honeypot principle[J]. Journal on Communications, 2007,28(12):8-13.
[4]	ALHAMMADI Y , AICKELIN U . Detecting botnets through log cor-relation[C]// The Workshop on Monitoring, Attack Detection and Mi-tigation. 2010.
[5]	STINSON E , MITCHELL J C . Characterizing bots' remote control behavior[C]// The 4th international conference on Detection of Intru-sions and Malware, and Vulnerability Assessment. 2007:89-108.
[6]	LIU L , CHEN S , YAN G , et al. Bottracer: Execution-based bot-like malware detection[C]// The 11th International Conference on Informa-tion Security. 2008:97-113.
[7]	KOLBITSCH C , COMPARETTI P M , KRUEGEL C , et al. Effective and efficient malware detection at the end host[C]// The 18th Confer-ence on USENIX Security Symposium. 2009:351-366.
[8]	ROESCH M . Snort: lightweight intrusion detection for networks[C]// The 13th USENIX Conference on System Administration. 1999:229-238.
[9]	GOEBEL J , HOLZ T . Rishi: identify bot contaminated hosts by IRC nickname evaluation[C]// The first conference on First Workshop on Hot Topics in Understanding Botnets. 2007.
[10]	LIVADS C , WALSH R , LAPSLEY D , et al. Using machine learning techniques to identify botnet traffic[C]// 31th IEEE Conference on Lo-cal Computer Networks. 2006:967-974.
[11]	STRAYER W T , LAPSELY D , WALSH R , et al. Botnet detection based on network behavior[C]// 2006 ARO Workshop on Botnets. 2007:1-24.
[12]	ZENG Y , HU X , SHIN K . Detection of botnets using combined host and network-level information[C]// International Conference on De-pendable Systems and Networks (DSN). 2010:291-300.
[13]	WANG H , HOU J , GONG Z . Botnet detection architecture based on heterogeneous multi-sensor information fusion[J]. Journal of Networks, 2011,6(12):1655-1661.
[14]	GU G , ZHANG J , LEE W . BotSniffer: detecting botnet command and control channels in network traffic[C]// The 15th Annual Network and Distributed System Security Symposium. 2008:269-286.
[15]	BEIGI E B , JAZ H H STAKHANOVA N , et al. Towards effective feature selection in machine learning-based botnet detection ap-proaches[C]// International Conference on Communications and Net-work Security. 2014:247-255.
[16]	ZHAO D , TRAORE I , SAYED B , et al. Botnet detection based on traffic behavior analysis and flow intervals[J]. Computers ＆ Security, 2013,4(7):2-16.
[17]	闫健恩，袁春阳，许海燕，等．基于多维流量特征的 IRC 僵尸网络频道检测[J]. 通信学报, 2013,34(10):49-64. YAN J E , YUAN C Y , XU H Y , et al. Method of detecting IRC botnet based on the multi-features of traffic flow[J]. Journal on Communica-tions, 2013,34(10):49-64.
[18]	YAMAUCHI K , HORI Y , SAKURAI K , et al. Detecting HTTP-based bot-net based on characteristic of the C＆C session using by SVM[C]// 8th Asia Joint Conference on Information Security. 2013:63-68.
[19]	BADIS H , DOYEN G , KHATOUN R . Toward a source detection of botclouds: a PCA-based approach[C]// International Conference on Au-tonomous Infrastructure, Management, and Security. 2014:105-117.
[20]	TULASIRAM N , ANUSHUA K , BHANU SMS , et al. An extrusion detection system against botclouds[C]// Seventh International Confer-ence on Communication Networks (ICCN-2013). 2013:207-215.
[21]	BADIS H , DOYEN G , KHATOUN R . A collaborative approach for a source based detection of botclouds[C]// International Symposium on Integrated Network Management. 2015:906-909.
[22]	JADHAV S , DUTIA S , CALANGUTKAR K , et al. Cloud-based android botnet malware detection system[C]// 17th International Con-ference on Advanced Communication Technology. 2015:347-352.
[23]	HINTION G E , SALAKHUTDINOV R R . Reducing the dimensional-ity of data with neural networks[J]. Science, 2006,313(28):504-507.
[24]	TAN Z Y . Detection of denial-of-service attacks based on computer vision techniques[D]. Sydney: University of Technology, 2013.
[25]	FANG Z J , FEI F C , FANG Y M , et al. Abnormal event detection in crowded scenes based on deep learning[J]. Multimedia Tools ＆ Ap-plications, 2016:1-23.
[26]	YUAN Z L , LU Y Q , XUE Y B . Droid detector: Android malware characterization and detection using deep learning[J]. Tsinghua Sci-ence ＆ Technology, 2016,21(1):114-123.
[27]	WANG Y , CAI W D , WEI P C . A deep learning approach for detecting malicious javascript code[J]. Security ＆ Communication Networks, 2016,51(8):28656-28667.
[28]	韩晓光，曲武，姚宣霞，等．基于纹理指纹的恶意代码变种检测方法研究[J]. 通信学报, 2014,35(8):125-136. HAN X G , QU W , YAO X X , et al. Research on malicious code vari-ants detection based on texture fingerprint[J]. Journal on Communica-tions, 2014,35(8):125-136.
[29]	LECUN Y , BOTTOU L , BENGIO Y , et al. Gradient-based learning applied to document recognition[C]// The IEEE. 1998:1-46.
[30]	敖道敢 . 无监督特征学习结合神经网络应用于图像识别[D]. 广州：华南理工大学, 2014. AO D G . Integration of unsupervised feature learning and neural net-works applied to image recognition[D]. Guangzhou: South China University of Technology, 2014.
[31]	JIA Y Q , SHELHAMER E , DONAHUE J , et al. Caffe: convolutional architecture for fast feature embedding[C]// The 22nd ACM interna-tional conference on Multimedia. 2014:675-678.

Metrics

Recommended 0

No Suggested Reading articles found!

序号	特征	描述	类型
1	source IP	源IP地址	字符串
2	destination IP	目的IP地址	字符串
3	source port	源端口号	整型
4	destination port	目的端口号	整型
5	protocol	协议类型	字符串
6	PX (total number of packet exchanged)	数据分组的总数量	整型
7	NNP (number of null packets exchanged)	空数据分组的数量	整型
8	IOPR (ratio between the number of incoming packets over the number of outgoing packets)	进出数据分组数量的比率	浮点型
9	reconnect (number of reconnects)	重连接的数量	整型
10	duration (flow duration)	流持续的时间	浮点型
11	FPS (length of the first packet)	第一个数据分组的长度	整型
12	TBT (total number of bytes)	总共的字节数	整型
13	average bytes per packet	平均每个分组的字节数	浮点型
14	variance of bytes per packet	每个分组字节数的方差	浮点型
15	APL (average payload packet length)	平均分组长度	浮点型
16	DPL (total number of packets with the same length over the total number of packets)	相同长度的分组数量与总分组数量的比例	浮点型
17	PV (standard deviation of payload packet length)	数据分组长度的标准差	浮点型
18	BS (average bits-per-second)	平均每秒比特数	浮点型
19	AIT (average inter arrival time of packets)	数据分组到达的平均间隔	浮点型
20	PPS (average packets-per-second)	平均每秒的分组数	浮点型

编号	0	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15
0	√				√	√	√			√	√	√	√		√	√
1	√	√				√	√	√			√	√	√	√		√
2	√	√	√				√	√	√			√		√	√	√
3		√	√	√			√	√	√				√		√	√
4			√	√	√			√	√				√	√		√
5				√	√	√			√					√	√	√

数据集类型	标签	流数量(比例)	总数
训练	正常	106 725(78.6%)	135 697
训练	攻击	28 972(21.4%)	135 697
测试	正常	12 716(69.7%)	18 194
测试	攻击	5 478(30.3%)	18 194

	C1卷积层		S2次抽样层		C3卷积层		S4次抽样层		C5全联接层
编号
编号
	卷积核	输出	采样窗口	输出	卷积核	输出	采样窗口	输出	卷积核	输出
1	6×(3×3)	6×(18×18)	2×2	6×(9×9)	16×(3×3)	16×(7×7)	2×2	16×(4×4)	80×(4×4)	80×1
2	6×(3×3)	6×(18×18)	2×2	6×(9×9)	16×(3×3)	16×(7×7)	2×2	16×(3×3)	80×(3×3)	80×1
3	6×(3×3)	6×(18×18)	2×2	6×(9×9)	16×(4×4)	16×(6×6)	2×2	16×(3×3)	80×(3×3)	80×1
4	6×(4×4)	6×(17×17)	2×2	6×(9×9)	16×(4×4)	16×(6×6)	2×2	16×(3×3)	80×(3×3)	80×1
5	6×(5×5)	6×(16×16)	2×2	6×(8×8)	16×(5×5)	16×(4×4)	2×2	16×(2×2)	80×(2×2)	80×1
6	6×(6×6)	6×(15×15)	2×2	6×(8×8)	16×(6×6)	16×(3×3)	2×2	16×(2×2)	80×(2×2)	80×1

编号	检测率	误报率	漏报率	训练时间/s	测试时间/s
1	0.925 1	0.073 9	0.072 8	1 023	63
2	0.921 6	0.077 2	0.061 4	1 064	61
3	0.936 7	0.089 1	0.070 1	1 013	68
4	0.882 3	0.121 4	0.091 4	988	64
5	0.869 2	0.118 4	0.099 5	956	67
6	0.827 1	0.136 9	0.112 8	899	72

Using deep learning for detecting BotCloud

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 18

References 31

Related Articles 15

Metrics

Recommended 0

		本文算法				SVM				决策树
样本数量
样本数量
	检测率	误报率	漏报率	测试时间/s	检测率	误报率	漏报率	测试时间/s	检测率	误报率	漏报率	测试时间/s
10 000	0.861 1	0.114 9	0.107 1	9.3	0.753 5	0.154 6	0.127 3	21.1	0.781 3	0.149 7	0.129 1	25.4
20 000	0.870 5	0.101 0	0.104 2	17.5	0.740 4	0.149 8	0.124 5	39.2	0.797 9	0.142 5	0.126 2	48.3
30 000	0.873 0	0.103 7	0.099 6	24.7	0.762 8	0.146 9	0.118 7	57.6	0.807 7	0.147 7	0.117 3	71.1
40 000	0.882 9	0.097 0	0.094 2	31.4	0.778 4	0.140 3	0.115 4	73.4	0.793 4	0.136 5	0.113 0	93.6
50 000	0.878 5	0.093 4	0.089 0	37.6	0.781 8	0.145 2	0.109 4	88.1	0.822 5	0.134 6	0.103 7	114.7
60 000	0.908 4	0.087 6	0.086 4	43.1	0.804 8	0.131 6	0.110 2	104.3	0.838 0	0.132 3	0.100 4	134.8
70 000	0.912 3	0.081 1	0.078 7	48.3	0.815 6	0.128 7	0.102 8	118.0	0.854 0	0.124 0	0.096 1	150.7
80 000	0.927 3	0.076 4	0.072 5	52.6	0.829 4	0.115 4	0.099 5	131.4	0.846 6	0.110 7	0.099 8	167.2
90 000	0.939 8	0.070 3	0.067 2	58.1	0.822 9	0.116 4	0.102 0	143.5	0.851 7	0.111 4	0.095 2	182.5
100 000	0.942 7	0.068 2	0.064 3	63.2	0.841 8	0.111 8	0.098 7	154.6	0.855 0	0.110 2	0.093 2	195.3

		本文算法				SVM				决策树
时间窗/s
时间窗/s
	检测率	误报率	漏报率	测试时间/s	检测率	误报率	漏报率	测试时间/s	检测率	误报率	漏报率	测试时间/s
10	0.835 2	0.452 7	0.381 6	11.3	0.625 2	0.490 3	0.461 6	25.5	0.635 3	0.484 9	0.452 3	30.2
30	0.841 1	0.397 5	0.312 1	11.9	0.630 7	0.458 7	0.425 1	24.9	0.641 5	0.451 8	0.415 6	30.3
60	0.855 6	0.364 6	0.234 5	10.9	0.634 6	0.427 6	0.375 4	25.3	0.645 9	0.402 6	0.365 8	29.1
120	0.876 5	0.245 2	0.193 4	11.6	0.658 3	0.356 1	0.285 5	23.6	0.672 4	0.275 8	0.254 7	27.6
180	0.892 3	0.136 8	0.154 2	11.4	0.678 4	0.254 4	0.199 7	23.9	0.689 5	0.152 4	0.171 2	28.9
240	0.895 1	0.128 7	0.132 4	12.3	0.685 9	0.205 3	0.163 3	24.6	0.693 7	0.132 6	0.160 3	29.5
300	0.896 3	0.111 6	0.091 3	9.7	0.687 5	0.175 7	0.152 4	25.4	0.697 7	0.121 9	0.142 0	27.9

[1]	Dongyu CHEN, Hua CHEN, Limin FAN, Yifang FU, Jian WANG. Research on test strategy for randomness based on deep learning [J]. Journal on Communications, 2023, 44(6): 23-33.
[2]	Rongpeng LI, Bingyan WANG, Honggang ZHANG, Zhifeng ZHAO. Design of knowledge enhanced semantic communication receiver [J]. Journal on Communications, 2023, 44(6): 70-76.
[3]	Shuai MA, Ke PEI, Huayan QI, Hang LI, Wen CAO, Hongmei WANG, Hailiang XIONG, Shiyin LI. Research on geomagnetic indoor high-precision positioning algorithm based on generative model [J]. Journal on Communications, 2023, 44(6): 211-222.
[4]	Bin HU, Xiao TAN, Senpeng WANG. SAT-based differential automatic search algorithm using divide-and-conquer strategy and its applications [J]. Journal on Communications, 2023, 44(4): 137-144.
[5]	Jie YANG, Biao DONG, Xue FU, Yu WANG, Guan GUI. Lightweight decentralized learning-based automatic modulation classification method [J]. Journal on Communications, 2022, 43(7): 134-142.
[6]	Ang LI, Jianxin CHEN, Xin WEI, Liang ZHOU. 6G-oriented cross-modal signal reconstruction technology [J]. Journal on Communications, 2022, 43(6): 28-40.
[7]	Xiuzhang YANG, Guojun PENG, Zichuan LI, Yangqi LYU, Side LIU, Chenguang LI. Research on entity recognition and alignment of APT attack based on Bert and BiLSTM-CRF [J]. Journal on Communications, 2022, 43(6): 58-70.
[8]	Pan TANG, Jiaxin LIN, Jianhua ZHANG, Lei TIAN, Zhaowei CHANG, Liang XIA, Qixing WANG. Research on reflection characteristics of the terahertz channel for 6G [J]. Journal on Communications, 2022, 43(5): 102-109.
[9]	Yong LIAO, Shiyi WANG. CSI feedback algorithm based on RM-Net for massive MIMO systems in high-speed mobile environment [J]. Journal on Communications, 2022, 43(5): 166-176.
[10]	Yurong LIAO, Haining WANG, Cunbao LIN, Yang LI, Yuqiang FANG, Shuyan NI. Research progress of deep learning-based object detection of optical remote sensing image [J]. Journal on Communications, 2022, 43(5): 190-203.
[11]	Zenghua ZHAO, Yuefan TONG, Jiayang CUI. Device-independent Wi-Fi fingerprinting indoor localization model based on domain adaptation [J]. Journal on Communications, 2022, 43(4): 143-153.
[12]	Yong LIAO, Gang CHENG, Yujie LI. CSI feedback algorithm based on deep unfolding for massive MIMO systems [J]. Journal on Communications, 2022, 43(12): 77-88.
[13]	Xueyuan DUAN, Yu FU, Kun WANG, Bin LI. LDoS attack detection method based on simple statistical features [J]. Journal on Communications, 2022, 43(11): 53-64.
[14]	Junyan HUO, Ruipeng QIU, Yanzhuo MA, Fuzheng YANG. Reference frame list optimization algorithm in video coding by quality enhancement of the nearest picture [J]. Journal on Communications, 2022, 43(11): 136-147.
[15]	Xueyuan DUAN, Yu FU, Kun WANG, Taotao LIU, Bin LI. Network traffic anomaly detection method based on multi-scale characteristic [J]. Journal on Communications, 2022, 43(10): 65-76.

编号	检测率	误报率	漏报率	训练时间/s	测试时间/s
1	0.931 5	0.072 4	0.061 1	1 054	68
2	0.915 6	0.089 6	0.052 3	1 018	63
3	0.946 3	0.065 7	0.057 1	1 003	65
4	0.894 7	0.102 3	0.086 1	957	71
5	0.875 4	0.091 1	0.116 4	976	69
6	0.849 8	0.131 1	0.105 2	913	69