Computer Science ›› 2024, Vol. 51 ›› Issue (6): 434-442. doi: 10.11896/jsjkx.230400159

• Information Security •

Remote Access Trojan Traffic Detection Based on Fusion Sequences
(Chinese title: 基于融合序列的远控木马流量检测模型)

WU Fengyuan (吴丰源)1,2, LIU Ming (刘明)2, YIN Xiaokang (尹小康)2, CAI Ruijie (蔡瑞杰)2, LIU Shengli (刘胜利)2

  1 School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China
  2 School of Cyberspace Security, Information Engineering University, Zhengzhou 450001, China
  • Received: 2023-04-24  Revised: 2023-07-24  Online: 2024-06-15  Published: 2024-06-05
  • Corresponding author: LIU Shengli (mr_shengliliu@163.com)
  • Author e-mail: lingtree@qq.com
  • About the authors: WU Fengyuan, born in 1998, postgraduate. His main research interests include cyberspace security and deep learning.
    LIU Shengli, born in 1973, Ph.D, professor. His main research interests include network device security and network attack detection.
  • Supported by:
    National Key R&D Program of China (2019QY1300) and Science & Technology Commission Foundation Strengthening Project (2019-JCJQ-ZD113).

Abstract: In response to the weak generalization ability, limited representation capability, and delayed warning of existing remote access Trojan (RAT) traffic detection methods, a RAT traffic detection model based on fusion sequences is proposed. By analyzing in depth the differences between normal application traffic and RAT traffic in their packet length sequence, packet payload length sequence, and packet time interval sequence, the traffic is represented as a fusion sequence. The fusion sequences are fed into a Transformer model, which uses multi-head attention and residual connections to mine the intrinsic relationships within the fusion sequence and learn the communication behavior patterns of the Trojan, effectively improving both the detection capability for RAT traffic and the generalization ability of the model. The model only needs to extract the first 20 packets of a network session for detection, so it can issue a timely warning in the early stage of a Trojan intrusion. Comparative experiments show that the model not only achieves excellent detection results on known data but also performs well on an unknown-traffic test set; compared with existing deep learning models, every detection metric is substantially improved, so the model has practical application value in the field of RAT traffic detection.

Keywords: Remote access Trojan detection, Fusion sequences, Transformer model, Multi-head attention mechanism, Trojan behavior patterns
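The representation step the abstract describes, as an added example that is not the paper's code: packets are grouped into bidirectional sessions, the first 20 packets of each session are kept, and each packet becomes a row [packet length, payload length, inter-arrival time]. The packet records are constructed for illustration, and modelling the "fusion" as row-wise concatenation of the three sequences (with zero padding for short sessions) is an assumption, not something the abstract specifies.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

N_PACKETS = 20  # the model uses only the first 20 packets of a session

# Constructed packet records, not captured traffic:
# (timestamp_s, src, dst, sport, dport, proto, pkt_len, payload_len)
PACKETS = [
    (0.000, "10.0.0.5", "203.0.113.9", 50432, 443, "tcp", 74, 0),
    (0.020, "203.0.113.9", "10.0.0.5", 443, 50432, "tcp", 74, 0),
    (0.021, "10.0.0.5", "203.0.113.9", 50432, 443, "tcp", 66, 0),
    (0.025, "10.0.0.5", "203.0.113.9", 50432, 443, "tcp", 583, 517),
    (0.060, "203.0.113.9", "10.0.0.5", 443, 50432, "tcp", 1514, 1448),
    (5.060, "10.0.0.5", "203.0.113.9", 50432, 443, "tcp", 120, 54),
    (0.500, "10.0.0.5", "198.51.100.2", 41000, 80, "tcp", 74, 0),
    (0.530, "198.51.100.2", "10.0.0.5", 80, 41000, "tcp", 74, 0),
]


def session_key(pkt) -> Tuple:
    """Direction-agnostic 5-tuple so both halves of a flow share one session."""
    _, src, dst, sport, dport, proto, _, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def group_sessions(packets) -> Dict[Tuple, List]:
    """Bucket packets by session and order each session by time."""
    sessions = defaultdict(list)
    for pkt in packets:
        sessions[session_key(pkt)].append(pkt)
    for pkts in sessions.values():
        pkts.sort(key=lambda p: p[0])
    return dict(sessions)


def fusion_sequence(pkts, n=N_PACKETS) -> List[List[float]]:
    """Rows of [length, payload length, inter-arrival time] for the first n
    packets, zero-padded to exactly n rows. Row-wise fusion is an assumption."""
    rows, prev_t = [], None
    for t, *_, plen, payload in pkts[:n]:
        gap = 0.0 if prev_t is None else round(t - prev_t, 6)  # first packet: 0
        rows.append([float(plen), float(payload), gap])
        prev_t = t
    rows.extend([0.0, 0.0, 0.0] for _ in range(n - len(rows)))
    return rows


def build_dataset(packets, n=N_PACKETS) -> Dict[Tuple, List[List[float]]]:
    """Session key -> fixed-size n x 3 matrix ready for a sequence model."""
    return {k: fusion_sequence(v, n) for k, v in group_sessions(packets).items()}
```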

CLC number: TP393.08