计算机科学

计算机科学 ›› 2025, Vol. 52 ›› Issue (6A): 250200080-9.doi: 10.11896/jsjkx.250200080

• 信息安全 • 上一篇    下一篇

基于归一化处理和TrafficLLM的网络攻击缓解框架

成凯, 汤卫东, 谈林涛, 陈佳, 李鑫   

  1. 国家电网有限公司华中分部 武汉 430077
  • 出版日期:2025-06-16 发布日期:2025-06-12
  • 通讯作者: 成凯(kaicheng1988@126.com)
  • 基金资助:
    国家电网有限公司科技项目(SGHZ0000DKJS2400249)

Network Attack Mitigation Framework Based on Normalized Processing and TrafficLLM

CHENG Kai, TANG Weidong, TAN Lintao, CHEN Jia, LI Xin   

  1. Centralchina Branch of State Grid Corporation of China,Wuhan 430077,China
  • Online:2025-06-16 Published:2025-06-12
  • About author:CHENG Kai,born in 1988.His main research interests include electric power network and information security.
  • Supported by:
    State Grid Corporation of China Company Science and Technology Project Research(SGHZ0000DKJS2400249).

PDF (PC)

45

摘要: 随着电力配变网络基础设施规模的不断扩大,各类安全二次设备、边缘终端节点和业务系统产生的信息通信流量数据在格式、协议、语义特征层面存在显著差异。主要存在现有缓解框架缺乏多源异构网络异常流量检测数据归一化处理算法,网络攻击行为分析依赖人工特征提取的规则引擎,以及难以确定有效的网络攻击缓解措施等痛点。针对以上痛点,提出了一种基于归一化处理和TrafficLLM的网络攻击缓解框架(Network Attack Mitigation Framework Based on Normalized Processing and TrafficLLM,NAMF-NPTLLM)。该框架涵盖数据解析、归一化处理、模型微调和生成攻击缓解方案4个核心阶段。首先,在特征选择阶段,通过构建集成学习模型,融合多类基学习器的特征评估结果,精准提取对分类结果影响较大的关键特征。其次,将选取的关键特征通过归一化处理,生成统一的自然语言token序列形式表达,为该网络攻击缓解框架的流量异常分析TrafficLLM模型提供标准化输入。然后,对TrafficLLM模型进行微调,使该模型能够理解提示词模板指令并学习攻击行为的流量模式。最后,通过微调后的大模型进行推理,生成攻击缓解指令,使得该框架能够根据攻击行为特征动态调整网络攻击缓解策略。通过在CIC-DDoS2019数据集上进行实验验证,与传统方法相比,该框架将网络攻击行为分类的准确率达到99.80%,提高了1.3%。实验结果表明,该框架对于缓解海量多源异构电力网络终端流量攻击,具有更好的准确性和有效性。

关键词: 攻击行为检测, 数据解析, 归一化处理, 集成学习模型, 网络攻击缓解, 参数微调

Abstract: With the continuous expansion of the scale of power distribution and transformation network infrastructure,the information and communication traffic data generated by various types of security secondary equipment,edge terminal nodes,and business systems show significant differences in terms of format,protocol,and semantic characteristics.The main issues are reflected in the lack of a data normalization processing algorithm for multi-source heterogeneous network anomaly traffic detection in existing mitigation frameworks,the reliance of network attack behavior analysis on rule engines based on manual feature extraction,and the difficulty in determining effective network attack mitigation measures.To address the above pain points,a network attack mitigation framework based on normalized processing and TrafficLLM(NAMF-NPTLLM) is proposed.This framework includes four stages:feature selection,normalization processing,model fine-tuning,and generation of attack mitigation plans.Firstly,in the feature selection stage,an integrated voting mechanism is used to combine the results of various feature selection methods to accurately extract key features that have a significant impact on classification results.Secondly,the selected key features are norma-lized to generate a unified natural language token sequence expression,providing standardized input for the TrafficLLM model for traffic anomaly analysis in this network attack mitigation framework.Then,the TrafficLLM model is fine-tuned to enable it to understand prompt template instructions and learn the traffic patterns of attack behaviors.Finally,the fine-tuned large model is used for inference to generate attack mitigation instructions,allowing the framework to dynamically adjust network attack mitigation strategies based on the characteristics of attack behaviors.

Key words: Attack behavior detection, Data parsing, Normalization process, Integrated learning models, Cyber attack mitigation, Parameter fine tuning

中图分类号: 

  • TP393.08
[1]GUO Y D,MA J.DeepSeek was attacked by the network,sounding the alarm for the security of large models [N].2025-02-06.
[2]HUSSAIN F,ABBAS S G,SHAH G A,et al.A Framework for Malicious Traffic Detection in IoT Healthcare Environment [J].Sensors,2021,21(9).
[3]MA Q,SUN C,CUI B,et al.A novel model for anomaly detec-tion in network traffic based on kernel support vector machine [J].Computers & Security,2021,104.
[4]SHAFIQ M,TIAN Z,BASHIR A K,et al.CorrAUC:A Malicious Bot-IoT Traffic Detection Method in IoT Network Using Machine-Learning Techniques [J].IEEE Internet of Things Journal,2021,8(5):3242-3254.
[5]WEN W P,HU Y Z,ZHAO G L,et al.Design and Implementation of an Abnormal IP Identification System Based on Traffic Feature Classification[J].Netinfo Security,2021,21(8):1-9.
[6]FU C,LI Q,SHEN M,et al.Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis [C]//Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security.2021:3431-3446.
[7]WANG J,YANG L L,YANG M.Multitier ensemble classifiers for malicious network traffic detection[J].Journal on Communications,2018,39(10):155-165.
[8]ZENG Q P,HE S M,CHAI J L.A Malicious TLS Traffic Detection Method with Multi-modal Features[J].Journal of Information Security Research,2025,11(2):130-138.
[9]YANG Y,LV H,CHEN N.A survey on ensemble learning under the era of deep learning [J].Artificial Intelligence Review,2023,56(6):5545-5589.
[10]WANG T,XIE X,ZHANG L,et al.ShieldGPT:An LLM-based Framework for DDoS Mitigation [C]//Proceedings of the 8th Asia-Pacific Workshop on Networking.2024:108-114.
[11]LIU X,LIU J.Malicious traffic detection combined deep neural network with hierarchical attention mechanism [J].Scientific Reports,2021,11(1):12363.
[12]LIN K,XU X,XIAO F.MFFusion:A multi-level features fusion model for malicious traffic detection based on deep learning [J].Computer Networks,2022,202:108658.
[13]WANG Z,THING V L.Feature mining for encrypted malicious traffic detection with deep learning and other machine learning algorithms [J].Computers & Security,2023,128:103143.
[14]TAN G X,PAN Y X,LIU Y J,et al.Current Status,Hotspots,and Trends in Malicious Traffic Identification Research-Visual Analysis Based on CiteSpace Knowledge Graph [J].Advances in Applied Mathematics,2024,13:2392.
[15]LIANG Z Q.Deep Learning Based Malicious Traffic Detection and Attack Recognition Research[J].Information Recording Materials,2023,24(12).
[16]YANG Y P,WANG S T.Study on Malicious Traffic Classification Algorithm Based on CNN Combined with BiGRU[J].Computer Science,2024,51(S2):867-875.
[17]XIA W,QIN C,HAZAN E.Chain of lora:Efficient fine-tuning of language models via residual learning [J].arXiv:240104151,2024.
[18]CHEN Y,QIAN S,TANG H,et al.Longlora:Efficient fine-tuning of long-context large language models [J].arXiv preprint arXiv:230912307,2023.
[19]GINIG E,YASOD,SILVA,et al.Trafficllm:Llms for Improved Open-Set Encrypted Traffic Analysis[OL].http://dx.doi.org/10.2139/ssrn.5074974
[20]BBEIMAN L.Random forests[J].Machine Learning,2001,45:5-32.
[21]FRIEDMAN J H.Greedy function approximation:a gradient boosting machine[J].Annals of statistics,2001:1189-1232.
[22]CORTES C,VAPNIKV.Support-vector networks[J].Machine Learning,1995,20:273-297.
[23]CHEN T,GUESTRIN C.Xgboost:A scalable tree boosting system[C]//Proceedings of the 22nd ACM Sigkdd International Conference on Knowledge Discovery and Data Mining.2016:785-794.
[24]DIETTERICH T G.Ensemble methods in machine learning[C]//International Workshop on Multiple Classifier Systems.Berlin:Springer,2000:1-15.
[25]WU D,WANG X,QIAO Y,et al.NetLLM:Adapting LargeLanguage Models for Networking [C]//Proceedings of the ACM SIGCOMM 2024 Conference.2024:661-678.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发