Computer Science, 2024, Vol. 51, Issue (6): 434-442. doi: 10.11896/jsjkx.230400159

Information Security

Remote Access Trojan Traffic Detection Based on Fusion Sequences

WU Fengyuan1,2, LIU Ming2, YIN Xiaokang2, CAI Ruijie2, LIU Shengli2   

  1. School of Cyber Science and Engineering, Zhengzhou University, Zhengzhou 450001, China
  2. School of Cyberspace Security, Information Engineering University, Zhengzhou 450001, China
  • Received: 2023-04-24  Revised: 2023-07-24  Online: 2024-06-15  Published: 2024-06-05
  • About author: WU Fengyuan, born in 1998, postgraduate. His main research interests include cyberspace security and deep learning.
    LIU Shengli, born in 1973, Ph.D, professor. His main research interests include network device security and network attack detection.
  • Supported by:
    National Key R & D Program of China (2019QY1300) and Science & Technology Commission Foundation Strengthening Project (2019-JCJQ-ZD113).

Abstract: In response to the weak generalization ability, limited representation capability, and delayed warning of existing remote access Trojan (RAT) traffic detection methods, a RAT traffic detection model based on a fusion sequence is proposed. By analyzing in depth how normal network traffic and RAT traffic differ in their packet length sequence, packet payload length sequence, and packet time interval sequence, traffic is represented as a fusion sequence. The fusion sequences are input into a Transformer model that uses multi-head attention and residual connections to mine the intrinsic relationships within the fusion sequences and learn the patterns of RAT communication behavior, effectively enhancing the model's detection capability and generalization ability for RAT traffic. The model only needs the first 20 data packets of a network session for detection and can therefore issue a timely warning in the early stage of a Trojan intrusion. Comparative experimental results show that the model not only achieves excellent results on known data but also performs well on unknown traffic test sets. Compared with existing deep learning models, it presents superior performance indicators and has practical application value in the field of RAT traffic detection.

Key words: Remote access Trojan detection, Fusion sequences, Transformer model, Multi-head attention mechanism, Trojan behavior patterns

CLC Number: TP393.08
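The abstract describes representing each network session by the first 20 packets' length, payload length and inter-arrival time, fused into one sequence that is then fed to the Transformer. The following is an added illustration of that feature-extraction step, not code from the paper or its authors: it groups constructed packet records into bidirectional sessions keyed on the 5-tuple, builds a fixed-length fusion sequence of (packet length, payload length, time gap to previous packet) for the first 20 packets, and zero-pads sessions that are shorter. The session-keying rule, the zero padding and the sample packets are assumptions made for this example; the paper's exact preprocessing is not given on this page.

```python
"""Fusion-sequence feature extraction for per-session RAT traffic detection.

Added example (not the paper's code). The fusion sequence is built from three
per-packet quantities named in the abstract: total packet length, transport
payload length and the time interval to the preceding packet of the same
session. Only the first SEQ_LEN packets of a session are used, so a detector
can raise an early warning instead of waiting for the session to finish.
"""
from collections import defaultdict
from dataclasses import dataclass

SEQ_LEN = 20  # number of leading packets per session, as stated in the abstract


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int    # total on-wire packet length in bytes
    payload: int   # transport-layer payload length in bytes


def session_key(p: Packet):
    """Bidirectional 5-tuple: both directions of a flow map to the same session.
    (Assumption for this example; the paper's session definition is not shown.)"""
    a = (p.src, p.sport)
    b = (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def group_sessions(packets):
    """Order packets by time and bucket them into sessions."""
    sessions = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        sessions[session_key(p)].append(p)
    return sessions


def fusion_sequence(pkts, n=SEQ_LEN):
    """Fuse the three per-packet sequences of the first n packets into one
    list of (length, payload_length, inter_arrival) triples.

    The first packet has no predecessor, so its interval is 0.0. Sessions with
    fewer than n packets are zero-padded so every sample has the same shape.
    """
    seq = []
    prev_ts = None
    for p in pkts[:n]:
        gap = 0.0 if prev_ts is None else round(p.ts - prev_ts, 6)
        seq.append((p.length, p.payload, gap))
        prev_ts = p.ts
    seq.extend([(0, 0, 0.0)] * (n - len(seq)))
    return seq


def flatten(seq):
    """Flatten the triples into a single vector of length 3 * SEQ_LEN."""
    return [v for triple in seq for v in triple]


def extract(packets, n=SEQ_LEN):
    """Map every session to its fusion sequence."""
    return {key: fusion_sequence(pkts, n) for key, pkts in group_sessions(packets).items()}


# Constructed sample capture: a TLS-style handshake start and a second short session.
# Addresses are documentation ranges; values are illustrative, not real traffic.
SAMPLE = [
    Packet(0.000, "10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 74, 0),      # SYN
    Packet(0.050, "203.0.113.9", 443, "10.0.0.5", 51000, "tcp", 74, 0),      # SYN-ACK
    Packet(0.051, "10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 66, 0),      # ACK
    Packet(0.120, "10.0.0.5", 51000, "203.0.113.9", 443, "tcp", 583, 517),   # first data segment
    Packet(0.300, "10.0.0.5", 51001, "198.51.100.4", 8080, "tcp", 74, 0),    # second session SYN
    Packet(0.345, "198.51.100.4", 8080, "10.0.0.5", 51001, "tcp", 74, 0),    # SYN-ACK
]

if __name__ == "__main__":
    for key, seq in extract(SAMPLE).items():
        print(key, seq[:4], "... padded to", len(seq), "triples")
```

Each session yields a 20 x 3 matrix (or a 60-element vector via `flatten`), which is the shape a sequence model such as the Transformer in the paper would consume; the zero rows are the positions a practitioner would mask in attention so that padding does not influence the learned patterns.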