面向物联网的多协议僵尸网络检测方法

doi:10.12263/DZXB.20220881

电子学报

• •

面向物联网的多协议僵尸网络检测方法

杨宏宇¹^,², 王泽霖², 张良³, 成翔⁴^,⁵

^1.中国民航大学安全科学与工程学院，天津 300300
^2.中国民航大学计算机科学与技术学院，天津 300300
^3.亚利桑那大学信息学院，美国亚利桑那州图森市 AZ857 21
^4.扬州大学信息工程学院，江苏扬州 225127
^5.江苏省知识管理与智能服务工程研究中心，江苏扬州 225127

收稿日期:2022-07-25 修回日期:2022-10-08 出版日期:2022-11-24
- 作者简介:
- 杨宏宇男，1969年12月生，吉林长春人.博士，中国民航大学教授.主要研究方向为网络与系统安全、漏洞分析与评估、云计算与大数据安全. E-mail: yhyxlx@hotmail.com
  王泽霖男，1998年6月生，黑龙江哈尔滨人.中国民航大学硕士研究生.主要研究方向为网络与系统安全、物联网安全、僵尸网络检测. E-mail: cauc_wzl@hotmail.com
  张良男，1987年6月生，天津人.博士，亚利桑那大学博士后研究员.主要研究方向为强化学习、基于深度学习的信号处理. E-mail: liangzh@arizona.edu
  成翔（通讯作者）男，1988年9月生，新疆乌鲁木齐人.博士，扬州大学实验师.主要研究方向为网络与系统安全、网络安全态势感知、联邦学习、边缘计算.
- 基金资助:
- 国家自然科学基金 (U1833107)

A Multi-Protocol Botnet Detection Method for IoT

YANG Hong-yu¹^,², WANG Ze-lin², ZHANG Liang³, CHENG Xiang⁴^,⁵

^1.School of Safety Science and Engineering，Civil Aviation University of China，Tianjin 300300，China
^2.School of Computer Science and Technology，Civil Aviation University of China，Tianjin 300300，China
^3.School of Information，The University of Arizona，Tucson，Arizona 85721，USA
^4.School of Information Engineering，Yangzhou University，Yangzhou，Jiangsu 225127，China
^5.Jiangsu Engineering Research Center for Knowledge Management and Intelligent Service，Yangzhou，Jiangsu 225127，China

Received:2022-07-25 Revised:2022-10-08 Online:2022-11-24
- Supported by:
- National Natural Science Foundation of China (U1833107)

摘要/Abstract

摘要：

针对现有僵尸网络检测方法采样不均、特征选择差、泛化能力较弱，导致检测分类效果偏低且对计算和存储资源受限的物联网环境的适应性较差等不足，本文提出了一种面向物联网的多协议僵尸网络检测方法.通过所设计的基于地址三元组和时间窗口的IP聚合与特征重构方法整合从物联网网关中获取的网络流量，得到重构样本集.采用所提出的自修正混合加权采样算法平衡重构样本集中正常流量与僵尸流量，得到重采样样本集.采用所提出的基于多属性决策和邻接关系链的序列前向选择算法剔除重采样样本集中的冗余特征，得到最优特征子集.采用所设计的基于阵发混沌的秃鹰搜索算法优化后的两阶段混合异构模型，对经最优特征子集筛选后的重采样样本集进行检测分类.实验结果表明，所提方法对僵尸网络的检测效果较好，检测准确率为99.24%，马修斯相关系数为98.49%，误报率为0.17%，漏报率为1.29%，优于现有方法.该方法能够有效降低采样与特征选择的时空开销，可较好地适应资源受限的物联网环境.

关键词: 僵尸网络, 物联网, 样本重构, 前向选择, 阵发混沌, 搜索算法

Abstract:

In order to solve the problems of uneven sampling, poor feature selection, and weak generalization ability to the existing botnet detection methods, this paper proposes a multi-protocol botnet detection method for internet of things(IoT). The designed IP aggregation and feature reconstruction method using address triples and time windows is used to integrate the network traffic samples obtained from the IoT gateway to obtain the reconstructed sample set. The proposed self-correcting hybrid weighted sampling algorithm balances the normal and botnet flow samples to get the resampling sample set. The proposed multi-attribute decision making and adjacency relation chain-based sequential forward selection algorithm is used to eliminate the redundant features and obtain the optimal feature subset. The resampling sample set filtered by the optimal feature subset is detected and classified through the designed two-stage hybrid heterogeneous model optimized by the intermittent chaos-based bald eagle search algorithm. Experimental results show that the proposed method has a good detection effect on the botnet. The detection accuracy is 99.24%, Matthews correlation coefficient is 98.49%, false positive rate is 0.17%, and false negative rate is 1.29%, which are better than the existing methods. This method can effectively reduce sampling and feature selection time and space overhead and better adapt to the resource-constrained IoT environment.

Key words: botnet, internet of things, sample reconstruction, forward selection, intermittent chaos, search algorithm

中图分类号:

TP393.08

杨宏宇, 王泽霖, 张良, 成翔. 面向物联网的多协议僵尸网络检测方法[J]. 电子学报, DOI: 10.12263/DZXB.20220881.

YANG Hong-yu, WANG Ze-lin, ZHANG Liang, CHENG Xiang. A Multi-Protocol Botnet Detection Method for IoT[J]. Acta Electronica Sinica, DOI: 10.12263/DZXB.20220881.

图/表 15

参考文献 32

1	XU G Q, BAI H P, XING J, et al. SG-PBFT: A secure and highly efficient distributed blockchain PBFT consensus algorithm for intelligent Internet of vehicles[J]. Journal of Parallel and Distributed Computing, 2022, 164: 1-11.
2	ZHAO B, JI S, LEE W H, et al. A large-scale empirical study on the vulnerability of deployed IoT devices[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(3): 1826-1840.
3	QIAO H, NOVIKOV B, BLECH J O. Concept drift analysis by dynamic residual projection for effectively detecting botnet cyber-attacks in IoT scenarios[J]. IEEE Transactions on Industrial Informatics, 2021, 18(6): 3692-3701.
4	WANG Q, WANG D, CHENG C, et al. Quantum2fa: efficient quantum-resistant two-factor authentication scheme for mobile devices[J/OL]. IEEE Transactions on Dependable and Secure Computing, 2021. DOI: 10.1109/TDSC.2021.3129512 .
5	MIAO Y, CHEN C, PAN L, et al. Machine learning-based cyber attacks targeting on controlled information: a survey[J]. ACM Computing Surveys(CSUR), 2021, 54(7): 1-36.
6	陈书仪, 刘亚丽, 林昌露, 等. 面向物联网的轻量级可验证群组认证方案[J]. 电子学报, 2022, 50(4): 990-1001.
	CHEN Shu-yi, LIU Ya-li, LIN Chang-lu, et al. Lightweight verifiable group authentication scheme for the internet of things[J]. Acta Electronica Sinica, 2022, 50(4): 990-1001. (in Chinese)
7	DOSHI K, YILMAZ Y, ULUDAG S. Timely detection and mitigation of stealthy DDoS attacks via IoT networks[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 18(5): 2164-2176.
8	JOSHI C, RANJAN R K, BHARTI V. A fuzzy logic based feature engineering approach for botnet detection using ANN[J/OL]. Journal of King Saud University-Computer and Information Sciences, 2021. DOI: 10.1016/j.jksuci.2021.06.018 .
9	PALMIERI F. Network anomaly detection based on logistic regression of nonlinear chaotic invariants[J]. Journal of Network and Computer Applications, 2019, 148: 102460-102473.
10	IKRAM S T, PRIYA V, ANBARASU B, et al. Prediction of IIoT traffic using a modified whale optimization approach integrated with random forest classifier[J]. The Journal of Supercomputing, 2022, 78(8): 10725-10756.
11	MAJUMDAR P, SINGH A, PANDEY A, et al. A deep learning approach against botnet attacks to reduce the interference problem of IoT[M]//Intelligent Computing and Applications. Singapore: Springer, 2021: 645-655.
12	吴迪, 方滨兴, 崔翔, 等. BotCatcher: 基于深度学习的僵尸网络检测系统[J]. 通信学报, 2018, 39(8): 18-28.
	WU Di, FANG Bin-xing, CUI Xiang, et al. BotCatcher: botnet detection system based on deep learning[J]. Journal on Communications, 2018, 39(8): 18-28. (in Chinese)
13	牛伟纳, 蒋天宇, 张小松, 等. 基于流量时空特征的fast-flux僵尸网络检测方法[J]. 电子与信息学报, 2020, 42(8): 1872-1880.
	NIU Wei-na, JIANG Tian-yu, ZHANG Xiao-song, et al. Fast-flux botnet detection method based on spatiotemporal feature of network traffic[J]. Journal of Electronics & Information Technology, 2020, 42(8): 1872-1880. (in Chinese)
14	朱艳. 优化觅食算法改进支持向量机的僵尸网络检测模型研究[D]. 兰州: 兰州大学, 2018.
	ZHU Yan. Research on Botnet Detection Model Based on Support Vector Machine Improved by Optimal Foraging Algorithm[D]. Lanzhou: Lanzhou University, 2018. (in Chinese)
15	TORRES J L G, CATANIA C A, VEAS E. Active learning approach to label network traffic datasets[J]. Journal of Information Security and Applications, 2019, 49: 102388-102400.
16	Al S, DENER M. STL-HDL: A new hybrid network intrusion detection system for imbalanced dataset on big data environment[J]. Computers & Security, 2021, 110: 102435-102455.
17	KANNANGARA K K P M, ZHOU W, DING Z, et al. Investigation of feature contribution to shield tunneling-induced settlement using shapley additive explanations method[J]. Journal of Rock Mechanics and Geotechnical Engineering, 2022, 14(4): 1052-1063.
18	GAN M, ZHANG L. Iteratively local Fisher score for feature selection[J]. Applied Intelligence, 2021, 51(8): 6167-6181.
19	杨宏宇, 袁海航, 张良. 基于攻击图的主机安全评估方法[J]. 通信学报, 2022, 43(2): 89-99.
	YANG Hong-yu, YUAN Hai-hang, ZHANG Liang. Host security assessment method based on attack graph[J]. Journal on Communications, 2022, 43(2): 89-99. (in Chinese)
20	杨宏宇, 张旭高. 基于自修正系数修匀法的网络安全态势预测[J]. 通信学报, 2020, 41(5): 196-204.
	YANG Hong-yu, ZHANG Xu-gao. Self-corrected coefficient smoothing method based network security situation prediction[J]. Journal on Communications, 2020, 41(5): 196-204. (in Chinese)
21	ZHU D, WANG R, DUAN J, et al. Comprehensive weight method based on game theory for identify critical transmission lines in power system[J]. International Journal of Electrical Power & Energy Systems, 2021, 124: 106362-106369.
22	ZELENKOV Y, VOLODARSKIY N. Bankruptcy prediction on the base of the unbalanced data using multi-objective selection of classifiers[J]. Expert Systems with Applications, 2021, 185: 115559-115570.
23	YANG H Y, ZHANG Z X, XIE L X, et al. Network security situation assessment with network attack behavior classification[J]. International Journal of Intelligent Systems, 2022, 37(10): 6909-6927.
24	YANG H Y, ZENG R Y, XU G Q, et al. A network security situation assessment method based on adversarial deep learning[J]. Applied Soft Computing, 2021, 102: 107096-107104.
25	ALSATTAR H A, ZAIDAN A A, ZAIDAN B B. Novel meta-heuristic bald eagle search optimization algorithm[J]. Artificial Intelligence Review, 2020, 53(3): 2237-2264.
26	YANG Z, LIU X, LI T, et al. A systematic literature review of methods and datasets for anomaly-based network intrusion detection[J]. Computers & Security, 2022, 116: 102675-102694.
27	张鑫, 李占山. 自然进化策略的特征选择算法研究[J]. 软件学报, 2020, 31(12): 3733-3752.
	ZHANG Xin, LI Zhan-shan. Research on feature selection algorithm based on natural evolution strategy[J]. Journal of Software, 2020, 31(12): 3733-3752. (in Chinese)
28	WANG X L, GONG J, SONG Y, et al. Adaptively weighted three-way decision oversampling: A cluster imbalanced-ratio based approach[J/OL]. Applied Intelligence, 2022. DOI: 10.1007/s10489-022-03394-7 .
29	IDAKWO G, THANGAPANDIAN S, LUTTRELL J, et al. Structure–activity relationship-based chemical classification of highly imbalanced Tox21 datasets[J]. Journal of Cheminformatics, 2020, 12(1): 1-19.
30	ROFFO G, MELZI S, CASTELLANI U, et al. Infinite feature selection: a graph-based feature filtering approach[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2020, 43(12): 4396-4410.
31	LI A D, XUE B, ZHANG M. Improved binary particle swarm optimization for feature selection with new initialization and search space reduction strategies[J]. Applied Soft Computing, 2021, 106: 107302-107339.
32	LIU W, WANG J. Recursive elimination–election algorithms for wrapper feature selection[J]. Applied Soft Computing, 2021, 113: 107956-107968.

变量	含义	变量	含义
t_s	采样开始时间	S_r	重采样样本集
t_e	采样结束时间	N_i	实际重采样样本数量
t	采样用时	N_c	重构样本类别数
c_i	样本类别	ramics	实际少数类重采样样本
w_i	样本权重	ramcs	实际多数类重采样样本
esv _i	期望样本数	mcs	多数类重采样样本
S_o	重构样本集	mic	多数类重采样样本
N_o	重构样本总数	remain	剩余样本

变量	含义	变量	含义
t_s	采样开始时间	S_r	重采样样本集
t_e	采样结束时间	N_i	实际重采样样本数量
t	采样用时	N_c	重构样本类别数
c_i	样本类别	ramics	实际少数类重采样样本
w_i	样本权重	ramcs	实际多数类重采样样本
esv _i	期望样本数	mcs	多数类重采样样本
S_o	重构样本集	mic	多数类重采样样本
N_o	重构样本总数	remain	剩余样本

相关系数区间	相关性
[0,0.2)	极弱相关或无关
[0.2,0.4)	弱相关
[0.4,0.6)	中等程度相关
[0.6,0.8)	强相关
[0.8,1]	极强相关

相关系数区间	相关性
[0,0.2)	极弱相关或无关
[0.2,0.4)	弱相关
[0.4,0.6)	中等程度相关
[0.6,0.8)	强相关
[0.8,1]	极强相关

算法	正样本数	负样本数	IR
NNC	1269	502630	396.1
ADASYN	503001	502860	1.0
SMOTEENN	496439	494204	1.0
SCHWS	250566	252064	1.0

面向物联网的多协议僵尸网络检测方法

A Multi-Protocol Botnet Detection Method for IoT

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 15

参考文献 32

相关文章 15

编辑推荐

Metrics

ε	删除的特征	剩余特征数	MCC
1	无	39	0.9310
0.95	F8,F32,F21,F29,F12,F22,F34,F9,F3	30	0.9339
0.8	F12,F9,F3,F18,F32,F29,F16,F22,F8,F31	29	0.9420
0.65	F29,F3,F18,F9,F16,F22,F12,F31	31	0.9298
0.4	F31,F11,F28,F18,F29,F3,F9,F16,F22	30	0.9302
0.2	F11,F9,F3,F31,F22,F28,F18,F16	31	0.9316
0.1	F18,F13,F31,F22,F9,F16,F3	32	0.9275

算法	N_Φ	DRR
重采样样本	39	0
GLE	20	0.4872
CLE	21	0.4615
SFS	29	0.2564
SBS	38	0.0256
RFE	25	0.3590
MADM-RC-SFS	14	0.6410

方法	Acc	F-score	MCC	GM	FPR	FNR
FSL-ANN^[8]	0.8943	0.8947	0.7888	0.8943	0.0509	0.1131
NCI-LR^[9]	0.9900	0.9171	0.9123	0.9467	0.0029	0.1000
MNSWOA-IPM-RF^[10]	0.8538	0.8666	0.7228	0.8652	0.0405	0.2067
RBM^[11]	0.9513	—	—	—	—	—
BotCatcher^[12]	0.9800	—	—	—	—	—
DensNet-BiLSTM^[13]	0.9836	0.9599	0.9714	0.9787	0.0061	0.0328
OFA-SVM^[14]	0.9507	0.9486	0.9018	0.9500	0.0192	0.0681
RiskID^[15]	0.9300	—	—	—	—	—
TSHHM	0.9924	0.9924	0.9849	0.9963	0.0017	0.0129

[1]	李玮, 张雨希, 谷大武, 张金煜, 朱晓铭, 刘春, 蔡天培, 李嘉耀. 轻量级密码MANTIS的唯密文故障分析[J]. 电子学报, 2022, 50(4): 967-976.
[2]	陈书仪, 刘亚丽, 林昌露, 李涛, 董永权. 面向物联网的轻量级可验证群组认证方案[J]. 电子学报, 2022, 50(4): 990-1001.
[3]	孟超, 周倩, 郭林, 王攀, 孙知信. 基于相关性传输模型的无线链路质量估计方法及路由优化算法[J]. 电子学报, 2022, 50(10): 2409-2424.
[4]	陈亮, 李峰, 任保全, 杨建喜. 软件定义物联网研究综述[J]. 电子学报, 2021, 49(5): 1019-1032.
[5]	丁青锋, 罗静, 高鑫鹏, 石辉. 基于混合量化移相器的毫米波大规模MIMO预编码设计[J]. 电子学报, 2021, 49(12): 2349-2356.
[6]	焦贤龙, 郭松涛, 黎勇, 李艳涛, 向朝参. 基于相继干扰消除和跨层并发传输的物联网数据聚合调度[J]. 电子学报, 2021, 49(10): 1982-1992.
[7]	黄俊君, 关杰. 基于元胞自动机的S盒的性质与神经网络实现研究[J]. 电子学报, 2020, 48(12): 2462-2468.
[8]	黄美根, 郁滨. 软件定义WSN规则一致更新研究[J]. 电子学报, 2019, 47(9): 1965-1971.
[9]	徐诚, 何杰, 张晓彤, 姚翠, 段世红, 齐悦. IMU/TOA融合人体运动追踪性能评估方法[J]. 电子学报, 2019, 47(8): 1748-1754.
[10]	王巍, 彭力, 赵继军, 常存喜, 黄晓丹, 田立勤. 移动物联网非完整约束中继的协同任务规划[J]. 电子学报, 2019, 47(6): 1251-1259.
[11]	李森森, 黄一才, 郁滨, 鲍博武. 基于PUF的低开销物联网安全通信方案[J]. 电子学报, 2019, 47(4): 812-817.
[12]	唐晓庆, 谢桂辉, 佘亚军, 俞杨. 基于MCU的无源Wi-Fi散射通信方法[J]. 电子学报, 2019, 47(10): 2069-2075.
[13]	赵世杰, 高雷阜, 于冬梅, 徒君. 基于变因子加权学习与邻代维度交叉策略的改进CSA算法[J]. 电子学报, 2019, 47(1): 40-48.
[14]	庹宇鹏, 张永铮, 尹涛. P2P僵尸网络跨域体系结构的构建与评估[J]. 电子学报, 2018, 46(4): 791-796.
[15]	杨晓东, 陈益强, 于汉超, 张迎伟, 钟习, 胡子昂, 刘弘. 面向帕金森病的多模态异构协同感知方法[J]. 电子学报, 2018, 46(3): 659-664.

算法	用时
SFS	1396.8315
SBS	3503.1650
RFE	2168.1705
MADM-RC-SFS	911.1700

算法	用时
SFS	1396.8315
SBS	3503.1650
RFE	2168.1705
MADM-RC-SFS	911.1700