Acta Electronica Sinica


A Multi-Protocol Botnet Detection Method for IoT

YANG Hong-yu1,2, WANG Ze-lin2, ZHANG Liang3, CHENG Xiang4,5

  1. School of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China
  2. School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
  3. School of Information, The University of Arizona, Tucson, Arizona 85721, USA
  4. School of Information Engineering, Yangzhou University, Yangzhou, Jiangsu 225127, China
  5. Jiangsu Engineering Research Center for Knowledge Management and Intelligent Service, Yangzhou, Jiangsu 225127, China
  • Received: 2022-07-25 Revised: 2022-10-08 Online: 2022-11-24
    • About the authors:
    • YANG Hong-yu, male, born December 1969 in Changchun, Jilin. Ph.D., professor at Civil Aviation University of China. Main research interests: network and system security, vulnerability analysis and assessment, cloud computing and big data security. E-mail: yhyxlx@hotmail.com
      WANG Ze-lin, male, born June 1998 in Harbin, Heilongjiang. Master's student at Civil Aviation University of China. Main research interests: network and system security, IoT security, botnet detection. E-mail: cauc_wzl@hotmail.com
      ZHANG Liang, male, born June 1987 in Tianjin. Ph.D., postdoctoral researcher at The University of Arizona. Main research interests: reinforcement learning, deep-learning-based signal processing. E-mail: liangzh@arizona.edu
      CHENG Xiang (corresponding author), male, born September 1988 in Urumqi, Xinjiang. Ph.D., laboratory instructor at Yangzhou University. Main research interests: network and system security, network security situational awareness, federated learning, edge computing.
    • Supported by:
    • National Natural Science Foundation of China (U1833107)

A Multi-Protocol Botnet Detection Method for IoT

YANG Hong-yu1,2, WANG Ze-lin2, ZHANG Liang3, CHENG Xiang4,5   

  1. School of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China
  2. School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
  3. School of Information, The University of Arizona, Tucson, Arizona 85721, USA
  4. School of Information Engineering, Yangzhou University, Yangzhou, Jiangsu 225127, China
  5. Jiangsu Engineering Research Center for Knowledge Management and Intelligent Service, Yangzhou, Jiangsu 225127, China
  • Received:2022-07-25 Revised:2022-10-08 Online:2022-11-24
    • Supported by:
    • National Natural Science Foundation of China (U1833107)

Abstract (translated from the Chinese):

Existing botnet detection methods suffer from uneven sampling, poor feature selection and weak generalization ability, which lead to low detection and classification performance and poor adaptability to IoT environments with limited computing and storage resources. To address these shortcomings, this paper proposes a multi-protocol botnet detection method for the Internet of Things. The designed IP aggregation and feature reconstruction method, based on address triples and time windows, integrates the network traffic obtained from the IoT gateway to produce a reconstructed sample set. The proposed self-correcting hybrid weighted sampling algorithm balances normal traffic and botnet traffic in the reconstructed sample set to produce a resampled sample set. The proposed sequential forward selection algorithm, based on multi-attribute decision making and adjacency relation chains, removes redundant features from the resampled sample set to obtain the optimal feature subset. The designed two-stage hybrid heterogeneous model, optimized by the intermittent-chaos-based bald eagle search algorithm, then detects and classifies the resampled sample set filtered by the optimal feature subset. Experimental results show that the proposed method detects botnets well: the detection accuracy is 99.24%, the Matthews correlation coefficient is 98.49%, the false positive rate is 0.17% and the false negative rate is 1.29%, which is better than existing methods. The method effectively reduces the time and space overhead of sampling and feature selection and adapts well to resource-constrained IoT environments.

Key words: botnet, Internet of Things, sample reconstruction, forward selection, intermittent chaos, search algorithm

Abstract:

In order to solve the problems of uneven sampling, poor feature selection, and weak generalization ability of the existing botnet detection methods, this paper proposes a multi-protocol botnet detection method for the internet of things (IoT). The designed IP aggregation and feature reconstruction method, using address triples and time windows, integrates the network traffic samples obtained from the IoT gateway to obtain the reconstructed sample set. The proposed self-correcting hybrid weighted sampling algorithm balances the normal and botnet flow samples to get the resampled sample set. The proposed sequential forward selection algorithm, based on multi-attribute decision making and adjacency relation chains, is used to eliminate the redundant features and obtain the optimal feature subset. The resampled sample set filtered by the optimal feature subset is detected and classified through the designed two-stage hybrid heterogeneous model optimized by the intermittent chaos-based bald eagle search algorithm. Experimental results show that the proposed method has a good detection effect on botnets. The detection accuracy is 99.24%, the Matthews correlation coefficient is 98.49%, the false positive rate is 0.17%, and the false negative rate is 1.29%, which are better than the existing methods. This method can effectively reduce the time and space overhead of sampling and feature selection and better adapt to the resource-constrained IoT environment.

Key words: botnet, internet of things, sample reconstruction, forward selection, intermittent chaos, search algorithm
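The abstract's first pipeline stage, aggregating gateway flow records by an address triple within a time window and reconstructing per-group features, is illustrated below with a small added example. This is not code from the paper, and the paper does not define its triple or its reconstructed features; the example assumes the triple is (source IP, destination IP, destination port), uses fixed-length windows, and derives a few plausible per-window features (flow count, byte and packet totals, mean inter-flow gap, protocol diversity). The flow records are constructed for the demonstration, and the group label rule (any botnet flow marks the group) is likewise an assumption. The second function reports the class balance of the reconstructed set, which is the quantity the resampling stage of the abstract is meant to correct.

```python
from collections import defaultdict

# Constructed sample flow records (not the paper's dataset). One record per flow,
# roughly as an IoT gateway might export it; timestamps are seconds.
SAMPLE_FLOWS = [
    {"ts": 0.5, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "proto": "tcp", "bytes": 1200, "pkts": 10, "label": "normal"},
    {"ts": 3.0, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "proto": "tcp", "bytes": 800, "pkts": 6, "label": "normal"},
    {"ts": 12.0, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "proto": "tcp", "bytes": 500, "pkts": 4, "label": "normal"},
    {"ts": 1.0, "src": "10.0.0.7", "dst": "198.51.100.2", "dport": 23, "proto": "tcp", "bytes": 60, "pkts": 1, "label": "botnet"},
    {"ts": 1.2, "src": "10.0.0.7", "dst": "198.51.100.2", "dport": 23, "proto": "tcp", "bytes": 60, "pkts": 1, "label": "botnet"},
    {"ts": 1.4, "src": "10.0.0.7", "dst": "198.51.100.2", "dport": 23, "proto": "udp", "bytes": 60, "pkts": 1, "label": "botnet"},
    {"ts": 2.0, "src": "10.0.0.8", "dst": "192.0.2.4", "dport": 1883, "proto": "tcp", "bytes": 300, "pkts": 3, "label": "normal"},
]


def aggregate(flows, window=10.0):
    """Group flows by the assumed address triple (src, dst, dport) and by
    fixed time window, then reconstruct one feature sample per group."""
    groups = defaultdict(list)
    for f in flows:
        key = (f["src"], f["dst"], f["dport"], int(f["ts"] // window))
        groups[key].append(f)

    samples = []
    for (src, dst, dport, win), fs in sorted(groups.items()):
        n = len(fs)
        total_bytes = sum(f["bytes"] for f in fs)
        total_pkts = sum(f["pkts"] for f in fs)
        ts = sorted(f["ts"] for f in fs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]  # inter-flow gaps inside the window
        samples.append({
            "src": src, "dst": dst, "dport": dport, "window": win,
            "flows": n,
            "bytes": total_bytes,
            "pkts": total_pkts,
            "mean_bytes_per_flow": total_bytes / n,
            "mean_gap": sum(gaps) / len(gaps) if gaps else 0.0,
            "protocols": len({f["proto"] for f in fs}),
            # Assumed labelling rule: a group containing any botnet flow is botnet.
            "label": "botnet" if any(f["label"] == "botnet" for f in fs) else "normal",
        })
    return samples


def class_counts(samples):
    """Count reconstructed samples per class; the imbalance here is what a
    resampling stage would have to correct before training."""
    counts = {}
    for s in samples:
        counts[s["label"]] = counts.get(s["label"], 0) + 1
    return counts


if __name__ == "__main__":
    reconstructed = aggregate(SAMPLE_FLOWS)
    for s in reconstructed:
        print(s)
    print("class balance:", class_counts(reconstructed))
```

With a 10-second window the three flows from 10.0.0.5 split into two samples (windows 0 and 1), the three short Telnet flows from 10.0.0.7 collapse into one sample with two distinct protocols and a small mean gap, and the resulting set is three normal samples to one botnet sample, showing how aggregation itself can change the class ratio the later stages see.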

CLC number: