School of Communications and Information Engineering, Nanjing University of Posts and Telecommunications, Nanjing 210003, Jiangsu, China
LU Hao-tian, male, born in September 1998 in Nantong, Jiangsu. Doctoral student, School of Communications and Information Engineering, Nanjing University of Posts and Telecommunications. Research interests: multimedia communication, network traffic identification and federated learning. E-mail: lhtnjupt@163.com
DONG Yu-ning, male, born in 1955 in Nanjing, Jiangsu. Professor and doctoral supervisor, School of Communications and Information Engineering, Nanjing University of Posts and Telecommunications. Research interests: wireless networks, multimedia communication and network traffic identification. E-mail: 19900011@njupt.edu.cn
QUAN Yu-xuan, male, born in June 1998 in Zaozhuang, Shandong. Received the M.Eng. degree from Nanjing University of Posts and Telecommunications in 2024. R&D engineer at Tianyi Security Technology Co., Ltd. (天翼安全科技有限公司). E-mail: quanyx1233@163.com
Received: 2025-01-17; Revised: 2025-04-13; Published in print: 2025-05-25
LU Hao-tian, DONG Yu-ning, QUAN Yu-xuan. A Method for Continuous Detection and Classification of Malicious Network Traffic Based on Double-Layer Model and Distribution of Indexes[J]. Acta Electronica Sinica, 2025, 53(05): 1637-1649. DOI: 10.12263/DZXB.20250069
Open-set malicious traffic recognition plays an important role in network security. Existing methods suffer from a single, inflexible model structure and from neglecting the selection of incremental training samples, which leaves classification performance suboptimal. To address these problems, this paper proposes a method for the continuous detection and classification of malicious network flows based on a double-layer model and the distribution of an index. Building on the relationship between the output weights of a Scalable Extreme Learning Machine (S-ELM) and the standard (target) output, three indexes are designed: an improved closest Pearson correlation coefficient, a normalized relative variance, and a normalized distance to the "others" column. Their product forms a comprehensive index, which is combined with a one-class classifier to detect unknown classes. To improve the continuous incremental capability of S-ELM in the open-set recognition task, a sample selection method based on the distribution of the comprehensive index is designed to choose the optimal incremental training sample set. Comparison experiments with representative methods from the literature show that the proposed method improves the NA index for unknown-class detection by 3% to 13%, and the classification accuracy (Acc) after continuous incremental updating by about 3% to 7%.
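The abstract describes the detection pipeline only at the level of its ingredients (three indexes on the classifier's output row, their product, a threshold, then a selection of increment samples by where they fall in the index distribution). The following is an added illustration of that pipeline, not the authors' code: the exact definitions of the three indexes and of the selection rule are not given on this page, so the block substitutes plain Pearson correlation for the paper's "improved" variant, assumes the model exposes one output column per known class plus a trailing "others" column, uses a lower-half-of-the-distribution rule as a stand-in for the paper's sample selection, and omits the one-class classifier stage entirely. The output rows are constructed by hand.

```python
"""Open-set scoring of classifier output rows, in the spirit of the abstract above.

Added illustration, not the authors' code. Assumptions (not given on the page):
  * the classifier emits one output column per known class plus a trailing
    "others" column (columns 0..n_known-1 are known classes, n_known = "others");
  * the "closest Pearson coefficient" is the plain Pearson correlation between
    the known-class outputs and the nearest one-hot standard output, clipped to
    [0, 1] (the paper's "improved" variant is not reproduced);
  * "normalized relative variance" is the output variance divided by the
    variance of a one-hot vector of the same length, clipped to [0, 1];
  * "normalized distance to the others column" is the gap between the strongest
    known-class output and the "others" output, clipped to [0, 1];
  * increment samples are the lower half (by index) of the flagged unknowns,
    a simple stand-in for the paper's distribution-based selection.
The one-class classifier stage of the paper is omitted.
"""
from statistics import mean, median, pstdev

N_KNOWN = 3  # three known malicious-flow classes; column 3 is "others"

# Constructed output rows (one per flow), for illustration only.
OUTPUTS = [
    [0.95, 0.02, 0.03, 0.05],  # confident known class 0
    [0.40, 0.35, 0.30, 0.45],  # flat, no clear class: unknown-like
    [0.60, 0.30, 0.10, 0.20],  # ambiguous known
    [0.30, 0.55, 0.15, 0.10],  # ambiguous known
    [0.20, 0.25, 0.15, 0.70],  # "others" column dominates: unknown-like
]


def pearson(a, b):
    """Pearson correlation of two equal-length sequences (0 if either is constant)."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = sum((x - ma) ** 2 for x in a) ** 0.5
    sb = sum((y - mb) ** 2 for y in b) ** 0.5
    return 0.0 if sa == 0 or sb == 0 else cov / (sa * sb)


def closest_pearson(out, n_known=N_KNOWN):
    """Largest correlation between the known-class outputs and any one-hot target, clipped to [0, 1]."""
    known = out[:n_known]
    best = max(
        pearson(known, [1.0 if i == k else 0.0 for i in range(n_known)])
        for k in range(n_known)
    )
    return max(0.0, best)


def normalized_relative_variance(out, n_known=N_KNOWN):
    """Variance of the known-class outputs relative to a one-hot vector's variance, clipped to [0, 1]."""
    one_hot_var = (n_known - 1) / n_known ** 2
    return min(1.0, pstdev(out[:n_known]) ** 2 / one_hot_var)


def normalized_others_distance(out, n_known=N_KNOWN):
    """Margin of the strongest known-class output over the "others" column, clipped to [0, 1]."""
    return min(1.0, max(0.0, max(out[:n_known]) - out[n_known]))


def comprehensive_index(out, n_known=N_KNOWN):
    """Product of the three indexes: near 1 for a clean known-class output, near 0 otherwise."""
    return (closest_pearson(out, n_known)
            * normalized_relative_variance(out, n_known)
            * normalized_others_distance(out, n_known))


def detect_unknown(outputs, threshold, n_known=N_KNOWN):
    """One flag per output row: True when the comprehensive index falls below the threshold."""
    return [comprehensive_index(o, n_known) < threshold for o in outputs]


def select_increment_samples(outputs, threshold, n_known=N_KNOWN):
    """Indices of flagged-unknown rows whose index is at or below the median of the flagged set.

    Keeping only the lower half of the flagged distribution drops ambiguous
    known-class rows that barely missed the threshold, so they do not poison
    the increment used to add a new class.
    """
    scored = [(i, comprehensive_index(o, n_known)) for i, o in enumerate(outputs)]
    flagged = [(i, s) for i, s in scored if s < threshold]
    if not flagged:
        return []
    cut = median(s for _, s in flagged)
    return [i for i, s in flagged if s <= cut]


if __name__ == "__main__":
    for i, row in enumerate(OUTPUTS):
        print(i, round(comprehensive_index(row), 3))
    print("unknown flags:", detect_unknown(OUTPUTS, 0.2))
    print("increment samples:", select_increment_samples(OUTPUTS, 0.2))
```

On the constructed rows, the Pearson index alone cannot separate row 1 from row 0 (correlation is scale-invariant, so a flat row still correlates with some one-hot target); it is the variance and "others" terms in the product that push the flat and "others"-dominated rows to zero. With a threshold of 0.2 the two ambiguous rows are also flagged, and the median cut then keeps only the two rows at the bottom of the flagged distribution for the increment.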