对比学习的恶意加密流量检测方法

doi:10.3969/j.issn.1006-2475.2025.12.009

摘要/Abstract

摘要： 摘要：针对恶意加密流量检测模型表征能力不足的问题，提出一种基于对比学习的恶意加密流量检测方法，旨在提高模型的表征能力从而提高恶意加密流量的检测精度。与传统方法直接从流量数据中提取流量特征不同，本文方法侧重于学习数据的内在表示后再进行特征提取。具体来说，首先利用多尺度机制提取加密流量的局部与全局特征，以捕捉不同尺度下的关键信息。然后，在对比学习的度量空间中，通过优化目标函数，缩小加密流量与正确分类标签的距离，同时增加与错误分类标签的距离，使得模型能够更好地区分恶意与正常的加密流量。经过训练，模型捕获到更具区分度的加密流量特征，最终提高检测精度。实验数据集由UNSW NS 2019、CICIDS-2017、CIC-AndMal 2017、Malware Capture Facility Project Dataset和CICIDS-2012等多个公共数据集采样组合而成。实验结果表明，该方法较对比模型表现出更优的性能，检测精度达到97.59%，相较随机森林的基准模型，提高了3.16百分点。此外，该方法在可解释性与检测速率上也有提升。

关键词: 关键词：加密流量, 恶意流量, 深度学习, 对比学习, 多尺度特征

Abstract: Abstract: To address the issue of insufficient representation capability in malicious encrypted traffic detection models， a malicious encrypted traffic detection method based on contrastive learning is proposed， with the goal of enhancing the model’s representation ability and thereby improving the detection accuracy of malicious encrypted traffic. This method diverges from traditional approaches that directly extract features from traffic data， focusing instead on learning the intrinsic representations of the data prior to feature extraction. Specifically， local and global features of encrypted traffic are extracted using a multi-scale mechanism to capture key information at different scales. Then， in the metric space of contrastive learning， the distance between encrypted traffic and the correct classification label is minimized， while the distance from the incorrect classification label is maximized by optimizing the objective function， enabling the model to better distinguish between malicious and normal encrypted traffic. After training， the model captures more discriminative features of encrypted traffic， ultimately improving detection accuracy. The experimental dataset is composed of sampling from multiple public datasets including UNSW NS 2019， CICIDS-2017， CIC-AndMal 2017， Malware Capture Facility Project Dataset， and CICIDS-2012. The results show that the method achieves 97.59% detection accuracy， exceeding comparative models， with 3.16 percentage points increase over the random forest benchmark. Furthermore， the interpretability and detection rate of the method are also improved.

Key words: Key words: encrypted traffic, malicious traffic, deep learning, contrastive learning, multi-scale features

中图分类号:

中图分类号：TP393

吴佳宏. 对比学习的恶意加密流量检测方法[J]. 计算机与现代化, 2025, 0(12): 61-65.

WU Jiahong. Contrastive Learning Method for Detecting Malicious Encrypted Traffic [J]. Computer and Modernization, 2025, 0(12): 61-65.

参考文献

［1］ SHEN M， YE K， LIU X T， et al. Machine learning-powered encrypted network traffic analysis: A comprehensive survey［J］. IEEE Communications Surveys & Tutorials， 2022，25（1）:791-824
［2］温纤纤，柳毅，凌捷，等. 基于1DCNN-GRU的网络入侵检测混合模型［J］. 计算机应用与软件， 2023，40（6）:282-287.
［3］龚星宇，来源，李娜，等. 基于多尺度融合和时空特征的网络入侵检测模型［J］. 计算机工程与设计， 2024，45（6）:1640 -1646.
［4］邓昕，刘朝晖，欧阳燕，等. 基于CNN CBAM-BiGRU Attention的加密恶意流量识别［J］. 计算机工程， 2023，49（11）:178-186.
［5］巩思越，刘辉，王宝会. 基于会话统计编码器的恶意加密流量检测方法研究［J］. 计算机科学， 2024，51（11）:340-346.
［6］ ZHANG S R， BU Y J， CHEN B， et al. Transfer learning for encrypted malicious traffic detection based on efficientnet［C］// 2021 3rd International Conference on Advances in Computer Technology， Information Science and Communication （CTISC）. IEEE， 2021:72-76.
［7］ HONG Y P， LI Q， YANG Y Q， et al. Graph based encrypted malicious traffic detection with hybrid analysis of multi-view features［J］. Information Sciences， 2023，644. DOI: 10.1016/j.ins.2023.119229.
［8］ YANG H， HE Q， LIU Z Y， et al. Malicious encryption traffic detection based on NLP［J］. Security and Communication Networks， 2021，2021. DOI: 10.1155/2021/9960822.
［9］ YANG J， LIANG G， LI B B， et al. A deep-learning- and reinforcement-learning-based system for encrypted network malicious traffic detection［J］. Electronics Letters， 2021，57（9）:363-365
［10］ WANG Z H， FOK K W， THING V L L. Machine learning for encrypted malicious traffic detection: Approaches， datasets and comparative study［J］. Computers & Security， 2022，113（C）. DOI: 10.1016/j.cose.2021.102542.
［11］ JAISWAL A， BABU A R， ZADEH M Z， et al. A survey on contrastive self-supervised learning ［J］. Technologies， 2020，9（1）. DOI: 10.3390/technologies9010002.
［12］李希，刘喜平，李旺才，等. 对比学习研究综述［J］. 小型微型计算机系统， 2023，44（4）:787-797.
［13］ CHEN T， KORNBLITH S， NOROUZI M， et al. A simple framework for contrastive learning of visual representations［C］// Proceedings of the 37th International Conference on Machine Learning. PMLR， 2020:1597-1607.
［14］ GUNEL B， DU J F， CONNEAU A， et al. Supervised contrastive learning for pre-trained language model fine-tuning［J］. arXiv preprint arXiv:2011.01403， 2020.
［15］ HAN T D， XIE W D， ZISSERMAN A. Self-supervised co-training for video representation learning［C］// Proceedings of the 34th International Conference on Neural Information Processing Systems. ACM， 2020:5679-5690.
［16］ HE K M， FAN H Q， WU Y X， et al. Momentum contrast for unsupervised visual representation learning［C］// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. IEEE， 2020:9729-9738.
［17］ HU Q J， WANG X， HU W， et al. AdCo: Adversarial contrast for efficient learning of unsupervised representations from self-trained negative adversaries ［C］// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. IEEE， 2021:1074-1083.
［18］ ZHAO Z Y， GUO Y Y， WANG J H， et al. CL-ETC: A contrastive learning method for encrypted traffic classification［C］// 2022 IFIP Networking Conference （IFIP Networking）. IEEE， 2022. DOI: 10.23919/IFIPNetworking550
13.2022.9829767.
［19］ HE K M， ZHANG X Y， REN S Q， et al. Spatial pyramid pooling in deep convolutional networks for visual recognition ［J］. IEEE Transactions on Pattern Analysis and Machine Intelligence， 2015，37（9）:1904-1916.
［20］ LOPEZ-MARTIN M， SANCHEZ-ESGUEVILLAS A， ARR-IBAS J I， et al. Supervised contrastive learning over prototype-label embeddings for network intrusion detection［J］. Information Fusion， 2022，79（C）:200-228.
［21］陈良臣，高曙，刘宝旭，等. 网络加密流量识别研究进展及发展趋势［J］. 信息网络安全， 2019（3）:19-25.
［22］ LIU J Y， TIAN Z Y， ZHENG R F， et al. A distance-based method for building an encrypted malware traffic identification framework［J］. IEEE Access， 2019，7:100014-100028.
［23］ KHALID S， KHALIL T， NASREEN S. A survey of feature selection and feature extraction techniques in machine learning［C］// 2014 Science and Information Conference. IEEE， 2014:372-378.
［24］侯剑，鲁辉，刘方爱，等. 加密恶意流量检测及对抗综述［J］. 软件学报， 2024，35（1）:333-355.
［25］ SHAHHOSSEINI M， MASHAYEKHI H， REZVANI M. A deep learning approach for botnet detection using raw network traffic data［J］. Journal of Network and Systems Management， 2022，30（3）:Article Number 44.
［26］ CELIK Z B， WALLS R J， MCDANIEL P， et al. Malware traffic detection using tamper resistant features［C］// MILC
OM 2015-2015 IEEE Military Communications Conference. IEEE， 2015:330-335.
［27］ SARKAR D， VINOD P， YERIMA S Y. Detection of Tor traffic using deep learning［C］// 2020 IEEE/ACS 17th International Conference on Computer Systems and Applications （AICCSA）. IEEE， 2020. DOI: 10.1109/AICCSA50499.2020.9316533.

[1]	李京阳1, 薛化建2, 3, 杨勇1, 任鸽1. 基于边缘计算的智能监考系统[J]. 计算机与现代化, 2025, 0(12): 26-31.
[2]	刘健龙1, 岑颖2, 许斌3, 焦旋4. 多视图IM-NET三维目标精细化重建[J]. 计算机与现代化, 2025, 0(12): 46-53.
[3]	汤辉1, 刘鑫2, 胡必伟1, 刘帆1. KD-NeRF：知识蒸馏增强的果树神经辐射场重建方法[J]. 计算机与现代化, 2025, 0(12): 66-73.
[4]	涂子健1, 2, 王梓2, 汤进1, 2, 3. 用于手卫生评估的多专家对比学习方法[J]. 计算机与现代化, 2025, 0(12): 88-96.
[5]	罗冠聪1, 冯跃1, 徐红2, 秦传波1, 李福凤3, 钱鹏3, 刘慧琳3. 元学习优化的面部色诊分类方法[J]. 计算机与现代化, 2025, 0(12): 115-122.
[6]	王晶鹏, 崔雨勇, 蔡长霖, 赫明骜, 李颖浩, 唐中和. 一种改进的跨模态交互和多尺度聚合的SOD算法[J]. 计算机与现代化, 2025, 0(11): 71-79.
[7]	黄姗姗, 罗旺, 郝运河. 基于知识蒸馏技术的电力视觉系统[J]. 计算机与现代化, 2025, 0(10): 20-24.
[8]	李雪, 魏延, 李林骏. 基于DWT-SCINet-MDSC的电价预测混合模型[J]. 计算机与现代化, 2025, 0(10): 37-43.
[9]	姚敏佳1, 宋文爱1, 孙雪2, 王子钰3, 雷毅4, 王青4, 赵莉5. InstantMesh：早期胃癌图像三维重建方法[J]. 计算机与现代化, 2025, 0(10): 51-56.
[10]	李雄清1, 2, 彭明田1, 2, 李永1, 2, 王骏飞1, 2, 刘德志1, 3, 卞宇轩1, 3, 柴阅林1, 3, 刘云韬1, 3. 打包推荐算法综述[J]. 计算机与现代化, 2025, 0(09): 1-13.
[11]	张婧颖1, 耿琳2, 刘宁钟2. 基于自蒸馏和自注意力增强的低数据细粒度图像分类[J]. 计算机与现代化, 2025, 0(09): 27-34.
[12]	韦慧敏1, 2, 周加可1, 2, 文勇军1, 2, 唐立军1, 2. 基于深度学习的中文实体关系联合抽取方法[J]. 计算机与现代化, 2025, 0(08): 10-15.
[13]	李佳. 基于迁移学习的乳腺癌组织病理图像分类诊断[J]. 计算机与现代化, 2025, 0(08): 89-96.
[14]	张山鹿1, 张伟2. 基于领域生成和对比学习的人脸活体检测[J]. 计算机与现代化, 2025, 0(07): 1-8.
[15]	刘少君, 沙倚天, 金倩倩, 陈鹏, 吴越. 面向智能电网的LDA-IDF进程日志异常检测方法[J]. 计算机与现代化, 2025, 0(06): 114-119.