Malicious TLS Traffic Identification Based on Deep Generation Adversarial Network

Abstract

Abstract: The class imbalance problem in the public data sets of malicious encrypted traffic identification seriously affects the performance of malicious traffic prediction. In this paper, we propose to use the generator and discriminator in the depth generation adversarial network DGAN to simulate the generation of real data sets and the expansion of small sample data to form balanced data sets. In addition, in order to solve the problems that traditional machine learning methods rely on artificial feature extraction, which leads to the decrease of classification accuracy, a malicious traffic recognition model based on the combination of two-way gating loop unit BiGRU and attention mechanism is proposed. The deep learning algorithm automatically obtains the important feature vectors of different time series of data sets to identify malicious traffic. Experiments show that compared with the common malicious traffic recognition algorithms, the model has a good improvement in accuracy, recall, F1 and other indicators, and can effectively realize the identification of malicious encrypted traffic.

Key words: malicious encrypted traffic, generation adversarial network, class imbalance, traffic identification

QIN Ming-yue, NIAN Mei, ZHANG Jun, . Malicious TLS Traffic Identification Based on Deep Generation Adversarial Network[J]. Computer and Modernization, 2022, 0(04): 121-126.

References ［26］

［1］	Cisco. Encrypted traffic analytics (ETA)［EB/OL］. ［2021-03-27］. https://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/eta.html.
［2］	ISRG互联网安全研究小组. Let’s Encrypt统计数据［EB/OL］. ［2021-03-27］. https://letsencrypt.org/zh-cn/stats/.
［3］	Cisco. Encrypted traffic analytics white paper［EB/OL］. ［2018-12-31］. https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf.
［4］	陈良臣,高曙,刘宝旭,等. 网络加密流量识别研究进展及发展趋势［J］. 信息网络安全, 2019,19(3):19-25.
［5］	潘吴斌,程光,郭晓军,等. 网络加密流量识别研究综述及展望［J］. 通信学报, 2016,37(9):154-167.
［6］	ANDERSON B, PAUL S, MCGREW D. Deciphering malware’s use of TLS (without decryption)［J］. Journal of Computer Virology and Hacking Techniques, 2018,14(3):195-211.
［7］	ZHOU H Y, WANG Y, LEI X C, et al. A method of improved CNN traffic classification［C］// Proceedings of the 2017 13th International Conference on Computational Intelligence and Security (CIS). 2017:177-181.
［8］	KIM J, KIM J, THU H L T, et al. Long short term memory recurrent neural network classifier for intrusion detection［C］// Proceedings of the 2016 International Conference on Platform Technology and Service (PlatCon). 2016. DOI: 10.1109/PlatCon.2016.7456805.
［9］	CHAWLA N V, BOWYER K W, HALL L O, et al. SMOTE: Synthetic minority over-sampling technique［J］. Journal of Artificial Intelligence Research, 2002,16(1):321-357.
［10］	BATISTA G E A P A, CARVALHO A C P L F, MONARD M C. Applying one-sided selection to unbalanced datasets［C］// Proceedings of the 2000 Mexican International Conference on Artificial Intelligence: Advances in Artificial Intelligence. 2000:315-325.
［11］	YEN S J, LEE Y S. Cluster-based under-sampling approaches for imbalanced data distributions［J］. Expert Systems with Applications, 2009,36(3):5718-5727.
［12］	GOODFELLOW I J, SHLENS J, SZEGEDY C. Explaining and harnessing adversarial examples［J］. arXiv preprint arXiv:1412.6572, 2014.
［13］	李沛洋,李璇,陈俊杰,等. 面向规避僵尸网络流量检测的对抗样本生成［J/OL］. 计算机工程与应用:1-9(2021-01-29)［2021-03-27］. https://kns.cnki.net/kcms/detail/11.2127.TP.20210129.1053.004.html.
［14］	谭越,邹福泰. 基于ResNet和BiLSTM的僵尸网络检测方法［J］. 通信技术, 2019,52(12):2975-2981.
［15］	林雍博,凌捷. 基于残差网络和GRU的XSS攻击检测方法［J/OL］. 计算机工程与应用:1-8(2021-04-20)［2021-04-28］. https://kns.cnki.net/kcms/detail/11.2127.TP.20210420.1038.030.html.
［16］	万子云,陈世伟,秦斌,等. 基于深度学习的MOOC作弊行为检测研究［J］. 信息安全学报, 2021,6(1):32-39.
［17］	王晓茹,张珩. 基于注意力机制和图卷积的小样本分类网络［J/OL］. 计算机工程与应用:1-8(2021-06-24)［2021-06-25］. https://kns.cnki.net/kcms/detail/11.2127.tp.20210624.1629.006.html.
［18］	VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need［C］// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017:6000-6010.
［19］	王伟. 基于深度学习的网络流量分类及异常检测方法研究［D］. 合肥:中国科学技术大学, 2018.
［20］	蒋彤彤,尹魏昕,蔡冰,等. 基于多头注意力的恶意加密流量识别［J/OL］. 计算机工程:1-14［2021-05-08］. https://doi.org/10.19678/j.issn.1000-3428.0058517.
［21］	李道全,王雪,于波,等. 基于一维卷积神经网络的网络流量分类方法［J］. 计算机工程与应用, 2020,56(3):94-99.
［22］	University of New Brunswick. Intrusion detection evaluation dataset (CIC-IDS2017)［EB/OL］. ［2021-05-08］. https://www.unb.ca/cic/datasets/ids-2017.html.
［23］	DUNCAN B. Malware-traffic-analysis［EB/OL］. ［2021-05-08］. https://www.malware-traffic-analysis.net.
［24］	Stratosphere Lab. Malware capture facility project［EB/OL］. ［2021-05-08］. https://www.stratosphereips.org/datasets-malware.
［25］	RADFORD A, METZ L, CHINTALA S. Unsupervised representation learning with deep convolutional generative adversarial networks［J］. arXiv preprint arXiv:1511.06434, 2015.
［26］	WANG W, ZHU M, WANG J L, et al. End-to-end encrypted traffic classification with one-dimensional convolution neural networks［C］// Proceedings of the 2017 IEEE International Conference on Intelligence and Security Informatics (ISI). 2017:43-48.

[1]	WANG Yao, LI Wei, WU Ke-he, CUI Wen-chao. Application of Fusion Model of GBDT and LR in Encrypted Traffic Identification [J]. Computer and Modernization, 2020, 0(03): 93-.
[2]	XI Xiao-yan, YU Hua-long. Coupling Sample Prior Distribution Weighted Extreme Learning Machine [J]. Computer and Modernization, 2018, 0(08): 61-.