基于流量行为图的攻击检测方法

doi:10.3969/j.issn.1671-1122.2022.01.009

信息网络安全 ›› 2022, Vol. 22 ›› Issue (1): 72-79.doi: 10.3969/j.issn.1671-1122.2022.01.009

基于流量行为图的攻击检测方法

张东鑫¹^,², 郎波¹, 严寒冰¹^,²()

1.北京航空航天大学计算机学院,北京 100191
2.国家互联网应急中心,北京 100029

收稿日期:2021-06-29 出版日期:2022-01-10 发布日期:2022-02-16
通讯作者: 严寒冰 E-mail:yhb@cert.org.cn
作者简介:张东鑫（1996—）,男,河北,硕士研究生,主要研究方向为网络安全;|郎波（1969—）,女,北京,教授,博士,主要研究方向为基于机器学习的大数据分析与管理、信息安全|严寒冰（1975—）,男,江西,正高级工程师,博士,主要研究方向为网络安全、计算机图形学
基金资助:
国家自然科学基金(U1736218);国家重点研发计划(2018YFB0804701)

Attack Detection Method Based on Flow Behavior Graph

ZHANG Dongxin¹^,², LANG Bo¹, YAN Hanbing¹^,²()

1. School of Computer Science and Engineering, Beihang University, Beijing 100191, China
2. National Internet Emergency Center, Beijing 100029, China

Received:2021-06-29 Online:2022-01-10 Published:2022-02-16
Contact: YAN Hanbing E-mail:yhb@cert.org.cn

摘要/Abstract

摘要：

传统基于流的攻击检测无法完全捕获网络通信模式,难以对网络中的攻击事件进行有效检测,而流量行为图中包含的信息可以有效反映主机的真实情况。文章针对多类型网络攻击检测问题,提出了基于流量行为图的攻击检测方法,实现了基于流量行为图的攻击检测。检测方法基于聚类和生成学习模型,包含两个阶段,第一阶段通过聚类算法尽可能地过滤良性节点,第二阶段应用生成学习模型检测多种不同攻击事件。在公开数据集上的实验结果表明,文章提出的攻击检测方法可以有效检测出网络中存在的多种不同攻击事件。此外,系统使用基于Apache Spark的分布式处理框架,可以有效进行大规模数据处理。

关键词: 流量行为图, 聚类, 生成学习, 攻击检测, Spark

Abstract:

Traditional flow-based attack detection cannot fully capture network communication patterns, and it is difficult to effectively detect attack events that exist in the network. The information contained in the flow behavior graph can effectively reflect the real behavior of the host. Aiming at the detection of multiple types of network attacks, this article proposed an attack detection method based on flow behavior graph, and the attack detection based on flow behavior graph was realized. The detection method is based on clustering and a generative learning model, and consists of two stages. The first stage uses a clustering algorithm to filter benign nodes as much as possible, and the second stage uses a generative learning model to detect a variety of different attack events. The experimental results on the public data set show that the attack detection method proposed in this article can effectively detect a variety of different attack events in the network. In addition, the system uses a distributed processing framework based on Apache Spark, which can effectively process large-scale data.

Key words: flow behavior graph, clustering, generative learning, attack detection, Spark

中图分类号:

TP309

张东鑫, 郎波, 严寒冰. 基于流量行为图的攻击检测方法[J]. 信息网络安全, 2022, 22(1): 72-79.

ZHANG Dongxin, LANG Bo, YAN Hanbing. Attack Detection Method Based on Flow Behavior Graph[J]. Netinfo Security, 2022, 22(1): 72-79.

图/表 10

图1

图2

图3

图4

图5

表1

表2

图6

图7

图8

参考文献 15

[1]	DAYA A A, SALAHUDDIN M A, LIMAM N, et al. A Graph-based Machine Learning Approach for Bot Detection[C]//IEEE. 2019 IEEE Symposium on Integrated Network and Service Management(IM), April 8-12, 2019, Arlington, VA, USA. Piscataway: IEEE, 2019: 144-152.
[2]	KAUR G. A Novel Distributed Machine Learning Framework for Semi-supervised Detection of Botnet Attacks[C]//IEEE. 2018 11th International Conference on Contemporary Computing (IC3), August 2-4, 2018, Noida, India. Piscataway: IEEE, 2018: 1-7.
[3]	WANG Kai, CHEN Danwei. Graph Structure Based Anomaly Behavior Detection[C]//Atlantis. 2017 2nd International Conference on Computer Engineering, Information Science & Application Technology (ICCIA 2017), September 8-11, 2017, Beijing, China. Paris: Atlantis Press, 2017: 561-568.
[4]	WANG Wei, SHANG Yaoyao, HE Yongzhong, et al. BotMark: Automated Botnet Detection with Hybrid Analysis of Flow-based and Graph-based Traffic Behaviors[J]. Information Sciences, 2020, 28(511):284-296.
[5]	AKOGLU L, MCGLOHON M, FALOUTSOS C. Oddball: Spotting Anomalies in Weighted Graphs[C]//Springer. Pacific-Asia Conference on Knowledge Discovery and Data Mining, June 21-24, 2010, Hyderabad, India. Heidelberg: Springer, 2010: 410-421.
[6]	NOBLE C C, COOK D J. Graph-based Anomaly Detection[C]//ACM. 2003 9th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, August 24-27, 2003, Washington, DC, USA. New York: ACM, 2003: 631-636.
[7]	LAGRAA S, FRANÇOIS J, LAHMADI A, et al. Botgm: Unsupervised Graph Mining to Detect Botnets in Traffic Flows[C]//IEEE. 2017 1st Cyber Security in Networking Conference (CSNet), October 18-20, 2017, Rio De Janeiro, Brazil. Piscataway: IEEE, 2017: 1-8.
[8]	GAO Jing, LIANG Feng, FAN Wei, et al. On Community Outliers and Their Efficient Detection in Information Networks[C]//ACM. 2010 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, July 25-28, 2010, Washington, DC, USA. New York: ACM, 2010: 813-822.
[9]	MULLER E, SANCHEZ P I, MULLE Y, et al. Ranking Outlier Nodes in Subspaces of Attributed Graphs[C]//IEEE. 2013 IEEE 29th International Conference on Data Engineering Workshops (ICDEW), April 8-12, 2013, Brisbane, QLD, Australia. Piscataway: IEEE, 2013: 216-222.
[10]	AKOGLU L, TONG Hanghang, KOUTRA D. Graph Based Anomaly Detection and Description: A Survey[J]. Data Mining & Knowledge Discovery, 2015, 29(3):626-688.
[11]	BERLINGERIO M, KOUTRA D, ELIASSI-RAD T, et al. NetSimile: A Scalable Approach to Size-Independent Network Similarity[J]. Computer Science, 2012, 12(1):1-28.
[12]	PAPADIMITRIOU P, DASDAN A, GARCIA-MOLINA H. Web Graph Similarity for Anomaly Detection[J]. Journal of Internet Services & Applications, 2010, 1(1):19-30.
[13]	GASTON M E, KRAETZL M, WALLIS W D. Using Graph Diameter for Change Detection in Dynamic Networks[EB/OL]. https://www.researchgate.net/publication/267192400_Using_graph_diameter_for_change_detection_in_dynamic_networks, 2006-01-07.
[14]	KOUTRA D, VOGELSTEIN J T, FALOUTSOS C. DELTACON: A Principled Massive-graph Similarity Function[EB/OL]. https://arxiv.org/abs/1304.4657v1, 2013-04-17.
[15]	SHARAFALDIN I, LASHKARI A H, GHORBANI A A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization[EB/OL]. https://www.scitepress.org/Documents/2018/66398/, 2018-01-22.

参数阶段	总节点数/个	异常节点数/个	异常节点占比
聚类前	269677	72	0.02%
聚类后	1792	72	4.0%

生成学习算法	准确率	召回率
高斯朴素贝叶斯	99.9%	98.6%
高斯判别分析	75.2%	91.4%

基于流量行为图的攻击检测方法

Attack Detection Method Based on Flow Behavior Graph

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 15

相关文章 15

编辑推荐

Metrics

本文评价

[1]	李群, 董佳涵, 关志涛, 王超. 一种基于聚类分类的物联网恶意攻击检测方法[J]. 信息网络安全, 2021, 21(8): 82-90.
[2]	方敏之, 程光, 孔攀宇. 抗噪的应用层二进制协议格式逆向方法[J]. 信息网络安全, 2021, 21(7): 72-79.
[3]	李佳玮, 吴克河, 张波. 基于高斯混合聚类的电力工控系统异常检测研究[J]. 信息网络安全, 2021, 21(3): 53-63.
[4]	宋宇波, 耿益瑾, 李古月, 李涛. 基于差分星座轨迹图的LoRa设备识别方法[J]. 信息网络安全, 2021, 21(1): 41-48.
[5]	王长杰, 李志华, 张叶. 一种针对恶意软件家族的威胁情报生成方法[J]. 信息网络安全, 2020, 20(12): 83-90.
[6]	黄保华, 程琪, 袁鸿, 黄丕荣. 基于距离与误差平方和的差分隐私K-means聚类算法[J]. 信息网络安全, 2020, 20(10): 34-40.
[7]	陈良臣, 刘宝旭, 高曙. 网络攻击检测中流量数据抽样技术研究[J]. 信息网络安全, 2019, 19(8): 22-28.
[8]	田春岐, 李静, 王伟, 张礼庆. 一种基于机器学习的Spark容器集群性能提升方法[J]. 信息网络安全, 2019, 19(4): 11-19.
[9]	傅彦铭, 李振铎. 基于拉普拉斯机制的差分隐私保护k-means++聚类算法研究[J]. 信息网络安全, 2019, 19(2): 43-52.
[10]	吴天雄, 陈兴蜀, 罗永刚. 大数据平台下应用程序保护机制的研究与实现[J]. 信息网络安全, 2019, 19(1): 68-75.
[11]	冯新扬, 沈建京. 一种基于Yarn云计算平台与NMF的大数据聚类算法[J]. 信息网络安全, 2018, 18(8): 43-49.
[12]	陆勰, 罗守山, 张玉梅. 基于Hadoop的海量安全日志聚类算法研究[J]. 信息网络安全, 2018, 18(8): 56-63.
[13]	赵薇, 赵娜, 张怡兴. 基于颜色不变特征的谱聚类双分图分割方法[J]. 信息网络安全, 2018, 18(12): 8-14.
[14]	何利, 姚元辉. 基于上下文聚类的云虚拟机异常检测与识别策略[J]. 信息网络安全, 2018, 18(12): 54-65.
[15]	张雪博, 刘敬浩, 付晓梅. 基于改进Logistic回归算法的抗Web DDoS攻击模型的设计与实现[J]. 信息网络安全, 2017, 17(6): 62-67.