基于机器学习的匿名流量分类方法研究

doi:10.3969/j.issn.1671-1122.2023.05.001

摘要/Abstract

摘要：

匿名通信工具在进行用户隐私保护的同时也为违法犯罪提供了便利，使得网络环境净化与监管愈发困难。对匿名网络信息交换产生的匿名流量进行分类可以细化网络监管范围。文章针对现有匿名流量分类方法存在流量分类粒度不细致和应用层匿名流量分类准确率偏低等问题，提出一种基于机器学习的匿名流量分类方法。该方法包括基于自动编码器和随机森林的特征提取模型以及基于卷积神经网络和XGBoost的匿名流量多分类模型两个模型，通过特征重构和模型结合的方式提升分类效果。最后在Anon17公开匿名流量数据集上进行了验证，证明了模型的可用性、有效性和准确性。

关键词: 机器学习, 匿名流量, 自动编码器, 特征提取, 卷积神经网络

Abstract:

Anonymous communication tools not only protect users’ privacy, but also provide shelter for crimes, making it more difficult to purify and supervise the network environment. Classification of anonymous traffic generated during information exchange in anonymous networks can refine the scope of network supervision. Aiming at the problems of insufficient granularity of traffic classification and low accuracy of anonymous traffic classification in the application layer in the existing anonymous traffic classification field, this paper proposed an application layer multi classification method for anonymous traffic based on machine learning. It included the feature extraction model based on auto-encoder and random forest, and the anonymous traffic multi classification model based on convolutional neural networks and XGBoost. The classification effect is improved through feature reconstruction and model combination, and is verified on Anon17 public anonymous traffic dataset, proving the usability, effectiveness and accuracy of the designed model.

Key words: machine learning, anonymous traffic, auto-encoder, feature extraction, convolutional neural networks

中图分类号:

TP309

赵小林, 王琪瑶, 赵斌, 薛静锋. 基于机器学习的匿名流量分类方法研究[J]. 信息网络安全, 2023, 23(5): 1-10.

ZHAO Xiaolin, WANG Qiyao, ZHAO Bin, XUE Jingfeng. Research on Anonymous Traffic Classification Method Based on Machine Learning[J]. Netinfo Security, 2023, 23(5): 1-10.

图/表 19

表1

表2

图1

图2

图3

表3

表4

图4

图5

表5

图6

图7

图8

图9

图10

表6

图11

图12

图13

参考文献 21

[1]	SHIN Y, YASUDA H, MAEDA K, et al. Anonymous Communication System and Method for Subscribing to Said Communication System: Japan, US15772985[P]. 2019-05-16.
[2]	TEAM T M. Onion Services-Tor Metrics[EB/OL]. (2018-10-01)[2022-09-27]. http://metrics.torpro ject.org.
[3]	CAO Shimin, WANG Juan. Review of the Special Network Traffic Identification[J]. Computer Knowledge and Technology, 2018, 14(17): 22-26, 30.
[4]	SINGH A, JANG-JACCARD J. Autoencoder-Based Unsupervised Intrusion Detection Using Multi-Scale Convolutional Recurrent Networks[EB/OL]. [2022-09-27]. https://doi.org/10.48550/arXiv.2204.03779.
[5]	WEI Songjie, LI Chenghao, SHEN Haotong, et al. Research and Application of Network Hidden Traffic Detection Method Based on Deep Forest[J]. Netinfo Security, 2022, 22(8): 64-71.
	魏松杰, 李成豪, 沈浩桐, 等. 基于深度森林的网络匿流量检测方法研究与应用[J]. 信息网络安全, 2022, 22(8):64-71.
[6]	WANG Xirui, LU Tianliang, ZHANG Jianling, et al. Tor Anonymous Traffic Identification Method Based on Weighted Stacking Ensemble Learning[J]. Netinfo Security, 2021, 21(12): 118-125.
	王曦锐, 芦天亮, 张建岭, 等. 基于加权Stacking集成学习的Tor匿名流量识别方法[J]. 信息网络安全, 2021, 21(12):118-125.
[7]	THABTAH F, KAMALOV F, HAMMOUD S, et al. Least Loss: A Simplified Filter Method for Feature Selection[J]. Information Sciences, 2020, 534: 1-15. doi: 10.1016/j.ins.2020.05.017 URL
[8]	ALI W. Phishing Website Detection Based on Supervised Machine Learning with Wrapper Features Selection[J]. International Journal of Advanced Computer Science and Applications, 2017, 8(9): 72-78.
[9]	HAMEED S S, PETINRIN O O, HASHI A O, et al. Filter-Wrapper Combination and Embedded Feature Selection for Gene Expression Data[J]. International Journal of Advances in Soft Computing and Its Applications, 2018, 10(1): 90-105.
[10]	LI Zhiqin, DU Jianqiang, NIE Bin, et al. Overview of Feature Selection Methods[J]. Computer Engineering and Applications, 2019, 55(24): 10-19. doi: 10.3778/j.issn.1002-8331.1909-0066
	李郅琴, 杜建强, 聂斌, 等. 特征选择方法综述[J]. 计算机工程与应用, 2019, 55(24):10-19. doi: 10.3778/j.issn.1002-8331.1909-0066
[11]	ZHANG Ge, WANG Jianlin. High-Dimensional Feature Selection Method Based on Hybrid ABC and CRO[J]. Computer Engineering and Applications, 2019, 55(11): 93-101. doi: 10.3778/j.issn.1002-8331.1811-0316
	张戈, 王建林. 基于混合ABC和CRO的高维特征选择方法[J]. 计算机工程与应用, 2019, 55(11):93-101. doi: 10.3778/j.issn.1002-8331.1811-0316
[12]	BEL O, PATA J, VLIMANT J R, et al. Diolkos: Improving Ethernet Throughput Through Dynamic Port Selection[C]// ACM. 18th ACM International Conference on Computing Frontiers. New York: ACM, 2021: 83-92.
[13]	THAY C, VISOOTTIVISETH V, MONGKOLLUKSAMEE S. P2P Traffic Classification for Residential Network[C]// IEEE. 2015 International Computer Science and Engineering Conference(ICSEC). New York: IEEE, 2015: 1-6.
[14]	CAI Manchun, WANG Tengfei, YUE Ting, et al. Fingerprint Recognition Technology of Tor Website Based on ARF[J]. Netinfo Security, 2021, 21(4): 39-48.
	蔡满春, 王腾飞, 岳婷, 等. 基于ARF的Tor网站指纹识别技术[J]. 信息网络安全, 2021, 21(4):39-48.
[15]	SUN Zhijun, XUE Lei, XU Yangming, et al. Overview of Deep Learning Research[J]. Application Research of Computers, 2012, 29(8): 2806-2810.
	孙志军, 薛磊, 许阳明, 等. 深度学习研究综述[J]. 计算机应用研究, 2012, 29(8):2806-2810.
[16]	NIMS. Network Information Management and Security Group[EB/OL]. [2022-09-27]. https://projects.cs.dal.ca/projectx/.
[17]	KHALID SHAHBAR A Z H. Anonymity Networks Dataset[EB/OL]. [2022-09-27] https://web.cs.dal.ca/-shahbar/dataset/anon17.
[18]	ZHANG Qian, LU Han, SAK H, et al. Transformer Transducer: A Streamable Speech Recognition Model with Transformer Encoders and RNN-t Loss[C]// IEEE. 2020 IEEE International Conference on Acoustics, Speech and Signal Processing(ICASSP). New York: IEEE, 2020: 7829-7833.
[19]	OKADA S, OHZEKI M, TAGUCHI S. Efficient Partition of Integer Optimization Problems with One-Hot Encoding[J]. Scientific Reports, 2019, 9(1): 1-12. doi: 10.1038/s41598-018-37186-2
[20]	MONTIERI A, CIUONZO D, BOVENZI G, et al. A Dive into the Dark Web: Hierarchical Traffic Classification of Anonymity Tools[J]. IEEE Transactions on Network Science and Engineering, 2019, 7(3): 1043-1054. doi: 10.1109/TNSE.6488902 URL
[21]	CHEN Tianqi, GUESTRIN C. XGBoost: A Scalable Tree Boosting System[C]// ACM. 22nd ACM Sigkdd International Conference on Knowledge Discovery and Data Mining. New York: ACM, 2016: 785-794.

方法	类别	优点	缺点
过滤式	特征排序	训练效率较高	特征子集冗余度高
过滤式	搜索策略	特征子集冗余度低	依赖度量标准，不适用于高维数据
封装式	—	可获得近似最优解	训练容易出现过拟合
嵌入式	—	效率高，可处理高维数据	依赖学习算法，可能过拟合
集成式	—	稳定性好，较准确	特征子集无法复现

方法	优点	缺点
基于端口识别的分类方法	简单快捷	无法识别加密和匿名流量
基于深度包检测的分类方法	分析细致，准确率高	需要维护指纹库，识别复杂且无法处理匿名流量
基于统计的分类方法	模型自主学习且训练简单	依赖提取的特征信息的质量
基于行为的分类方法	利用模型学习，不需人工参与	不适用于匿名流量

特征子集	编码后的结果
[“Streaming”,“A”,“8_6_1”,“0x01”,“0_6_2_123_2”]	1000100011010
[“Torrent”,“B”,“8_6_2”,“0x04”,“0_6_2_123_1”]	0100010100101
[“Eepsites”,“A”,“8_6_3”,“0x01”,“0_6_2_123_1”]	0010101001001
[“Browsing”,“B”,“8_6_3”,“0x01”,“0_6_2_123_2”]	0001011001010

名称	优点	缺点
序数编码	实际应用场景简单，编码过程简单高效	未考虑空间中的距离，不适合学习算法的预处理
目标编码	考虑分类变量和目标变量之间的关系	容易出现标签泄露，对标签十分敏感，编码结果容易出现偏差
独热编码	编码过程考虑欧式空间中的距离	容易出现高维度稀疏矩阵，需要进一步处理

优化器	优点	缺点
SGD	训练速度快	对梯度的估计准确率低
Momentum	可以加速梯度下降并减小谷底震荡现象	盲目训练时适应性较差
RMSProp	可以平衡导数值，防止学习过早结束	依赖于全局学习率
Adam	结合二阶动量后优化效果更好	可能出现损失函数不收敛和错过全局最优解的情况