基于两阶段图学习的僵尸网络自动化检测方法

doi:10.3969/j.issn.1671-1122.2024.12.011

摘要/Abstract

摘要：

僵尸网络已经成为网络基础设施最严重的威胁之一。现有的僵尸网络检测方法严重依赖特征工程，导致在实际环境中的检测性能受到限制。基于原始流量的僵尸网络检测方法在这方面更具优势，尤其是利用图和原始流量来增强对异常僵尸网络行为的识别，这也是文章研究的重点。文章提出一种基于两阶段图学习的僵尸网络自动化检测方法Graph2BotNet。从每个双向网络流的交互数据包中构建一个流图，通过IP之间通信拓扑构建通信图，采用图同构网络模型学习流图的向量表示，将向量表示嵌入对应的通信图节点中，最后传入第二阶段图学习模型，对节点进行分类。Graph2BotNet利用图结构自动提取流图特征，在不需要大量专家特征的情况下，结合图神经网络模型进行两阶段图学习，实现快速准确的僵尸网络检测。实验结果表明，在ISCX-2014、CTU-13和CICIDS2017僵尸网络数据集上，Graph2BotNet性能优于其他方法。

关键词: 僵尸网络检测, 深度学习, 图神经网络, 网络流量分析, 僵尸网络拓扑

Abstract:

Botnets had become one of the most serious threats to network infrastructure. Existing botnet detection methods heavily rely on feature engineering, which significantly limits their detection performance in real-world environments. Botnet detection methods based on raw traffic had more advantages in this aspect, especially when leveraging graphs and raw traffic to enhance the identification of abnormal botnet behaviors, which is the focus of this study. This paper proposed an automated botnet detection method based on two-stage graph learning called Graph2BotNet. The approach involved constructing a flow graph from the interaction packets of each bidirectional network flow and building a communication graph based on the communication topology between IPs. The graph isomorphism network model was used to learn the vector representation of the flow graph, embedding the vector representation into the corresponding communication graph nodes, and finally passing it into the second stage-graph neural networks model to classify the nodes. Graph2BotNet leveraged the graph structure to automatically extract flow graph features and, without requiring extensive expert features, combined graph neural network models to perform two-stage graph learning for fast and accurate botnet detection. The experimental results on the ISCX-2014, CTU-13, and CICIDS2017 botnet datasets demonstrate that Graph2BotNet outperforms the current state-of-the-art methods.

Key words: Botnet detection, deep learning, graph neural networks, network traffic analysis, botnet topology

中图分类号:

TP309

张选, 万良, 罗恒, 杨阳. 基于两阶段图学习的僵尸网络自动化检测方法[J]. 信息网络安全, 2024, 24(12): 1933-1947.

ZHANG Xuan, WAN Liang, LUO Heng, YANG Yang. Automated Botnet Detection Method Based on Two-Stage Graph Learning[J]. Netinfo Security, 2024, 24(12): 1933-1947.

图/表 13

图1

图2

图3

图4

表1

表2

表3

表4

表5

图5

表6

表7

表8

参考文献 29

[1]	XING Ying, SHU Hui, ZHAO Hao, et al. Survey on Botnet Detection Techniques: Classification, Methods, and Evaluation[J]. Mathematical Problems in Engineering, 2021, 2021: 1-24.
[2]	SHARAFALDIN I, GHARIB A, LASHKARI A H, et al. BotViz: A Memory Forensic-Based Botnet Detection and Visualization Approach[C]// IEEE. 2017 International Carnahan Conference on Security Technology (ICCST). New York: IEEE, 2017: 1-8.
[3]	CREECH G, HU Jiankun. A Semantic Approach to Host-Based Intrusion Detection Systems Using Contiguousand Discontiguous System Call Patterns[J]. IEEE Transactions on Computers, 2014, 63(4): 807-819.
[4]	GARRE J T, GILPÉREZ M, RUIZ-MARTÍNEZ A. A Novel Machine Learning-Based Approach for the Detection of SSH Botnet Infection[J]. Future Generation Computer Systems, 2021, 115: 387-396.
[5]	HOSSAIN M I, ESHRAK S, AUVIK M J, et al. Efficient Feature Selection for Detecting Botnets Based on Network Traffic and Behavior Analysis[C]// ACM. 7th International Conference on Networking, Systems and Security. New York: ACM, 2020: 56-62.
[6]	XIA Qinyu, DONG Shi, PENG Tao. An Abnormal Traffic Detection Method for IoT Devices Based on Federated Learning and Depthwise Separable Convolutional Neural Networks[C]// IEEE. 2022 IEEE International Performance, Computing, and Communications Conference (IPCCC). New York: IEEE, 2022: 352-359.
[7]	ZHOU Jiawei, XU Zhiying, RUSH A M, et al. Automating Botnet Detection with Graph Neural Networks[EB/OL]. (2020-03-13)[2024-03-04]. https://arxiv.org/abs/2003.06344v1.
[8]	HU Xiaoyan, GAO Wenjie, CHENG Guang, et al. Toward Early and Accurate Network Intrusion Detection Using Graph Embedding[J]. IEEE Transactions on Information Forensics and Security, 2023, 18: 5817-5831.
[9]	VELASCO-MATA J, GONZÁLEZ-CASTRO V, FIDALGO E, et al. Real-Time Botnet Detection on Large Network Bandwidths Using Machine Learning[EB/OL]. (2023-03-15)[2024-03-04]. https://pubmed.ncbi.nlm.nih.gov/36922641/.
[10]	BANSAL A, MAHAPATRA S. A Comparative Analysis of Machine Learning Techniques for Botnet Detection[C]// ACM. Proceedings of the 10th International Conference on Security of Information and Networks. New York: ACM, 2017: 91-98.
[11]	LETTERI I, DELLA PENNA G, CAIANIELLO P. Feature Selection Strategies for HTTP Botnet Traffic Detection[C]// IEEE. 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). New York: IEEE, 2019: 202-210.
[12]	IBRAHIM W N H, ANUAR S, SELAMAT A, et al. Multilayer Framework for Botnet Detection Using Machine Learning Algorithms[J]. IEEE Access, 2021, 9: 48753-48768.
[13]	SHAHHOSSEINI M, MASHAYEKHI H, REZVANI M. A Deep Learning Approach for Botnet Detection Using Raw Network Traffic Data[EB/OL]. [2024-03-04]. https://link.springer.com/article/10.1007/s10922-022-09655-7.
[14]	LUO Fuhua, ZHANG Aixin. Botnet Detection Technology Based on Deep Learning[J]. Communications Technology, 2020, 53(1): 174-179.
	罗扶华, 张爱新. 基于深度学习的僵尸网络检测技术研究[J]. 通信技术, 2020, 53(1): 174-179.
[15]	ZOU Futai, TAN Yue, WANG Lin, et al. Botnet Detection Based on Generative Adversarial Network[J]. Journal on Communications, 2021, 42(7): 95-106. doi: 10.11959/j.issn.1000-436x.2021082
	邹福泰, 谭越, 王林, 等. 基于生成对抗网络的僵尸网络检测[J]. 通信学报, 2021, 42(7): 95-106. doi: 10.11959/j.issn.1000-436x.2021082
[16]	XIA Yuanjun, DONG Shi, PENG Tao, et al. Wireless Network Abnormal Traffic Detection Method Based on Deep Transfer Reinforcement Learning[C]// IEEE. 2021 17th International Conference on Mobility, Sensing and Networking (MSN). New York: IEEE, 2021: 528-535.
[17]	DONG Shi, XIA Yuanjun, PENG Tao. Network Abnormal Traffic Detection Model Based on Semi-Supervised Deep Reinforcement Learning[J]. IEEE Transactions on Network and Service Management, 2021, 18(4): 4197-4212.
[18]	PEKTAŞ A, ACARMAN T. Botnet Detection Based on Network Flow Summary and Deep Learning[EB/OL]. (2018-07-25)[2024-03-04]. https://doi.org/10.1002/nem.2039.
[19]	WANG Wei, SHANG Yaoyao, HE Yongzhong, et al. BotMark: Automated Botnet Detection with Hybrid Analysis of Flow-Based and Graph-Based Traffic Behaviors[J]. Information Sciences, 2020, 511: 284-296.
[20]	LIN Honggang, ZHANG Yunli, GUO Nanxin, et al. P2P Botnet Detection Method Based on Graph Neural Network[J]. Advanced Engineering Sciences, 2022, 54(2): 65-72.
	林宏刚, 张运理, 郭楠馨, 等. 基于图神经网络的P2P僵尸网络检测方法[J]. 工程科学与技术, 2022, 54(2): 65-72.
[21]	GITHUB. FlowContainer[EB/OL]. [2024-03-04]. https://github.com/jmhIcoding/flowcontainer.
[22]	AL-NAAMI K, CHANDRA S, MUSTAFA A, et al. Adaptive Encrypted Traffic Fingerprinting with Bi-Directional Dependence[C]// ACM. Proceedings of the 32nd Annual Conference on Computer Security Applications. New York: ACM, 2016: 177-188.
[23]	GROVER A, LESKOVEC J. Node2vec: Scalable Feature Learning for Networks[C]// ACM. Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: ACM, 2016: 855-864.
[24]	BIGLAR B E, HADIAN J H, STAKHANOVA N, et al. Towards Effective Feature Selection in Machine Learning-Based Botnet Detection Approaches[C]// IEEE. 2014 IEEE Conference on Communications and Network Security. New York: IEEE, 2014: 247-255.
[25]	GARCÍA S, GRILL M, STIBOREK J, et al. An Empirical Comparison of Botnet Detection Methods[J]. Computers & Security, 2014, 45: 100-123.
[26]	SHARAFALDIN I, HABIBI LASHKARI A, GHORBANI A A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization[C]// IEEE. International Conference on Information Systems Security & Privacy. New York: IEEE, 2018: 108-116.
[27]	ZHAO D, TRAORE I, SAYED B, et al. Botnet Detection Based on Traffic Behavior Analysis and Flow Intervals[J]. Computers & Security, 2013, 39: 2-16.
[28]	SHIRAVI A, SHIRAVI H, TAVALLAEE M, et al. Toward Developing a Systematic Approach to Generate Benchmark Datasets for Intrusion Detection[J]. Computers & Security, 2012, 31(3): 357-374.
[29]	HANG H, WEI Xuetao, FALOUTSOS M, et al. Entelecheia: Detecting P2P Botnets in Their Waiting Stage[C]// IEEE. 2013 IFIP Networking Conference. New York: IEEE, 2013: 1-9.

僵尸网络	类型	训练集	测试集
Neris	IRC	√	√
Rbot	IRC	√	√
Menti	IRC	×	√
Sogou	HTTP	×	√
Murlo	IRC	×	√
Virut	HTTP	√	√
NSIS	P2P	√	√
Zeus	P2P	√	√
SMTP Spam	P2P	√	√
UDP Storm	P2P	×	√
Tbot	IRC	×	√
Zero Access	P2P	×	√
Weasel	P2P	×	√
Smoke Bot	P2P	×	√
Zeus Control (C&C)	P2P	√	√
ISCX IRC bot	P2P	×	√

序号	持续时间/hrs	数据包/个	网络流/条	数据大小/GB	僵尸网络
1	6.15	71971482	2824637	52.0	Neris
2	4.21	71851300	1808123	60.0	Neris
3	66.85	167730395	4710639	121.0	Rbot
4	4.21	62089135	1121077	53.0	Rbot
5	11.63	4481167	129833	37.6	Virut
6	2.18	38764357	558920	30.0	Menti
7	0.38	7467139	114078	5.8	Sogou
8	19.50	155207799	2954231	123.0	Murlo
9	5.18	115415321	2753885	94.0	Neris
10	4.75	90389782	1309792	73.0	Rbot
11	0.26	6337202	107252	5.2	Rbot
12	1.21	13212268	325472	8.3	NSIS.ay
13	16.36	50888256	1925150	34.0	Virut

数据集	场景	僵尸网络样本/个	正常样本/个
ISCX-2014数据集	训练集	35476	120897
ISCX-2014数据集	测试集	49517	77475
CTU-13数据集	1,2,9	45379	45000
	3,4,10,11	34965	31000
	5,13	31403	34706
	6	15258	17000
	7	18568	19000
	8	32467	33000
	12	25349	27000
CICIDS2017数据集	—	96365	182065

参数	GIN	SSG
优化器	Adam	Adam
训练轮数/轮	20	20
批次大小/个	64	64
激活函数	ReLU	ReLU
丢弃率	0.5%	—

数据集	方法	准确率	召回率	精确率	F1分数
ISCX-2014 数据集	No-Flowgraph	95.90%	92.93%	98.20%	95.49%
	No-Commgraph	91.14%	94.05%	96.10%	95.06%
	本文方法	99.88%	99.76%	99.88%	99.72%
场景1,2,9（CTU-13）	No-Flowgraph	92.66%	96.30%	94.70%	95.49%
	No-Commgraph	96.28%	97.03%	98.44%	97.73%
	本文方法	98.81%	99.26%	98.82%	99.04%
场景3,4,10,11（CTU-13）	No-Flowgraph	92.45%	92.11%	94.21%	93.15%
	No-Commgraph	95.58%	98.38%	91.55%	94.84%
	本文方法	98.62%	97.10%	96.63%	96.87%
场景5,13 （CTU-13）	No-Flowgraph	81.00%	81.12%	79.68%	80.40%
	No-Commgraph	85.56%	89.18%	87.33%	88.24%
	本文方法	91.97%	93.66%	91.63%	92.64%
场景6 （CTU-13）	No-Flowgraph	77.44%	76.50%	86.08%	81.01%
	No-Commgraph	78.94%	86.25%	85.41%	85.83%
	本文方法	89.13%	89.70%	88.65%	89.17%
场景7 （CTU-13）	No-Flowgraph	92.40%	94.44%	94.17%	94.31%
	No-Commgraph	95.44%	96.59%	94.36%	95.46%
	本文方法	97.65%	98.27%	97.77%	98.02%
场景8 （CTU-13）	No-Flowgraph	91.47%	97.53%	92.58%	94.99%
	No-Commgraph	96.42%	96.01%	97.14%	96.57%
	本文方法	97.77%	98.00%	97.39%	97.70%
场景12 （CTU-13）	No-Flowgraph	79.38%	76.48%	80.03%	78.22%
	No-Commgraph	86.30%	80.94%	83.53%	86.30%
	本文方法	92.90%	95.82%	92.77%	94.27%
CICIDS2017 数据集	No-Flowgraph	97.77%	98.00%	97.39%	97.70%
	No-Commgraph	99.48%	98.80%	99.66%	99.21%
	本文方法	99.59%	98.87%	99.92%	99.38%