Anomaly Traffic Detection Based on Deep Metric Learning

doi:10.3969/j.issn.1671-1122.2024.03.011

Abstract

Abstract:

The identification of network anomalous traffic is one of the important tasks of cyber security nowadays. However, traditional traffic classification models are trained based on traffic data, and most of the traffic data are unevenly distributed, leading to fuzzy classification boundaries, which will greatly limits the classification performance of the model. In order to solve the above problems, this paper proposed a deep metric learning based abnormal traffic detection method. Firstly, a new double-proxy mechanism was designed to improve the efficiency of model training by guiding the optimization direction of updateable proxy through the target proxy compared with the traditional deep metric learning algorithm of single proxy for each category, and to enhance the ability of aggregating traffic data of the same category and separating traffic data of different categories to minimize the intra-class distance and maximized the inter-class distance, which in turn maked the classification of data boundaries more clearly, breaking the performance bottleneck of traditional traffic classification models. Secondly, this paper built neural networks based on 1D-CNN and Bi-LSTM, which can efficiently extract traffic features from spatial and temporal perspectives. The experimental results show that the intra-class distance of NSL-KDD traffic data is significantly reduced and the inter-class distance is significantly increased after the model processing. The intra-class distance decreased by 73.5% compared to the original intra-class distance and the inter-class distance increased by 52.7% compared to the original inter-class distance. And the neural network built in this paper is compared to the widely used deep residual network for deep metric learning with shorter training time and better results. Applying the model proposed in this paper to the traffic classification task on the NSL-KDD and CICIDS2017 datasets, the classification effect is also significantly improved compared to the traditional traffic classification algorithms.

Key words: deep metric learning, abnormal traffic detection, traffic data distribution, neural network

CLC Number:

TP309

ZHANG Qiang, HE Junjiang, LI Wenshan, LI Tao. Anomaly Traffic Detection Based on Deep Metric Learning[J]. Netinfo Security, 2024, 24(3): 462-472.

Figures/Tables 13

References 38

[1]	YANG Zheng, LIU Xiaodong, LI Tong, et al. A Systematic Literature Review of Methods and Datasets for Anomaly-Based Network Intrusion Detection[J]. Computers & Security, 2022, 116: 102675-102684. doi: 10.1016/j.cose.2022.102675 URL
[2]	ROSHAN K, ZAFAR A. Deep Learning Approaches for Anomaly and Intrusion Detection in Computer Network: A Review[J]. Cyber Security and Cyber Security and Digital Forensics, 2022, 73: 551-563.
[3]	AZAB A, KHASAWNEH M, ALRABAEE S, et al. Network Traffic Classification: Techniques, Datasets, and Challenges[EB/OL]. (2022-09-18) [2023-06-20]. https://doi.org/10.1016/j.dcan.2022.09.009.
[4]	SEN S, SPATSCHECK O, WANG Dongmei. Accurate, Scalable in-Network Identification of P2P Traffic Using Application Signatures[C]// ACM. Proceedings of the 13th International Conference on World Wide Web. New York: ACM, 2004: 512-521.
[5]	MOORE A W, PAPAGIANNAKI K. Toward the Accurate Identification of Network Applications[C]// Springer. 6th International Workshop on Passive and Active Network Measurement. Heidelberg: Springer, 2005: 41-54.
[6]	PARVAT T J, CHANDRA P. A Novel Approach to Deep Packet Inspection for Intrusion Detection[J]. Procedia Computer Science, 2015, 45: 506-513. doi: 10.1016/j.procs.2015.03.091 URL
[7]	ZHANG Chunying, JIA Donghao, WANG Liya, et al. Comparative Research on Network Intrusion Detection Methods Based on Machine Learning[J]. Computers & Security, 2022, 121: 102861-102873. doi: 10.1016/j.cose.2022.102861 URL
[8]	HEARST M A, DUMAIS S T, OSUNA E, et al. Support Vector Machines[J]. IEEE Intelligent Systems and Their Applications, 1998, 13(4): 18-28.
[9]	SONG Yanyan, YING Lu. Decision Tree Methods: Applications for Classification and Prediction[J]. Shanghai Archives of Psychiatry, 2015, 27(2): 130-135. doi: 10.11919/j.issn.1002-0829.215044 pmid: 26120265
[10]	LAAKSONEN J, OJA E. Classification with Learning K-Nearest Neighbors[C]// IEEE. Proceedings of International Conference on Neural Networks (ICNN’96). New York: IEEE, 1996, 3: 1480-1483.
[11]	BREIMAN L. Random Forests[J]. Machine Learning, 2001, 45: 5-32. doi: 10.1023/A:1010933404324 URL
[12]	CHEN T, GUESTRIN C. XGBoost: A Scalable Tree Boosting System[C]// ACM. Proceedings of the 22nd ACM Sigkdd International Conference on Knowledge Discovery and Data Mining. New York: ACM, 2016: 785-794.
[13]	WANG Wei, ZHU Ming, WANG Jinlin, et al. End-to-End Encrypted Traffic Classification with One-Dimensional Convolution Neural Networks[C]// IEEE. 2017 IEEE International Conference on Intelligence and Security Informatics (ISI). New York: IEEE, 2017: 43-48.
[14]	YAO Haipeng, LIU Chong, ZHANG Peiying, et al. Identification of Encrypted Traffic through Attention Mechanism Based Long Short Term Memory[J]. IEEE Transactions on Big Data, 2019, 8(1): 241-252. doi: 10.1109/TBDATA.2019.2940675 URL
[15]	ZHANG Wenming. Abnormal Network Traffic Detection Based on Deep Metric Learning[D]. Xi’an: Xidian University, 2021.
	张文铭. 基于深度度量学习的异常网络流量检测[D]. 西安: 西安电子科技大学, 2021.
[16]	XUE Jingliang. Research on Network Traffic Identificaiton Technology Based on Deep Metric Learning[D]. Zhengzhou: PLA Strategic Support Force Information Engineering University, 2021.
	薛靖靓. 基于深度度量学习的网络流量识别技术研究[D]. 郑州: 战略支援部队信息工程大学, 2021.
[17]	CHOPRA S, HADSELL R, LECUN Y. Learning a Similarity Metric Discriminatively, with Application to Face Verification[C]// IEEE. 2005 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR’05). New York: IEEE, 2005: 539-546.
[18]	SCHROFF F, KALENICHENKO D, PHILBIN J. Facenet: A Unified Embedding for Face Recognition and Clustering[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2015: 815-823.
[19]	SONG O H, XIANG Yu, JEGELKA S, et al. Deep Metric LEARNING via Lifted Structured Feature Embedding[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2016: 4004-4012.
[20]	CHEN Weihua, CHEN Xiaotang, ZHANG Jianguo, et al. Beyond Triplet Loss: A Deep Quadruplet Network for Person Re-Identification[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2017: 403-412.
[21]	SOHN K. Improved Deep Metric Learning with Multi-Class N-Pair Loss Objective[J]. Advances in Neural Information Processing Systems, 2016, 8: 29-37.
[22]	MOVSHOVITZ-ATTIAS Y, TOSHEV A, LEUNG T K, et al. No Fuss Distance Metric Learning Using Proxies[C]// IEEE. Proceedings of the IEEE International Conference on Computer Vision. New York: IEEE, 2017: 360-368.
[23]	KIM S, KIM D, CHO M, et al. Proxy Anchor Loss for Deep Metric Learning[C]// IEEE. Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2020: 3238-3247.
[24]	WANG Yifan, LIU Pingping, LANG Yijun, et al. Learnable Dynamic Margin in Deep Metric Learning[J]. Pattern Recognition, 2022, 132: 128-140.
[25]	LOKOČ J, KOHOUT J, ČECH P, et al. K-NN Classification of Malware in HTTPS Traffic Using the Metric Space Approach[C]// Springer. Intelligence and Security Informatics:11th Pacific Asia Workshop. Heidelberg: Springer, 2016: 131-145.
[26]	DI M M, DI S C. Improving SIEM Capabilities through an Enhanced Probe for Encrypted Skype Traffic Detection[J]. Journal of Information Security and Applications, 2018, 38: 85-95. doi: 10.1016/j.jisa.2017.12.001 URL
[27]	LOTFOLLAHI M, JAFARI S M, SHIRALI H Z R, et al. Deep Packet: A Novel Approach for Encrypted Traffic Classification Using Deep Learning[J]. Soft Computing, 2020, 24(3): 1999-2012. doi: 10.1007/s00500-019-04030-2
[28]	ZENG Yi, GU Huaxi, WEI Wenting, et al. Deep-Full-Range: A Deep Learning Based Network Encrypted Traffic Classification and Intrusion Detection Framework[J]. IEEE Access, 2019, 7: 45182-45190. doi: 10.1109/Access.6287639 URL
[29]	LIU Chang, HE Longtao, XIONG Gang, et al. FS-Net: A Flow Sequence Network for Encrypted Traffic Classification[C]// IEEE. IEEE INFOCOM 2019-IEEE Conference On Computer Communications. New York: IEEE, 2019: 1171-1179.
[30]	WANG Xin, CHENShuhui, SUJinshu. App-Net: A Hybrid Neural Network for Encrypted Mobile Traffic Classification[C]// IEEE. IEEE INFOCOM 2020-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). New York: IEEE, 2020: 424-429.
[31]	TANG Chaofei, LUKTARHAN N, ZHAO Yuxin. SAAE-DNN: Deep Learning Method on Intrusion Detection[J]. Symmetry, 2020, 12(10): 1695-1699. doi: 10.3390/sym12101695 URL
[32]	LIN Kunda, XU Xiaolong, XIAO Fu. MFFusion: A Multi-Level Features Fusion Model for Malicious Traffic Detection Based on Deep Learning[J]. Computer Networks, 2022, 22: 108658-108665.
[33]	LAN Jinghong, LIU Xudong, LI Bo, et al. MEMBER: A Multi-Task Learning Model with Hybrid Deep Features for Network Intrusion Detection[J]. Computers & Security, 2022, 123: 102919-102925. doi: 10.1016/j.cose.2022.102919 URL
[34]	TAVALLAEE M, BAGHERI E, LU Wei, et al. A Detailed Analysis of the KDD CUP 99 Data Set[C]// IEEE. 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications. New York: IEEE, 2009: 1-6.
[35]	SHARAFALDIN I, LASHKARI A H, GHORBANI A A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization[J]. International Conference on Information Systems Security and Privacy, 2018, 1: 108-116.
[36]	KESKES N, FAKHFAKH S, KANOUN O, et al. High Performance Oversampling Technique Considering Intra-Class and Inter-Class Distances[EB/OL]. (2022-11-02)[2023-06-20]. https://doi.org/10.1002/cpe.6753.
[37]	LOPEZ-MARTIN M, CARRO B, SANCHEZ-ESGUEVILLAS A, et al. Network Traffic Classifier with Convolutional and Recurrent Neural Networks for Internet of Things[J]. IEEE Access, 2017, 5: 18042-18050. doi: 10.1109/Access.6287639 URL
[38]	SINHA J, MANOLLAS M. Efficient Deep CNN-BiLSTM Model for Network Intrusion Detection[C]// ACM. Proceedings of the 2020 3rd International Conference on Artificial Intelligence and Pattern Recognition. New York: ACM, 2020: 223-231.

类别	Normal	DoS	Probe	U2R	R2L
训练集/个	67343	45927	11656	52	995
测试集/个	9711	7460	2421	67	2885

类别	训练集/个	测试集/个
BENIGN	15898	4542
DDoS	8958	2560
PortScan	11113	3175
DoS Hulk	16105	4602
DoS GoldenEye	7205	2059
DoS slowloris	4057	1159
DoS Slowhttptest	3847	1099
FTP Patator	5555	1587
SSH Patator	4127	1180
Bot	1370	391
Web Attack Brute Force	1055	301
Web Attack XSS	456	130

算法	类内距离	类间距离
原始数据	1.496	1177.544
Proxy-NCA	0.708	1240.120
Proxy-Anchor	0.604	1691.011
AM	0.564	1647.869
本文方法	0.397	1797.618

网络结构	模型层数/层	参数量	模型大小/MB
1D-CNN	7	2224888	8.90
BiLSTM	5	1220872	3.83
ResNet-1D	50	12439226	49.76
VGGNet-1D	19	11997114	47.99
1D-CNN+BiLSTM	9	4748296	18.99

网络结构	每一轮训练时间/s	类内距离	类间距离
1D-CNN	2.48	0.410	1756.602
BiLSTM	1.73	0.523	1614.695
ResNet-1D	12.18	0.604	1764.859
VGGNet-1D	9.36	0.453	1453.839
1D-CNN+BiLSTM	3.11	0.397	1797.618