Anomaly Traffic Identification and Defense Model in Networks Based on the Multi-Gate Mixture of Experts

doi:10.3969/j.issn.1671-1122.2024.09.013

Abstract

Abstract:

This paper proposed a big data network anomaly traffic identification and defense strategy generation model based on the multi-gate mixture of experts(MMoE) model. This model is particularly suitable for scenarios involving mixed attack traffic during peak business periods. First, the MMoE model conducted real-time monitoring and anomaly identification of network traffic, distinguishing between normal traffic peaks caused by business demands and genuine anomalous traffic, effectively reducing false alarms. When anomalous traffic was detected, the system used it as input to generate targeted defense strategies. Secondly, the MMoE model coordinated the expert models for anomaly detection and defense strategy generation, enhancing the precision of identification and the effectiveness of strategy generation. Experimental results on datasets obtained from real business scenarios show that the identification accuracy and defense effect of the model proposed in this study are better than mainstream machine learning models and can accurately identify abnormal attack traffic mixed during business peaks and generate appropriate defense strategies.

Key words: anomaly traffic identification, defense strategy generation, mixture of experts model, stealth attack

CLC Number:

TP309

GUO Yongjin, HUANG Hejun. Anomaly Traffic Identification and Defense Model in Networks Based on the Multi-Gate Mixture of Experts[J]. Netinfo Security, 2024, 24(9): 1458-1469.

Figures/Tables 16

References 21

[1]	PRICE-WILLIAMS M, HEARD N, RUBIN-DELANCHY P. Detecting Weak Dependence in Computer Network Traffic Patterns by Using Higher Criticism[J]. Journal of the Royal Statistical Society Series C, 2019, 68(3): 641-655.
[2]	WAN Jiafu, CHEN Baotong, IMRAN M, et al. Toward Dynamic Resources Management for IoT-Based Manufacturing[J]. IEEE Communications Magazine, 2018, 56(2): 52-59.
[3]	TIAN Zhihong, SHI Wei, WANG Yuhang, et al. Real-Time Lateral Movement Detection Based on Evidence Reasoning Network for Edge Computing Environment[J]. IEEE Transactions on Industrial Informatics, 2019, 15(7): 4285-4294.
[4]	VAN HASSELT H, GUEZ A, SILVER D. Deep Reinforcement Learning with Double Q-Learning[EB/OL]. (2015-12-08)[2024-05-11]. http://arxiv.org/abs/1509.06461v3.
[5]	CHOI H, KIM M, LEE G, et al. Unsupervised Learning Approach for Network Intrusion Detection System Using Autoencoders[J]. The Journal of Supercomputing, 2019, 75(9): 5597-5621.
[6]	AHMED M, SERAJ R, ISLAM S M S. The k-Means Algorithm: A Comprehensive Survey and Performance Evaluation[EB/OL]. (2020-08-07)[2024-05-11]. https://doi.org/10.3390/electronics9081295.
[7]	HAUSKNECHT M, STONE P, RAMANI D. Deep Recurrent Q-Learning for Partially Observable MDPS[EB/OL]. [2024-05-11]. https://arxiv.org/abs/1507.06527v4.
[8]	WANG Ke, STOLFO S J. Anomalous Payload-Based Network Intrusion Detection[EB/OL]. [2024-05-11]. https://wenku.baidu.com/view/8b5063a2284ac850ad02429f.html?fr=xueshu&_wkts_=1724600629659&needWelcomeRecommand=1.
[9]	KIM M S, KONG H J, HONG S C, et al. A Flow-Based Method for Abnormal Network Traffic Detection[C]// IEEE. 2004 IEEE/IFIP Network Operations and Management Symposium. New York: IEEE, 2004: 599-612.
[10]	QIAO Yiguo, XIN Xuezhu, BIN Yu, et al. Anomaly Intrusion Detection Method Based on HMM[J]. Electronics Letters, 2002, 38(13): 663-664.
[11]	LEI Yang. Network Anomaly Traffic Detection Algorithm Based on SVM[C]// IEEE. 2017 International Conference on Robots & Intelligent System (ICRIS). New York: IEEE, 2017: 217-220.
[12]	KONG Lingjing, HUANG Guowei, WU Keke. Identification of Abnormal Network Traffic Using Support Vector Machine[C]// IEEE. 2017 18th International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT). New York: IEEE, 2017: 288-292.
[13]	JIANG Wei, FANG Binxing, TIAN Zhihong, et al. Research on Defense Strategies Selection Based on Attack-Defense Stochastic Game Model[J]. Journal of Computer Research & Development, 2010, 47(10): 1714-1723.
[14]	WEI Longfei, SARWAT A I, SAAD W, et al. Stochastic Games for Power Grid Protection against Coordinated Cyber-Physical Attacks[J]. IEEE Transactions on Smart Grid, 2018, 9(2): 684-694.
[15]	WATKINS C, DAYAN P. Q-Learning[J]. Machine Learning, 1992, 8(3-4): 279-292.
[16]	NGUYEN T T, REDDI V J. Deep Reinforcement Learning for Cyber Security[J]. IEEE Transactions on Neural Networks and Learning Systems, 2023, 34(8): 3779-3795.
[17]	EGHTESAD T, VOROBEYCHIK Y, LASZKA A. Adversarial Deep Reinforcement Learning Based Adaptive Moving Target Defense[C]// Srpinger. International Conference on Decision and Game Theory for Security. Heidelberg: Springer, 2020: 58-79.
[18]	CASGRAIN P, NING B, JAIMUNGAL S. Deep Q-Learning for Nash Equilibria: Nash-DQN[EB/OL]. [2024-05-11]. https://arxiv.org/abs/1904.10554v2.
[19]	SHEN Sheng, HOU Le, ZHOU Yanqi, et al. Mixture-of-Experts Meets Instruction Tuning: A Winning Combination for Large Language Models[EB/OL]. [2024-05-11]. https://arxiv.org/pdf/2305.14705.
[20]	SHAZEER N, MIRHOSEINI A, MAZIARZ K, et al. Outrageously Large Neural Networks: The Sparsely-Gated Mixture-of-Experts Layer[EB/OL]. [2024-05-11]. https://arxiv.org/abs/1701.06538v1.
[21]	LEPIKHIN D, LEE H, XU Yuanzhong, et al. GShard: Scaling Giant Models with Conditional Computation and Automatic Sharding[EB/OL]. [2024-05-11]. https://arxiv.org/pdf/2006.16668.

特征	含义
ip_ua_unique_path_cnt_w	窗口内相同IP、UA（User-Agent）的情况下path的去重数量
ip_unique_ua_cnt_w	窗口内相同IP情况下遍历不同UA的去重数量
ip_cnt_w	窗口内IP数量
url_cnt_w	窗口内URL数量
ip_ua_cnt_w	窗口内IP和UA的组合数量
ip_url_cnt_w	窗口内IP和URL的组合数量
ip_ua_url_cnt_w	窗口内IP、UA和URL的组合数量
url_unique_ip_cnt_w	窗口内同一URL下IP的去重数量
ip_34xx_cnt_w	窗口内同一IP下状态码为401/403/404的数量
ip_url_unique_ua_cnt_w	窗口内同一IP和URL下UA的去重数量
ip_req_mean_w	窗口内同一IP下请求包大小均值

模型	Loss₁	Loss₂	Loss
独立模型（简单）	0.001240	0.001223	0.002550
独立模型（复杂）	0.001213	0.001209	0.002417
MMoE模型	0.001173	0.001167	0.002366

模型	Loss₁	Loss₂	Loss
独立模型（简单）	0.001326	0.001273	0.002859
独立模型（复杂）	0.001302	0.001284	0.002424
MMoE模型	0.001053	0.001068	0.002154

辅助特征	防御策略
大量来自少数源IP地址的异常请求 ->窗口内URL聚合后IP去重数量增加	封锁攻击源IP
单个IP地址的请求速率异常高 ->窗口IP频次计算较高	对源IP的请求速率进行限制
来自未知IP地址或频繁请求的IP地址 ->IP库中未知请求IP ->IP请求频次较高	验证码验证
服务器负载异常高 -> 响应时长增加 -> 窗口内响应时长变化速率	流量分流和负载均衡

标签	含义	准确率	召回率	F1值	支持度
0	正常	0.55	0.70	0.62	40
1	封IP	0.73	0.73	0.73	37
2	限速率	0.76	0.70	0.73	40
3	验证码	0.68	0.47	0.56	40
4	分流	0.68	0.74	0.71	43