一种基于少样本且不均衡的网络攻击流量检测系统  被引量：7

作　　者：石欣然 张奇支[1,2] 赵淦森 郑伟平[1,2] SHI Xinran;ZHANG Qizhi;ZHAO Gansen;ZHENG Weiping(School of Computer Science,South China Normal University,Guangzhou 510631,China;Key Lab on Cloud Security and Assessment Technology of Guangzhou,Guangzhou 510631,China)

机构地区：[1]华南师范大学计算机学院,广州510631 [2]广州市云计算安全与测评技术重点实验室,广州510631

出　　处：《华南师范大学学报（自然科学版）》2021年第1期100-108,共9页Journal of South China Normal University(Natural Science Edition)

基　　金：国家重点领域研发计划项目(2018YFB1404402,2019YFB1804003);国家社会科学基金项目(19ZDA041);广东省重点领域研发计划项目(2019B010137003,2018A07071702,2016B030305006);广州市科技计划项目(201802030004,201804010314)。

摘　　要：为解决网络攻击流量检测中使用的有监督学习方法严重依赖标签数据规模的问题,针对一种少样本且不均衡的攻击流量检测场景,即训练数据仅包含少量蜜罐捕获的攻击流量且无正常流量,设计了一个攻击流量检测系统,并构建了基于孪生网络和深度学习卷积神经网络(CNN)的网络攻击流量检测模型(CNN-Siamese),以实现少样本且不均衡的攻击流量检测目的;随后为了解决CNN-Simaese在训练样本对构造采样时造成的预测不稳定的问题,结合迁移学习的思路,构建了基于预训练的检测模型(AE-CNN-Siamese);此外,对孪生网络中常用的对比损失函数进行了改进.实验结果表明:CNN-Siamese可以准确地检测攻击流量,与CNN、CNN-SVM相比,在漏报率无明显差距情况下,可将误报率从30%降低至2%;AE-CNN-Siamese的预测结果比CNN-Siamese更稳定;改进后的损失函数提高了模型的收敛速度,加速了模型训练.In order to solve the problem that the supervised learning method used in network attack traffic detection relies heavily on the scale of label data,an attack traffic detection system is designed and a network attack traffic detection model(CNN-Siamese)based on siamese network and deep learning convolutional neural network(CNN)is built to achieve the purpose of few-shot and uneven attack traffic detection.Subsequently,a pre-trained detection model AE-CNN-Siamese was constructed,adopting the idea of migration learning,to solve the problem of unstable prediction caused by CNN-Simaese on obtaining training samples.In addition,the contrastive loss function commonly used in a siamese network is improved.The experimental results show that CNN-Siamese can accurately detect attack traffic.Compared with CNN and CNN-SVM,it can correct the error when there is no significant gap in the false negative rate.The reporting rate is reduced from 30%to 2%;the prediction result of AE-CNN-Sia-mese is more stable than that of CNN-Siamese;the improved loss function improves the convergence speed of the model and accelerates model training.

关 键 词：流量分类 少样本 样本不均衡 孪生网络 损失函数 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]