基于图神经网络的P2P僵尸网络检测方法  被引量：7

作　　者：林宏刚 张运理 郭楠馨 陈麟 LIN Honggang;ZHANG Yunli;GUO Nanxin;CHEN Lin(School of Cyberspace Security,Chengdu Univ.of Info.Technol.,Chengdu 610225,China;Advanced Cryptography and System Security Key Lab.of Sichuan Province,Chengdu 610225,China;Anhui Province Key Lab.of Cyberspace Security Situation Awareness and Evaluation,Hefei 230037,China)

机构地区：[1]成都信息工程大学网络空间安全学院,四川成都610225 [2]先进密码技术与系统安全四川省重点实验室,四川成都610225 [3]网络空间安全态势感知与评估安徽省重点实验室,安徽合肥230037

出　　处：《工程科学与技术》2022年第2期65-72,共8页Advanced Engineering Sciences

基　　金：网络空间安全态势感知与评估安徽省重点实验室开放课题(CSSAE–2021–002);国家242信息安全计划项目(2021–037)。

摘　　要：P2P僵尸网络因具有较高的隐蔽性和健壮性,已经成为新型的网络攻击平台,对网络空间安全造成的威胁越来越大,但现有基于规则分析或流量分析的检测方法不能有效检测。为了解决P2P僵尸网络隐蔽性强、难以识别等问题,提出了一种基于图神经网络(graph neural network,GNN)的P2P僵尸网络检测方法。该方法不依赖流量协议特征,而是基于P2P僵尸网络节点交互特征及网络拓扑结构信息实现检测。首先,该方法先提取P2P僵尸网络流量中的源IP、目的IP、出度、入度和节点介数中心性,构建成拓扑图、出入度图和介数中心性图;其次,通过元素积对3种特征图的邻接矩阵加权求和进行图融合,得到检测模型的输入;然后,利用基于注意力机制的图卷积神经网络提取节点间特征,使用神经协同过滤算法实现中心节点注意力概率分配,完成节点状态更新;最后,利用多层图卷积层之间的紧密连通性实现对交互特征的降维抽取和对高阶结构信息的挖掘,自动学习僵尸网络的内在特征,并通过节点分类模块判别分类,完成僵尸网络检测。使用ISCX–2014僵尸网络数据集对该方法进行对比验证,实验结果表明,在训练样本包含僵尸网络节点规模较大时本文提出的深层图神经网络方法的检测准确率和模型稳定性优于其他两类对比方法,所提方法能有效提高P2P僵尸网络检测能力和泛化能力,降低误报率。P2P botnet has become a new network attack platform because of its high concealment and robustness, which poses an increasing threat to cyberspace security. However, the existing detection methods based on rule analysis or traffic analysis can’t detect it effectively. In order to solve the problems of strong concealment and difficult identification of P2P botnets, a P2P botnet detection method based on graph neural network(GNN) was proposed. The method was based on the information of P2P botnet node interaction and network topology to realize detection and did not rely on the characteristics of traffic protocol. Firstly, the source IP, the destination IP, the outdegree, the indegree and the node betweenness centrality in P2P botnet traffic were extracted to construct a topology graph, an out-degree and in-degree graph and a betweenness centrality graph;Then, the weighted sum of adjacency matrices of the three feature graphs was fused by element-wise product to input into the detection model;Then, a graph convolution neural network based on attention mechanism was used to extract the features between nodes, and the neural collaborative filtering algorithm was used to realize the attention probability distribution of the central node and complete the node state update;Using the close connectivity between multi-layer graph convolution layers, the dimension reduction extraction of interactive features and the mining of high-order structure information were realized. The internal characteristics of botnet were automatically learned, and the botnet detection was completed through the node classification module. The proposed method was validated on the ISCX–2014 botnet dataset. The experimental results showed that the proposed deep graph neural network method outperforms the other two comparative methods in terms of detection accuracy and model stability when the training sample contains botnet nodes of large size. The model can effectively improve the detection ability and generalization ability of P2P botnets, as

关 键 词：P2P僵尸网络 深度学习 图卷积神经网络 图融合 注意力机制 

分 类 号：TP309.5[自动化与计算机技术—计算机系统结构]