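Authors: 李小剑 (LI Xiaojian), 谢晓尧 (XIE Xiaoyao), 徐洋 (XU Yang) [2], 张思聪 (ZHANG Sicong) [2] (School of Mathematical Science, Guizhou Normal University, Guiyang 550001, China; Key Laboratory of Information and Computing Science Guizhou Province, Guizhou Normal University, Guiyang 550001, China)
Affiliations: [1] School of Mathematical Science, Guizhou Normal University, Guiyang 550001; [2] Key Laboratory of Information and Computing Science Guizhou Province, Guizhou Normal University, Guiyang 550001
Source: 《计算机工程》 (Computer Engineering), 2022, Issue 4, pp. 148-157, 164, 11 pages in total
Funding: Central Government Special Fund for Guiding Local Science and Technology Development (黔科中引地[2018]4008); Guizhou Provincial Science and Technology Plan Project (黔科合支撑[2020]2Y013); Guizhou Provincial Graduate Education Innovation Program (黔教合YJSCXJH[2019]043).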
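Abstract: Traditional shallow machine learning methods depend on expert experience and represent traffic inadequately when identifying malicious TLS traffic, while existing deep neural network detection models take too long to train because of their complex hierarchical structure. A lightweight end-to-end method for identifying malicious encrypted traffic based on CNN-SIndRNN is proposed. It uses a multi-layer one-dimensional convolutional neural network to extract local pattern features from the traffic byte sequence, and applies global max pooling for dimensionality reduction to cut the number of computed parameters. To strengthen traffic representation, an improved recurrent neural network is designed to capture long-distance dependencies among traffic bytes. On this basis, Independent Recurrent Neural Network (IndRNN) units replace the traditional RNN recurrent units, a sliced parallel computing structure replaces the serial computing structure of the traditional RNN, and the features extracted by the two types of deep neural network are concatenated as the malicious TLS traffic representation. Experimental results on the public CTU-Malware-Capture dataset show that the method achieves an F1 score as high as 0.9657 in the binary classification experiment and an overall accuracy of 0.8489 in the multi-class experiment, and that, compared with the BotCatcher model, training time and detection time are reduced by 98.47% and 98.28% respectively.

Traditional shallow machine learning methods for identifying malicious TLS traffic rely heavily on expert experience, and perform poorly in traffic representation. In addition, the training of the existing deep neural network detection models is time-consuming due to the deepened hierarchical structure. To address the problem, a lightweight end-to-end method for malicious encrypted traffic detection is proposed based on CNN-SIndRNN. The method employs a multi-layer one-dimensional convolutional neural network to extract the local pattern features of a traffic byte sequence, and uses global maximum pooling to reduce dimensions to simplify computational parameters. At the same time, to enhance traffic representation, an improved recurrent neural network is designed in parallel to capture the long-distance dependence of traffic bytes. On this basis, the Independent Recurrent Neural Network (IndRNN) unit is used to replace the traditional Recurrent Neural Network (RNN) unit, and the sliced parallel computing structure is adopted to replace the serial computing structure of the traditional RNN. Then, the features extracted from the two types of deep neural networks are spliced to represent the malicious TLS traffic. The effectiveness of the proposed method is verified on two open datasets. The experimental results show that the method exhibits an F1 score of 0.9657 in the binary classification experiment. Its overall accuracy rate reaches 84.89% in the multi-classification experiment. Compared with the model of BotCatcher, CNN-SIndRNN model improves the classification performance while reducing the training time by 98.47% and test time by 98.28%.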
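Keywords: malicious TLS traffic; independent recurrent neural network; sliced recurrent neural network; one-dimensional convolution; global pooling
Classification number: TP309 [Automation and Computer Technology - Computer System Architecture]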