Unsupervised detection method of RoQ covert attacks based on multilayer features

Authors: ZHAO Jing [1,2]; LI Jun; LONG Chun [1,2]; WAN Wei; WEI Jinxia [1,2]; CHEN Kai (Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083, China; School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049, China)

Affiliations: [1] Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083, China; [2] School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049, China

Source: Journal on Communications (通信学报), 2022, No. 9, pp. 224-239 (16 pages)

Funding: National Natural Science Foundation of China (No. 61672490); Chinese Academy of Sciences fund project (No. CAS-WX2022GC-04); Chinese Academy of Sciences Youth Innovation Promotion Association fund (No. 2022170).

Abstract: RoQ (Reduction of Quality) attacks hide inside overwhelming volumes of background traffic and are hard to identify, and the few attack samples that exist cannot supply large-scale training data. To address both problems, an unsupervised detection method for RoQ covert attacks based on multilayer features is proposed that needs only very little prior knowledge. First, since most normal traffic would interfere with the later stages, a traffic screening method based on semi-supervised spectral clustering over flow-level features is studied; the traffic it filters out consists almost entirely (close to 100%) of normal samples. Second, to find the small differences between covert attack traffic and normal traffic without depending on attack samples, an unsupervised detection model based on n-Shapelet subsequences is built over packet-level time-series features; local subsequences with clearly discriminative shapes are used to tell those small differences apart, which enables detection of RoQ covert attacks. Experimental results show that with only a small number of learning samples the proposed method achieves higher precision and recall than existing methods and is robust to evasion attacks.
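The second stage rests on a property of RoQ traffic that flow-level averages miss: the attack is a short burst repeated periodically inside otherwise ordinary packet rates, so its signature lives in a few local windows of the time series rather than in the whole. As an added illustration (not code from the paper, and a simplified stand-in for its n-Shapelet model rather than that model itself), the block below learns a dictionary of normal local patterns (shapelets) from attack-free series only and scores a test series by its single most unusual window. The packets-per-bin traffic, the burst size, the window length, the number of shapelets and the threshold margin are all constructed or assumed for the demonstration.

```python
"""Shapelet-dictionary anomaly scoring over packet-rate time series.

Added illustration, not the paper's code. A dictionary of "normal" local
patterns is learned from attack-free series only; a test series is scored
by the distance of its most unusual window to the nearest normal pattern.
"""
import math
import random
from typing import List, Sequence

Series = Sequence[float]


def windows(series: Series, length: int) -> List[Series]:
    """All sliding subsequences of the given length."""
    return [series[i:i + length] for i in range(len(series) - length + 1)]


def window_distance(a: Series, b: Series) -> float:
    """Euclidean distance between equal-length windows, scaled by length so
    scores stay comparable across different shapelet lengths."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)) / len(a))


def nearest_shapelet_distance(window: Series, shapelets: List[Series]) -> float:
    return min(window_distance(window, s) for s in shapelets)


def extract_shapelets(normal_series: List[Series], length: int, k: int) -> List[Series]:
    """Pick k windows from attack-free series by farthest-point (k-center)
    greedy selection, so that every normal window lies near some shapelet.
    Unsupervised: no attack samples are needed."""
    candidates = [w for s in normal_series for w in windows(s, length)]
    chosen: List[Series] = [candidates[0]]
    while len(chosen) < k:
        chosen.append(max(candidates, key=lambda w: nearest_shapelet_distance(w, chosen)))
    return chosen


def anomaly_score(series: Series, shapelets: List[Series]) -> float:
    """Score = the MOST unusual window. A per-series mean would be diluted by
    the many normal-looking bins around a RoQ pulse; the max is not."""
    length = len(shapelets[0])
    return max(nearest_shapelet_distance(w, shapelets) for w in windows(series, length))


def fit_threshold(normal_series: List[Series], shapelets: List[Series],
                  margin: float = 1.5) -> float:
    """Threshold from attack-free data only: worst normal score times a margin
    (margin is an assumed tuning value)."""
    return margin * max(anomaly_score(s, shapelets) for s in normal_series)


# --- constructed sample traffic in packets per 100 ms bin; not captured data ---
def normal_traffic(rng: random.Random, n: int) -> List[float]:
    return [rng.uniform(90.0, 110.0) for _ in range(n)]


def roq_traffic(rng: random.Random, n: int, period: int = 12, burst: float = 400.0) -> List[float]:
    """Normal-looking traffic with a one-bin burst every `period` bins; the
    average rate barely moves, which is what makes the attack covert."""
    series = normal_traffic(rng, n)
    for i in range(period - 1, n, period):
        series[i] = burst
    return series


def run_demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    train = [normal_traffic(rng, 48) for _ in range(6)]        # attack-free learning set
    shapelets = extract_shapelets(train, length=8, k=24)
    threshold = fit_threshold(train, shapelets)
    normal_test = normal_traffic(rng, 48)
    attack_test = roq_traffic(rng, 48)
    return {
        "threshold": threshold,
        "normal_score": anomaly_score(normal_test, shapelets),
        "attack_score": anomaly_score(attack_test, shapelets),
    }


if __name__ == "__main__":
    result = run_demo()
    for name in ("normal_score", "attack_score"):
        verdict = "ATTACK" if result[name] > result["threshold"] else "normal"
        print(f"{name}: {result[name]:.1f} (threshold {result['threshold']:.1f}) -> {verdict}")
```

Because the normal bins stay within a 20-packet band, no two normal windows can be farther apart than 20 under this distance, so the learned threshold can never exceed 30, while any window that contains a 400-packet burst is at least 290/sqrt(8), roughly 102, from every normal shapelet. The margin therefore separates the two cases regardless of the random draw; with real traffic the flow-level screening stage of the paper is what keeps the normal dictionary clean enough for such a margin to hold.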

Keywords: RoQ covert attack; spectral clustering; semi-supervised clustering; Shapelet subsequence

Classification: TP18 [Automation and computer technology: control theory and control engineering]

 
