基于图神经网络的物联网僵尸网络检测  被引量：1

作　　者：邓毓川 江昊[1] 吴静[1] 罗威[2] DENG Yuchuan;JIANG Hao;WU Jing;LUO Wei(School of Electronic Information,Wuhan University,Wuhan 430072,China;China Ship Development and Design Center,Wuhan 430064,China)

机构地区：[1]武汉大学电子信息学院,湖北武汉430072 [2]中国舰船研究设计中心,湖北武汉430064

出　　处：《武汉大学学报（工学版）》2023年第3期371-378,共8页Engineering Journal of Wuhan University

基　　金：国防基础科研计划(编号:JCKY2018207C121)。

摘　　要：提出一种基于图神经网络的物联网僵尸网络检测方法。首先,利用网络流数据将网络建模为节点不带特征而边带特征的图;然后,利用图神经网络,根据图中边的特征迭代学习通信拓扑图中各节点的向量表示;最后,根据得到的向量表示对节点进行分类,以此检测网络中被攻击者利用的僵尸主机。学习节点表示时,所提方法同时考虑了网络流特征和网络通信拓扑,并且明确考虑了图中边的方向。此外,所提方法是归纳式的,因此能够适应网络的动态变化,也难以被攻击者绕开。在2个公开数据集上的实验结果表明,所提方法在训练时能快速收敛,且相比于无法利用网络通信拓扑结构信息的模型,所提方法的Micro-F1分数更高。相比其他方法,所提方法更易于推广到训练时未见过的数据上。A graph neural network(GNN)based method is proposed to detect the Internet of Things(IoT)botnet.First,the network flow data is used to model the network as a graph,in which the nodes are without features but the edges are with features.Then,the GNN is used to iteratively learn the vector representation of each node in the communication topology according to the features of the edges in the graph,and finally the nodes are classified according to the obtained vector representation,so as to detect the botnet hosts used by the attacker in the network.When learning node representation,the proposed method considers both characteristics of network flow and communication topology of network,and explicitly considers the direction of the edges in the graph.In addition,the proposed method is inductive,so it can adapt to the dynamic changes of the network,and it is also difficult to be bypassed by attackers.The experimental results on two public data sets show that the proposed method can quickly converge during training,and compared with the models that cannot use the information of network communication topology,the Micro-F1 score of the proposed method is higher.In addition,the proposed method is easier to generalize to the data which has not been seen during training compared with other methods.

关 键 词：僵尸网络 图神经网络 卷积神经网络 表示学习 

分 类 号：TP183[自动化与计算机技术—控制理论与控制工程]