面向物联网的多协议僵尸网络检测方法  被引量：2

作　　者：杨宏宇 王泽霖[2] 张良 成翔 YANG Hong-yu;WANG Ze-lin;ZHANG Liang;CHENG Xiang(School of Safety Science and Engineering,Civil Aviation University of China,Tianjin 300300,China;School of Computer Science and Technology,Civil Aviation University of China,Tianjin 300300,China;School of Information,The University of Arizona,Tucson,Arizona 85721,USA;School of Information Engineering,Yangzhou University,Yangzhou,Jiangsu 225127,China;Jiangsu Engineering Research Center for Knowledge Management and Intelligent Service,Yangzhou,Jiangsu 225127,China)

机构地区：[1]中国民航大学安全科学与工程学院,天津300300 [2]中国民航大学计算机科学与技术学院,天津300300 [3]亚利桑那大学信息学院,美国亚利桑那州图森市85721 [4]扬州大学信息工程学院,江苏扬州225127 [5]江苏省知识管理与智能服务工程研究中心,江苏扬州225127

出　　处：《电子学报》2023年第5期1198-1206,共9页Acta Electronica Sinica

基　　金：国家自然科学基金(No.U1833107)。

摘　　要：针对现有僵尸网络检测方法采样不均、特征选择差、泛化能力较弱,导致检测分类效果偏低且对计算和存储资源受限的物联网环境的适应性较差等不足,本文提出了一种面向物联网的多协议僵尸网络检测方法 .通过所设计的基于地址三元组和时间窗口的IP聚合与特征重构方法整合从物联网网关中获取的网络流量,得到重构样本集.采用所提出的自修正混合加权采样算法平衡重构样本集中正常流量与僵尸流量,得到重采样样本集.采用所提出的基于多属性决策和邻接关系链的序列前向选择算法剔除重采样样本集中的冗余特征,得到最优特征子集.采用所设计的基于阵发混沌的秃鹰搜索算法优化后的两阶段混合异构模型,对经最优特征子集筛选后的重采样样本集进行检测分类.实验结果表明,所提方法对僵尸网络的检测效果较好,检测准确率为99.24%,马修斯相关系数为98.49%,误报率为0.17%,漏报率为1.29%,优于现有方法 .该方法能够有效降低采样与特征选择的时空开销,可较好地适应资源受限的物联网环境.In order to solve the problems of uneven sampling,poor feature selection,and weak generalization ability to the existing botnet detection methods,this paper proposes a multi-protocol botnet detection method for internet of things(IoT).The designed IP aggregation and feature reconstruction method using address triples and time windows is used to in-tegrate the network traffic samples obtained from the IoT gateway to obtain the reconstructed sample set.The proposed self-correcting hybrid weighted sampling algorithm balances the normal and botnet flow samples to get the resampling sample set.The proposed multi-attribute decision making and adjacency relation chain-based sequential forward selection algorithm is used to eliminate the redundant features and obtain the optimal feature subset.The resampling sample set filtered by the optimal feature subset is detected and classified through the designed two-stage hybrid heterogeneous model optimized by the intermittent chaos-based bald eagle search algorithm.Experimental results show that the proposed method has a good de-tection effect on the botnet.The detection accuracy is 99.24%,Matthews correlation coefficient is 98.49%,false positive rate is 0.17%,and false negative rate is 1.29%,which are better than the existing methods.This method can effectively re-duce sampling and feature selection time and space overhead and better adapt to the resource-constrained IoT environment.

关 键 词：僵尸网络 物联网 样本重构 前向选择 阵发混沌 搜索算法 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]