基于多样化时间关联的流量对抗攻击方法  

作　　者：何元康 马海龙[1,2] 胡涛 江逸茗[1,2] HE Yuankang;MA Hailong;HU Tao;JIANG Yiming(Information Engineering University,Zhengzhou 450001,China;Key Laboratory of Cyberspace Security,Ministry of Education,Zhengzhou 450001,China)

机构地区：[1]信息工程大学,河南郑州450001 [2]网络空间安全教育部重点实验室,河南郑州450001

出　　处：《信息工程大学学报》2024年第3期298-306,共9页Journal of Information Engineering University

基　　金：雄安新区科技创新专项(2022XAGG0111)。

摘　　要：传统基于长短期记忆(Long Short-Term Memory,LSTM)网络的流量对抗样本生成方法需在知晓整条流量信息的基础上生成,无法应用于实网端到端环境。针对该问题,提出了基于多样化时间关联的流量对抗攻击(Diversified Time Correlation Attack,DTCA)方法。首先,该方法在攻击发动前使用因子主成分分析,对恶意流量进行时间簇特征提取。其次,利用多输入LSTM模型,对网络中流经的正常流量进行时间关联性学习,再以此对恶意流量持续时间进行预测并对其进行对抗“伪装”。最后,基于对抗生成的流量持续时间重塑恶意流量,重放回至目标网络并检测攻击效果。实验使用DTCA与传统方法在3种经典检测模型上进行测试,并从对抗流量的生成和攻击有效性进行分析。结果表明,DTCA方法能使3种检测器的检测效果平均下降60%以上,并可用于实网端到端的环境。Traditional traffic adversarial example generation methods based on long short-term memory(LSTM)require knowledge of the entire traffic flow for generation,making them unsuitable for realworld end-to-end environments.To address this issue,a diversified time correlation attack(DTCA)method is proposed in this paper.First,the method employs factor principal component analysis to extract time cluster features of malicious traffic before launching an attack.Then,it uses a multi-input LSTM model to learn the temporal correlations of normal network traffic,based on which the malicious traffic duration is predicted and“disguised”for adversarial purposes.Finally,the method reshapes the malicious traffic based on the adversarial generated traffic duration,replays it back into the target network,and assesses the attack’s effectiveness.Experiments on three classic detection models show that,compared with traditional methods,the DTCA method can reduce the detection effectiveness of the three detectors by an average of over 60%,and can be applied in real network end-to-end environments.

关 键 词：入侵检测 对抗样本攻击 流量重塑 主成分分析 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]