Study on SSL/TLS Encrypted Malicious Traffic Detection Algorithm Based on Graph Neural Networks  Cited by: 1


Authors: TANG Ying (唐瑛); WANG Baohui (王宝会) [1] (School of Software, Beihang University, Beijing 100191, China)

Affiliation: [1] School of Software, Beihang University, Beijing 100191, China

Source: Computer Science (《计算机科学》), 2024, No. 9, pp. 365-370, 6 pages

Abstract: To achieve precise detection of SSL/TLS encrypted malicious traffic, a graph neural network-based model for malicious encrypted traffic detection is proposed to address the excessive reliance of traditional machine learning methods on expert experience. Through analysis of SSL/TLS encrypted sessions, the interaction information within traffic sessions is represented as a graph structure, transforming the detection of malicious encrypted traffic into a graph classification task. The proposed model is based on a hierarchical graph pooling architecture, which aggregates through multiple layers of convolution and pooling and incorporates attention mechanisms to fully exploit node features and graph structure information, resulting in an end-to-end approach to malicious encrypted traffic detection. The model is evaluated on the public CICAndMal2017 dataset. Experimental results show that it achieves an accuracy of 97.1% in binary classification of encrypted malicious traffic, outperforming other models with improvements of 2.1% in accuracy, 3.2% in recall, 1.6% in precision and 2.1% in F1 score. These results indicate that the proposed method has better representational and detection capabilities for malicious encrypted traffic than other methods.

Keywords: SSL/TLS; malicious encrypted traffic; graph neural network; graph classification; hierarchical pooling

Classification code: TP393.08 [Automation and Computer Technology - Computer Application Technology]

 
