基于混合双向LSTM的中间人攻击检测方法  

作　　者：郭晓军[1,2,3] 梁添鑫 靳玮琨 孙雨生 GUO Xiao-jun;LIANG Tian-xin;JIN Wei-kun;SUN Yu-sheng(School of Information Engineering,Xizang Minzu University,Xianyang 712082,China;Xizang Cyberspace Governance Research Center,Xizang Minzu University,Xianyang 712082,China;Key Laboratory of Optical Information Processing and Visualization Technology of Tibet Autonomous Region,Xizang Minzu University,Xianyang 712082,China)

机构地区：[1]西藏民族大学信息工程学院,陕西咸阳712082 [2]西藏民族大学西藏网络空间治理研究基地,陕西咸阳712082 [3]西藏民族大学西藏自治区光信息处理与可视化技术重点实验室,陕西咸阳712082

出　　处：《计算机工程与设计》2024年第12期3560-3567,共8页Computer Engineering and Design

基　　金：西藏自治区自然科学基金项目(XZ2019ZRG-36(Z));西藏民族大学“藏秦喜马拉雅人才发展支持计划-杰出青年学者”基金项目(324011810216);西藏民族大学“涉藏网络信息内容与数据安全团队”基金项目(324042000709)。

摘　　要：针对局域网中基于ARP协议的中间人攻击检测准确率低、误报率高、泛化性差的问题,提出一种结合极端随机树分类器(ETC)和改进注意力机制(IAM)的双向长短时记忆网络(BiLSTM)的组合模型。利用ETC提取数据特征,通过改进的注意力机制模块处理中间人攻击流量时间序列信息,将组合特征输入BiLSTM实现对中间人攻击的检测。实验结果表明,在Kitsune数据集中,该模型的中间人攻击检测准确率达99.98%,在自建Ooter数据集中为99.94%。相较于主流的中间人攻击检测算法,该方法具有更高的准确率、更低的误报率及更好的泛化性。To address the challenges of low detection accuracy,high false positive rates,and poor generalization in detecting man-in-the-middle attacks based on the ARP protocol within a local area network,a combined model was proposed.An integration of an extreme random forest classifier(ETC)and an improved attention mechanism(IAM)with a bidirectional long short-term memory network(BiLSTM)were combined.ETC was utilized to extract data features.The time-series information of man-in-the-middle attack traffic was processed through the improved attention mechanism module.The combined features were input into BiLSTM to achieve the effective detection of man-in-the-middle attacks.Experimental results demonstrate that on the Kitsune dataset,the model achieves the detection accuracy of 99.98%,and on a custom Ooter dataset,it reaches 99.94%.In comparison to mainstream man-in-the-middle attack detection algorithms,this approach exhibits higher accuracy,lower false positive rates,and superior generalization.

关 键 词：中间人攻击 地址解析协议 深度学习 双向长短时记忆网络 注意力机制 极端随机树分类器 模型融合 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]