Authors: JING Yongjun (景永俊); WU Hui (吴悔)[2]; CHEN Xu (陈旭); SONG Jifei (宋吉飞)
Affiliations: [1] School of Computer Science and Information Engineering, Hefei University of Technology, Hefei 230601, Anhui, China; [2] School of Computer Science and Engineering, North Minzu University, Yinchuan 750021, Ningxia, China; [3] National (Zhongwei) New-type Internet Exchange Point, Zhongwei 755000, Ningxia, China
Source: Journal of Zhengzhou University (Engineering Science) (《郑州大学学报(工学版)》), 2025, No. 1, pp. 34-41 (8 pages)
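Funding: Key Research and Development Program of Ningxia Hui Autonomous Region (2023BDE02017); Fundamental Research Funds for the Central Universities (2022PT_S04).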
Abstract: Aiming at the problem that disguised botnet hosts are difficult to detect, a botnet detection method based on graph reconstruction and subgraph mining (GR-SGM) was proposed. Firstly, network data was converted into graph data, which was reconstructed to enhance the host node feature representation. Then, based on the topological structure, node characteristics, and position changes in the reconstructed graph, a botnet subgraph scoring function was designed. In this way, the camouflaged features were captured, the botnet subgraph was extracted, and the original and reconstructed graphs were pre-detected to improve detection accuracy and efficiency and to reduce reconstruction errors. Finally, the pre-detection results and botnet subgraphs were comprehensively scored to obtain complete botnet information. Experimental results on the ISCX2014 botnet dataset and the CICIDS2017 botnet dataset showed that the detection accuracy of GR-SGM was 99.98% and 99.91%, respectively, and the F1 reached 99.94% and 99.65%, respectively. Compared with other botnet detection models, GR-SGM could identify botnet nodes more efficiently and accurately, while having a lower false alarm rate.