基于两阶段图学习的僵尸网络自动化检测方法  

作　　者：张选 万良[1,2] 罗恒 杨阳 ZHANG Xuan;WAN Liang;LUO Heng;YANG Yang(College of Computer Science and Technology,Guizhou University,Guiyang 550025,China;State Key Laboratory of Public Big Data,Guizhou University,Guiyang 550025,China)

机构地区：[1]贵州大学计算机科学与技术学院,贵阳550025 [2]公共大数据国家重点实验室,贵阳550025

出　　处：《信息网络安全》2024年第12期1933-1947,共15页Netinfo Security

基　　金：国家自然科学基金[62262004]。

摘　　要：僵尸网络已经成为网络基础设施最严重的威胁之一。现有的僵尸网络检测方法严重依赖特征工程,导致在实际环境中的检测性能受到限制。基于原始流量的僵尸网络检测方法在这方面更具优势,尤其是利用图和原始流量来增强对异常僵尸网络行为的识别,这也是文章研究的重点。文章提出一种基于两阶段图学习的僵尸网络自动化检测方法Graph2BotNet。从每个双向网络流的交互数据包中构建一个流图,通过IP之间通信拓扑构建通信图,采用图同构网络模型学习流图的向量表示,将向量表示嵌入对应的通信图节点中,最后传入第二阶段图学习模型,对节点进行分类。Graph2BotNet利用图结构自动提取流图特征,在不需要大量专家特征的情况下,结合图神经网络模型进行两阶段图学习,实现快速准确的僵尸网络检测。实验结果表明,在ISCX-2014、CTU-13和CICIDS2017僵尸网络数据集上,Graph2BotNet性能优于其他方法。Botnets had become one of the most serious threats to network infrastructure.Existing botnet detection methods heavily rely on feature engineering,which significantly limits their detection performance in real-world environments.Botnet detection methods based on raw traffic had more advantages in this aspect,especially when leveraging graphs and raw traffic to enhance the identification of abnormal botnet behaviors,which is the focus of this study.This paper proposed an automated botnet detection method based on two-stage graph learning called Graph2BotNet.The approach involved constructing a flow graph from the interaction packets of each bidirectional network flow and building a communication graph based on the communication topology between IPs.The graph isomorphism network model was used to learn the vector representation of the flow graph,embedding the vector representation into the corresponding communication graph nodes,and finally passing it into the second stage-graph neural networks model to classify the nodes.Graph2BotNet leveraged the graph structure to automatically extract flow graph features and,without requiring extensive expert features,combined graph neural network models to perform two-stage graph learning for fast and accurate botnet detection.The experimental results on the ISCX-2014,CTU-13,and CICIDS2017 botnet datasets demonstrate that Graph2BotNet outperforms the current state-of-the-art methods.

关 键 词：僵尸网络检测 深度学习 图神经网络 网络流量分析 僵尸网络拓扑 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]