基于半监督深度学习的木马流量检测方法

Trojan Traffic Detection Method Based on Semi-Supervised Deep Learning

针对木马流量检测技术存在人工提取特征不够准确、大量标记样本获取困难、无标记样本没有充分利用、模型对于未知样本识别率较低等问题,提出基于半监督深度学习的木马流量检测方法,利用大量未标记网络流量用于模型训练.首先,采用基于mean teacher模型的检测方法提高检测准确率;然后,为解决mean teacher模型中采用随机噪声导致模型泛化能力不足的问题,提出基于虚拟对抗mean teacher模型的检测方法;最后,通过实验验证所提半监督深度学习检测方法在少标记样本下的二分类、多分类以及未知样本检测任务中具有更高的准确率.此外,基于虚拟对抗mean teacher模型的检测方法在多分类任务中比原始mean teacher模型表现出更强的泛化性能.

The existing Trojan traffic detection technology has problems,such as the inaccuracy of manual feature extraction,the difficulty of obtaining a large number of labeled samples,the insufficient utilization of unlabeled samples,and the low detection rate of unknown samples.A semi-supervised deep learning method is proposed to detect Trojan traffic by using unlabeled network traffic for model training.Firstly,the detection method based on the mean teacher model is used to improve the detection accuracy.Then,in order to solve the problem that the model generalization ability is not enough due to the random noise in the mean teacher model,a detection method based on the virtual adversarial mean teacher is proposed.At last,the experimental results show that the proposed semi-supervised deep learning detection method has higher accuracy in the task of two classifications,multi-classification and unknown sample detection under the condition of less labeled samples.Besides,the detection method based on virtual adversarial mean teacher model has stronger generalization performance than the original mean teacher model in the task of multi-classification.