
Multi-Granularity Representation Learning for Encrypted Malicious Traffic Detection

Cited by: 1
Abstract: Existing methods for detecting encrypted malicious traffic fall short. Methods based on statistical features depend on expert experience for feature extraction and treat the features as independent of one another. Machine learning and deep learning methods that work on raw input suffer from incomplete information, random fields, and single granularity, and so represent the semantics of encrypted-traffic interaction behavior poorly. To address these problems, this paper proposes MGREL (Multi-Granularity REpresentation Learning), a method for detecting encrypted malicious traffic based on multi-granularity representation learning. The method processes an encrypted session at two granularities, field level and packet level. At the field level, local behavior is modeled with word vectors: handshake messages are extracted and key fields are selected to mitigate the loss of semantics caused by incomplete information; the byte values of the fields are represented as word vectors; and the message type and handshake type are added as a positional prefix to address the lack of positional semantics. Multi-head Attention computes the interactions between fields, and a BiLSTM then produces message-level semantics. At the packet level, global behavior is modeled in space and time: the spatiotemporal state information of the packets is extracted, and an LSTM model produces flow-level semantics. The local behavior semantics and global behavior semantics obtained at the two granularities are fused into a representation of the encrypted traffic, which addresses the insufficient representational capacity of a single granularity. Finally, comparative experiments verify that the proposed method, MGREL, performs best in detecting encrypted malicious traffic.
Authors: GU Yong-Hao (谷勇浩); XU Hao (徐昊); ZHANG Xiao-Qing (张晓青) (Beijing Key Laboratory of Intelligent Telecommunications Software and Multimedia, School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876; Guangdong Provincial Key Laboratory of Information Security Technology, Sun Yat-sen University, Guangzhou 510275)
Source: Chinese Journal of Computers (《计算机学报》) [EI, CAS, CSCD, Peking University Core], 2023, Issue 9, pp. 1888-1899 (12 pages)
Funding: Supported by the Fundamental Research Funds for the Central Universities action plan project of Beijing University of Posts and Telecommunications (2021XD-A11-1), the CCF-Ant Research Fund (20210026), and the Open Fund of the Guangdong Provincial Key Laboratory of Information Security Technology (2020B1212060078).
Keywords: encrypted malicious traffic detection; multi-granularity representation learning; local behavior; global behavior; positional semantics