小样本下基于度量学习的僵尸网络检测方法

Metric-based learning approach to botnet detection with small samples

僵尸网络给互联网带来了极大的威胁,尽早有效地检测出僵尸网络对于维护网络空间安全具有重要的实践意义。然而在僵尸网络发现初期,可获得带标记样本数量较少,这使得目前大部分基于深度学习的检测方法无法得到充分训练,导致检测结果不佳。因此,提出了一种用于小样本下的基于度量学习的僵尸网络检测方法BT-RN,利用基于任务的元学习训练策略优化模型,在任务中引入验证集并通过度量验证样本和训练样本特征表示之间的相似度来快速累积经验,从而降低模型对标记样本空间的依赖;引入了特征级注意力机制,通过计算特征中各维度的注意力系数,重新整合特征表示并分配重要度关注来优化特征表示,从而减少深度神经网络在小样本中的特征稀疏问题;引入了残差网络设计模式,利用跳跃链接来规避增加特征级注意力机制模块后,较深的网络所带来的模型退化和梯度消失风险。实验结果表明,在小样本背景下,所提僵尸网络检测方法的正确率和模型泛化能力优于其他小样本检测方法和深度学习检测方法。

Botnets pose a great threat to the Internet,and early detection is crucial for maintaining cybersecurity.However,in the early stages of botnet discovery,obtaining a small number of labeled samples restricts the training of current detection models based on deep learning,leading to poor detection results.To address this issue,a botnet detection method called BT-RN,based on metric learning,was proposed for small sample backgrounds.The task-based meta-learning training strategy was used to optimize the model.The verification set was introduced into the task and the similarity between the verification sample and the training sample feature representation was measured to quickly accumulate experience,thereby reducing the model’s dependence on the labeled sample space.The feature-level attention mechanism was introduced.By calculating the attention coefficients of each dimension in the feature,the feature representation was re-integrated and the importance attention was assigned to optimize the feature representation,thereby reducing the feature sparseness of the deep neural network in small samples.The residual network design pattern was introduced,and the skip link was used to avoid the risk of model degradation and gradient disappearance caused by the deeper network after increasing the feature-level attention mechanism module.