Abstract:
The Industrial Internet is an important part of national critical information infrastructure. Through the comprehensive interconnection of people, machines and things, it gives rise to a new architecture for industrial production, manufacturing and service. However, traditional industrial devices contain a great number of security vulnerabilities, which can be exploited maliciously once the devices are interconnected, causing serious security accidents or economic losses. Botnets are a major security threat currently facing the Industrial Internet: they take control of large numbers of networked devices through vulnerability exploitation and malware propagation, and then launch large-scale coordinated attacks on the target network. Traditional rule-based or threshold-based anomaly detection methods rely heavily on manually formulated rules or thresholds, and traditional machine learning techniques are poor at automatically processing complex, high-dimensional network communication features, so both yield weak botnet detection performance. Considering the ubiquitous device-to-device connectivity of the Industrial Internet, we model the device communication network as a graph in order to describe its topology accurately. On the basis of this graph model, we propose a novel botnet detection approach based on Graph Neural Network (GNN)-enhanced traffic features. It exploits the richer node and traffic features generated during network communication and uses a GNN to propagate and aggregate node information across the whole network, producing more accurate aggregated node features. These aggregated node features are then used to enhance the traffic features. Finally, a MultiLayer Perceptron (MLP) classifies the enhanced traffic features automatically, achieving accurate detection of botnet communications. We conducted comprehensive experiments on CTU-13, a publicly available large-scale dataset. The experimental results show that the proposed approach achieves better detection performance than traditional anomaly detection methods.
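The pipeline the abstract describes (graph from flows, node aggregation, feature enhancement, classifier input) is illustrated below with an added example that is not code from the paper or its authors. It replaces the trained GNN layer with a parameter-free mean aggregation over each node's neighbourhood (the message-passing core of a GCN-style layer, without the learned weight matrix and nonlinearity), and it assumes constructed flow records with byte and packet counts and hypothetical host addresses; the CTU-13 feature set and the paper's exact node features are not on the page.

```python
"""Added example, not from the paper: graph-based enhancement of flow features.

Steps mirror the abstract's pipeline:
  1. build a communication graph from flow records (nodes = hosts),
  2. aggregate node features over the graph (simplified, weight-free GNN layer),
  3. enhance each flow's own features with the aggregated features of both
     endpoints; the resulting vectors are what an MLP classifier would consume.
"""
from collections import defaultdict

# Constructed sample flows: (src, dst, bytes, packets). Hosts and values are made up.
FLOWS = [
    ("10.0.0.1", "10.0.0.2", 1200, 10),
    ("10.0.0.1", "10.0.0.3", 800, 6),
    ("10.0.0.2", "10.0.0.3", 300, 3),
    ("10.0.0.4", "10.0.0.1", 5000, 40),
]


def build_graph(flows):
    """Return an undirected adjacency map and raw per-node features.

    Node feature layout (assumed for this example): [out_degree, in_degree, total_bytes].
    """
    adj = defaultdict(set)
    feats = defaultdict(lambda: [0.0, 0.0, 0.0])
    for src, dst, nbytes, _pkts in flows:
        adj[src].add(dst)
        adj[dst].add(src)
        feats[src][0] += 1          # flows initiated by src
        feats[dst][1] += 1          # flows received by dst
        feats[src][2] += nbytes     # bytes seen at either endpoint
        feats[dst][2] += nbytes
    return adj, dict(feats)


def aggregate(adj, feats, rounds=1):
    """Mean-aggregate each node's features with its neighbours', `rounds` times.

    One round corresponds to one message-passing layer; k rounds let a node's
    vector reflect its k-hop neighbourhood, which is how a GNN spreads evidence
    of coordinated (bot-like) communication patterns across the graph. A trained
    GNN would additionally apply a weight matrix and nonlinearity per round.
    """
    current = {node: list(f) for node, f in feats.items()}
    for _ in range(rounds):
        nxt = {}
        for node, own in current.items():
            group = [own] + [current[nbr] for nbr in adj[node]]
            nxt[node] = [sum(col) / len(group) for col in zip(*group)]
        current = nxt
    return current


def enhance_flows(flows, agg):
    """Concatenate raw flow features with aggregated features of both endpoints.

    Each output vector is [bytes, packets] + agg(src) + agg(dst): the flow-level
    input an MLP would classify as botnet or benign traffic.
    """
    return [[float(nbytes), float(pkts)] + agg[src] + agg[dst]
            for src, dst, nbytes, pkts in flows]


def pipeline(flows, rounds=1):
    """Run the full graph -> aggregate -> enhance sequence on a list of flows."""
    adj, feats = build_graph(flows)
    return enhance_flows(flows, aggregate(adj, feats, rounds))


if __name__ == "__main__":
    for flow, vec in zip(FLOWS, pipeline(FLOWS)):
        print(flow[:2], [round(v, 2) for v in vec])
```

With the constructed flows, host 10.0.0.4 only talks to 10.0.0.1, so after one round its vector is the mean of the two hosts' raw features; a real model would learn which such neighbourhood patterns separate command-and-control traffic from normal flows.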