Botnet abnormal communication detection based on GNN-enhanced traffic features

Abstract: The Industrial Internet is an important part of national critical information infrastructure. Through the comprehensive interconnection of people, machines and things, it is driving a new architecture for industrial production, manufacturing and services. However, traditional industrial devices carry a great number of security vulnerabilities; once these devices are networked, the vulnerabilities are easily exploited by attackers, causing serious safety incidents or economic losses. Botnets are among the main security threats the Industrial Internet currently faces: by exploiting vulnerabilities and spreading malware they take control of large numbers of networked devices and use them for large-scale coordinated attacks on a target network. Traditional rule-based or threshold-based detection methods depend heavily on manually written rules or manually tuned thresholds, and traditional machine learning techniques have limited ability to automatically process the complex, high-dimensional communication features of such networks, so both detect botnets poorly. Given the dense device-to-device connectivity of networked devices, we model the device communication network as a graph in order to describe its topology accurately. On top of this graph model we propose a botnet abnormal communication detection model based on Graph Neural Network (GNN)-enhanced traffic features. It extracts the rich node features and traffic (communication) features produced by communication in the network, and uses a GNN to propagate and aggregate node information across the network, yielding more accurate aggregated node feature representations. The aggregated node features are then used to enhance the traffic features, giving a more accurate representation of each communication. Finally, a Multi-Layer Perceptron (MLP) automatically classifies the enhanced traffic features to detect abnormal botnet communication. We conducted comprehensive experiments on the large publicly available CTU-13 dataset. The experimental results show that the proposed approach detects abnormal botnet communication more accurately than traditional anomaly detection methods.
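The feature pipeline the abstract describes (flows to a communication graph, GNN-style neighbour aggregation of node features, then each flow's own features concatenated with the aggregated features of its two endpoints) can be made concrete with the following added example. It is illustrative code written for this page, not the paper's implementation: the flow records are constructed, the node features (in/out-degree, bytes sent/received) and the flow features (bytes, packets, bytes per packet) are assumptions, and the learned GNN layer is replaced by an unweighted mean aggregation over neighbours, which is the message-passing step without trained parameters. The MLP classification stage is not included; the vectors returned by `enhance` are what such a classifier would be trained on.

```python
# Added illustration of the abstract's pipeline; not the paper's code.
# Stages: flows -> communication graph -> one-hop mean aggregation of node
# features (stand-in for a GNN layer) -> flow features enhanced with the
# aggregated features of both endpoints.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, bytes, packets)

# Constructed sample flows for the example; not real CTU-13 records.
FLOWS: List[Flow] = [
    ("10.0.0.5", "10.0.0.9", 1200, 10),
    ("10.0.0.5", "10.0.0.7", 800, 6),
    ("10.0.0.7", "10.0.0.9", 300, 3),
    ("10.0.0.9", "10.0.0.5", 50, 1),
]


def build_graph(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Communication graph as an adjacency map. Edges are stored in both
    directions because aggregation is over communication partners,
    regardless of who initiated the flow."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, _, _ in flows:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def node_features(flows: List[Flow]) -> Dict[str, List[float]]:
    """Per-node features (assumed for this example):
    [out_flows, in_flows, bytes_sent, bytes_received]."""
    feats: Dict[str, List[float]] = defaultdict(lambda: [0.0, 0.0, 0.0, 0.0])
    for src, dst, nbytes, _ in flows:
        feats[src][0] += 1
        feats[src][2] += nbytes
        feats[dst][1] += 1
        feats[dst][3] += nbytes
    return feats


def aggregate(adj: Dict[str, Set[str]], feats: Dict[str, List[float]],
              hops: int = 1) -> Dict[str, List[float]]:
    """GraphSAGE-style aggregation without learned weights: each round
    replaces a node's vector with [own || mean(neighbour vectors)].
    With hops=1 the output has twice the input dimension."""
    h = {n: list(f) for n, f in feats.items()}
    for _ in range(hops):
        new_h = {}
        for n, own in h.items():
            nbrs = [h[m] for m in adj[n] if m in h]
            if nbrs:
                mean = [sum(col) / len(nbrs) for col in zip(*nbrs)]
            else:  # isolated node: no neighbourhood information
                mean = [0.0] * len(own)
            new_h[n] = own + mean
        h = new_h
    return h


def flow_features(flow: Flow) -> List[float]:
    """Per-flow (traffic) features, assumed for the example:
    [bytes, packets, bytes_per_packet]."""
    _, _, nbytes, npkts = flow
    return [float(nbytes), float(npkts), nbytes / npkts]


def enhance(flows: List[Flow], hops: int = 1) -> List[List[float]]:
    """Enhanced traffic feature vector for every flow:
    flow features || agg(src node) || agg(dst node).
    This is the input an MLP classifier would consume."""
    adj = build_graph(flows)
    agg = aggregate(adj, node_features(flows), hops)
    return [flow_features(f) + agg[f[0]] + agg[f[1]] for f in flows]


if __name__ == "__main__":
    for flow, vec in zip(FLOWS, enhance(FLOWS)):
        print(flow[0], "->", flow[1], [round(v, 1) for v in vec])
```

With the constructed flows each enhanced vector has 3 + 8 + 8 = 19 dimensions: the first three describe the flow itself, the next eight are the source node's own features followed by the mean of its neighbours' features, and the last eight are the same for the destination. Because the three hosts form a triangle, a flow between two of them already carries information about the third, which is the effect the abstract's node-to-traffic enhancement is meant to capture.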
