卫重波, 谢高岗, 刁祖龙, 张广兴. IoT traffic anomaly detection based on header sequence [J]. 高技术通讯 (Chinese edition), 2024, 34(8): 798-806

Title (Chinese): 基于数据包头序列的物联网恶意流量检测
Title (English): IoT traffic anomaly detection based on header sequence

DOI: 10.3772/j.issn.1002-0470.2024.08.002
Keywords (translated from the Chinese list): machine learning (ML); malicious traffic detection; network behavior; Internet of Things (IoT) security; packet header sequence
Keywords (English): machine learning (ML), traffic anomaly detection, network behavior, Internet of Things (IoT) security, packet header sequence
Funding:
Authors and affiliations:
- 卫重波 (* **)
- 谢高岗 (***)
- 刁祖龙 (* ****)
- 张广兴 (*)

* Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190
** University of Chinese Academy of Sciences, Beijing 100190
*** Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190
**** Purple Mountain Laboratories, Nanjing 211111

Abstract (translated from the Chinese):
Existing machine-learning (ML) based malicious traffic detection methods usually take high-dimensional traffic features as input and use complex models, which in practice produce high false-positive rates and consume substantial resources. More importantly, the widespread use of encrypted protocols makes packet payload features hard to access. Fortunately, the network behavior of Internet of Things (IoT) devices is usually regular and periodic; this characteristic is reflected in the sequence of communication packets, each of which to some extent describes one network event. On this basis, this paper proposes a malicious traffic detection method based on packet header sequences. It converts the traffic sequence into a sequence of network events and computes a set of features (namely sequentiality, frequency, periodicity and burstiness) to describe network behavior. The experimental environment contains a set of real IoT devices, and the proposed method is deployed on a gateway emulated by a Raspberry Pi. Experimental results show that, compared with the latest detection methods, the proposed method maintains high accuracy and a low false-positive rate in complex network environments and improves the processing rate.
Abstract (English, as published):
Existing malicious traffic detection methods based on machine learning (ML) usually take high-dimensional traffic features as input and use complex models. In practice, this produces high false alarm rates and high resource consumption. More importantly, the widespread use of encryption protocols makes packet payload features difficult to access. Fortunately, the network behavior of Internet of Things (IoT) devices is usually regular and periodic, and this feature is reflected in the sequence of communication packets, each of which describes a network event to some extent. Based on this, this paper proposes a malicious traffic detection method based on packet header sequences. It converts traffic sequences into network event sequences and computes a set of features (namely sequence, frequency, surge, and seasonality) to describe the network behavior. The experimental environment contains a set of real IoT devices, and the proposed method is deployed on a Raspberry Pi simulated gateway. The experimental results show that the proposed method is able to maintain high accuracy and a low false alarm rate in complex network environments and improves the processing rate compared to the state-of-the-art detection methods.
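As an added illustration of the pipeline the abstract describes (example code written for this page, not the authors' implementation): packet headers from a constructed capture are mapped to coarse network events, per-window features for sequentiality, frequency, periodicity and burstiness are computed from the event sequence alone (no payload), and the resulting profile is compared to a benign baseline to flag deviating behavior. The device address, the header fields kept, the event key (direction, protocol, remote port), the concrete feature formulas (distinct-bigram ratio, packets per second, one minus the coefficient of variation of per-event inter-arrival times, and the Goh-Barabasi burstiness (σ-μ)/(σ+μ)), the two constructed traces and the tolerance thresholds are all assumptions of this example, not values from the paper.

```python
"""Added example: behavior features from an IoT packet-header sequence (not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

DEVICE_IP = "192.168.1.50"    # constructed: the IoT device behind the gateway
Event = Tuple[str, str, int]  # (direction, protocol, remote port)

# Assumed tolerances for comparing a window against the benign baseline.
TOLERANCE = {"sequence": 0.3, "frequency": 0.5, "periodicity": 0.3, "burstiness": 0.3}


@dataclass(frozen=True)
class PacketHeader:
    """Only header fields are kept; the payload is never inspected."""
    ts: float       # capture time in seconds
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    sport: int
    dport: int
    length: int


def header_to_event(h: PacketHeader) -> Event:
    """Map one header to a coarse network event: (direction, proto, remote port)."""
    if h.src == DEVICE_IP:
        return ("out", h.proto, h.dport)
    return ("in", h.proto, h.sport)


def per_event_gaps(headers: List[PacketHeader]) -> Dict[Event, List[float]]:
    """Inter-arrival times computed separately for each event type."""
    times: Dict[Event, List[float]] = defaultdict(list)
    for h in sorted(headers, key=lambda x: x.ts):
        times[header_to_event(h)].append(h.ts)
    return {e: [b - a for a, b in zip(t, t[1:])] for e, t in times.items()}


def sequence_feature(headers: List[PacketHeader]) -> float:
    """Fraction of distinct event bigrams; a repetitive protocol exchange scores low."""
    events = [header_to_event(h) for h in sorted(headers, key=lambda x: x.ts)]
    bigrams = list(zip(events, events[1:]))
    return len(set(bigrams)) / len(bigrams) if bigrams else 0.0


def frequency_feature(headers: List[PacketHeader]) -> float:
    """Packets per second over the window."""
    ts = [h.ts for h in headers]
    span = max(ts) - min(ts)
    return len(ts) / span if span > 0 else float(len(ts))


def _periodicity(gaps: List[float]) -> float:
    """1 - coefficient of variation, clamped to [0, 1]; 1.0 means perfectly regular."""
    m = mean(gaps)
    return max(0.0, 1.0 - pstdev(gaps) / m) if m > 0 else 0.0


def _burstiness(gaps: List[float]) -> float:
    """Goh-Barabasi burstiness (sigma - mu)/(sigma + mu): -1 periodic, 0 Poisson, +1 bursty."""
    m, s = mean(gaps), pstdev(gaps)
    return (s - m) / (s + m) if (s + m) > 0 else 0.0


def behavior_features(headers: List[PacketHeader]) -> Dict[str, float]:
    """The four-feature profile of one window; timing features are averaged over event types."""
    gaps = [g for g in per_event_gaps(headers).values() if len(g) >= 2]
    return {
        "sequence": sequence_feature(headers),
        "frequency": frequency_feature(headers),
        "periodicity": mean(_periodicity(g) for g in gaps) if gaps else 0.0,
        "burstiness": mean(_burstiness(g) for g in gaps) if gaps else 0.0,
    }


def deviating_features(features: Dict[str, float], baseline: Dict[str, float],
                       tolerance: Dict[str, float]) -> List[str]:
    """Names of features that moved further from the baseline than the tolerance allows."""
    return [k for k in baseline if abs(features[k] - baseline[k]) > tolerance[k]]


def constructed_benign() -> List[PacketHeader]:
    """Constructed trace: a heartbeat to a broker every 10 s, answered 0.1 s later."""
    pkts = []
    for i in range(6):
        t = 10.0 * i
        pkts.append(PacketHeader(t, DEVICE_IP, "203.0.113.10", "TCP", 40001, 8883, 80))
        pkts.append(PacketHeader(t + 0.1, "203.0.113.10", DEVICE_IP, "TCP", 8883, 40001, 60))
    return pkts


def constructed_flood() -> List[PacketHeader]:
    """Constructed trace: the same device emitting tight bursts of packets to one host."""
    gaps = [0.01] * 9 + [1.41] + [0.01] * 4 + [1.46] + [0.01] * 4
    pkts, t = [], 100.0
    for g in [0.0] + gaps:
        t += g
        pkts.append(PacketHeader(t, DEVICE_IP, "198.51.100.7", "TCP", 40002, 80, 40))
    return pkts


if __name__ == "__main__":
    baseline = behavior_features(constructed_benign())
    print("baseline:", baseline)
    print("deviating:", deviating_features(behavior_features(constructed_flood()), baseline, TOLERANCE))
```

On the constructed heartbeat the per-event inter-arrival times are constant, so periodicity is 1.0 and burstiness is -1.0; the burst trace drives frequency up by more than an order of magnitude, periodicity to 0 and burstiness above 0, and those three features exceed the tolerances while the sequence feature alone does not, which is why a gateway detector of this kind profiles several behavior features per device rather than a single one.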