Abstract
Mining traffic detection is a variable-length data classification task. Existing detection schemes such as keyword matching and N-gram feature signatures are classification methods based on local features and fail to make full use of the global features of the traffic. Modelling mining traffic with deep learning models extracts its global features and improves the accuracy of mining traffic detection. The traffic classification model proposed in this paper uses a Transformer encoder to extract global features of the traffic, then a sequence summarizer processes the encoded result to obtain a fixed-length representation for classification. Because mining samples account for less than 3% of the dataset, accuracy is a strongly biased measure of classification performance; the paper therefore considers both precision and recall and evaluates the model with the F1 score. Using sinusoidal positional encoding in the model's encoder lets the model reach an F1 score of 99.84% on the test set, with a precision of 100%.
Authors
WEI Jinxia (魏金侠); HUANG Xizhang (黄玺章); FU Yuhao (付豫豪); LI Jing (李婧); LONG Chun (龙春)
Computer Network Information Center, Chinese Academy of Sciences, Beijing 100083, China; School of Computer Science and Technology, University of Chinese Academy of Sciences, Beijing 100049, China
Source
Netinfo Security (《信息网络安全》)
CSCD
Peking University Core Journal (北大核心)
2024, No. 10, pp. 1506-1514 (9 pages)
Funding
Youth Innovation Promotion Association of the Chinese Academy of Sciences [2022170]
Chinese Academy of Sciences Special Project on Network Security and Informatization [CAS-WX2022GC-04]
Keywords
mining malware (挖矿木马)
traffic classification
deep learning
sequence processing