CN118861795A - Tor traffic detection classification method and system based on time series conversion - Google Patents
Tor traffic detection classification method and system based on time series conversion Download PDFInfo
- Publication number
- CN118861795A CN118861795A CN202410785848.3A CN202410785848A CN118861795A CN 118861795 A CN118861795 A CN 118861795A CN 202410785848 A CN202410785848 A CN 202410785848A CN 118861795 A CN118861795 A CN 118861795A
- Authority
- CN
- China
- Prior art keywords
- time series
- dimensional
- tensor
- dimensional tensor
- conversion
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 46
- 238000006243 chemical reaction Methods 0.000 title claims abstract description 27
- 238000001514 detection method Methods 0.000 title claims description 20
- 239000013598 vector Substances 0.000 claims abstract description 8
- 230000008569 process Effects 0.000 claims description 22
- 230000007246 mechanism Effects 0.000 claims description 10
- 230000002776 aggregation Effects 0.000 claims description 8
- 238000004220 aggregation Methods 0.000 claims description 8
- 230000006835 compression Effects 0.000 claims description 8
- 238000007906 compression Methods 0.000 claims description 8
- 230000008859 change Effects 0.000 claims description 5
- 238000010586 diagram Methods 0.000 description 10
- 238000004590 computer program Methods 0.000 description 7
- 238000012545 processing Methods 0.000 description 5
- 238000013136 deep learning model Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 101100012902 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) FIG2 gene Proteins 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 2
- 238000013145 classification model Methods 0.000 description 2
- 238000013135 deep learning Methods 0.000 description 2
- 238000000605 extraction Methods 0.000 description 2
- 238000010801 machine learning Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000000737 periodic effect Effects 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 101100481876 Danio rerio pbk gene Proteins 0.000 description 1
- 101001121408 Homo sapiens L-amino-acid oxidase Proteins 0.000 description 1
- 101000827703 Homo sapiens Polyphosphoinositide phosphatase Proteins 0.000 description 1
- 102100026388 L-amino-acid oxidase Human genes 0.000 description 1
- 101100481878 Mus musculus Pbk gene Proteins 0.000 description 1
- 102100023591 Polyphosphoinositide phosphatase Human genes 0.000 description 1
- 101100233916 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) KAR5 gene Proteins 0.000 description 1
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000004931 aggregating effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000007689 inspection Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 238000012549 training Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/213—Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/02—Neural networks
- G06N3/04—Architecture, e.g. interconnection topology
- G06N3/045—Combinations of networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2123/00—Data types
- G06F2123/02—Data types in the time domain, e.g. time-series data
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Life Sciences & Earth Sciences (AREA)
- Artificial Intelligence (AREA)
- Computer Vision & Pattern Recognition (AREA)
- General Physics & Mathematics (AREA)
- Evolutionary Computation (AREA)
- Computing Systems (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Evolutionary Biology (AREA)
- Bioinformatics & Computational Biology (AREA)
- Mathematical Physics (AREA)
- Biomedical Technology (AREA)
- Biophysics (AREA)
- Software Systems (AREA)
- Molecular Biology (AREA)
- Health & Medical Sciences (AREA)
- Computational Linguistics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
技术领域Technical Field
本发明属于网络空间安全与加密流量检测分类及应用类型识别技术领域,具体涉及一种基于时间序列转换的Tor流量检测分类方法及系统。The present invention belongs to the technical field of cyberspace security and encrypted traffic detection classification and application type identification, and specifically relates to a Tor traffic detection classification method and system based on time series conversion.
背景技术Background Art
本部分的陈述仅仅是提供了与本发明相关的背景技术信息,不必然构成在先技术。The statements in this section merely provide background information related to the present invention and do not necessarily constitute prior art.
在互联网发展的早期,流量分类的技术研究已经开始,一般的网络流量分类方法包括基于端口的分类,基于深度包检测的分类,基于机器学习或深度学习的分类。网络流量分类,是指将网络流量按照服务类型或应用类型等进行分类,如邮件类、视频类、脸书、火狐、谷歌等。网络流量分类有利于网络管理和维护网络空间的安全,例如通过识别流量的应用类型,可以将其分为不同的优先级,实现质量服务控制,提升用户体验;在网络安全领域,恶意流量、异常流量的检测或分类也常常需要通过网络流量分类技术实现。In the early days of the Internet, technical research on traffic classification has begun. General network traffic classification methods include port-based classification, deep packet inspection-based classification, and machine learning or deep learning-based classification. Network traffic classification refers to the classification of network traffic according to service type or application type, such as email, video, Facebook, Firefox, Google, etc. Network traffic classification is conducive to network management and maintaining the security of cyberspace. For example, by identifying the application type of traffic, it can be divided into different priorities to achieve quality service control and improve user experience. In the field of network security, the detection or classification of malicious traffic and abnormal traffic often needs to be achieved through network traffic classification technology.
随着加密流量成为互联网中的主要流量形式,许多网络流量分类技术的性能有不同程度的下降。然而,随着网络代理工具的使用,加密后的流量再次被多次加密和转发,提高了加密流量分类任务的难度。其中,比较流行的匿名通信工具Tor,在暗网中常被使用,带来了巨大的安全风险,需要新的加密流量分类技术对Tor流量进行识别与分类。As encrypted traffic becomes the main form of traffic on the Internet, the performance of many network traffic classification technologies has declined to varying degrees. However, with the use of network proxy tools, encrypted traffic is encrypted and forwarded again multiple times, which increases the difficulty of encrypted traffic classification tasks. Among them, Tor, a popular anonymous communication tool, is often used in the dark web, which brings huge security risks. New encrypted traffic classification technologies are needed to identify and classify Tor traffic.
在之前对于加密流量分类的研究中,通过提取包级、流级、会话级以及统计特征等,输入到机器学习或深度学习的模型中进行分类被证明是有效的。然而,这些基于特征的方法需要人工设计特征,并且对于不同类别的流量可能需要设计不同的特征,总体比较耗时耗力。最近,由于深度学习端到端框架的优越性能,将原始流量送入到深度学习模型中进行表征学习的方法越来约流行。通过深度学习模型,自动提取流量的高级抽象特征,从而进行流量分类,不仅降低了模型对于人工设计特征的依赖性,而且适用于各种网络流量,具有普适性。然而,大多数现有方法将网络流量数据直接转换为一维数据或图像数据进行处理,这限制了模型对于网络流量的表征能力。因此,如何结合网络流量数据特点,提高对于加密流量检测分类与应用类型识别任务的性能等成为亟需解决的问题。In previous studies on encrypted traffic classification, extracting packet-level, flow-level, session-level and statistical features and inputting them into machine learning or deep learning models for classification has been proven to be effective. However, these feature-based methods require manual design of features, and different features may need to be designed for different types of traffic, which is generally time-consuming and labor-intensive. Recently, due to the superior performance of the end-to-end deep learning framework, the method of feeding raw traffic into deep learning models for representation learning has become increasingly popular. Through deep learning models, high-level abstract features of traffic are automatically extracted to classify traffic, which not only reduces the model's dependence on manually designed features, but also is applicable to various network traffic and has universal applicability. However, most existing methods directly convert network traffic data into one-dimensional data or image data for processing, which limits the model's ability to represent network traffic. Therefore, how to combine the characteristics of network traffic data to improve the performance of encrypted traffic detection classification and application type identification tasks has become an urgent problem to be solved.
发明内容Summary of the invention
本发明为了解决上述问题,提出了一种基于时间序列转换的Tor流量检测分类方法及系统,本发明将网络流量在会话水平上建模为高维时间序列,针对时间序列具有周期性的特点,根据主要周期将时间序列转换为二维张量,另外,基于时间序列多周期的特点,将二维张量中的行视为时间序列,重复此操作,将二维张量中的行向量继续转换为二维张量,提高时间序列数据的表达能力。In order to solve the above problems, the present invention proposes a Tor traffic detection and classification method and system based on time series conversion. The present invention models network traffic as a high-dimensional time series at the session level. In view of the periodicity of time series, the time series is converted into a two-dimensional tensor according to the main period. In addition, based on the multi-period characteristics of time series, the rows in the two-dimensional tensor are regarded as time series. This operation is repeated to further convert the row vectors in the two-dimensional tensor into a two-dimensional tensor, thereby improving the expression ability of time series data.
根据一些实施例,本发明采用如下技术方案:According to some embodiments, the present invention adopts the following technical solutions:
一种基于时间序列转换的Tor流量检测分类方法,包括以下步骤:A Tor traffic detection and classification method based on time series conversion includes the following steps:
获取待测网络环境中的网络流量数据;Obtain network traffic data in the network environment to be tested;
将网络流量数据在会话水平上建模为具有高维特征的时间序列,基于时间序列的周期性,根据频率选择策略,将时间序列转换为二维张量;The network traffic data is modeled as a time series with high-dimensional features at the session level. Based on the periodicity of the time series and the frequency selection strategy, the time series is converted into a two-dimensional tensor.
将二维张量中的行视为子时间序列,根据频率选择策略,将子时间序列转换为二维张量,重复该操作,将时间序列转换为一组二维张量,对每一个二维张量进行特征学习,并将学习到的特征图聚合成一个新的具有高维特征的一维序列;Treat the rows in the two-dimensional tensor as sub-time series, convert the sub-time series into a two-dimensional tensor according to the frequency selection strategy, repeat this operation to convert the time series into a set of two-dimensional tensors, perform feature learning on each two-dimensional tensor, and aggregate the learned feature maps into a new one-dimensional sequence with high-dimensional features;
对所述一维序列进行分类,得到有无网络流量的识别结果。The one-dimensional sequence is classified to obtain an identification result of whether there is network traffic.
作为可选择的实施方式,所述将网络流量在会话水平上建模为具有高维特征的时间序列的过程包括:将一个会话中的的数据包数目视为时间序列长度,将数据包看作一个时间点向量,并进行时间序列长度与特征维度的统一。As an optional implementation, the process of modeling network traffic at the session level as a time series with high-dimensional features includes: considering the number of data packets in a session as the length of the time series, considering the data packet as a time point vector, and unifying the time series length and the feature dimension.
作为可选择的实施方式,将时间序列转换为二维张量的具体过程包括包括原时间序列转换为1个二维张量,通过压缩维度操作和转换维度操作,将二维张量的行视为子时间序列,继续生成新的二维张量。As an optional implementation, the specific process of converting a time series into a two-dimensional tensor includes converting the original time series into a two-dimensional tensor, treating the rows of the two-dimensional tensor as sub-time series through dimension compression operations and dimension conversion operations, and continuing to generate a new two-dimensional tensor.
作为进一步的实施方式,将原时间序列转换为1个二维张量过程包括:As a further implementation, the process of converting the original time series into a two-dimensional tensor includes:
根据频率选择策略,找到合适的频率值;According to the frequency selection strategy, find the appropriate frequency value;
找到与频率值对应的周期,所述周期和频率值呈倒数关系;Find a period corresponding to the frequency value, wherein the period and the frequency value are in an inverse relationship;
根据周期和频率值,将一维时间序列转换为二维张量。Convert a one-dimensional time series into a two-dimensional tensor based on period and frequency values.
作为进一步的实施方式,通过压缩维度操作和转换维度操作的具体过程包括:将二维张量的每一行视为一个时间序列,并进行压缩维度操作,根据频率选择策略以及周期和频率值的关系,找到经过压缩维度操作的时间序列的主周期与对应频率,对二维张量进行重塑;As a further implementation method, the specific process of the compression dimension operation and the conversion dimension operation includes: treating each row of the two-dimensional tensor as a time series, and performing the compression dimension operation, finding the main period and corresponding frequency of the time series after the compression dimension operation according to the frequency selection strategy and the relationship between the period and the frequency value, and reshaping the two-dimensional tensor;
重复上述过程(k-1)次,生成(k-1)个新的二维张量,共k个二维张量。Repeat the above process (k-1) times to generate (k-1) new two-dimensional tensors, a total of k two-dimensional tensors.
作为可选择的实施方式,所述频率选择策略为:在生成一个新的二维张量时,将时间序列进行快速傅里叶变换操作,并找到k-kth个幅值最大的频峰;As an optional implementation, the frequency selection strategy is: when generating a new two-dimensional tensor, the time series is subjected to a fast Fourier transform operation, and the kkth frequency peak with the largest amplitude is found;
当生成的二维张量为第kth个时,选择kth个幅值最大的频峰中的最小频率;When the generated two-dimensional tensor is the kth , the minimum frequency among the kth frequency peaks with the largest amplitude is selected;
当生成的二维张量为第k个时,直接选择幅值最大的频率。When the generated two-dimensional tensor is the kth, the frequency with the largest amplitude is directly selected.
一种基于时间序列转换的Tor流量检测分类系统,包括:A Tor traffic detection and classification system based on time series transformation, including:
获取模块,被配置为获取待测网络环境中的网络流量数据;An acquisition module is configured to acquire network traffic data in the network environment to be tested;
时间序列模型模块,被配置为将网络流量数据在会话水平上建模为具有高维特征的时间序列,基于时间序列的周期性,根据频率选择策略,将时间序列转换为二维张量;The time series model module is configured to model the network traffic data as a time series with high-dimensional features at the session level, and convert the time series into a two-dimensional tensor according to a frequency selection strategy based on the periodicity of the time series;
将二维张量中的行视为子时间序列,根据频率选择策略,将子时间序列转换为二维张量,重复该操作,将时间序列转换为一组二维张量,对每一个二维张量进行特征学习,并将学习到的特征图聚合成一个新的具有高维特征的一维序列;Treat the rows in the two-dimensional tensor as sub-time series, convert the sub-time series into a two-dimensional tensor according to the frequency selection strategy, repeat this operation to convert the time series into a set of two-dimensional tensors, perform feature learning on each two-dimensional tensor, and aggregate the learned feature maps into a new one-dimensional sequence with high-dimensional features;
分类模块,被配置为对所述一维序列进行分类,得到有无网络流量的识别结果。The classification module is configured to classify the one-dimensional sequence to obtain an identification result of whether there is network traffic.
作为可选择的实施方式,所述时间序列模型模块,包括多个序列操作模块通过残差方式堆叠连接而成,每个序列操作模块包括第一转换模块、二维特征提取器和聚合模块,所述第一转换模块,用于将一维时间序列转换生成k个二维张量;As an optional implementation, the time series model module includes multiple sequence operation modules stacked and connected in a residual manner, each sequence operation module includes a first conversion module, a two-dimensional feature extractor and an aggregation module, and the first conversion module is used to convert a one-dimensional time series into k two-dimensional tensors;
所述二维特征提取器,用于对k个二维张量进行特征提取;The two-dimensional feature extractor is used to extract features from k two-dimensional tensors;
所述聚合模块,用于将k个学习到的特征图聚合生成新的具有高维特征的一维序列。The aggregation module is used to aggregate k learned feature maps to generate a new one-dimensional sequence with high-dimensional features.
作为可选择的实施方式,所述二维特征提取器包括多尺度二维核块和轴注意力机制块,所述多尺度二维核块用于提取空间特征,所述轴注意力机制块用于提取时间序列周期间和周期内的变化特征。As an optional embodiment, the two-dimensional feature extractor includes a multi-scale two-dimensional kernel block and an axis attention mechanism block, wherein the multi-scale two-dimensional kernel block is used to extract spatial features, and the axis attention mechanism block is used to extract change features between and within cycles of a time series.
一种电子设备,包括存储器和处理器以及存储在存储器上并在处理器上运行的计算机指令,所述计算机指令被处理器运行时,完成上述方法中的步骤。An electronic device comprises a memory and a processor, and computer instructions stored in the memory and executed on the processor. When the computer instructions are executed by the processor, the steps in the above method are completed.
与现有技术相比,本发明的有益效果为:Compared with the prior art, the present invention has the following beneficial effects:
本发明提出了一种将网络流量数据建模为时间序列的方法,在会话水平上,将数据包视为时间点向量,将数据包数目视为时间序列长度,减少了时间序列模型中常用的特征嵌入操作。另外,本发明还提出了一种用于加密流量分类的时间序列模型,根据时间序列周期性与多周期的特点,将网络流量数据进行升维操作,转换为一组二维张量,并使用多尺度二维核块和轴注意力机制块进行特征提取,提高了数据的表达能力与模型的学习能力,提高了流量分类问题的准确率。The present invention proposes a method for modeling network traffic data as a time series. At the session level, the data packet is regarded as a time point vector, and the number of data packets is regarded as the length of the time series, which reduces the feature embedding operations commonly used in the time series model. In addition, the present invention also proposes a time series model for encrypted traffic classification. According to the characteristics of time series periodicity and multi-period, the network traffic data is subjected to dimensionality increase operation and converted into a set of two-dimensional tensors, and multi-scale two-dimensional kernel blocks and axis attention mechanism blocks are used for feature extraction, which improves the data expression ability and the model's learning ability, and improves the accuracy of traffic classification problems.
为使本发明的上述目的、特征和优点能更明显易懂,下文特举较佳实施例,并配合所附附图,作详细说明如下。In order to make the above-mentioned objects, features and advantages of the present invention more obvious and easy to understand, preferred embodiments are given below and described in detail with reference to the accompanying drawings.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
构成本发明的一部分的说明书附图用来提供对本发明的进一步理解,本发明的示意性实施例及其说明用于解释本发明,并不构成对本发明的不当限定。The accompanying drawings in the specification, which constitute a part of the present invention, are used to provide a further understanding of the present invention. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute improper limitations on the present invention.
图1为本发明实施例1提供的将原始流量转换为具有高维特征的时间序列的示意图;FIG1 is a schematic diagram of converting original traffic into a time series with high-dimensional features provided by Embodiment 1 of the present invention;
图2为本发明实施例1提供的将一维时间序列转换为二维张量的示意图;FIG2 is a schematic diagram of converting a one-dimensional time series into a two-dimensional tensor provided by Embodiment 1 of the present invention;
图3为本发明实施例1提供的Squeeze and reshape Block结构示意图;FIG3 is a schematic diagram of the structure of the Squeeze and reshape Block provided in Example 1 of the present invention;
图4为本发明实施例1提供的TitNet模型结构示意图。FIG4 is a schematic diagram of the TitNet model structure provided in Example 1 of the present invention.
具体实施方式DETAILED DESCRIPTION
下面结合附图与实施例对本发明作进一步说明。The present invention will be further described below in conjunction with the accompanying drawings and embodiments.
应该指出,以下详细说明都是例示性的,旨在对本发明提供进一步的说明。除非另有指明,本文使用的所有技术和科学术语具有与本发明所属技术领域的普通技术人员通常理解的相同含义。It should be noted that the following detailed descriptions are all illustrative and intended to provide further explanation of the present invention. Unless otherwise specified, all technical and scientific terms used herein have the same meanings as those commonly understood by those skilled in the art to which the present invention belongs.
需要注意的是,这里所使用的术语仅是为了描述具体实施方式,而非意图限制根据本发明的示例性实施方式。如在这里所使用的,除非上下文另外明确指出,否则单数形式也意图包括复数形式,此外,还应当理解的是,当在本说明书中使用术语“包含”和/或“包括”时,其指明存在特征、步骤、操作、器件、组件和/或它们的组合。It should be noted that the terms used herein are only for describing specific embodiments and are not intended to limit exemplary embodiments according to the present invention. As used herein, unless the context clearly indicates otherwise, the singular form is also intended to include the plural form. In addition, it should be understood that when the terms "comprising" and/or "including" are used in this specification, it indicates the presence of features, steps, operations, devices, components and/or combinations thereof.
实施例一Embodiment 1
本实施例提供一种基于时间序列转换的Tor流量检测分类方法,包括:This embodiment provides a Tor traffic detection and classification method based on time series conversion, including:
获取待测网络环境中的网络流量数据;Obtain network traffic data in the network environment to be tested;
采用训练后的Tor流量分类模型对网络流量数据进行分类,得到有无网络流量的识别结果;The trained Tor traffic classification model is used to classify the network traffic data to obtain the identification result of whether there is network traffic;
所述Tor流量分类模型基于时间序列模型构建,训练过程包括:将网络流量在会话水平上建模为具有高维特征的时间序列,然后根据时间序列具有周期性的特点,根据频率选择策略,将时间序列转换为二维张量,基于时间序列多周期的特点,将二维张量中的行视为子时间序列,根据频率选择策略,将子时间序列也转换为二维张量,重复此操作,可以将时间序列转换为一组二维张量,共有k个,然后使用二维特征提取器进行特征学习后聚合成一个新的具有高维特征的一维序列,该操作是TitBlock运算,堆叠TitBlock模块L次构成TitNet,最后使用全连接层进行分类,并依据标签对TitNet模型进行训练。The Tor traffic classification model is built based on a time series model. The training process includes: modeling network traffic as a time series with high-dimensional features at the session level, and then converting the time series into a two-dimensional tensor based on the periodic characteristics of the time series according to the frequency selection strategy. Based on the multi-period characteristics of the time series, the rows in the two-dimensional tensor are regarded as sub-time series. According to the frequency selection strategy, the sub-time series is also converted into a two-dimensional tensor. Repeating this operation can convert the time series into a set of k two-dimensional tensors, and then using a two-dimensional feature extractor for feature learning to aggregate into a new one-dimensional sequence with high-dimensional features. This operation is a TitBlock operation. TitBlock modules are stacked L times to form a TitNet. Finally, a fully connected layer is used for classification, and the TitNet model is trained based on the label.
在本实施例中,预先采集网络原始流量数据,以pcap包的形式保存,然后对网络流量按照会话进行分割,并进行流量匿名,将IP地址和端口置零,然后将会话转换为高维时间序列,并统一时间序列长度为20,特征维度为120,如图1所示;In this embodiment, the original network traffic data is collected in advance and saved in the form of pcap packets, and then the network traffic is segmented according to the session, and the traffic is anonymized, the IP address and port are set to zero, and then the session is converted into a high-dimensional time series, and the time series length is unified to 20 and the feature dimension is 120, as shown in Figure 1;
在本实施例中,将网络流量转换为具有高维特征的时间序列后,根据时间序列的周期性,依据频率选择策略,将时间序列转换为二维张量,如图2所示;In this embodiment, after the network traffic is converted into a time series with high-dimensional features, the time series is converted into a two-dimensional tensor according to the periodicity of the time series and the frequency selection strategy, as shown in FIG2 ;
在本实施例中,通过Squeeze and reshape Block模块,如图3所示,将二维张量中的行视为子时间序列,进行squeeze操作后,根据频率选择策略,生成新的二维张量。通过(k-1)次Squeeze and reshape Block运算后,生成(k-1)个新的二维张量,总计k个二维张量。In this embodiment, through the Squeeze and reshape Block module, as shown in Figure 3, the rows in the two-dimensional tensor are regarded as sub-time series, and after the squeeze operation, a new two-dimensional tensor is generated according to the frequency selection strategy. After (k-1) times of Squeeze and reshape Block operation, (k-1) new two-dimensional tensors are generated, totaling k two-dimensional tensors.
在本实施例中,所述TitNet由L个TitBlock通过残差连接而成,如图4所示。所述TitBlock包括将一个时间序列转换为k个二维张量,对k个二维张量进行特征提取,得到k个特征图,通过聚合后转换为一个新的具有高维特征的时间序列。所述二维特征提取器包括经典的多尺度二维核—Inception块和轴注意力机制AxialAttention块,使用Inception块提取二维张量的局部空间特征,轴注意力机制通过在横向和纵向两个方向进行注意力计算,从而完整地提取出时间序列的周期间和周期内变化特征。另外,由于k个二维张量将时间序列分别按照大周期和小周期进行表示,因此,在聚合时,时间序列的大小周期的特征也被模型融合,最后通过全连接层进行分类。In this embodiment, the TitNet is composed of L TitBlocks connected by residuals, as shown in Figure 4. The TitBlock includes converting a time series into k two-dimensional tensors, extracting features from the k two-dimensional tensors, obtaining k feature maps, and converting them into a new time series with high-dimensional features after aggregation. The two-dimensional feature extractor includes a classic multi-scale two-dimensional kernel-Inception block and an axial attention mechanism AxialAttention block. The Inception block is used to extract the local spatial features of the two-dimensional tensor. The axial attention mechanism performs attention calculations in both the horizontal and vertical directions, thereby completely extracting the periodic and intra-periodic change features of the time series. In addition, since the k two-dimensional tensors represent the time series according to large and small cycles respectively, the characteristics of the large and small cycles of the time series are also fused by the model during aggregation, and finally classified by the fully connected layer.
实施例二Embodiment 2
一种基于时间序列转换的Tor流量检测分类方法,包括以下步骤:A Tor traffic detection and classification method based on time series conversion includes the following steps:
获取待测网络环境中的网络流量数据;Obtain network traffic data in the network environment to be tested;
将网络流量数据在会话水平上建模为具有高维特征的时间序列,基于时间序列的周期性,根据频率选择策略,将时间序列转换为二维张量;The network traffic data is modeled as a time series with high-dimensional features at the session level. Based on the periodicity of the time series and the frequency selection strategy, the time series is converted into a two-dimensional tensor.
将二维张量中的行视为子时间序列,根据频率选择策略,将子时间序列转换为二维张量,重复该操作,将时间序列转换为一组二维张量,对每一个二维张量进行特征学习,并将学习到的特征图聚合成一个新的具有高维特征的一维序列;Treat the rows in the two-dimensional tensor as sub-time series, convert the sub-time series into a two-dimensional tensor according to the frequency selection strategy, repeat this operation to convert the time series into a set of two-dimensional tensors, perform feature learning on each two-dimensional tensor, and aggregate the learned feature maps into a new one-dimensional sequence with high-dimensional features;
对所述一维序列进行分类,得到有无网络流量的识别结果。The one-dimensional sequence is classified to obtain an identification result of whether there is network traffic.
在本实施例中,将网络流量在会话水平上建模为具有高维特征的时间序列,具体方法如下:将一个会话中的的数据包数目视为时间序列长度,将数据包看作一个时间点向量,并进行时间序列长度与特征维度的统一。In this embodiment, network traffic is modeled as a time series with high-dimensional features at the session level. The specific method is as follows: the number of data packets in a session is regarded as the time series length, the data packet is regarded as a time point vector, and the time series length and feature dimension are unified.
在本实施例中,将一个时间序列转换为k个二维张量,包括原时间序列转换为1个二维张量和通过Squeeze and reshape Block,将二维张量的行视为子时间序列,继续生成新的二维张量。In this embodiment, a time series is converted into k two-dimensional tensors, including converting the original time series into one two-dimensional tensor and treating the rows of the two-dimensional tensor as sub-time series through the Squeeze and reshape Block, and continuing to generate new two-dimensional tensors.
将原时间序列转换为第1个二维张量过程如下:The process of converting the original time series into the first two-dimensional tensor is as follows:
1)根据频率选择策略,找到合适的频率值 1) Find the appropriate frequency value according to the frequency selection strategy
2)根据公式1,找到与频率值对应的周期 2) According to formula 1, find the frequency value The corresponding cycle
其中,表示第kth个时间序列的长度。in, represents the length of the kth time series.
3)将一维时间序列转换为二维张量X0,2D,如公式2所示:3) Convert one-dimensional time series Converted to a two-dimensional tensor X0,2D , as shown in Formula 2:
其中,表示二维张量中的每一个行向量。in, Represents each row vector in a two-dimensional tensor.
Squeeze and reshape Block包括squeeze操作和reshape操作,在操作过程中,将二维张量的行视为子时间序列,根据频率选择策略生成新的(k-1)个二维张量:Squeeze and reshape Block includes squeeze operation and reshape operation. During the operation, the rows of the two-dimensional tensor are regarded as sub-time series, and new (k-1) two-dimensional tensors are generated according to the frequency selection strategy:
1)将X0,2D的每一行视为一个时间序列,并进行squeeze操作,得到如公式3所示:1) Treat each row of X 0,2D as a time series and perform a squeeze operation to obtain As shown in Formula 3:
2)根据频率选择策略和公式1,找到时间序列X1,1D的主周期与对应频率并将X0,2D重塑,得到X1,2D,如公式4所示:2) According to the frequency selection strategy and formula 1, find the main period of the time series X 1,1D Corresponding frequency And reshape X0,2D to obtain X1,2D as shown in Formula 4:
其中,kth=0,1,...,k-1。Among them, kth = 0, 1, ..., k-1.
3)重复1和2步骤(k-1)次,生成(k-1)个新的二维张量,共k个二维张量。3) Repeat steps 1 and 2 (k-1) times to generate (k-1) new two-dimensional tensors, for a total of k two-dimensional tensors.
上面的频率选择策略,具体如下:The frequency selection strategy above is as follows:
1)在生成一个新的二维张量时,将时间序列进行FFT操作,并找到(k-kth)个幅值最大的频峰,如公式5所示:1) When generating a new two-dimensional tensor, perform FFT operation on the time series and find the (kk th ) frequency peaks with the largest amplitude, as shown in Formula 5:
其中topK()是取最大的(k-kth)个值,Amp()是取幅值,peak()是取频峰,即峰值频率,FFT是快速傅里叶变换。Among them, topK() is to take the largest (kk th ) value, Amp() is to take the amplitude, peak() is to take the frequency peak, that is, the peak frequency, and FFT is the fast Fourier transform.
2)当生成的二维张量为第kth个时,且kth∈[0,k-1),选择kth个幅值最大的频峰中的最小频率,如公式6所示:2) When the generated two-dimensional tensor is the kth one, and kth ∈[0,k-1), select the minimum frequency among the kth frequency peaks with the largest amplitude, as shown in Formula 6:
3)当生成的二维张量为第k个时,即kth=k-1时,直接选择幅值最大的频率,如公式7所示。另外,这里需要注意的是,kth=k-1时,公式7与公式6在物理意义上几乎等价,但减少了寻找频峰的计算成本:3) When the generated two-dimensional tensor is the kth, that is, kth = k-1, directly select the frequency with the largest amplitude, as shown in formula 7. In addition, it should be noted here that when kth = k-1, formula 7 is almost equivalent to formula 6 in physical sense, but the computational cost of finding the frequency peak is reduced:
该策略又被称为动态的频率选择策略,由时间序列生成新的一组二维张量时,在生成每个二维张量时考虑的频率值个数不同,最大程度地挖掘时间序列大周期与小周期的特征。为了方便表示与阅读,这里将两种频率统一记为则如公式8所示:This strategy is also called a dynamic frequency selection strategy. When a new set of two-dimensional tensors is generated from a time series, different numbers of frequency values are considered when generating each two-dimensional tensor, so as to maximize the characteristics of large and small cycles of the time series. For the convenience of representation and reading, the two frequencies are uniformly recorded as As shown in formula 8:
上述过程中,时间序列的转换由用于加密流量分类的时间序列模型TitNet进行。TitNet模型由L个TitBlock通过残差方式堆叠连接而成。TitBlock包括由一维时间序列转换生成k个二维张量、通过二维特征提取器对k个二维张量进行特征提取和将k个学习到的特征图重新分别转换为一维序列,然后聚合生成新的具有高维特征的一维序列。In the above process, the time series conversion is performed by the time series model TitNet for encrypted traffic classification. The TitNet model is composed of L TitBlocks stacked and connected in a residual manner. TitBlock includes converting a one-dimensional time series to generate k two-dimensional tensors, extracting features from the k two-dimensional tensors through a two-dimensional feature extractor, and converting the k learned feature maps back to one-dimensional sequences, and then aggregating them to generate a new one-dimensional sequence with high-dimensional features.
本实施例中,L个TitBlock通过残差方式堆叠连接构成TitNet,第l层的输入为该过程可以表示为公式9:In this embodiment, L TitBlocks are stacked and connected in a residual manner to form TitNet, and the input of the lth layer is The process can be expressed as formula 9:
其中,第一个TitBlock的输入为X0,1D。Among them, the input of the first TitBlock is X 0,1D .
本实施例中,二维特征提取器包括多尺度二维核—Inception块和轴注意力机制AxialAttention块。Inception块用于提取空间特征,AxialAttention块用于提取时间序列周期间和周期内的变化特征,二维特征提取的过程可以表示为公式10:In this embodiment, the two-dimensional feature extractor includes a multi-scale two-dimensional kernel—Inception block and an axial attention mechanism AxialAttention block. The Inception block is used to extract spatial features, and the AxialAttention block is used to extract the change features between and within cycles of the time series. The process of two-dimensional feature extraction can be expressed as Formula 10:
将k个学习到的二维特征图分别进行行向量之间的拼接,转换为k个一维序列,如公式11所示:The k learned two-dimensional feature maps are concatenated with row vectors and converted into k one-dimensional sequences, as shown in Formula 11:
将k个一维序列聚合生成新的具有高维特征的一维序列,即为当前TitBlock的输出,过程如公式12所示:Aggregate k one-dimensional sequences to generate a new one-dimensional sequence with high-dimensional features, which is the output of the current TitBlock. The process is shown in Formula 12:
其中是对进行Softmax计算得到,如公式13所示:in Yes The Softmax calculation is performed as shown in Formula 13:
实施例三Embodiment 3
一种基于时间序列转换的Tor流量检测分类系统,包括:A Tor traffic detection and classification system based on time series transformation, including:
获取模块,被配置为获取待测网络环境中的网络流量数据;An acquisition module is configured to acquire network traffic data in the network environment to be tested;
时间序列模型模块,被配置为将网络流量数据在会话水平上建模为具有高维特征的时间序列,基于时间序列的周期性,根据频率选择策略,将时间序列转换为二维张量;The time series model module is configured to model the network traffic data as a time series with high-dimensional features at the session level, and convert the time series into a two-dimensional tensor according to a frequency selection strategy based on the periodicity of the time series;
将二维张量中的行视为子时间序列,根据频率选择策略,将子时间序列转换为二维张量,重复该操作,将时间序列转换为一组二维张量,对每一个二维张量进行特征学习,并将学习到的特征图聚合成一个新的具有高维特征的一维序列;Treat the rows in the two-dimensional tensor as sub-time series, convert the sub-time series into a two-dimensional tensor according to the frequency selection strategy, repeat this operation to convert the time series into a set of two-dimensional tensors, perform feature learning on each two-dimensional tensor, and aggregate the learned feature maps into a new one-dimensional sequence with high-dimensional features;
分类模块,被配置为对所述一维序列进行分类,得到有无网络流量的识别结果。The classification module is configured to classify the one-dimensional sequence to obtain an identification result of whether there is network traffic.
本实施例中,时间序列模型模块,包括多个序列操作模块通过残差方式堆叠连接而成,每个序列操作模块包括第一转换模块、二维特征提取器和聚合模块,所述第一转换模块,用于将一维时间序列转换生成k个二维张量;In this embodiment, the time series model module includes a plurality of sequence operation modules stacked and connected in a residual manner, each sequence operation module includes a first conversion module, a two-dimensional feature extractor and an aggregation module, and the first conversion module is used to convert a one-dimensional time series into k two-dimensional tensors;
所述二维特征提取器,用于对k个二维张量进行特征提取;The two-dimensional feature extractor is used to extract features from k two-dimensional tensors;
所述聚合模块,用于将k个学习到的特征图聚合生成新的具有高维特征的一维序列。The aggregation module is used to aggregate k learned feature maps to generate a new one-dimensional sequence with high-dimensional features.
本实施例中,二维特征提取器包括多尺度二维核块和轴注意力机制块,所述多尺度二维核块用于提取空间特征,所述轴注意力机制块用于提取时间序列周期间和周期内的变化特征。In this embodiment, the two-dimensional feature extractor includes a multi-scale two-dimensional kernel block and an axis attention mechanism block. The multi-scale two-dimensional kernel block is used to extract spatial features, and the axis attention mechanism block is used to extract change features between and within cycles of a time series.
本领域内的技术人员应明白,本发明的实施例可提供为方法、系统、或计算机程序产品。因此,本发明可采用完全硬件实施例、完全软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器、CD-ROM、光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art will appreciate that embodiments of the present invention may be provided as methods, systems, or computer program products. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to the flowchart and/or block diagram of the method, device (system), and computer program product according to the embodiment of the present invention. It should be understood that each process and/or box in the flowchart and/or block diagram, as well as the combination of the process and/or box in the flowchart and/or block diagram can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce a manufactured product including an instruction device that implements the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more boxes in the block diagram.
以上所述仅为本发明的优选实施例而已,并不用于限制本发明,对于本领域的技术人员来说,本发明可以有各种更改和变化。凡在本发明的精神和原则之内,本领域技术人员不需要付出创造性劳动所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention. For those skilled in the art, the present invention may have various modifications and variations. Any modification, equivalent replacement, improvement, etc. made by those skilled in the art within the spirit and principle of the present invention without creative labor shall be included in the protection scope of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410785848.3A CN118861795A (en) | 2024-06-18 | 2024-06-18 | Tor traffic detection classification method and system based on time series conversion |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410785848.3A CN118861795A (en) | 2024-06-18 | 2024-06-18 | Tor traffic detection classification method and system based on time series conversion |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118861795A true CN118861795A (en) | 2024-10-29 |
Family
ID=93163654
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410785848.3A Pending CN118861795A (en) | 2024-06-18 | 2024-06-18 | Tor traffic detection classification method and system based on time series conversion |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118861795A (en) |
-
2024
- 2024-06-18 CN CN202410785848.3A patent/CN118861795A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Zeng et al. | $ Deep-Full-Range $: a deep learning based network encrypted traffic classification and intrusion detection framework | |
| Yu et al. | PBCNN: Packet bytes-based convolutional neural network for network intrusion detection | |
| CN110177122A (en) | A kind of method for establishing model and device identifying network security risk | |
| CN110222795B (en) | P2P traffic identification method and related device based on convolutional neural network | |
| CN117312681B (en) | Meta universe oriented user preference product recommendation method and system | |
| CN112884204A (en) | Network security risk event prediction method and device | |
| CN115984633B (en) | Gate-level circuit component identification method, system, storage medium and device | |
| CN115567305B (en) | Sequential network attack prediction and analysis method based on deep learning | |
| CN112910890B (en) | Anonymous network flow fingerprint identification method and device based on time convolution network | |
| CN114510615A (en) | A fine-grained encrypted website fingerprint classification method and device based on graph attention pooling network | |
| Huang et al. | Internet traffic classification based on min-max ensemble feature selection | |
| Zhang et al. | An uncertainty-based traffic training approach to efficiently identifying encrypted proxies | |
| CN118861795A (en) | Tor traffic detection classification method and system based on time series conversion | |
| Bui et al. | A clustering-based shrink autoencoder for detecting anomalies in intrusion detection systems | |
| Guarino et al. | Towards adversarially robust DDoS-attack classification | |
| Nagai et al. | Acquisition of characteristic TTSP graph patterns by genetic programming | |
| CN115952493A (en) | Reverse attack method and attack device for black box model and storage medium | |
| AU2020103440A4 (en) | A method for optimizing the convergence performance of data learning with minimal computational steps | |
| CN110071845A (en) | The method and device that a kind of pair of unknown applications are classified | |
| Zheng et al. | Hypergraph-based session modeling: A multi-collaborative self-supervised approach for enhanced recommender systems | |
| CN114861178A (en) | Malicious code detection engine design method based on improved B2M algorithm | |
| Cheng et al. | Improving the transferability of adversarial attacks via self-ensemble | |
| Ge et al. | A dual-branch self-attention method for mobile malware detection via network traffic | |
| CN114596569B (en) | Light text recognition model design method, system, device and medium | |
| CN116541273B (en) | Binary code similarity detection method and system based on graph attention |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |