
Research On Network Anomaly Detection Based On Deep Learning

Posted on: 2022-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: S Song
Full Text: PDF
GTID: 2518306524990269
Subject: Master of Engineering

Abstract/Summary:
The emergence of increasingly diverse network applications has made network architecture more sophisticated, which is a growing hindrance to network traffic classification. Meanwhile, attackers are rapidly improving their techniques for intruding into and hijacking network space with ever more cunning tricks, posing an enormous threat to the network environment. In the network security domain, one major challenge is to sift through massive volumes of network traffic and identify the anomalous traffic generated by attackers. Compared to traditional machine learning, deep learning has become a new solution for network traffic analysis because it learns features automatically from raw traffic without heavy feature engineering.

Nevertheless, some non-trivial issues remain unresolved. First, the superiority that deep learning shows in image and natural language processing has not been fully explored when it is applied to raw traffic bytes. The second challenge is the rarity of attacks in real-world scenarios, which calls for identifying the sparse anomalous traffic samples within vast benign traffic by unsupervised learning for further classification. To this end, two models are proposed in this thesis to address these issues. The contributions of this thesis are as follows.

The first model is a three-phase CNN-LSTM with an attention mechanism, designed for feature extraction from raw traffic bytes. In this model, the whole session flow is one-hot encoded before dimension reduction and spatial feature learning. After a Conv1D operation is added to capture the sequential features of the bytes in the session, the session flow is transformed into a sequence of feature vectors and fed to a bidirectional LSTM. Temporal feature learning is applied first at the packet level and then at the flow level, each paired with an attention layer. This hierarchical structure for temporal characterization aims to thoroughly examine and remember byte-wise and packet-wise information in order to target the most significant vector for the classification of anomalous traffic. The CNN applied in this model is refined by PCA for spatial feature learning, achieving fast parameter adjustment of the convolution kernel in early training and a lower error rate with fewer iterations. The comparative experiments on anomalous traffic classification show that the results are significantly improved by this approach.

The second model combines RPCA and an Autoencoder, using unsupervised learning to isolate scattered anomalous traffic from hybrid traffic, and feeds the reconstructed anomalous traffic together with a few labeled anomalous traffic samples to a Stacked Autoencoder for anomalous feature learning. This approach attempts to tackle the scarcity of anomalous traffic in real-world scenarios, where network traffic is mostly generated by benign users and labeled traffic is difficult to obtain. The experimental results show that the proposed approach outperforms traditional methods in terms of multi-criteria evaluation on anomalous traffic.
Keywords/Search Tags: anomalous traffic, CNN, PCA, LSTM, Autoencoder