
Research On The Classification Of Unknown Malicious Traffic In Scenarios With Incomplete Information

Posted on: 2024-01-15
Degree: Master
Type: Thesis
Country: China
Candidate: Z W Wang
Full Text: PDF
GTID: 2568307166999429
Subject: Computer Science and Technology

Abstract/Summary:
As China implements its strategy to become a strong cyber nation and strengthens its information infrastructure, the country's internet penetration rate reached 74.4% by June 2022. The development of the internet has changed how people work and live, ushering in an era of ubiquitous connectivity. However, the expansion of the network, together with the growing number and variety of devices, has made the cyber environment increasingly complex. Because the internet is open by nature, it poses serious security risks to production and daily life. In today's complex international environment in particular, cyberattacks against nations occur frequently and severely threaten a country's economic, political and scientific development; maintaining cybersecurity is therefore crucial to national security.

On the internet, the network carries all information transmission. By analyzing network traffic, we can assess the current state of the network and, if malicious traffic is detected, take appropriate measures to prevent attack incidents. Machine-learning-based detection and identification of known malicious traffic, for which abundant labeled samples exist, has achieved satisfactory results. Unknown malicious traffic is malicious traffic for which the current defense and detection system holds no specific samples, and which can therefore easily harm the system. As attack tools and techniques become more professional and diverse, large amounts of unknown malicious traffic emerge, and information about it is difficult to obtain. Existing machine learning methods consequently struggle to identify unknown malicious traffic, which poses a significant threat to cybersecurity. Research on unknown malicious traffic is therefore of real value.

This dissertation studies the classification of unknown malicious traffic in scenarios where complete information about it cannot be obtained. In summary, to address the problem of classifying unknown malicious traffic under incomplete information, where no samples of the unknown traffic exist and auxiliary information is available to differing degrees, this dissertation proposes an unknown malicious traffic classification method based on generative zero-shot learning and a new-class discovery method for unknown malicious traffic based on semi-supervised learning. These methods address the classification of unknown malicious traffic in scenarios where information about it is difficult to collect. Finally, based on the two methods, we design and implement a prototype system for analyzing unknown malicious traffic, which can classify and identify specific types of unknown malicious traffic and discover new classes within malicious traffic. The main contributions of this dissertation are as follows:

(1) For the scenario in which no samples of the unknown malicious traffic categories can be obtained but semantic attributes of the specific types can be, we propose an unknown malicious traffic classification method based on generative zero-shot learning. The semantic attributes corresponding to each malicious traffic type are used to condition a conditional generative adversarial network; after multiple rounds of training, the generator learns to produce feature vectors for specific types of unknown malicious traffic. Contrastive learning is incorporated to improve the quality of the generated unknown-traffic samples. The generated features are then used to train the malicious traffic classifier, enabling it to classify both known and unknown malicious traffic. Experiments on the CICIDS2017 dataset show that the classification of unknown malicious traffic reaches an accuracy of 90%, demonstrating strong performance.

(2) For the scenario in which there are neither samples of the unknown malicious traffic types nor auxiliary information, and in which new malicious traffic classes may exist in the network and cause new security threats, we propose a new-class discovery method for unknown malicious traffic based on semi-supervised learning. Two contrastive learning methods, self-supervised contrastive learning and supervised contrastive learning, are used for representation learning on historical malicious traffic and on the malicious traffic to be analyzed, yielding good representations. The malicious traffic is then classified based on the distribution of these representations, which identifies historical malicious traffic categories and discovers new malicious traffic classes in the traffic under analysis. The new classes are also classified, providing support for subsequent feature extraction of new malicious traffic classes and for enhanced security protection measures. Experiments on the CICIDS2017 dataset show that the classification accuracy for new malicious traffic classes reaches 86%, demonstrating a certain application value.

(3) Based on the above research, we designed and implemented a prototype system for analyzing unknown malicious traffic. The platform uses the two proposed methods as its algorithmic core in the backend and provides the related functionality. Users can submit raw malicious traffic packets, and the platform analyzes them automatically according to the selected features. The analysis results are presented to users visually, offering a certain level of practical value.
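The two methods in contributions (1) and (2) can be sketched end to end in a few dozen lines. The following is an added example written for this page, not code from the thesis or its prototype system. It replaces the conditional GAN with a linear attribute-to-feature generator solved exactly from the known classes' centroids, and the contrastive representations with the raw scaled features, so that the shape of each pipeline is visible without any ML framework: semantic attributes lead to generated features for the unseen class, which train a classifier over known and unseen classes; a labeled history plus an unlabeled batch lead to outlier flows, which leader clustering groups into candidate new classes. All feature values, class names, attribute names, the noise level and the cluster radius are constructed for the demo and are not CICIDS2017 measurements.

```python
# Added example, stdlib only. Linear generator and centroid rules stand in for
# the thesis's cGAN and contrastive-learning components; data are constructed.
import math
import random

random.seed(2024)

# Constructed feature space (hypothetical, not CICIDS2017 values): three scaled
# flow statistics [packets_per_sec, mean_pkt_len, distinct_dst_ports]. Semantic
# attributes per class are [flood, many_dst_ports, large_payload]; a defender can
# assign them to an attack class without ever having captured one of its flows.
SEMANTIC = {"bruteforce": [0, 0, 0], "dos_hulk": [1, 0, 1], "portscan": [1, 1, 0],
            "webattack": [0, 0, 1], "ddos": [1, 0, 0]}  # ddos: unseen, attributes only
TRUE_CENTRE = {"bruteforce": [1, 2, 1], "dos_hulk": [9, 8, 1], "portscan": [9, 2, 9],
               "webattack": [1, 8, 1], "ddos": [9, 2, 1]}  # hidden, only fabricates data
KNOWN = ["bruteforce", "dos_hulk", "portscan", "webattack"]
NOISE = 0.3  # constructed within-class spread per feature

def sample_flows(label, n):
    # Constructed flow-feature vectors: Gaussian around the class centre.
    return [[random.gauss(mu, NOISE) for mu in TRUE_CENTRE[label]] for _ in range(n)]

def dist(p, q):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))

def centroid(points):
    return [sum(col) / len(points) for col in zip(*points)]

def solve(A, b):
    # Gauss-Jordan elimination with partial pivoting for a small square system.
    n = len(A)
    M = [list(map(float, row)) + [float(b[i])] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]

def fit_generator(train):
    # Linear conditional generator (stand-in for the cGAN): learn
    # feature_mean = W . [1, attributes] from the known classes' centroids, then
    # sample around the predicted mean for any attribute vector, seen or unseen.
    A = [[1] + SEMANTIC[k] for k in KNOWN]
    means = [centroid(train[k]) for k in KNOWN]
    W = [solve(A, [m[j] for m in means]) for j in range(len(means[0]))]

    def generate(label, n):
        a = [1] + SEMANTIC[label]
        mean = [sum(wi * ai for wi, ai in zip(w, a)) for w in W]
        return [[random.gauss(mu, NOISE) for mu in mean] for _ in range(n)]
    return generate

def zero_shot_classifier(train, generate, unseen):
    # Contribution (1): nearest-centroid classifier over real known-class flows
    # plus generated flows for each unseen class.
    cents = {k: centroid(v) for k, v in train.items()}
    for u in unseen:
        cents[u] = centroid(generate(u, 200))
    return lambda x: min(cents, key=lambda k: dist(x, cents[k]))

def discover_classes(history, batch, radius=2.5):
    # Contribution (2): a flow within `radius` of a historical class centroid
    # keeps that label; outliers are grouped by leader clustering, and each
    # resulting cluster is reported as a candidate new class "new_<i>".
    cents = {k: centroid(v) for k, v in history.items()}
    leaders, labels = [], []
    for x in batch:
        k = min(cents, key=lambda c: dist(x, cents[c]))
        if dist(x, cents[k]) <= radius:
            labels.append(k)
            continue
        for i, leader in enumerate(leaders):
            if dist(x, leader) <= radius:
                labels.append(f"new_{i}")
                break
        else:
            leaders.append(x)
            labels.append(f"new_{len(leaders) - 1}")
    return labels

def run_demo():
    train = {k: sample_flows(k, 50) for k in KNOWN}      # labeled history, no ddos
    generate = fit_generator(train)
    gen_err = dist(centroid(generate("ddos", 500)), TRUE_CENTRE["ddos"])
    classify = zero_shot_classifier(train, generate, ["ddos"])
    test = [(k, x) for k in KNOWN + ["ddos"] for x in sample_flows(k, 20)]
    acc = sum(classify(x) == k for k, x in test) / len(test)
    batch = [(k, x) for k in ["bruteforce", "ddos", "portscan"] for x in sample_flows(k, 20)]
    found = discover_classes(train, [x for _, x in batch])
    return {"generator_error": gen_err, "accuracy": acc,
            "discovery": list(zip([k for k, _ in batch], found))}

if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns the distance between the generated and true ddos centroids, the zero-shot accuracy over the four known classes plus the unseen one, and the (true label, assigned label) pairs from discovery, where every ddos flow should land in the single new cluster `new_0`. Two things the toy makes concrete about evaluating methods of this kind: the unseen class must be held out of everything the generator and classifier see, including any feature scaling computed on the training set; and the radius (or whatever learned criterion replaces it) decides whether a genuinely new class is split into several clusters or absorbed into a neighbouring known class, so it has to be derived from the within-class spread of the history rather than chosen by hand.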
Keywords/Search Tags: Cyberspace security, Unknown malicious traffic, Zero-shot learning, Semi-supervised learning, Generative adversarial networks, Contrastive learning