融合SENet和Transformer的应用层协议识别方法

doi:10.3778/j.issn.1673-9418.2304045

摘要/Abstract

摘要： 协议识别技术在网络通信和信息安全领域具有至关重要的地位和作用。针对现有基于时空特征的协议识别方法提取协议特征不充分、不全面的问题，提出了一种基于SENet和Transformer的应用层协议识别方法。该方法关注协议数据的时空特征，由加入SENet注意力的残差网络构成的空间特征提取模块和Transformer网络编码器构成的时间提取模块组成。空间特征提取阶段，在残差网络结构中加入SE块获取多个卷积通道间的联系，自适应地为通道分配权重，提取不同通道中更加活跃的协议空间特征；时间特征提取阶段，由基于多头注意力机制的Transformer编码器通过堆叠的方式构建时间特征提取模块，利用输入数据的位置信息全面地获取协议数据的时间特征。通过对更加充足的空间特征和更加全面的时间特征的提取和学习，可以获得更有效的协议识别信息，进而提高协议识别性能。在ISCX2012和CSE_CIC_IDS2018混合数据集上的实验结果表明，所提模型的总体识别准确率达到99.20%，[F1]值达到98.99%，高于对比模型。

关键词: SENet, 残差网络, 自注意力, Transformer, 协议识别, 网络安全

Abstract: Protocol recognition technology assumes a crucial position and exerts significant influence in the domains of network communication and information security. Existing protocol recognition methods based on spatio-temporal features cannot adequately and comprehensively extract protocol features. An application layer protocol recognition method incorporating SENet channel attention and Transformer is proposed. The model focuses on spatio- temporal feature extraction of protocol data, and the model consists of a spatial feature extraction module and a time extraction module. SE blocks are added to the residual network to capture the associations between multiple channels and adaptively assign weights, so as to extract the key space features in different channels. The temporal feature extraction module is constructed by stacking the transformer encoders based on multi-head attention mechanism. This module is used to comprehensively capture temporal features of the protocol data by directly leveraging the positional information of the input data. After extracting and learning more detailed spatial features and more comprehensive temporal features, better protocol feature representation is obtained to improve protocol recognition performance. Experiments are conducted on the ISCX2012 and CSE_CIC_IDS2018 hybrid datasets, and the results show that the overall recognition accuracy of the proposed model reaches 99.20%, and the [F1] score reaches 98.99%, which are higher than those of the comparison models.

Key words: SENet, residual network, self-attention, Transformer, protocol recognition, network security

陈乾, 洪征, 司健鹏. 融合SENet和Transformer的应用层协议识别方法[J]. 计算机科学与探索, 2024, 18(3): 805-817.

CHEN Qian, HONG Zheng, SI Jianpeng. Application Layer Protocol Recognition Incorporating SENet and Transformer[J]. Journal of Frontiers of Computer Science and Technology, 2024, 18(3): 805-817.

参考文献

[1] 冯文博, 洪征, 吴礼发, 等. 网络协议识别技术综述[J]. 计算机应用, 2019, 39(12): 3604-3614.
FENG W B, HONG Z, WU L F, et al. Review of network protocol recognition techniques[J]. Journal of Computer Applications, 2019, 39(12): 3604-3614.
[2] XU W, ZOU F. Obfuscated Tor traffic identification based on sliding window[J]. Security and Communication Networks, 2021. DOI:10.1155/2021/5587837.
[3] NASIR M, JAVED A R, TARIQ M A, et al. Feature engineering and deep learning-based intrusion detection framework for securing edge IoT[J]. The Journal of Supercomputing, 2022, 78: 8852-8866.
[4] HE K, ZHANG X, REN S, et al. Deep residual learning for image recognition[C]//Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, Jun 27-30, 2016. Piscataway: IEEE, 2016: 770-778.
[5] NIU Z, ZHONG G, YU H. A review on the attention mechanism of deep learning[J]. Neurocomputing, 2021, 452: 48-62.
[6] HU J, SHEN L, SUN G. Squeeze-and-excitation networks[C]//Proceedings of the 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Salt Lake City, Jun 18-22, 2018. Piscataway: IEEE, 2018: 7132-7141.
[7] REN F, JIANG Z, LIU J. A bi-directional LSTM model with attention for malicious URL detection[C]//Proceedings of the 2019 IEEE 4th Advanced Information Technology, Electronic and Automation Control Conference, Chengdu, 2019. Piscataway: IEEE, 2019: 300-305.
[8] VASWANI A, SHAZEER N, PARMAR N, et al. Attention is all you need[C]//Advances in Neural Information Processing Systems 30, Long Beach, Dec 4-9, 2017: 5998-6008.
[9] FENG W, HONG Z, WU L, et al. Network protocol recognition based on convolutional neural network[J]. China Communications, 2020, 17(4): 125-139.
[10] WEI W, GU H, DENG W, et al. ABL-TC: a lightweight design for network traffic classification empowered by deep learning[J]. Neurocomputing, 2022, 489: 333-344.
[11] 吴吉胜, 洪征, 马甜甜, 等. 基于残差网络和循环神经网络混合模型的应用层协议识别方法[J]. 计算机科学, 2022, 49(11): 293-301.
WU J S, HONG Z, MA T T, et al. Application layer protocol recognition based on residual network and recurrent neural network[J]. Computer Science, 2020, 49(11): 293-301.
[12] SARHANGIAN F, KASHEF R, JASEEMUDDIN M. Efficient traffic classification using hybrid deep learning[C]//Proceedings of the 2021 IEEE International Systems Conference, Vancouver, 2021. Piscataway: IEEE, 2021: 1-8.
[13] 彭瑶. 基于深度学习的加密流量分类方法研究[D]. 广州: 广州大学, 2022.
PENG Y. Research on encrypted traffic classification method based on deep learning[D]. Guangzhou: Guangzhou University, 2022.
[14] HE K, ZHANG X, REN S, et al. Identity mappings in deep residual networks[C]//Proceedings of the 14th European Conference on Computer Vision, Amsterdam, Oct 11-14, 2016. Cham: Springer, 2016: 630-645.
[15] DOSOVITSKIY A, BEYER L, KOLESNIKOV A, et al. An image is worth 16x16 words: Transformers for image recognition at scale[J]. arXiv:2010.11929, 2020.
[16] GHANEM W A H M, GHALEB S A A, JANTAN A, et al. Cyber intrusion detection system based on a multiobjective binary bat algorithm for feature selection and enhanced bat algorithm for parameter optimization in neural networks[J]. IEEE Access, 2022, 10: 76318-76339.
[17] LIU L, ENGELEN G, LYNAR T, et al. Error prevalence in NIDS datasets: a case study on CIC-IDS-2017 and CSE-CIC-IDS-2018[C]//Proceedings of the 2022 IEEE Conference on Communications and Network Security, Austin, Oct 3-5, 2022. Piscataway: IEEE, 2022: 254-262.
[18] DE S, GOLDSTEIN T. Efficient distributed SGD with variance reduction[C]//Proceedings of the 2016 IEEE 16th International Conference on Data Mining, Barcelona, Dec 12-15, 2016. Piscataway: IEEE, 2016: 111-120.