Identifying malicious traffic under concept drift based on intraclass consistency enhanced variational autoencoder

Authors: Xiang LUO, Chang LIU, Gaopeng GOU, Gang XIONG, Zhen LI, Binxing FANG

Affiliations: Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences; School of Computer Science and Technology, Harbin Institute of Technology (Shenzhen)

Publication: Science China (Information Sciences) (中国科学:信息科学(英文版))

Year / Volume / Issue: 2024, Vol. 67, No. 8

Pages: 238-252

Subject classification: 0839 [Engineering - Cyberspace Security]; 08 [Engineering]

Funding: supported by National Key Research and Development Program of China (Grant No. 2021YFB3101400)

Topics: concept drift; malicious traffic identification; variational autoencoder; intrusion detection; cyberspace security

Abstract: Accurate identification of malicious traffic is crucial for implementing effective defense countermeasures and has led to extensive research efforts. However, the continuously evolving techniques employed by adversaries have introduced the issues of concept drift, which significantly affects the performance of existing methods. To tackle this challenge, some researchers have focused on improving the separability of malicious traffic representation and designing drift detectors to reduce the number of false ***, these methods often overlook the importance of enhancing the generalization and intraclass consistency in the representation. Additionally, the detectors are not sufficiently sensitive to the variations among different malicious traffic classes, which results in poor performance and limited robustness. In this paper, we propose intraclass consistency enhanced variational autoencoder with Class-Perception detector (ICE-CP) to identify malicious traffic under concept drift. It comprises two key modules during training: intraclass consistency enhanced (ICE) representation learning and Class-Perception (CP) detector construction. In the first module, we employ a variational autoencoder (VAE) in conjunction with Kullback-Leibler (KL)-divergence and cross-entropy loss to model the distribution of each input malicious traffic flow. This approach simultaneously enhances the generalization, interclass consistency, and intraclass differences in the learned representation. Consequently, we obtain a compact representation and a trained classifier for nondrifting malicious traffic. In the second module, we design the CP detector, which generates a centroid and threshold for each malicious traffic class separately based on the learned representation, depicting the boundaries between drifting and non-drifting malicious traffic. During testing, we utilize the trained classifier to predict malicious traffic classes for the testing samples. Then, we use the CP det
