Unsupervised Malicious Traffic Detection System and Method | Patent Search


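Patent type

Invention

Patent country (country of application)

Republic of China

Patent application number

109107039

Patent certificate number

I 715457

Granted patent title

Unsupervised Malicious Traffic Detection System and Method

Patent-owning institution (applicant)

National Chung Cheng University

Grant date

2021/01/01

Technical description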

To date, state-of-the-art defense systems against various attacks still rely mostly on signatures or on pre-defined features extracted from entire flows. These feature definitions are manual, and by the time the flow features have been extracted it is too late to block a malicious flow. This invention presents an effective anomalous traffic detection mechanism consisting of (1) a Convolutional Neural Network (CNN) that automatically learns features from raw packets, and (2) an unsupervised deep learning model (an autoencoder) that is trained on the output of (1) to build a profile of benign traffic and then precisely judge whether the traffic in an examined flow is abnormal. The threshold that separates benign from malicious traffic is set based on the MSELoss distribution of the benign traffic. Notably, the system inspects only the first few bytes of the first few packets in each flow for early detection, which significantly reduces the volume of traffic that must be inspected. Our evaluation shows that, even when only the first 50 bytes of each of the first two packets in each flow are examined, the system achieves nearly 100% accuracy with an extremely low false positive rate. This invention can be implemented in online anomaly detection systems that aim to reduce the volume of processed packets and to block anomalous traffic in time.
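An added example, not code from the patent or its authors: it sketches the two steps the description makes concrete, slicing each flow to the first 50 bytes of its first two packets and deriving a threshold from the benign reconstruction-loss distribution. `MeanProfile` (a per-position mean standing in for the trained CNN and autoencoder), the zero-padding, the mean + k * stdev rule and the sample flows are all assumptions of this example.

```python
import random
import statistics

N_PACKETS, N_BYTES = 2, 50  # inspection window stated in the description

def flow_to_vector(packets):
    """First N_BYTES of the first N_PACKETS packets, scaled to [0, 1].
    Zero-padding of short packets/flows is an assumption of this example."""
    vec = []
    for i in range(N_PACKETS):
        head = packets[i][:N_BYTES] if i < len(packets) else b""
        vec.extend(b / 255.0 for b in head.ljust(N_BYTES, b"\x00"))
    return vec

class MeanProfile:
    """Hypothetical stand-in for the trained CNN + autoencoder: it
    'reconstructs' any input as the per-position mean of benign vectors."""
    def fit(self, vectors):
        self.mean = [statistics.fmean(col) for col in zip(*vectors)]
        return self
    def reconstruct(self, vec):
        return self.mean

def mse(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)

def loss(model, packets):
    vec = flow_to_vector(packets)
    return mse(vec, model.reconstruct(vec))

def fit_threshold(model, benign, k=3.0):
    """Assumed rule: mean + k * stdev of the benign reconstruction loss."""
    losses = [loss(model, f) for f in benign]
    return statistics.fmean(losses) + k * statistics.pstdev(losses)

def benign_flows(rng, n):
    """Constructed sample data: an HTTP request and the start of a response."""
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 512\r\n\r\n"
    flows = []
    for _ in range(n):
        path = "".join(rng.choice("abcdefghij") for _ in range(rng.randint(3, 8)))
        flows.append([f"GET /{path} HTTP/1.1\r\nHost: example.test\r\n\r\n".encode(), resp])
    return flows

def demo(seed=7):
    rng = random.Random(seed)
    train, held_out = benign_flows(rng, 300), benign_flows(rng, 100)
    model = MeanProfile().fit([flow_to_vector(f) for f in train])
    threshold = fit_threshold(model, train)
    odd = [bytes((i * 37 + 11) % 256 for i in range(64))]  # constructed one-packet binary flow
    fp_rate = sum(loss(model, f) > threshold for f in held_out) / len(held_out)
    return fp_rate, loss(model, odd) > threshold
```

`demo()` returns the false positive rate on held-out benign flows and whether the constructed binary flow exceeds the threshold.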

Remarks

Contact unit (responsible unit/department)

Technology Transfer and Licensing Center

Contact phone

05-2720411 ext. 16001

