Research Summary: Malicious Behavior Analysis in Network Traffic 研究总结:网络流量中的恶意行为分析与发现

2 minute read

Published:

A summary of my research on malicious behavior analysis and discovery in network traffic. Published 7 related papers (2 IIE-B tier, 5 IIE-C tier), including 3 as first author.

1. Hierarchical Clustering Based Network Traffic Data Reduction (TrustCom 2018, CCF-C, 1st author)

Problem: Network traffic data is enormous; even after processing, massive datasets remain.

Insight: Divide and conquer — first identify the important parts, then apply complex methods.

Approach: Use feature-based clustering to partition data into clusters, then random sampling within clusters to determine if they may contain malicious traffic. Only clusters with detected malicious samples undergo further analysis.

2. DeepGFL: Deep Feature Learning via Graph for Attack Detection (MilCom 2018, IIE-B, 2nd author)

Problem: Some network nodes have sparse features (e.g., relay nodes in attacks with only forwarding commands, or low-intensity DoS).

Insight: Use neighboring and multi-hop node information to enrich understanding of each node.

Approach: Deep feature learning using network flow direction — combining incoming flows for source nodes and outgoing flows for destination nodes.

3. Marrying Graph Kernel with Deep Neural Network (ICCS 2019, IIE-B, co-first author)

Problem: Whether network topology graphs built from short-term traffic patterns have discriminative value for traffic classification.

Insight: Same-type attack flows produce similar topology graphs; graph kernels express this similarity through subgraph comparison.

Approach: Two fusion strategies — (1) concatenate graph kernel features with raw features at input, (2) train separate models and combine at softmax layer.

4. Understanding the Influence of Graph Kernels on Deep Learning (TrustCom 2019, CCF-C, 1st author)

Further analysis showing graph kernels capture structural consistency in topology for multi-step and low-intensity attacks. Added temporal dimension using LSTM with sequential flow input.

5. STDeepGraph: Spatial-Temporal Deep Learning on Communication Graphs (TrustCom 2019, CCF-C, 2nd author)

6. Identifying Lateral Movement Attacks Based on Network Embedding (ISPA 2018, CCF-C, 5th author)

7. An Improved Method to Unveil Malware’s Hidden Behavior (Inscrypt 2017, IIE-C, 3rd author)

Large-Scale Malicious Behavior Measurement on Ethereum

Discovered malicious attack transactions targeting DApps on Ethereum. Proposed a sequence-transaction-graph-based detection method that can detect attack probing attempts before the actual successful attack. Published as “Evil Under the Sun” at USENIX Security 2021.

在网络流量中恶意行为分析与发现研究领域,已发表相关学术论文7篇(IIE-B类2篇,IIE-C类5篇),其中一作3篇。

1. Hierarchical Clustering Based Network Traffic Data Reduction(TrustCom 2018,CCF C类,一作)

问题描述:网络中的流量数据非常庞大,及时处理依旧会保留大量的数据集。

启发点:大事化小,小事化了,先找到重点部分,再套用复杂的方法。

方法:通过基于特征的聚类将数据划分为多个类簇,再通过类簇中随机采样判断类簇是否可能包含恶意流量,仅对发现恶意流量的类簇做进一步分析。

2. DeepGFL: Deep Feature Learning via Graph for Attack Detection(MilCom 2018,IIE B类,二作)

问题描述:网络流中的部分节点存在特征比较少(如攻击中的跳板节点、低强度DoS攻击)。

启发点:沿着网络流方向,使用相邻节点、多跳节点增加对当前节点的认识。

方法:深度特征学习——按照网络流方向,结合流入/流出flow共同运算。

3. Marrying Graph Kernel with Deep Neural Network(ICCS 2019,IIE B类,共同一作)

问题描述:不同流量在短时间内产生的网络拓扑图对于流量分类是否有影响。

启发点:同类型攻击flow构建的拓扑图具有相似性,graph kernel通过子图相似性表达图相似性。

方法:两种融合策略——(1)图核特征与原始特征在输入端链接,(2)分别训练后在softmax层叠加。

4. Understanding the Influence of Graph Kernels on Deep Learning(TrustCom 2019,CCF C类,一作)

进一步理解图核在深度学习中的作用,发现图核有利于捕捉攻击行为在拓扑空间上的结构一致性。增加时间维度,将flow按时间顺序输入LSTM。

5. STDeepGraph(TrustCom 2019,CCF C类,二作)

6. Identifying Lateral Movement Attacks Based on Network Embedding(ISPA 2018,CCF C类,五作)

7. An Improved Method to Unveil Malware’s Hidden Behavior(Inscrypt 2017,IIE C类,三作)

大规模以太坊恶意行为测量

发现针对以太坊DApp的恶意攻击交易。提出基于序列交易图的检测方法,能够在实际攻击成功前通过检测攻击试探过程预测即将发生的攻击。发表于USENIX Security 2021 “Evil Under the Sun”。