Abstract
To address the difficulty of collecting attack samples for supervised learning methods and the insufficient detection accuracy of unsupervised learning methods, a domain name system (DNS) tunnel detection method that fuses self-supervised learning with active learning is proposed. The method adopts an anomaly detection framework and therefore requires no attack samples; at the same time, self-supervised learning introduces a training guidance process and active learning introduces a feedback regulation process, which markedly improves detection accuracy. An autoencoder based on the Transformer architecture is built and trained on the features of normal samples in a self-supervised manner, realizing anomaly detection at the DNS packet level. On this basis, active learning is applied to a feedback-guided isolation forest (FBIF) to realize anomaly detection at the DNS interaction flow level, and the detected anomalous flows are treated as related to tunnel attack activity. Experimental results show that, without requiring attack samples, the method accurately detects multiple types of tunnel attacks and is highly scalable in terms of resource consumption.
To address the challenges of collecting attack samples in supervised learning methods and the insufficient detection accuracy of unsupervised learning methods, a domain name system (DNS) tunnel detection method that integrates self-supervised learning and active learning is proposed. This method utilizes an anomaly detection framework that eliminates the need for acquiring attack samples. Simultaneously, it significantly improves detection accuracy by incorporating self-supervised learning in the training guidance process and introducing feedback regulation through active learning. An autoencoder based on the Transformer architecture is constructed, implementing anomaly detection at the DNS packet level through self-supervised learning of normal sample features. Building upon this, active learning is applied to a feedback-guided isolation forest (FBIF) for anomaly detection at the DNS interaction flow level, considering detected anomalous flows as associated with tunnel attack activities. Experimental results demonstrate that this detection method accurately identifies various types of tunnel attacks without the need for obtaining attack samples and exhibits high scalability in terms of resource consumption.
Authors
XIONG Wei; GUAN Hongtao (University of Chinese Academy of Sciences, Beijing 100190; Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190)
Source
Chinese High Technology Letters (《高技术通讯》)
Peking University Core Journal (北大核心)
2025, No. 5, pp. 461-471 (11 pages)
Funding
Supported by the National Key R&D Program of China (2020YFB1805603).