面向加密流量分类的深度可解释方法

doi:10.11772/j.issn.1001-9081.2022030382

《计算机应用》唯一官方网站 ›› 2023, Vol. 43 ›› Issue (4): 1151-1159.DOI: 10.11772/j.issn.1001-9081.2022030382

• 网络空间安全 • 上一篇

面向加密流量分类的深度可解释方法

崔剑¹^,², 麻开朗¹^,², 孙钰¹^,², 王豆³, 周君良⁴()

^1.北京航空航天大学网络空间安全学院, 北京 100191
^2.空天网络安全工业和信息化部重点实验室(北京航空航天大学), 北京 100191
^3.浙江浙能数字科技有限公司, 杭州 311100
^4.浙江浙石油综合能源销售有限公司, 杭州 310000

收稿日期:2022-04-02 修回日期:2022-09-13 接受日期:2022-09-14 发布日期:2023-01-11 出版日期:2023-04-10
通讯作者: 周君良
作者简介:崔剑（1980—），男，北京人，讲师，博士，主要研究方向：硬件系统安全、工业互联网安全；
麻开朗（1999—），男，山西文水人，硕士研究生，主要研究方向：人工智能、网络安全；
孙钰（1985—），男，山东烟台人，副教授，博士，主要研究方向：人工智能、网络安全；
王豆（1993—），男，浙江绍兴人，硕士研究生，主要研究方向：工业信息化；
基金资助:
国家自然科学基金资助项目(32071775)

Deep explainable method for encrypted traffic classification

Jian CUI¹^,², Kailang MA¹^,², Yu SUN¹^,², Dou WANG³, Junliang ZHOU⁴()

^1.School of Cyber Science and Technology，Beihang University，Beijing 100191，China
^2.Key Laboratory of Ministry of Industry and Information Technology for Cyberspace Security （Beihang University），Beijing 100191，China
^3.Zhejiang Zhenergy Digital Technology Company Limited，Hangzhou Zhejiang 311100，China
^4.Zhejiang Petroleum Integrated Energy Sales Company Limited，Hangzhou Zhejiang 310000，China

Received:2022-04-02 Revised:2022-09-13 Accepted:2022-09-14 Online:2023-01-11 Published:2023-04-10
Contact: Junliang ZHOU
About author:CUI Jian， born in 1980， Ph. D.， lecturer. His research interests include hardware system security， industrial internet security.
MA Kailang， born in 1999， M. S. candidate. His research interests include artificial intelligence， network security.
SUN Yu， born in 1985， Ph. D.， associate professor. His research interests include artificial intelligence， network security.
WANG Dou， born in 1993， M. S. candidate. His research interests include industrial informatization.
Supported by:
National Natural Science Foundation of China(32071775)

摘要/Abstract

摘要：

目前的深度学习模型在加密流量分类任务上相较于传统机器学习方法的性能优势显著，然而由于它固有的黑盒特性，用户无法获知深度学习模型作出分类决策的机理。为了在保证分类准确率的同时提高深度学习模型的可信度，提出一种面向加密流量分类深度学习模型的可解释方法，包括基于原型的流量层级主动解释和基于特征相似显著图的数据包层级被动解释。首先，利用基于原型的流量原型网络（FlowProtoNet），在训练时自动提取各类流量的典型片段，即流量原型；其次，在测试时计算出待测流量与各类原型的相似度，从而在分类的同时实现训练集的溯源解释；然后，为进一步提升可视化解释能力，提出梯度加权的特征相似度显著图（Grad-SSM）方法。Grad-SSM首先通过梯度对特征图加权，过滤分类决策无关区域；接着，计算待测流量与FlowProtoNet提取的原型之间的推土机距离（EMD）得到相似矩阵，从而通过比较测试流量与该类原型，实现注意力热图的进一步聚焦。在ISCX VPN-nonVPN数据集上，所提方法的准确率达到96.86%，与不可解释的人工智能方法持平，而FlowProtoNet能通过给出与原型的相似度，进一步提供分类依据；同时，所提方法的可视化解释能力更强，注意力更聚焦于流量中的关键数据包。

关键词: 加密流量分类, 可解释人工智能, 原型, 溯源, 可视化解释能力

Abstract:

Current deep learning models have achieved significant performance advantages over traditional machine learning methods in encrypted traffic classification tasks. However， due to inherent black-box characteristic of the deep learning model， users cannot know the mechanism of classification decisions made by the model. In order to enhance the credibility of the deep learning model while ensuring the classification accuracy， an explainable method for deep learning model of encrypted traffic classification was proposed， including prototype-based traffic-level active explanation and feature similarity saliency map based packet-level passive explanation. Firstly， the prototype-based Flow Prototype Network （FlowProtoNet） was used to automatically extract typical segments of traffic during training， namely， traffic prototypes. Secondly， the similarity between the tested traffic and each prototype was calculated during testing to realize the classification and the traceability explanation of the training set. Thirdly， in order to further improve the visual explainability， Gradient Similarity Saliency Map （Grad-SSM） method was proposed， in which the irrelevant regions of classification decision were filtered out by weighting feature map with gradient， and then the Earth Mover’s Distance （EMD） between the tested traffic and the prototype extracted by FlowProtoNet was calculated to obtain the similarity matrix achieving further focus on attention heatmap by comparing the test traffic and this prototype. On ISCX VPN-nonVPN dataset， the accuracy of the proposed method reaches 96.86%， which is similar with that of the inexplainable method. And FlowProtoNet can further provide classification basis by giving the similarity with the prototype. At the same time， the proposed method has stronger visual explainability and focuses more on the key packets in the traffic.

Key words: encrypted traffic classification, explainable artificial intelligence, prototype, traceability, visual explainability

中图分类号:

TN391

崔剑, 麻开朗, 孙钰, 王豆, 周君良. 面向加密流量分类的深度可解释方法[J]. 计算机应用, 2023, 43(4): 1151-1159.

Jian CUI, Kailang MA, Yu SUN, Dou WANG, Junliang ZHOU. Deep explainable method for encrypted traffic classification[J]. Journal of Computer Applications, 2023, 43(4): 1151-1159.

图/表 8

图 1 面向加密流量分类的溯源解释与标注解释

Fig. 1 Traceability and annotation explanation for encrypted traffic classification

图 2 FlowProtoNet的架构

Fig. 2 FlowProtoNet architecture

图 3 SSM原理图

Fig. 3 Principal diagram of SSM

图 4 典型流量图样

Fig. 4 Typical traffic patterns

表 1 模型性能对比 (%)

Tab. 1 Model performance comparison

模型	精确率	召回率	F1值	准确率
FlowPic^［13］	98.56	96.52	97.33	98.02
FlowProtoNet	97.03	95.16	96.04	96.86
ProtoNet^［17］	96.80	93.83	94.65	96.61
ProtoPNet（1×1）^［18］	86.28	79.58	80.60	82.88
ProtoPNet（3×3）^［18］	78.24	72.90	72.34	80.53
ProtoPNet（5×5）^［18］	78.44	72.81	72.74	80.53

图 5 可视化解释优化实验结果

Fig. 5 Visual explanation optimization experiment results

图 6 SSM与Grad-SSM、Grad-CAM的注意力聚焦效果对比

Fig. 6 Comparison of attention focusing effect between SSM， Grad-SSM and Grad-CAM

图 7 Hangouts VoIP和Facebook Video流量的解释样例分析

Fig. 7 Sample analysis of Hangouts VoIP and Facebook Video traffic

参考文献 30

1	REZAEI S， LIU X. Deep learning for encrypted traffic classification： an overview［J］. IEEE Communications Magazine， 2019， 57（5）：76-81. 10.1109/mcom.2019.1800819
2	VELAN P， ČERMÁK M， ČELEDA P， et al. A survey of methods for encrypted traffic classification and analysis［J］. International Journal of Network Management， 2015， 25（5）：355-374. 10.1002/nem.1901
3	王炜. 网络应用层加密流量识别技术研究［D］. 郑州：信息工程大学， 2014：4-5.
	WANG W. Research on identification of encrypted network application traffic［D］. Zhengzhou： Information Engineering University， 2014：4-5.
4	WRIGHT C V， COULL S E， MONROSE F. Traffic morphing： an efficient defense against statistical traffic analysis［C/OL］// Proceedings of the 16th Annual Network and Distributed System Security Symposium ［2022-01-19］..
5	于强，霍红卫. 一组提高存储效率的深度包检测算法［J］. 软件学报， 2011， 22（1）：149-163. 10.3724/sp.j.1001.2011.03724
	YU Q， HUO H W. Algorithms improving the storage efficiency of deep packet inspection［J］ Journal of Software， 2011， 22（1）： 149-163. 10.3724/sp.j.1001.2011.03724
6	WANG W， ZHU M， WANG J L， et al. End-to-end encrypted traffic classification with one-dimensional convolution neural networks［C］// Proceedings of the 2017 IEEE International Conference on Intelligence and Security Informatics. Piscataway： IEEE， 2017： 43-48. 10.1109/isi.2017.8004872
7	陈雪娇，王攀，俞家辉. 基于卷积神经网络的加密流量识别方法［J］. 南京邮电大学学报（自然科学版）， 2018， 38（6）：36-41. 10.14132/j.cnki.1673-5439.2018.06.006
	CHEN X J， WANG P， YU J H. Encrypted traffic identification method based on convolutional neural network［J］. Journal of Nanjing University of Posts and Telecommunications （Natural Science Edition）， 2018， 38（6）： 36-41. 10.14132/j.cnki.1673-5439.2018.06.006
8	LOPEZ-MARTIN M， CARRO B， SANCHEZ-ESGUEVILLAS A， et al. Network traffic classifier with convolutional and recurrent neural networks for Internet of Things［J］. IEEE Access， 2017， 5：18042-18050. 10.1109/access.2017.2747560
9	LIU C， HE L T， XIONG G， et al. FS-Net： a flow sequence network for encrypted traffic classification［C］// Proceedings of the 2019 IEEE Conference on Computer Communications. Piscataway： IEEE， 2019： 1171-1179. 10.1109/infocom.2019.8737507
10	LOTFOLLAHI M， JAFARI SIAVOSHANI M， SHIRALI HOSSEIN ZADE R， et al. Deep packet： a novel approach for encrypted traffic classification using deep learning［J］. Soft Computing， 2020， 24（3）： 1999-2012. 10.1007/s00500-019-04030-2
11	QIN T， WANG L， LIU Z L， et al. Robust application identification methods for P2P and VoIP traffic classification in backbone networks［J］. Knowledge-Based Systems， 2015， 82： 152-162. 10.1016/j.knosys.2015.03.002
12	CHEN Z T， HE K， LI J， et al. Seq2Img： a sequence-to-image based approach towards IP traffic classification using convolutional neural networks［C］// Proceedings of the 2017 IEEE International Conference on Big Data. Piscataway： IEEE， 2017： 1271-1276. 10.1109/bigdata.2017.8258054
13	SHAPIRA T， SHAVITT Y. FlowPic： encrypted internet traffic classification is as easy as image recognition［C］// Proceedings of the 2019 IEEE Conference on Computer Communications Workshops. Piscataway： IEEE， 2019： 680-687. 10.1109/infcomw.2019.8845315
14	PRIEBE C E， MARCHETTE D J， DeVINNEY J G， et al. Classification using class cover catch digraphs［J］. Journal of Classification， 2003， 20（1）： 3-23. 10.1007/s00357-003-0003-7
15	BIEN J， TIBSHIRANI B R. Prototype selection for interpretable classification［J］. The Annals of Applied Statistics， 2011， 5（4）：2403-2424. 10.1214/11-aoas495
16	WU C Y， TABAK E G. Prototypal analysis and prototypal regression［EB/OL］. （2017-08-23）［2022-01-20］..
17	LI O， LIU H， CHEN C F， et al. Deep learning for case-based reasoning through prototypes： a neural network that explains its predictions［C］// Proceedings of the 32nd AAAI Conference on Artificial Intelligence. Palo Alto， CA： AAAI Press， 2018： 3530-3537. 10.1609/aaai.v32i1.11771
18	CHEN C F， LI O， TAO C F， et al. This looks like that： deep learning for interpretable image recognition［C/OL］// Proceedings of the 33rd Conference on Neural Information Processing Systems. ［2022-01-23］..
19	HASE P， CHEN C， LI O， et al. Interpretable image recognition with hierarchical prototypes［C］// Proceedings of the 2019 AAAI Conference on Artificial Intelligence. Palo Alto， CA： AAAI Press， 2019： 32-40. 10.1609/hcomp.v7i1.5265
20	KIM E， KIM S， SEO M， et al. XProtoNet： diagnosis in chest radiography with global and local explanations［C］// Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2021： 15714-15723. 10.1109/cvpr46437.2021.01546
21	ZHOU B L， KHOSLA A， LAPEDRIZA A， et al. Learning deep features for discriminative localization［C］// Proceedings of the 2016 IEEE Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2016： 2921-2929. 10.1109/cvpr.2016.319
22	SELVARAJU R R， COGSWELL M， DAS A， et al. Grad-CAM： visual explanations from deep networks via gradient-based localization［J］. International Journal of Computer Vision， 2020， 128（2）：336-359. 10.1007/s11263-019-01228-7
23	CHATTOPADHYAY A， SARKAR A， HOWLADER P， et al. Grad-CAM++： generalized gradient-based visual explanations for deep convolutional networks［C］// Proceedings of the 2018 Winter Conference on Applications of Computer Vision. Piscataway： IEEE， 2018： 839-847. 10.1109/wacv.2018.00097
24	OMEIZA D， SPEAKMAN S， CINTAS C， et al. Smooth Grad-CAM++： an enhanced inference level visualization technique for deep convolutional neural network models［EB/OL］. （2019-08-03）［2022-01-20］. . 10.48550/arXiv.1908.01224
25	WANG H F， WANG Z F， DU M N， et al. Score-CAM： score-weighted visual explanations for convolutional neural networks［C］// Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops. Piscataway： IEEE， 2020： 111-119. 10.1109/cvprw50498.2020.00020
26	RUBNER Y， TOMASI C， GUIBAS L J. The earth mover’s distance as a metric for image retrieval［J］. International Journal of Computer Vision， 2000， 40（2）：99-121.
27	ZHAO W L， RAO Y M， WANG Z Y， et al. Towards interpretable deep metric learning with structural matching［C］// Proceedings of the 2021 IEEE/CVF International Conference on Computer Vision. Piscataway： IEEE， 2021： 9867-9876. 10.1109/iccv48922.2021.00974
28	ZHANG C， CAI Y J， LIN G S， et al. DeepEMD： few-shot image classification with differentiable earth mover’s distance and structured classifiers［C］// Proceedings of the 2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway： IEEE， 2020： 12200-12210. 10.1109/cvpr42600.2020.01222
29	DRAPER-GIL G， LASHKARI A H， MAMUN M S I， et al. Characterization of encrypted and VPN traffic using time-related features［C］// Proceedings of the 2nd International Conference on Information Systems Security and Privacy. Setúbal： SciTePress， 2016：407-414. 10.5220/0005740704070414
30	LIN T Y， GOYAL P， GIRSHICK R， et al. Focal loss for dense object detection［C］// Proceedings of the 2017 IEEE International Conference on Computer Vision. Piscataway： IEEE， 2017：2999-3007. 10.1109/iccv.2017.324

[1]	刘炜, 张聪, 佘维, 宋轩, 田钊. 基于Merkle山脉的数据可信溯源方法[J]. 《计算机应用》唯一官方网站, 2022, 42(9): 2765-2771.
[2]	雷靖玮, 伊鹏, 陈祥, 王亮, 毛明. 基于系统调用和数据溯源的PDF文档检测模型[J]. 《计算机应用》唯一官方网站, 2022, 42(12): 3831-3840.
[3]	杜炎, 吕良福, 焦一辰. 基于模糊推理的模糊原型网络[J]. 计算机应用, 2021, 41(7): 1885-1890.
[4]	郭帅, 苏旸. 基于数据流的加密流量分类方法[J]. 计算机应用, 2021, 41(5): 1386-1391.
[5]	张学旺, 殷梓杰, 冯家琦, 叶财金, 付康. 基于区块链与可信计算的数据交易方案[J]. 计算机应用, 2021, 41(4): 939-944.
[6]	林杰, 覃飙, 覃雄派. 数据库中不等式查询语句的resilience计算[J]. 计算机应用, 2018, 38(7): 1893-1897.
[7]	康照玲, 徐芹宝, 王昌达. 基于多粒度拓扑图的无线传感器网络逐级精化溯源方法[J]. 计算机应用, 2018, 38(1): 222-227.
[8]	王林, 郭娜娜. 基于差异度的不均衡电信客户数据分类方法[J]. 计算机应用, 2017, 37(4): 1032-1037.
[9]	韩国梁, 盛茂家, 包丛笑, 李星. IPv4网络与IPv6互联网的无状态通信机制[J]. 计算机应用, 2015, 35(8): 2113-2117.
[10]	沈学利, 申杰. 基于自治系统与动态概率包标记的DDoS攻击溯源优化方法[J]. 计算机应用, 2015, 35(6): 1705-1709.
[11]	邵凯计翔庄陵王光宇. 认知无线电系统中调制滤波器组的设计[J]. 计算机应用, 2014, 34(2): 329-332.
[12]	华保健周艾亭朱洪军. Android内核钩子的混合检测技术[J]. 计算机应用, 2014, 34(11): 3336-3339.
[13]	计翔庄陵邵凯王光宇. 基于改进离散傅里叶变换调制滤波器组的多载频系统设计[J]. 计算机应用, 2013, 33(12): 3465-3468.
[14]	刘军丹赵书良赵娇娇郭晓波陈敏柳萌萌. 家谱关系的元图表示[J]. 计算机应用, 2013, 33(07): 2037-2040.
[15]	李净郭洪禹. 图像检索中结合文本信息的多示例原型选择及主动学习策略[J]. 计算机应用, 2012, 32(10): 2899-2903.

面向加密流量分类的深度可解释方法

Deep explainable method for encrypted traffic classification

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 30

相关文章 15

编辑推荐

Metrics