Stacking ensemble adversarial defense method for encrypted malicious traffic detection model

doi:10.11772/j.issn.1001-9081.2024030327

Journal of Computer Applications ›› 2025, Vol. 45 ›› Issue (3): 864-871.DOI: 10.11772/j.issn.1001-9081.2024030327

• Cyber security • Previous Articles Next Articles

Stacking ensemble adversarial defense method for encrypted malicious traffic detection model

Ruilong CHEN¹, Tao HU¹(), Youjun BU¹, Peng YI¹, Xianjun HU², Wei QIAO²

^1.Information Technology Research Institute，Information Engineering University，Zhengzhou Henan 450002，China
^2.Purple Mountain Laboratories，Nanjing Jiangsu 211111，China

Received:2024-03-27 Revised:2024-06-04 Accepted:2024-06-11 Online:2024-07-16 Published:2025-03-10
Contact: Tao HU
About author:CHEN Ruilong， born in 2000， M. S. candidate. His research interests include network intrusion detection， deep learning.
BU Youjun， born in 1978， Ph. D.， associate research fellow. His research interests include network security， mimic defense.
YI Peng， born in 1977， Ph. D.， research fellow. His research interests include cyberspace security， network architecture.
HU Xianjun， born in 1989， Ph. D.， engineer. His research interests include advanced network defense.
QIAO Wei， born in 1989， M. S.， engineer. His research interests include advanced network defense.
Supported by:
National Natural Science Foundation of China(62176264)

面向加密恶意流量检测模型的堆叠集成对抗防御方法

陈瑞龙¹, 胡涛¹(), 卜佑军¹, 伊鹏¹, 胡先君², 乔伟²

^1.信息工程大学信息技术研究所，郑州 450002
^2.网络通信与安全紫金山实验室，南京 211111

通讯作者: 胡涛
作者简介:陈瑞龙（2000—），男，河南鹤壁人，硕士研究生，主要研究方向：网络入侵检测、深度学习
卜佑军（1978—），男，河南焦作人，副研究员，博士，主要研究方向：网络安全、拟态防御
伊鹏（1977—），男，湖北黄冈人，研究员，博士，主要研究方向：网络空间安全、网络体系结构
胡先君（1989—），男，安徽无为人，工程师，博士，主要研究方向：先进网络防御
乔伟（1989—），男，山东烟台人，工程师，硕士，主要研究方向：先进网络防御。
基金资助:
国家自然科学基金资助项目(62176264)

Abstract

Abstract:

Currently， deep learning-based traffic classification models are used widely for encrypted malicious traffic classification. However， adversarial attack samples faced by deep learning models severely impact the detection accuracy and availability of these models. Therefore， an adversarial defense method for encrypted malicious traffic detection models was proposed， namely D-SE （Detector-Stacking Ensemble）. D-SE employed a stacking ensemble learning framework， which was divided into an adversarial defense layer and a decision layer. The former was used to detect potential adversarial traffic samples， including three classifiers — Residual Network （ResNet）， CNN-LSTM， and Vision Transformer （ViT）， and a multilayer perceptron as an adversarial attack detector. Based on the predicted probability distribution of the classifiers， the existence of adversarial attack was detected by the multilayer perceptron. To improve the detection performance of the detector for adversarial samples， the detector was enhanced via adversarial training. In the decision layer， a joint decision module based on voting and weight mechanism was designed， and through a majority rule decision mechanism and a high-weight-preference mechanism， excessive dependence on some classifiers was alleviated in the final prediction. The performance of D-SE was tested on USTC-TFC2016 dataset， and the results show that the accuracy of D-SE is over 96% in the non-adversarial environment， and the accuracy of D-SE is more than 89% in the white-box attack environment. It can be seen that D-SE has certain ability of adversarial defense.

Key words: malicious traffic classification, deep learning, adversarial attack, defense mechanism, stacking ensemble learning framework

摘要：

当前，基于深度学习的流量分类模型已广泛应用于加密恶意流量分类，然而深度学习模型所面临的对抗样本攻击问题严重影响了这些模型的检测精度和可用性。因此，提出一种面向加密恶意流量检测模型的堆叠集成对抗防御方法D-SE（Detector-Stacking Ensemble）。D-SE采用堆叠集成学习框架，分为对抗防御层和决策层。对抗防御层用于检测潜在的对抗攻击流量样本，在该层中包括由残差网络（ResNet）、CNN-LSTM、ViT（Vision Transformer）这3种分类器以及多层感知机组成的对抗攻击检测器，多层感知机根据分类器预测概率的分布检测是否发生对抗攻击。为提高检测器的对抗样本检测效果，对检测器进行对抗训练。在决策层中设计一种基于投票和权重机制的联合决策模块，并通过择多判决机制和高权重者优先机制避免最终预测结果过度依赖部分分类器。在USTC-TFC2016数据集上对D-SE进行测试的结果表明：在非对抗环境下，D-SE的准确率达到96%以上；在白盒攻击环境下，D-SE的准确率达到89%以上。可见，D-SE具有一定的对抗防御能力。

关键词: 恶意流量分类, 深度学习, 对抗攻击, 防御机制, 堆叠集成学习框架

CLC Number:

TP393

Ruilong CHEN, Tao HU, Youjun BU, Peng YI, Xianjun HU, Wei QIAO. Stacking ensemble adversarial defense method for encrypted malicious traffic detection model[J]. Journal of Computer Applications, 2025, 45(3): 864-871.

陈瑞龙, 胡涛, 卜佑军, 伊鹏, 胡先君, 乔伟. 面向加密恶意流量检测模型的堆叠集成对抗防御方法[J]. 《计算机应用》唯一官方网站, 2025, 45(3): 864-871.

Figures/Tables 10

References 26

1	中国互联网络信息中心. 第52 次中国互联网络发展状况统计报告［R/OL］. ［2024-02-14］. .
	China Internet Network Information Center. The 52nd statistical report on Internet development in China［EB/OL］. ［2024-02-14］. .
2	IBM. Cost of a data breach report 2022 ［R/OL］. ［2024-03-13］..
3	APRUZZESE G， ANDREOLINI M， FERRETTI L， et al. Modeling realistic adversarial attacks against network intrusion detection systems ［J］. Digital Threats： Research and Practice， 2022， 3（3）： No.31.
4	AHMAD Z， KHAN A S， SHIANG C W， et al. Network intrusion detection system： a systematic study of machine learning and deep learning approaches ［J］. Transactions on Emerging Telecommunications Technologies， 2021， 32（1）： No.e4150.
5	GOODFELLOW I， McDANIEL P， PAPERNOT N. Making machine learning robust against adversarial inputs ［J］. Communications of the ACM， 2018， 61（7）： 56-66.
6	HE K， KIM D D， ASGHAR M R. Adversarial machine learning for network intrusion detection systems： a comprehensive survey ［J］. IEEE Communications Surveys and Tutorials， 2023， 25（1）： 538-566.
7	QIU H， DONG T， ZHANG T， et al. Adversarial attacks against network intrusion detection in IoT systems ［J］. IEEE Internet of Things Journal， 2021， 8（13）： 10327-10335.
8	ZHANG C， COSTA-PÉREZ X， PATRAS P. Adversarial attacks against deep learning-based network intrusion detection systems and defense mechanisms ［J］. IEEE/ACM Transactions on Networking， 2022， 30（3）： 1294-1311.
9	WANG N， CHEN Y， XIAO Y， et al. Manda： on adversarial example detection for network intrusion detection system ［J］. IEEE Transactions on Dependable and Secure Computing， 2023， 20（2）： 1139-1153.
10	DEBICHA I， COCHEZ B， KENAZA T， et al. Adv-Bot： realistic adversarial Botnet attacks against network intrusion detection systems ［J］. Computers and Security， 2023， 129： No.103176.
11	RUST-NGUYEN N， SHARMA S， STAMP M. Darknet traffic classification and adversarial attacks using machine learning ［J］. Computers and Security， 2023， 127： No.103098.
12	SUN P， LI S， XIE J， et al. GPMT： generating practical malicious traffic based on adversarial attacks with little prior knowledge ［J］. Computers and Security， 2023， 130： No.103257.
13	WANG J， PAN J， AlQERM I， et al. Def-IDS： an ensemble defense mechanism against adversarial attacks for deep learning-based network intrusion detection ［C］// Proceedings of the 2021 International Conference on Computer Communications and Networks. Piscataway： IEEE， 2021： 1-9.
14	VITORINO J， PRAÇA I， MAIA E. SoK： realistic adversarial attacks and defenses for intelligent network intrusion detection ［J］. Computers and Security， 2023， 134： No.103433.
15	XIONG W D， LUO K L， LI R. AIDTF： adversarial training framework for network intrusion detection ［J］. Computers and Security， 2023， 128： No.103141.
16	McCARTHY A， GHADAFI E， ANDRIOTIS P， et al. Defending against adversarial machine learning attacks using hierarchical learning： a case study on network traffic attack classification ［J］. Journal of Information Security and Applications， 2023， 72： No.103398.
17	PUJARI M， CHERUKURI B P， JAVAID A Y， et al. An approach to improve the robustness of machine learning based intrusion detection system models against the Carlini-Wagner attack ［C］// Proceedings of the 2022 IEEE International Conference on Cyber Security and Resilience. Piscataway： IEEE， 2022： 62-67.
18	MOHANTY H， HAGHIGHIAN ROUDSARI A， LASHKARI A H. Robust stacking ensemble model for darknet traffic classification under adversarial settings ［J］. Computers and Security， 2022， 120： No.102830.
19	WANG W， ZHU M， WANG J， et al. End-to-end encrypted traffic classification with one-dimensional convolution neural networks［C］// Proceedings of the 2017 IEEE International Conference on Intelligence and Security Informatics. Piscataway： IEEE， 2017： 43-48.
20	GOODFELLOW I J， SHLENS J， SZEGEDY C. Explaining and harnessing adversarial examples ［EB/OL］. ［2023-12-23］. .
21	YUAN X， HE P， ZHU Q， et al. Adversarial examples： attacks and defenses for deep learning ［J］. IEEE Transactions on Neural Networks and Learning Systems， 2019， 30（9）： 2805-2824.
22	FRANKLE J， CARBIN M. The lottery ticket hypothesis： finding sparse， trainable neural networks ［EB/OL］. ［2024-01-23］..
23	FU Y， YU Q， ZHANG Y， et al. Drawing robust scratch tickets： Subnetworks with inborn robustness are found within randomly initialized networks ［C］// Proceedings of the 35th International Conference on Neural Information Processing Systems. Red Hook： Curran Associates Inc.， 2021： 13059-13072.
24	DOSOVITSKIY A， BEYER L， KOLESNIKOV A， et al. An image is worth 16x16 words： Transformers for image recognition at scale［EB/OL］. ［2023-11-08］. .
25	DING Y， ZHU G， CHEN D， et al. Adversarial sample attack and defense method for encrypted traffic data ［J］. IEEE Transactions on Intelligent Transportation Systems， 2022， 23（10）： 18024-18039.
26	杨有欢，孙磊，戴乐育，等. 使用RAP生成可传输的对抗网络流量［J］. 计算机科学， 2023， 50（12）： 359-367.
	YANG Y H， SUN L， DAI L Y， et al. Generate transferable adversarial network traffic using reversible adversarial padding ［J］. Computer Science， 2023， 50（12）： 359-367.

ResNet-18			CNN-LSTM			Vision Transformer
模块	操作	层数	模块	操作	层数	模块	操作	层数
卷积层1	Conv2d-3×3，64	1	卷积层1	Conv1d-2×2，32	2	嵌入层	PatchEmbedding	1
卷积层1	Conv2d-3×3，64	4	池化层1	Maxpooling-2×2，32	1	Transformer 编码器	LayerNorm	8
池化层1	Maxpooling-2×2，64	1	卷积层2	Conv1d-2×2，64	2		MultiHeadAttention
卷积层2	Conv2d-3×3，128	4	池化层2	Maxpooling-2×2，64	1		Dropout
池化层2	Maxpooling-2×2，128	1	LSTM	LSTM，64	1		ResidualAdd
卷积层3	Conv2d-3×3，256	4	全连接层	Linear1，32	1		LayerNorm
池化层3	Maxpooling-2×2，256	1	全连接层	Linear2+Softmax	1		Linear
卷积层4	Conv2d-3×3，512	4					Dropout
池化层4	Maxpooling-2×2，512	1					Linear
池化层5	全局平均池化1×1，1 000	1					Dropout
全连接层	Linear+Softmax	1				全连接层	Linear	1

ResNet-18			CNN-LSTM			Vision Transformer
模块	操作	层数	模块	操作	层数	模块	操作	层数
卷积层1	Conv2d-3×3，64	1	卷积层1	Conv1d-2×2，32	2	嵌入层	PatchEmbedding	1
卷积层1	Conv2d-3×3，64	4	池化层1	Maxpooling-2×2，32	1	Transformer 编码器	LayerNorm	8
池化层1	Maxpooling-2×2，64	1	卷积层2	Conv1d-2×2，64	2		MultiHeadAttention
卷积层2	Conv2d-3×3，128	4	池化层2	Maxpooling-2×2，64	1		Dropout
池化层2	Maxpooling-2×2，128	1	LSTM	LSTM，64	1		ResidualAdd
卷积层3	Conv2d-3×3，256	4	全连接层	Linear1，32	1		LayerNorm
池化层3	Maxpooling-2×2，256	1	全连接层	Linear2+Softmax	1		Linear
卷积层4	Conv2d-3×3，512	4					Dropout
池化层4	Maxpooling-2×2，512	1					Linear
池化层5	全局平均池化1×1，1 000	1					Dropout
全连接层	Linear+Softmax	1				全连接层	Linear	1

加密流量类型	训练集样本数	测试集样本数
Benign traffic	210 206	52 549
Cridex	13 108	3 277
Geodo	32 758	8 189
Htbot	5 093	1 273
Miuref	10 784	2 696
Neris	27 032	6 758
Nsis	5 140	1 285
Shifu	7 707	1 926
Tinba	6 803	1 700
Virut	26 482	6 620
Zeus	8 776	2 194

加密流量类型	训练集样本数	测试集样本数
Benign traffic	210 206	52 549
Cridex	13 108	3 277
Geodo	32 758	8 189
Htbot	5 093	1 273
Miuref	10 784	2 696
Neris	27 032	6 758
Nsis	5 140	1 285
Shifu	7 707	1 926
Tinba	6 803	1 700
Virut	26 482	6 620
Zeus	8 776	2 194

场景编号	ResNet-18	ViT	CNN-LSTM	D-SE
1	98.61	99.52	99.21	99.65
2	80.73	96.25	95.64	96.88
3	82.78	96.84	96.34	97.36
4	77.13	94.92	95.70	96.86

Stacking ensemble adversarial defense method for encrypted malicious traffic detection model

面向加密恶意流量检测模型的堆叠集成对抗防御方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 26

Related Articles 15

Recommended Articles

Metrics

对抗攻击	基于ViT的白盒攻击				基于CNN-LSTM的白盒攻击
对抗攻击	ResNet-18	ViT	CNN-LSTM	D-SE	ResNet-18	ViT	CNN-LSTM	D-SE
Normal	77.13	94.92	95.70	96.86	77.13	94.92	95.70	96.86
FGSM	72.10	81.50	81.72	90.42	72.46	85.71	73.32	89.15
PGD	71.75	82.16	82.13	89.57	72.02	92.61	70.36	93.68
DeepFool	80.19	77.76	91.63	92.65	75.75	94.18	68.51	94.31
C&W	80.00	68.19	94.64	95.28	78.95	94.22	66.23	96.64

攻击对象	ResNet-18	ViT	CNN-LSTM	D-SE
Normal	77.10	94.95	95.43	96.86
ViT	74.82	82.64	91.66	94.03
CNN-LSTM	75.17	96.22	67.93	95.81

模型	检测器	联合决策模块	不同攻击下的准确率
模型	检测器	联合决策模块	Normal	FGSM	PGD-20	DeepFool	C&W
模型0	√	√	96.86	90.42	89.57	92.65	95.28
模型1	×	√	98.21	59.95	58.98	69.67	77.12
模型2	√	×	95.75	88.47	86.44	75.26	73.36
模型3	×	×	95.23	53.64	52.93	54.32	62.16

对抗攻击	D-SE					Def-IDS
对抗攻击	Accuracy	Precision	Recall	F1	ASR	Accuracy	Precision	Recall	F1	ASR
FGSM	90.42	98.94	77.94	87.19	19.15	87.51	96.45	77.91	86.21	22.58
PGD	89.57	99.28	78.04	87.39	21.74	89.46	96.51	81.93	88.67	18.51
DeepFool	92.65	99.31	89.56	94.24	9.71	87.88	96.45	78.41	86.57	21.57
C&W	95.28	99.28	93.21	94.02	6.77	89.64	96.54	82.12	88.74	17.83

[1]	Zhenhua XUE, Qiang LI, Chao HUANG. Vision foundation model-driven pixel-level image anomaly detection method [J]. Journal of Computer Applications, 2025, 45(3): 823-831.
[2]	Zirong HONG, Guangqing BAO. Review of radar automatic target recognition based on ensemble learning [J]. Journal of Computer Applications, 2025, 45(2): 371-382.
[3]	Zhongwei ZHANG, Jun WANG, Shudong LIU, Zhiheng WANG. Object detection in remote sensing image based on multi-scale feature fusion and weighted boxes fusion [J]. Journal of Computer Applications, 2025, 45(2): 633-639.
[4]	Miaolei DENG, Yupei KAN, Chuanchuan SUN, Haihang XU, Shaojun FAN, Xin ZHOU. Summary of network intrusion detection systems based on deep learning [J]. Journal of Computer Applications, 2025, 45(2): 453-466.
[5]	Songsen YU, Zhifan LIN, Guopeng XUE, Jianyu XU. Lightweight large-format tile defect detection algorithm based on improved YOLOv8 [J]. Journal of Computer Applications, 2025, 45(2): 647-654.
[6]	Danni DING, Bo PENG, Xi WU. VPNet： fatty liver ultrasound image classification method inspired by ventral pathway [J]. Journal of Computer Applications, 2025, 45(2): 662-669.
[7]	Yan LI, Guanhua YE, Yawen LI, Meiyu LIANG. Enterprise ESG indicator prediction model based on richness coordination technology [J]. Journal of Computer Applications, 2025, 45(2): 670-676.
[8]	Tianqi ZHANG, Shuang TAN, Xiwen SHEN, Juan TANG. Image watermarking method combining attention mechanism and multi-scale feature [J]. Journal of Computer Applications, 2025, 45(2): 616-623.
[9]	Siqi ZHANG, Jinjun ZHANG, Tianyi WANG, Xiaolin QIN. Deep temporal event detection algorithm based on signal temporal logic [J]. Journal of Computer Applications, 2025, 45(1): 90-97.
[10]	Zongsheng ZHENG, Jia DU, Yuhe CHENG, Zecheng ZHAO, Yuewei ZHANG, Xulong WANG. Cross-modal dual-stream alternating interactive network for infrared-visible image classification [J]. Journal of Computer Applications, 2025, 45(1): 275-283.
[11]	Xinran XU, Shaobing ZHANG, Miao CHENG, Yang ZHANG, Shang ZENG. Bearings fault diagnosis method based on multi-pathed hierarchical mixture-of-experts model [J]. Journal of Computer Applications, 2025, 45(1): 59-68.
[12]	Jietao LIANG, Bing LUO, Lanhui FU, Qingling CHANG, Nannan LI, Ningbo YI, Qi FENG, Xin HE, Fuqin DENG. Point cloud registration method based on coordinate geometric sampling [J]. Journal of Computer Applications, 2025, 45(1): 214-222.
[13]	Yan YAN, Xingying QIAN, Pengbin YAN, Jie YANG. Federated learning-based statistical prediction and differential privacy protection method for location big data [J]. Journal of Computer Applications, 2025, 45(1): 127-135.
[14]	Yunchuan HUANG, Yongquan JIANG, Juntao HUANG, Yan YANG. Molecular toxicity prediction based on meta graph isomorphism network [J]. Journal of Computer Applications, 2024, 44(9): 2964-2969.
[15]	Yexin PAN, Zhe YANG. Optimization model for small object detection based on multi-level feature bidirectional fusion [J]. Journal of Computer Applications, 2024, 44(9): 2871-2877.