Article abstract
Xiong Wei* **, Guan Hongtao**. A DNS tunnel detection method integrating self-supervised learning and active learning [J]. High Technology Letters (高技术通讯, Chinese edition), 2025, 35(5): 461-471
A DNS tunnel detection method integrating self-supervised learning and active learning (original title: 融合自监督学习与主动学习的DNS隧道检测方法)
DOI: 10.3772/j.issn.1002-0470.2025.05.002
Keywords: domain name system tunnel detection; self-supervised learning; active learning; Transformer; autoencoder; feedback-guided isolation forest
Author affiliations
Xiong Wei* ** (*University of Chinese Academy of Sciences, Beijing 100190) (**Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190)
Guan Hongtao**
Abstract:
      To address the difficulty of collecting attack samples for supervised learning methods and the insufficient detection accuracy of unsupervised learning methods, a domain name system (DNS) tunnel detection method integrating self-supervised learning and active learning is proposed. The method uses an anomaly detection framework and therefore does not require attack samples; at the same time, it significantly improves detection accuracy by introducing a training guidance process through self-supervised learning and a feedback regulation process through active learning. An autoencoder based on the Transformer architecture is constructed and trained in a self-supervised manner on the features of normal samples, giving anomaly detection at the level of individual DNS packets. On this basis, active learning is applied to a feedback-guided isolation forest (FBIF) to detect anomalies at the level of DNS interaction flows, and detected anomalous flows are treated as associated with tunnel attack activity. Experimental results show that the method accurately detects multiple types of tunnel attacks without needing any attack samples and is highly scalable in terms of resource consumption.