MODEL AND TRAINING ALGORITHM OF MALWARE TRAFFIC DETECTOR BASED ON MODIFICATION OF GROWING NEURAL GAS

В’ячеслав Васильович Москаленко, Альона Сергіївна Москаленко, Микола Олександрович Зарецький

Abstract


A model of a hierarchical convolutional extractor of malware traffic features is proposed. The model input is an image with a resolution of 28x28 pixels and 10 channels, formed from 10 successive network packet flows. This makes it possible to describe the spatial-temporal statistical characteristics of the traffic. The feature extractor consists of two convolutional layers with three-dimensional filters, sub-sampling layers, and activation calculation layers based on the orthogonal matching pursuit algorithm and the ReLU function. A model of the decision rules of the malware traffic detector, based on an information-extreme classifier, is proposed. It yields computationally simple decision rules and makes it possible to evaluate the informational efficiency of the feature extractor when the volume of relevant labeled training data is limited. The classifier performs adaptive feature discretization and constructs radial-basis class containers, optimal in the information sense, in binary Hamming space. The information criterion of learning efficiency is a modification of S. Kullback's measure, expressed as a function of the frequencies of errors of the first and second type. The growing neural gas algorithm for pretraining the feature extractor is improved by modifying the mechanisms for inserting and updating neurons. This makes it possible to use unlabeled training samples and to obtain an optimal distribution of neurons covering the training sample. The modified insertion mechanism forms a new neuron when a threshold is reached, rather than at a given frequency. This improves the stability of the learning process and makes it possible to regulate the generalization ability of the model.
The modified mechanism for updating the neuron weight coefficients uses Oja's rule instead of Hebb's rule, which avoids uncontrolled growth of the neuron weights and adapts the convolutional filters for sparse coding of input observations. A meta-heuristic simulated annealing search algorithm is proposed for training the decision rules and fine-tuning the high-level filters of the feature extractor. Simulation results on the CTU-Mixed and CTU-13 datasets confirm the effectiveness of the resulting decision rules for recognizing malware traffic in test samples.
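The two modifications named in the abstract, threshold-triggered neuron insertion and Oja's rule in place of Hebb's rule, can be seen in the following added sketch, which is not the authors' algorithm or code. The constructed 3-D data, the cosine-residual insertion criterion, the thresholds and the learning rate are all assumptions chosen for illustration.

```python
import math
import random

def dot(a, b):
    return sum(p * q for p, q in zip(a, b))

def norm(v):
    return math.sqrt(dot(v, v))

def make_samples(n=600, seed=7):
    # Constructed data: unit vectors scattered around three orthogonal directions.
    rng = random.Random(seed)
    centers = [(1, 0, 0), (0, 1, 0), (0, 0, 1)]
    out = []
    for _ in range(n):
        v = [c + rng.gauss(0, 0.08) for c in rng.choice(centers)]
        out.append([p / norm(v) for p in v])
    return out

def pretrain(samples, insert_threshold, lr=0.05, rule="oja"):
    """Single unsupervised pass; returns the list of neuron weight vectors."""
    neurons = [list(samples[0])]
    for x in samples[1:]:
        # Winner: neuron with the largest absolute cosine overlap with x.
        cos = [dot(w, x) / norm(w) for w in neurons]
        k = max(range(len(neurons)), key=lambda i: abs(cos[i]))
        residual = 1.0 - cos[k] ** 2  # share of x the winner cannot represent
        if residual > insert_threshold:
            # Insertion is triggered by the threshold, not by a step counter.
            neurons.append(list(x))
            continue
        w = neurons[k]
        y = dot(w, x)
        if rule == "oja":
            # Oja: Hebbian term y*x minus decay y^2*w keeps |w| near 1.
            neurons[k] = [wi + lr * y * (xi - y * wi) for wi, xi in zip(w, x)]
        else:
            # Plain Hebb: no decay term, so |w| grows without bound.
            neurons[k] = [wi + lr * y * xi for wi, xi in zip(w, x)]
    return neurons

if __name__ == "__main__":
    data = make_samples()
    for rule in ("oja", "hebb"):
        ns = pretrain(data, insert_threshold=0.5, rule=rule)
        print(rule, len(ns), [round(norm(w), 3) for w in ns])
    print("neurons at threshold 0.01:", len(pretrain(data, 0.01)))
```

Lowering `insert_threshold` makes the network insert more neurons and fit the sample more tightly, which is the knob the abstract refers to as regulating generalization ability.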

Keywords


malware network traffic; growing neural gas; convolutional neural network; sparse coding; information criterion

DOI: https://doi.org/10.32620/reks.2018.3.02
