DOI: 10.1145/3589334.3645479
research-article
Open access

ContraMTD: An Unsupervised Malicious Network Traffic Detection Method based on Contrastive Learning

Published: 13 May 2024

Abstract

Malicious traffic detection has been a focal point in the field of network security, and deep learning-based approaches are emerging as a new paradigm. However, most of them are supervised methods, which depend heavily on well-labeled data and fail to handle unknown or continuously evolving attacks. Unsupervised methods alleviate the need for labeled data, but existing methods are often limited to detecting anomalies either from a vertical perspective, through historical comparisons, or from a horizontal perspective, by comparing with concurrent entities. Relying on data from a single perspective is unreliable, and it limits the model's accuracy and generalizability. In this paper, we propose a novel method, ContraMTD, based on contrastive learning, which comprehensively considers both vertical and horizontal perspectives. ContraMTD extracts local behavior features and global interaction features from normal network traffic using the proposed SEC and DE-GAT, respectively, then employs contrastive learning to learn the relationship between them, especially their consistency, and finally detects malicious traffic through a multi-round scoring approach. We conduct extensive experiments on three datasets, including a self-collected dataset, and the results demonstrate that our method outperforms many state-of-the-art methods in the domain of unsupervised malicious traffic detection.



      Published In

      WWW '24: Proceedings of the ACM Web Conference 2024
      May 2024
      4826 pages
      ISBN:9798400701719
      DOI:10.1145/3589334
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. contrastive learning
      2. graph neural network
      3. malicious network traffic detection

      Qualifiers

      • Research-article

      Conference

      WWW '24
      WWW '24: The ACM Web Conference 2024
      May 13 - 17, 2024
      Singapore, Singapore

      Acceptance Rates

      Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
